24/7 TECHNICAL SUPPORT AT 1.877.877.2269 OR VISIT BLACKBOX.COM
[Front panel labels: WIFI (AUX), WIFI (MAIN), SD CARD, USB PORTS, V.92 MODEM, CONSOLE, ERASE, BACK, OK, PWR; status LEDs: H/B, SER, NET, WIFI]
Page 2
NEED HELP? LEAVE THE TECH TO US
LIVE 24/7 TECHNICAL SUPPORT 1.877.877.2269
TABLE OF CONTENTS
REVISION HISTORY ........................................................................................................................................................................ 12
ABOUT THIS MANUAL ................................................................................................................................................................... 14
Who Should Read this Manual? ................................................................................................................................................................... 14
Types of Users .............................................................................................................................................................................................. 15
Where to Find Additional Information.........................................................................................................................................................16
1.1 LES1500 Series ....................................................................................................................................................................................... 17
1.2 LES1600 Series .......................................................................................................................................................................................19
1.3 LES1700 Series ....................................................................................................................................................................................... 21
2. OVERVIEW ..................................................................................................................................................................................... 23
2.1 Available Models Comparison Charts ..................................................................................................................................................23
2.2 What’s Included ......................................................................................................................................................................................24
2.2.1 LES1500 Series (LES1516A, LES1532A, LES1548A) ................................................................................................................................24
2.2.2 LES1600 Series ................................................................................................................................................................................................24
2.2.3 LES1700 Series ................................................................................................................................................................................................24
2.3.1 LES1500 Series .................................................................................................................................................................................................25
2.3.2 LES1600 Series ................................................................................................................................................................................................26
2.3.3 LES1700 Series ................................................................................................................................................................................................27
3.1 Power Connection ..................................................................................................................................................................................28
3.3 Serial Port Connection ...........................................................................................................................................................................29
3.4 USB Port Connection .............................................................................................................................................................................31
3.5 Fitting Cellular SIM and Antennas ........................................................................................................................................................ 31
4. SYSTEM CONFIGURATION ........................................................................................................................................................ 33
4.2.1 Change Default Root System Password .....................................................................................................................................................36
4.2.2 Set Up a New Administrator ..........................................................................................................................................................................37
4.2.3 Name the System ............................................................................................................................................................................................37
4.3.2 Dynamic DNS (DDNS) Configuration ...........................................................................................................................................................40
4.4 Services and Service Access ................................................................................................................................................................ 41
Brute Force Protection ..............................................................................................................................................................................................45
4.5.2 PuTTY .................................................................................................................................................................................................................47
4.5.3 SSHTerm ............................................................................................................................................................................................................47
4.6.1 Enable the Management LAN ........................................................................................................................................................................48
4.6.2 Configure the DHCP Server ...........................................................................................................................................................................51
4.6.3 Select Failover or Broadband OOP ...............................................................................................................................................................52
4.6.4 Aggregating the Network Ports ....................................................................................................................................................................53
4.6.5 Wi-Fi Wireless LAN ..........................................................................................................................................................................................54
4.7 Configuration Over DHCP (ZTP) ...........................................................................................................................................................57
4.7.1 Ensuring the Console Server is Unconfigured ............................................................................................................................................57
4.7.2 Example ISC DHCP (dhcpd) Server Configuration ....................................................................................................................................58
4.7.3 Setup When the LAN is Untrusted ................................................................................................................................................................58
4.7.4 Prepare a USB Drive and Create the X.509 Certificate and Private Key ................................................................................................59
4.7.5 What an Unconfigured Console Server Does on First Boot ....................................................................................................................59
4.7.6 Using What an Unconfigured Console Server Does on First Boot to Update Firmware ...................................................................60
4.7.7 The URLs in DHCP OFFER, Option 43, Sub-Option 1 ................................................................................................................................ 61
4.7.8 Importing the Configuration File ................................................................................................................................................................... 61
4.7.9 Running a Restore or Update in Secure Recovery Mode..........................................................................................................................62
5. SERIAL PORT, HOST, DEVICE AND USER CONFIGURATION ................................................................................................... 63
5.1 Configure Serial Ports ............................................................................................................................................................................64
5.1.1 Common Settings ............................................................................................................................................................................................. 65
5.1.2 Console Server Mode ......................................................................................................................................................................................66
5.1.5 Terminal Server Mode .....................................................................................................................................................................................72
5.1.6 Serial Bridging Mode ........................................................................................................................................................................................72
5.1.7 Syslog ..................................................................................................................................................................................................................74
5.1.9 USB Ports ........................................................................................................................................................................................................... 75
5.1.10 Link Layer Discovery Protocol (LLDP) ........................................................................................................................................................76
5.2 Add and Edit Users ................................................................................................................................................................................. 77
5.2.1 Set Up New Groups ..........................................................................................................................................................................................78
5.2.2 Set Up New Users ............................................................................................................................................................................................78
5.6 Serial Port Cascading ............................................................................................................................................................................82
5.6.1 Automatically Generate and Upload SSH Keys ..........................................................................................................................................82
5.6.2 Manually Generate and Upload SSH Keys ..................................................................................................................................................83
5.6.3 Configure the Slaves and their Serial Ports ................................................................................................................................................84
5.6.4 Managing the Slaves .......................................................................................................................................................................................85
5.7 Serial Port Re-direction (PortShare) .....................................................................................................................................................86
Enable the VPN Gateway ..........................................................................................................................................................................................88
5.10 Open VPN ..............................................................................................................................................................................................90
5.10.1 Enable the OpenVPN ......................................................................................................................................................................................90
5.10.2 Configure as Server or Client .......................................................................................................................................................................92
5.10.3 Windows OpenVPN Client and Server Setup ...........................................................................................................................................93
5.11.1 Enable the PPTP VPN Server .......................................................................................................................................................................98
5.11.2 Add a PPTP User ............................................................................................................................................................................................99
5.11.3 Set Up a Remote PPTP Client ......................................................................................................................................................................99
5.12 Call Home ............................................................................................................................................................................................100
5.12.1 Set Up Call Home Candidate ......................................................................................................................................................................100
5.12.2 Accept Call Home Candidates as Managed Consoles .........................................................................................................................102
5.12.3 Calling Home to a Generic Central SSH Server .....................................................................................................................................103
5.13 IP Passthrough ...................................................................................................................................................................................103
5.13.2 IP Passthrough Pre-requisite Pre-configuration Steps ........................................................................................................................104
5.13.3 IP Passthrough Certification......................................................................................................................................................................104
5.13.4 Service Intercepts ........................................................................................................................................................................................105
5.13.5 IP Passthrough Status ................................................................................................................................................................................105
6.2.2 Using SDT Connector Client ........................................................................................................................................................................108
6.2.3 Set Up Windows XP or Later Client ............................................................................................................................................................108
6.2.4 Set Up Earlier Windows Clients ...................................................................................................................................................................109
6.2.5 Set Up Linux Clients .......................................................................................................................................................................................109
6.6.1 Connecting to a GSM HSUPA/UMTS Carrier Network ..........................................................................................................................116
6.6.2 Connecting to a CDMA EV-DO Carrier Network ...................................................................................................................................... 119
6.6.3 Connecting to a 4G LTE Carrier Network ..................................................................................................................................................121
6.6.4 Verifying the Cellular Connection ...............................................................................................................................................................122
6.6.7 Multi-carrier Cellular Support ......................................................................................................................................................................125
6.8 Firewalls and Forwarding ....................................................................................................................................................................130
6.8.1 Configuring Network Forwarding and IP Masquerading .......................................................................................................................131
6.8.3 Port and Protocol Forwarding .....................................................................................................................................................................134
6.8.5 Packet State Matching in Firewall Rules ...................................................................................................................................................137
7. SSH TUNNELS AND SDT CONNECTOR ................................................................................................................................... 139
7.1 Configuring for SSH Tunneling to Hosts .............................................................................................................................................140
7.2.2 Configuring a New Gateway in the SDT Connector Client .....................................................................................................................142
7.2.3 Auto-configure SDT Connector Client with the User’s Access Privileges ..........................................................................................143
7.2.4 Make an SDT Connection through the Gateway to a Host ................................................................................................................... 144
7.2.5 Manually Add a Host to the SDT Connector Gateway ..........................................................................................................................145
7.2.6 Manually Add New Services to the New Hosts ........................................................................................................................................146
7.2.7 Add a Client Program to be Started for the New Service .......................................................................................................................148
7.3 SDT Connector to Management Console ........................................................................................................................................... 149
7.4 SDT Connector: Telnet or SSH Connect to Serially-Attached Devices ............................................................................................151
7.5 Using SDT Connector for Out-of-Band Connection to the Gateway .................................................................................................152
7.6 Importing and Exporting Preferences ................................................................................................................................................153
7.7 SDT Connector Public Key Authentication .........................................................................................................................................153
7.8 Setting Up SDT for Remote Desktop Access .....................................................................................................................................154
7.8.1 Enable Remote Desktop on the Target Windows Computer to be Accessed ....................................................................................154
7.8.2 Configure the Remote Desktop Connection Client .................................................................................................................................156
7.9 SDT SSH Tunnel for VNC ......................................................................................................................................................................157
7.9.1 Install and Configure the VNC Server on the Computer to be Accessed ............................................................................................157
7.9.2 Install, Configure and Connect the VNC Viewer .......................................................................................................................................158
7.10 Using SDT to IP Connect to Hosts that are Serially Attached to the Gateway ..............................................................................160
7.10.1 Establish a PPP Connection between the Host COM Port and the Console Server ......................................................................160
7.10.2 Set Up SDT Serial Ports on the Console Server ..................................................................................................................................... 162
7.10.3 Set Up SDT Connector to SSH Port Forward over the Console Server Serial Port ........................................................................163
7.11 SSH Tunneling Using Other SSH Clients (for example, PuTTY)......................................................................................................164
8.2.2 Alarms and Digital Inputs .............................................................................................................................................................................169
8.2.3 UPS and Power Supply .................................................................................................................................................................................169
8.2.4 UPS Status ......................................................................................................................................................................................................170
8.2.5 Serial Login, Signal or Pattern .....................................................................................................................................................................170
8.2.6 USB Console Status ......................................................................................................................................................................................171
8.2.8 Cellular Data ....................................................................................................................................................................................................172
8.3.4 Run Custom Script .........................................................................................................................................................................................178
8.5 Configure SMTP, SMS, SNMP and Nagios Service for Alert Notifications ..................................................................................... 179
8.6.2 Serial Port Logging ........................................................................................................................................................................................185
8.6.3 Network TCP and UDP Port Logging .........................................................................................................................................................186
8.6.5 Power Device Logging...................................................................................................................................................................................186
9. POWER, ENVIRONMENT AND DIGITAL I/O ............................................................................................................................. 188
9.1 Remote Power Control (RPC) ..............................................................................................................................................................188
9.1.2 RPC Access Privileges and Alerts ...............................................................................................................................................................192
9.1.3 User Power Management .............................................................................................................................................................................192
9.1.4 RPC Status .......................................................................................................................................................................................................193
9.2 Uninterruptible Power Supply (UPS) Control .....................................................................................................................................194
10.1.1 Local Authentication ................................................................................................................................................................................... 207
10.1.5 RADIUS and TACACS User Configuration ...............................................................................................................................................211
10.1.6 Group Support with Remote Authentication...........................................................................................................................................212
10.1.7 Remote Groups with RADIUS Authentication ......................................................................................................................................... 213
10.1.8 Remote Groups with LDAP Authentication .............................................................................................................................................214
10.1.9 Remote Groups with TACACS+ Authentication .....................................................................................................................................216
10.1.10 Idle Timeout .................................................................................................................................................................................................216
11.2.1 Enable Nagios on the Console Server ..................................................................................................................................................... 222
11.2.4 Configure Selected Serial Ports for Nagios Monitoring ...................................................................................................................... 224
11.2.5 Configure Selected Network Ports for Nagios Monitoring ................................................................................................................. 225
11.2.6 Configure the Upstream Nagios Monitoring Host ............................................................................................................................... 226
11.3.4 Number of Supported Devices ................................................................................................................................................................. 232
12. SYSTEM MANAGEMENT ........................................................................................................................................................ 235
12.1 System Administration and Reset ................................................................................................................................................... 235
12.3 Date and Time Configuration ........................................................................................................................................................... 237
12.6 FIPS Mode ...........................................................................................................................................................................................242
13. STATUS REPORTS .................................................................................................................................................................... 244
13.1 Port Access and Active Users .......................................................................................................................................................... 244
13.3 Support Reports ................................................................................................................................................................................ 246
13.5.1 Configuring the Dashboard ........................................................................................................................................................................247
13.5.2 Creating Custom Widgets for the Dashboard ....................................................................................................................................... 248
14.2 Port and Host Logs ........................................................................................................................................................................... 250
14.3.1 Web Terminal ............................................................................................................................................................................................... 250
14.4 Power Management .......................................................................................................................................................................... 253
15. CONFIGURATION FROM THE COMMAND LINE ................................................................................................................... 254
15.1 Accessing Configuration from the Command Line ........................................................................................................................ 254
15.1.1 Serial Port Configuration ............................................................................................................................................................................ 256
15.1.2 Adding and Removing Users ..................................................................................................................................................................... 259
15.1.3 Adding and Removing User Groups ........................................................................................................................................................ 260
15.1.10 Managed Devices ...................................................................................................................................................................................... 269
15.1.11 Port Log ....................................................................................................................................................................................................... 269
15.1.13 SMTP and SMS .......................................................................................................................................................................................... 272
15.1.14 SNMP ........................................................................................................................................................................................................... 273
15.1.16 IP Settings ....................................................................................................................................................................................................274
15.1.17 Date and Time Settings .............................................................................................................................................................................275
15.1.19 DHCP Server ............................................................................................................................................................................................... 278
16.1.1 Custom Script to Run when Booting........................................................................................................................................................ 283
16.1.2 Running Custom Scripts when Alerts are Triggered ............................................................................................................................ 284
16.1.3 Example Script: Power Cycling on Pattern Match ................................................................................................................................ 285
16.1.4 Example Script: Multiple email Notifications on Each Alert ............................................................................................................... 285
16.1.5 Deleting Configuration Values from the CLI .......................................................................................................................................... 286
16.1.6 Power Cycle Any Device Upon a Ping Request Failure ........................................................................................................................ 289
16.1.7 Running Custom Scripts When a Configurator is Invoked .................................................................................................................. 290
16.1.8 Backing Up the Configuration and Restoring Using a Local USB Stick ........................................................................................... 291
16.1.9 Backing Up the Configuration Off-Box .................................................................................................................................................... 292
16.2.2 External Scripts and Alerts ....................................................................................................................................................................... 297
16.3 Raw Access to Serial Ports .............................................................................................................................................................. 298
16.3.1 Access to Serial Ports ................................................................................................................................................................................ 298
16.3.2 Accessing the Console Modem Port ...................................................................................................................................................... 298
16.4 IP Filtering ......................................................................................................................................................................................... 299
16.5 SNMP Status Reporting .................................................................................................................................................................... 299
16.5.1 Retrieving Status Information Using SNMP .......................................................................................................................................... 299
16.6.2 Generating Public Keys (Linux) ................................................................................................................................................................ 305
16.6.3 Installing the SSH Public and Private Keys (Clustering) ..................................................................................................................... 306
16.6.4 Installing SSH Public Key Authentication (Linux) ................................................................................................................................. 306
16.6.5 Generating Public and Private Keys for SSH (Windows) .................................................................................................................... 307
16.8.1 Generating an Encryption Key ...................................................................................................................................................................313
16.8.2 Generating a Self-Signed Certificate with OpenSSL ............................................................................................................................313
16.8.3 Installing the Key and Certificate ..............................................................................................................................................................313
16.8.4 Launching the HTTPS Server ....................................................................................................................................................................314
16.9 Power Strip Control ............................................................................................................................................................................ 314
16.9.1 The PowerMan Tool .....................................................................................................................................................................................314
16.9.2 The Pmpower Tool .......................................................................................................................................................................................316
16.9.3 Adding New RPC Devices ...........................................................................................................................................................................317
16.16.2 Example ISC DHCP Server Configuration ............................................................................................................................................ 324
16.16.3 Setup for an Untrusted LAN .................................................................................................................................................................... 324
16.16.4 How it Works .............................................................................................................................................................................................. 324
16.17.1 File System Location of FTP and TFTP Directory .............................................................................................................................. 326
16.17.2 File System Location of Portmanager Logs ........................................................................................................................................ 326
16.17.3 Configuring FTP and TFTP Directory .................................................................................................................................................... 327
16.17.4 Mounting a Preferred USB Disk by Label .............................................................................................................................................. 327
APPENDIX A: COMMANDS AND SOURCE CODE ........................................................................................................................ 328
B.2 NOM Statement .................................................................................................................................................................................. 337
APPENDIX C: CONNECTIVITY, TCP PORTS AND SERIAL I/O ................................................................................................... 338
C.1 Serial Port Pinouts .............................................................................................................................................................................. 338
C.2 Local Console Port ............................................................................................................................................................................. 339
C.3 RS-232 Standard Pinouts ................................................................................................................................................................... 339
C.4 Console Server Connector Wiring ..................................................................................................................................................... 340
C.5 TCP and UDP Port Numbers .............................................................................................................................................................. 340
APPENDIX D: GLOSSARY ............................................................................................................................................................. 342
E.2 Trademarks Used in this Manual ....................................................................................................................................................... 345
REVISION HISTORY
RELEASE: V6.38
SAFETY PRECAUTIONS
Follow the safety precautions below when installing and operating the console server:
Do not remove the metal covers. There are no operator-serviceable components inside. Opening or removing the cover may expose you to
dangerous voltage that may cause fire or electric shock. Refer all service to Black Box-qualified personnel.
To avoid electric shock, the power cord protective grounding conductor must be connected through to ground.
Always pull on the plug, not the cable, when disconnecting the power cord from the socket.
Do not connect or disconnect the console server during an electrical storm.
We recommend that you use a surge suppressor or UPS to protect the equipment from transients.
Proper back-up systems and necessary safety devices should be used to protect against injury, death or property damage due to system
failure. Such protection is the responsibility of the user.
This console server device is not approved for use as a life-support or medical system.
Any changes or modifications made to this console server device without the explicit approval and consent of Black Box will void Black
Box of any liability or responsibility of injury or loss caused by any malfunction.
This equipment is for indoor use only. All the console’s communication wirings are limited to use inside of a building.
ABOUT THIS MANUAL
PRODUCTS COVERED
The Black Box User Manual describes the features and capabilities of the following Black Box products, and provides
instructions to best take advantage of them:
LES1500 Series Console Servers: LES1516A, LES1532A, LES1548A
LES1600 Series Console Servers: LES1604A, LES1604A-V, LES1604A-T, LES1604A-R, LES1608A
LES1700 Series Console Servers: LES1708A, LES1716A, LES1732A, LES1748A
Each of these products is referred to generically in this manual as a console server.
Where appropriate, product groups may be referred to as console servers, gateways or by specific product line name or product
group (for example the LES1500 family).
WHO SHOULD READ THIS USER MANUAL?
You should read this manual if you are responsible for evaluating, installing, operating, or managing a Black Box appliance. This
manual assumes you are familiar with the internal network of your organization, and are familiar with the Internet, IP networks,
HTTP, FTP and basic security operations.
MANUAL ORGANIZATION
The Black Box User Manual is structured as follows:
Safety Precautions
1. Specifications: Technical specifications for the console servers.
2. Overview: An overview of the console server’s features and information regarding this manual.
3. Installation: Physical installation of the console server and the interconnecting of managed devices.
4. System configuration: Initial installation and configuration of the console server and the supported services.
5. Serial port, host, device and user configuration: Configuring serial ports and connected network hosts, and setting up users.
6. Firewall, failover, and OOB access: Set up the firewall and the high availability access features of the console server.
7. SSH tunnels and SDT connector: Secure remote access using SSH and configure for RDP, VNC, HTTP, HTTPS and access to
network- and serially-connected devices.
8. Alerts, auto-response and logging: Set up local and remote event and data logs. Configure auto-responses to trigger events.
9. Power, environment and digital I/O: Manage USB, serial and network attached power strips and UPS supplies. Also EMD
environmental sensor configuration.
10. Authentication: Access to the console server requires authenticated usernames and passwords.
11. Nagios Integration: Set Nagios central management. Configure console server as a distributed Nagios server.
12. System Management: Access to and configuration of services to be run on the console server.
13. Status reports: The dashboard summary and detailed status and logs of serial and network connected devices
(ports, hosts, power and environment).
14. Management: Port controls and user-accessible reports.
15. Configuration from the command line: Command-line installation and configuration using the config command.
16. Advanced Configuration: Advanced command-line configuration activities using Linux commands.
17. Appendixes: Command definitions, specifications, certifications, terminology definitions, licenses, service and warranty details.
The most recent version of this manual is always at www.blackbox.com.
TYPES OF USERS
The console server supports two classes of users:
1. First, there are administrative users, who have unlimited configuration and management privileges over the console server and
all the connected devices.
Administrative users are set up as members of the admin user group. Users in this class are referred to in this manual as
Administrators. An Administrator can access and control the console server using the config utility, the Linux command line or the
browser-based Management Console. By default, the Administrator has access to all services and ports to control all the serial
connected devices and network connected devices (hosts).
2. The second class of users embraces those who have been set up by an Administrator with specific limits of their access and
control authority. These users are set up as members of one of the pre-configured user groups (pptpd, dialin, ftp, pmshell or users)
or another user group an Administrator has added.
They are only authorized to perform specified controls on specific connected devices and are referred to as Users. These Users
(when authorized) can access serial or network connected devices and control these devices using the specified services (e.g.,
Telnet, HTTPS, RDP, IPMI, Serial-over-LAN, Power Control).
An authorized User also has a limited view of the Management Console and can only access authorized configured devices and
review port logs.
In this manual, when the term user (lower case) is used, it is referring to both classes of users above. This document also uses the
term remote users to describe users who are not on the same LAN segment as the console server.
These remote users may be users who are on the road connecting to managed devices over the public Internet. They may be an
Administrator in another office connecting to the console server itself over the enterprise VPN. Or the remote user may be in the
same room or the same office but connected on a separate VLAN to the console server.
MANAGEMENT CONSOLE
The features of your console server are configured and monitored using the Black Box Management Console. When you first
browse to the Management Console, you can use the menu displayed on the left side to configure the console server. Once you
have completed the initial configuration, you can continue to use the Management Console. It runs in a browser and provides a view
of the console server and all the connected devices.
Administrators can use the Management Console, either locally or from a remote location, to configure and manage the console
server, users, ports, hosts, power devices and associated logs and alerts.
Users can also use the Management Console, but have limited menu access to control select devices, review their logs, access
them using the Web terminal, or control power to them.
The console server runs an embedded Linux operating system, and experienced Linux and UNIX users may prefer to undertake
configuration at the command line.
You can gain command line access by cellular, dial-in, or by directly connecting to the console server’s serial console port (aka the
console server’s modem port). The shell can also be accessed via ssh or Telnet over a LAN or by connecting with PPTP, IPsec or
OpenVPN.
WHERE TO FIND ADDITIONAL INFORMATION
The Quick Start Guide that came with your console server.
CHAPTER 1: SPECIFICATIONS
SPECIFICATIONS: LES1500 SERIES CONSOLE SERVERS
Console Specifications
Console Ports: LES1516A: (16) RJ-45 RS-232 serial ports with Cisco pinouts;
LES1532A: (32) RJ-45 RS-232 serial ports with Cisco pinouts;
LES1548A: (48) RJ-45 RS-232 serial ports with Cisco pinouts
Interface
Ethernet Ports: (2) 10-/100-/1000-Mbps Ethernet RJ-45 ports
Console Port: (1) DB9 RS-232 console port
Serial Ports: Software-selectable, 50 to 230,400 bps
USB: (2) USB 2.0 ports for increased storage
Remote Access: Dual Ethernet, aggregation and redundancy, remote access automatic network failover, easy browser UI, IPv6
Console Management: Built-in web terminal, SSH direct to consoles, optional console keystroke logging, alert on cable
disconnects, text pattern match and more, inline power control, multiple concurrent sessions
Power Requirements
Power Supply: LES1508A: External AC/DC power supply;
LES1516A, LES1532A, LES1548A: Single AC power supply
Power Consumption: Less than 30 W
Physical
Dimensions: 1.75"H x 17"W x 6.9"D (4.5 x 43.2 x 4.5 cm)
Weight: 9 lb. (4 kg)
Form Factor: 1 RU
Operating Temperature: 41 to 122° F (5 to 40° C)
Storage Temperature: -20 to +140° F (-30 to +60° C)
Humidity: 5 to 90%
Security, Encryption and Authentication: SSH;
FIPS-140-2 compliant;
Open SSL Module;
Strong ciphers—AES encryption;
IPsec;
AAA, TACACS+, RADIUS, Active Directory, OpenLDAP, Kerberos, with local fallback;
Two factor authentication via remote AAA;
Configurable stateful firewall;
OpenVPN
SPECIFICATIONS (CONTINUED): LES1500 SERIES CONSOLE SERVERS
Automation and Scalability: ZTP, Virtual Central Management System (VCMS);
RESTful API, programmable and extensible;
Auto-Response, SNMP, LLDP, NTP
Certifications
Emissions: FCC Part 15 Subpart B Class A;
ICES-003 Issue 4 February 2004;
AS/NZS CISPR 22: 2004 Class A;
EN 55022 Emissions Class A (2009) A1 (2010);
EN 61000-3-2 Harmonics Current Emissions (2014);
EN 61000-3-3 Voltage Fluctuation and Flicker (2013)
Operating Temperature: -13 to +140° F (-25 to +60° C)
Storage Temperature: -40 to +167° F (-40 to +75° C)
Humidity: 5 to 90%
Security, Encryption and Authentication: SSH;
FIPS-140-2 compliant Open SSL Module;
Strong ciphers—AES encryption;
Cisco-compatible IPsec;
AAA—TACACS+, RADIUS, Active Directory/OpenLDAP, Kerberos, with local fallback;
Two factor authentication via remote AAA;
Configurable stateful firewall;
OpenVPN
Automation and Scalability: ZTP, Virtual Central Management System (VCMS);
RESTful API, programmable and extensible;
Auto-Response, SNMP, LLDP, NTP
Certifications
Emissions: FCC Part 15 Subpart B:2015;
EN55022:2010;
CISPR 22:2008;
ICES-003 Issue 5 (2014);
AS/NZS CISPR 22: 2009+ A1:2010;
EN 61000-3-2:2006/A2:2009;
EN 61000-3-3:2008
Immunity: EN 55024:2010;
CISPR 24:2010;
EN 61000-4-2:2009;
EN 61000-4-3:2006+A2:2010;
EN 61000-4-4:2004+A1:2010;
EN 61000-4-5:2006;
EN 61000-4-6:2009;
EN 61000-4-8:2010;
EN 61000-4-11:2004
Other Agency Approvals: CE, UL 1950, TUV, C-Tick, RoHS compliant, Security features to support NERC CIP standards,
FIPS 140-2 validated module Certificate #2473, CCC
Ethernet Ports: (2) 10-/100-/1000-Mbps Ethernet/SFP fiber ports with 1500 VAC isolation and ESD protection
Console Port: (1) RJ-45 RS-232 console port
WiFi: 802.11 a/b/g/n, AP or Client mode, Infrastructure or Ad-hoc, WEP, WPA-PSK, WPA2-PSK, WPA-None,
WPA-PEAP-MSCHAPv2;
Encryption: TKIP, AES
PSTN Modem: (1) internal V.92 modem with RJ-11 socket
Serial Ports: Software-selectable, 50 to 230,400 bps
USB: (2) USB 3.0 ports for increased storage
Remote Access: Integrated V.92 PSTN dial-in, dual Ethernet, aggregation and redundancy, remote access automatic
network failover, easy browser UI, IPv6
Console Management: Built-in web terminal, SSH direct to consoles, optional console keystroke logging, alert on cable
disconnects, text pattern match and more, inline power control, multiple concurrent sessions
Power Requirements
Dual AC: Dual socket, universal 100–240 VAC
Power Consumption: Less than 30 W
Physical
Dimensions: 1.75"H x 17"W x 10"D (4.5 x 44 x 25.4 cm)
Weight: 10 lb. (4.5 kg)
Form Factor: 1 RU
Memory and CPU
CPU: 1 GHz ARM SoC (Marvell 88F6283)
Memory: 256 MB DDR2 SDRAM;
64 MB Embedded NOR Flash
Internal Storage: 16 GB
Environmental
Operating Temperature: 41 to 122° F (5 to 40° C)
Storage Temperature: -20 to +140° F (-30 to +60° C)
Humidity: 5 to 90%
Environmental Monitoring: Serial EMD5000 to support physical, smoke, water leak and vibration sensors
Security, Encryption and Authentication: SSH;
FIPS-140-2 compliant Open SSL Module;
Strong ciphers—AES encryption;
Cisco-compatible IPsec;
AAA—TACACS+, RADIUS, Active Directory/OpenLDAP, Kerberos, with local fallback;
Two factor authentication via remote AAA;
Configurable stateful firewall;
OpenVPN
SPECIFICATIONS (CONTINUED): LES1700 SERIES CONSOLE SERVERS
Automation and Scalability: ZTP, Virtual Central Management System (VCMS);
RESTful API, programmable and extensible;
Auto-Response, SNMP, LLDP, NTP
Cellular
Modules: Sierra Wireless
Certifications
Emissions: FCC Part 15 Subpart B Class A;
ICES-003 Issue 4 February 2004;
AS/NZS CISPR 22: 2004 Class A;
EN 55022 Emissions Class A (2009) A1 (2010);
EN 61000-3-2 Harmonics Current Emissions (2014);
EN 61000-3-3 Voltage Fluctuation and Flicker (2013)
Other Agency Approvals: CE, UL 1950, TUV, C-Tick, RoHS compliant, Security features to support NERC CIP standards,
FIPS 140-2 validated module Certificate #2473, CCC
MTBF: 150,000 hours
CHAPTER 2: OVERVIEW
2.1 AVAILABLE MODELS COMPARISON CHARTS
TABLE 2-1. AVAILABLE MODELS COMPARISON CHART
PRODUCT CODE | SERIAL RS-232 | USB 2.0 | USB 3.0 | NETWORK 10/100/1000 | FLASH RAM | INTERNAL STORAGE | INTERNAL MODEM | WIRELESS | POWER
LES1516A | 16 | 2 | — | 2 | 32 MB | 4 GB | — | — | Single AC
LES1532A | 32 | 2 | — | 2 | 32 MB | 4 GB | — | — | Single AC
LES1548A | 48 | 2 | — | 2 | 32 MB | 4 GB | — | — | Single AC
LES1604A | 4 | 4 | — | 2 | 256/32 MB | 4 GB | — | — | Single AC
LES1604A-V | 4 | 4 | — | 2 | 256/32 MB | 4 GB | cellular 4G | WiFi | Single AC
LES1604A-T | 4 | 4 | — | 2 | 256/32 MB | 4 GB | cellular 4G | WiFi | Single AC
LES1604A-R | 4 | 4 | — | 2 | 256/32 MB | 4 GB | cellular 4G | WiFi | Single AC
LES1608A | 8 | 4 | — | 2 | 256/32 MB | 4 GB | — | — | Single AC
LES1708A | 8 | | 2 | 2 | 256/64 MB | 16 GB | POTS | WiFi | Dual AC
LES1716A | 16 | | 2 | 2 | 256/64 MB | 16 GB | POTS | WiFi | Dual AC
LES1732A | 32 | | 2 | 2 | 256/64 MB | 16 GB | POTS | WiFi | Dual AC
LES1748A | 48 | | 2 | 2 | 256/64 MB | 16 GB | POTS | WiFi | Dual AC
TABLE 2-2. SOFTWARE FEATURES SUPPORTED PER MODEL SERIES
SERIES | DHCP | DDNS | MGT LAN | CELL OR WI-FI (1) | OOB | AUTORESPONSE | FLASH (FTP & TFTP) | FTPS | IPSEC, PPTP AND OPENVPN
LES1600 | yes | yes | yes | yes | yes | yes | yes | yes | yes
LES1700 | yes | yes | yes | yes | yes | yes | yes | yes | yes
LES1516/32/48 | yes | yes | yes | no | yes | yes | yes | yes | yes
1. Selected models have 3G/4G cellular, Wi-Fi Wireless Access Points (WAP) or both.
CAUTION: To avoid physical and electrical hazards, read the Safety Precautions at the beginning of this manual.
2.2 WHAT‘S INCLUDED
Your package should include the following items. If anything is missing or damaged, contact Black Box Technical Support
at 877-877-2269 or info@blackbox.com.
2.2.1 LES1516A, LES1532A, LES1548A
(1) Console Server
(2) CAT5 UTP cables
(1) DB9F to RJ-45 straight-through adapter
(1) DB9F to RJ-45 crossover adapter
(1) IEC AC power cord
(1) Quick Start Guide
2.2.2 LES1600 SERIES
(1) Console Server
(1) External rackmount tab
(1) Black terminal block
(1) DB9 F to RJ-45 adapter
(4) rubber feet
(1) Quick Start Guide
2.2.3 LES1700 SERIES
(1) LES1700 Series Remote Console Server
(1) Rackmount kit: (2) brackets, (6) screws
(2) Power cords
(2) 6-ft. (1.8-m) CAT5 patch cables
(1) DB9 F to RJ-45 F straight-through adapter
(1) DB9 F to RJ-45 F crossover adapter
(1) Quick Start Guide
2.3 HARDWARE DESCRIPTION
While we cannot illustrate every possible model of the Console Server in this manual, Sections 2.3.1 through 2.3.3 show one model
from each series.
2.3.1 LES1500 SERIES
Figures 2-1 and 2-2 show the front and back panels of the LES1548A. Table 2-3 describes its components.
FIGURE 2-1. LES1548A FRONT PANEL (callouts 1 to 7)
FIGURE 2-2. LES1548A BACK PANEL (callouts 8 to 12)
TABLE 2-3. LES1548A CONSOLE SERVER COMPONENTS
NUMBER IN FIGURE 2-1 OR 2-2 | COMPONENT | DESCRIPTION
1 | (1) PWR LED | Lights when power is on
2 | (1) H/B LED | Used for flash firmware updates
3 | (1) SER LED | Serial connection indication
4 | (1) NET LED | Links to Network 1
5 | (2) USB ports | Allow attachment of peripherals such as additional storage and USB consoles
6 | (1) RJ-45 console port | Links to RS-232 console
7 | Erase button | Push to erase settings
8 | (1) I/O switch | Press to turn power ON or OFF
9 | (1) 3-prong power receptacle | Links to power supply
10 | (48) RJ-45 serial ports | Links to devices
11 | (1) RJ-45 port | NET1
12 | (1) RJ-45 port | NET2
2.3.2 LES1600 SERIES
Figures 2-3 and 2-4 show the front and back panels of the LES1604A. Table 2-4 describes its components.
FIGURE 2-3. LES1604A FRONT PANEL (callouts 1 to 6)
FIGURE 2-4. LES1604A BACK PANEL (callouts 7 to 10)
TABLE 2-4. LES1604A CONSOLE SERVER COMPONENTS
NUMBER IN FIGURE 2-3 OR 2-4 | COMPONENT | DESCRIPTION
1 | H/B LED | Heartbeat LED, lights when firmware is running
1 | Serial LED | Active serial communication
2 | (1) RJ-45 port | NET1 Ethernet
3 | (1) RJ-45 port | NET2 Ethernet
4 | (1) Power LED | Lights when power is on
5, 6 | (1) Speed and Activity LEDs | Indicates 10/100/1000 Mbps and activity on NET1 and NET2
7 | (1) 4-pin power port | Power adapter input
8 | (4) RJ-45 ports | Serial console ports
9 | DIO and HVDO ports | DIO and HVDO ports
10 | (4) USB ports | Link to USB consoles
2.3.3 LES1700 SERIES
Figures 2-5 and 2-6 show the front and back panels of the LES1716A. Table 2-5 describes its components.
FIGURE 2-5. LES1716A FRONT PANEL (callouts 1 to 14)
FIGURE 2-6. LES1716A BACK PANEL (callouts 15 to 19)
TABLE 2-5. LES1716A CONSOLE SERVER COMPONENTS
NUMBER IN FIGURE 2-5 OR 2-6 | COMPONENT | DESCRIPTION
1 | LCD screen | LCD configuration
2 | UP button | Scroll up in the menu
2 | DOWN button | Scroll down in the menu
3 | OK button | Confirm selection
3 | BACK button | Go back to previous selection
4 | PWR LED | Lights when power is on
5 | H/B LED | Heartbeat LED, lights when firmware is running
6 | Serial LED | Active serial communication
7 | NET LED | Active network communication
8 | WiFi LED | Lights when WiFi is active
9, 10 | WiFi antenna connectors | Connects to the main or auxiliary WiFi antenna
10 | SD card slot | Expand storage
11 | (2) USB ports | Link to USB consoles
12 | V.92 modem port | Port for analog dialup
13 | RJ-45 console port | Attaches to serial console
14 | Erase button | Push to erase settings and configuration
15, 16 | (2) 3-prong power receptacles | Link to power supplies
16 | (2) I/O switches | Turns power ON or OFF
17 | (16) RJ-45 ports | Link to serial devices
18, 19 | (2) RJ-45/SFP ports | Link to Ethernet network ports NET1 and NET2
CHAPTER 3: INSTALLATION
Connect the Console Server to the network, to the serial ports of the controlled devices, and to power as outlined below.
3.1 POWER CONNECTION
3.1.1 LES1700, LES1516A, LES1532A AND LES1548A MODELS
These standard LES1700 console servers have dual universal AC power supplies with auto failover built in. The power supplies accept AC
input voltage between 100 and 240 VAC with a frequency of 50 or 60 Hz and the total power consumption per console server is less than
30 W. The LES1516A, LES1532A and LES1548A console servers each have one AC power supply.
Two IEC AC power sockets are located at the rear of the metal case, and these IEC power inlets use conventional IEC AC power cords.
Power cords for various regions are available, although the North American power cord is provided by default. There is a warning notice
printed on the back of each unit.
NOTE: To avoid electrical shock, the power cord grounding conductor must be connected to ground.
3.1.2 LES1600 MODELS
LES1600 models are supplied with an external AC-12-VDC wallmount power supply. This comes with a selection of wall socket adapters
for each geographic region (North American, Europe, UK, Japan or Australia). The 12-VDC connector from the power supply unit plugs
into the 12-VDC (PWR) power jack on the side of the console server casing.
Plug in the power supply AC power cable and the DC power cable.
Turn on the AC power and confirm the console server Power LED (PWR) is lit.
The LES1600 models can also be powered from an external +9-VDC to +30-VDC power source by connecting the DC power lines to a
power plug that plugs into the 12-VDC (PWR) jack.
3.2 NETWORK CONNECTION
All Black Box console servers ship with Ethernet ports.
These ports are located on the rear panel of the rackmount LES1516A, LES1532A, LES1548A units, and on the front of the smaller
LES1600 units. All physical connections are made using either industry standard CAT5 cabling and connectors or small form-factor
pluggable transceivers (SFPs).
Make sure you only connect the LAN port to an Ethernet network that supports 10/100/1000 Mbps (LES1700, LES1516A, LES1532A,
LES1548A, LES1600 only).
The LES1700 has four physical input ports which are logically presented as two ports (NET1 and NET2). Each logical port consists of a
copper 10/100/1000 port and a fiber-optic small form-factor pluggable (SFP) module slot.
The LES1604A has six physical input ports: (2) RJ-45 copper ports on the front of the device which are logically paired and marked as
NET1 and NET2; and four RJ-45 ports on the back of the device which constitute an independent Ethernet switch. The LES1608A has ten
physical RJ-45 input ports: two RJ-45 ports on the front of the device and eight RJ-45 ports on the back of the device.
For LES1700 series devices with logically-paired SFP and RJ-45 ports, you can use only one of the two physical ports at a time: either the
SFP module port or the 10/100/1000 port.
For LES1700 console servers with logically-paired SFP and RJ-45 ports, the fiberoptic medium (the SFP module) has priority over the
copper medium (the RJ-45 port). Only if the SFP module is not plugged in does the RJ-45 copper link become active. This applies
regardless of the connection order. If the SFP module is plugged in after the copper medium has established a link, the copper link is
disconnected and the fiberoptic medium becomes active.
For the initial configuration of the console server, you must connect a computer to the console server’s principal network port. This port’s
label varies from model to model but always includes a numeric one (1). Specific labels include NET1, NETWORK1, LAN1, and LAN USB1.
3.3 SERIAL PORT CONNECTION
Console servers all come with four to forty-eight serial ports, marked SERIAL or SERIAL PORTS. These ports connect to serially managed
devices. Each console server also has either a dedicated Local Console (or modem) port marked LOCAL or CONSOLE, or one of its
SERIAL ports can be software configured in Local Console mode. This Local Console port can be used for local command-line access
(or an external serial modem out-of-band connection).
All console server models except the LES1600 have a dedicated local RS-232 Console port. This is an RJ-45 connector (Cisco Straight)
located on the front of the LES1700, LES1516A, LES1532A and LES1548A models.
LES1600 models have four or eight serial ports presented as RJ-45 ports 1–x. By default, port 1 on all these models is configured in Local
Console mode.
Conventional CAT5 cabling with RJ-45 jacks is generally used for serial connections. Black Box supplies a range of cables and adapters
that may be required to connect to the more popular servers and network appliances.
Before connecting the console port of an external device to the console server serial port, confirm that the device supports the RS-232C
(EIA-232) standard.
The console servers come with four to forty-eight serial connectors for the RS-232 serial ports:
The RJ-45 serial ports are located on the rear panel of the LES1600 and on the rear panel of the rackmount LES1700.
The LES1600, LES1516A, LES1532A, and LES1548A models have Cisco Straight serial pinouts on the RJ-45 connectors.
All serial ports on the LES1700 are RJ-45 and are software-selectable for Cisco Straight or Cisco Rolled pinout.
Some console server models support RS-422 and RS-485 as well as RS-232.
The four RJ-45 serial ports on the LES1604A are each RS-232/422/485 software-selectable.
See Appendix C for RS-422/485 pinout and connection details.
TABLE 3-1. SERIAL PORT PINOUTS
PRODUCT FAMILY | CONNECTOR | SERIAL PORTS PINOUT | RS-232 | RS-422/485 | CONSOLE PORT
LES1600 series | RJX2 | Cisco | yes | yes | no (1)
LES1700 series | RJX2 | Cisco | yes | no | no (1)
LES1500 series | RJX2 | Cisco | yes | no | yes
NOTE 1. The first serial port can be reassigned to be a console port.
3.3.1 CISCO ROLLED RJ-45 PINOUT
The LES1700 console servers can select this pinout. This makes it easy to replace Cyclades products, and is convenient for use with
rolled RJ-45 cable:
TABLE 3-2. CISCO ROLLED RJ-45 PINOUT
PIN | SIGNAL | DEFINITION | DIRECTION
1 | RTS | Request To Send | Output
2 | DTR | Data Terminal Ready | Output
3 | TXD | Transmit Data | Output
4 | GND | Signal Ground | n/a
5 | CTS | Clear To Send | Input
6 | RXD | Receive Data | Input
7 | DCD | Data Carrier Detect | Input
8 | DSR | Data Set Ready | Input
3.3.2 CISCO RJ-45 PINOUT
The LES1600, LES1516A, LES1532A and LES1548A models have Cisco serial pinouts on their RJ-45 connectors. The LES1700 console
servers can select this pinout (it is the default). This provides straight-through RJ-45 cable to equipment such as Cisco, Juniper, Sun and
many more:
TABLE 3-3. CISCO RJ-45 PINOUT
PIN | SIGNAL | DEFINITION | DIRECTION
1 | CTS | Clear To Send | Output
2 | DSR | Data Set Ready | Output
3 | RXD | Receive Data | Output
4 | GND | Signal Ground | n/a
5 | GND | Signal Ground | Input
6 | TXD | Transmit Data | Input
7 | DTR | Data Terminal Ready | Input
8 | RTS | Request To Send | Input
3.4 USB PORT CONNECTION
Most console servers have external USB ports. LES1700 Series Console Servers have USB 3.0 ports. On other models, these ports
are mostly USB 2.0. They can be used for:
• connecting to UPS or PDU managed devices (for managing UPS supplies, for example).
• connecting an external USB memory stick.
• connecting to USB Consoles.
The LES1700 series models have two front-facing USB 3.0 ports.
Some console server models also come with internal USB connections to cellular modem and/or flash memory.
The LES1600 models have an internal 4 GB USB flash drive as well as four unallocated external USB 2.0 ports. These four
unallocated USB ports are labelled 1–4 on the device itself and in the Web interface.
3.5 FITTING CELLULAR SIM AND ANTENNAS
The LES1700-V/-T/-R-I models all have an internal 4G LTE cellular modem that requires at least one SIM card to be installed and two
external cellular antennas to be attached.
The LES1700 models also have an internal 802.11 wireless modem that requires at least one external WiFi antenna to be attached.
3.5.1 LES1604A-V/-T/-R MODELS
LES1600s come with internal 4G LTE modems and dual mini-SIM card slots (LES1604A-V, -T, -R).
The -T models work with AT&T USA. The -V models work with Verizon USA and the -R models work with global 4G LTE carriers.
NOTE: Some models are also multi-carrier. The LES1604A-T, for example, works with AT&T USA by default but can be reset to work with
Verizon USA.
Whichever carrier you choose, their SIM card activates the data plan and must be installed before powering on the device.
Dual-SIM models use a SIM cradle. The cradle holds the SIM card or cards and slides into the dual-SIM-card slot on the front of the
device. The bottom slot is the default slot. If you have a dual-SIM LES1600 and only one SIM card, insert the card into the bottom slot of
the SIM cradle. No matter the specific configuration, SIM cards go into the cradle with the contacts upwards and the notch inward and
adjacent to the longer cradle arm.
LES1600 models also come with two external 7-band cellular antennas. Screw the provided antennas on to the main Cell (M) and
diversity Cell (A) SMA connectors on the rear panel. An external GPS passive antenna with magnetic base, SMA connector and 2 meter
cable is available (not included). Screw it on to the GPS SMA connector on the rear panel.
3.5.2 ALL LES1700 MODELS
The LES1700 models have an internal 802.11 WiFi adapter and come with an external WiFi antenna.
Before powering on the LES1700:
• Screw the wireless antenna on to the WIFI (MAIN) SMA connector.
The LES1700 has a second WiFi antenna connector. This WIFI (AUX) connector can be used for diversity and requires an external antenna
(not included).
CHAPTER 4: SYSTEM CONFIGURATION
This chapter provides step-by-step instructions for the initial configuration of your console server, and connecting it to the
Management or Operational LAN. This involves the Administrator:
• activating the Management Console.
• changing the Administrator password.
• setting the IP address of the console server’s principal LAN port.
• selecting the services to be enabled and access privileges.
This chapter also discusses the communications software tools that the Administrator may use in accessing the console server,
and the configuration of the additional LAN ports.
NOTE: For guidance on configuring large numbers of Black Box appliances and/or automating provisioning, consult Section 4.7:
Configuration over DHCP (ZTP) and Section 16.15: Bulk Provisioning.
4.1 MANAGEMENT CONSOLE CONNECTION
Your console server comes configured with the following default IP address and subnet mask:
IP address: 192.168.0.1
Subnet mask: 255.255.255.0
For initial configuration, we recommend that you connect the console server directly to a single computer.
If you choose to connect the console server and computer to a LAN before completing the initial setup steps, the following
conditions must be met:
• there must be no other devices on the LAN at IP address 192.168.0.1.
• the console server and the computer must be on the same LAN segment, with no interposed router appliances.
4.1.1 CONNECTED COMPUTER SETUP
To configure the console server with a browser, the connected PC/workstation should have an IP address in the same range as the
console server (for example, 192.168.0.100).
To configure the IP address of a computer running Linux, macOS, or Unix:
• run ifconfig.
To configure the IP address of a computer running Windows:
• Click Start -> (Settings ->) Control Panel -> Network and Sharing Center -> Change Adapter Settings.
• Right-click on Local Area Connection and select Properties.
• Select Internet Protocol (TCP/IP) and click Properties.
• Select Use the following IP address and enter the following details:
IP address: 192.168.0.100
Subnet mask: 255.255.255.0
If you want to retain your existing IP settings for this network connection, click Advanced and add the above details as a secondary
IP connection.
If it is not convenient to change your computer’s network address, you can use the ARP-Ping command to reset the console
server’s IP address. To do this from a computer running Windows:
• Click Start -> Run (or select All Programs > Accessories > Run).
• Type cmd and click OK to bring up the cmd.exe shell prompt.
• Type arp -d to flush the ARP cache.
• Type arp -a to view the current ARP cache (this should be empty).
FIGURE 4-1. CMD.EXE SHELL PROMPT
Now add a static entry to the ARP table and ping the console server to assign the IP address to the console server.
In the example below, a console server has the MAC Address 00:13:C6:00:02:0F (designated on the label on the bottom of the unit)
and its IP address is set to 192.168.100.23.
NOTE: The computer issuing the arp command must be on the same network segment as the console server (that is, have an IP
address of 192.168.100.xxx).
• On Windows: type arp -s 192.168.100.23 00-13-C6-00-02-0F
• On Linux, macOS or Unix: type arp -s 192.168.100.23 00:13:C6:00:02:0F
• Type ping -t 192.168.100.23 to start a continuous ping to the new IP address.
• Turn on the console server and wait for it to configure itself with the new IP address. It will start replying to the ping at this point.
• Type arp -d to flush the ARP cache again.
4.1.2 BROWSER CONNECTION
Launch or switch to your preferred browser on the connected computer and enter https://192.168.0.1.
NOTE: Console servers ship with a self-signed SSL certificate and are factory configured with HTTPS access enabled and HTTP
access disabled.
The Management Console supports all current versions of the popular browsers: Internet Explorer, Firefox, Chrome, Safari and
more.
You will be prompted to log in.
Enter the default administration username and administration password:
Username: root
Password: default
FIGURE 4-2. SYSTEM: LOGIN SCREEN
A Welcome page, which lists initial configuration steps, will display.
FIGURE 4-3. WELCOME SCREEN
These steps are:
• Change default administration password (Users page, see Section 4.2.)
• Configure the local network settings (System/IP page, see Section 4.3.)
• Configure serial ports settings (Serial & Network/Serial Port page, see Chapter 5.)
• Configure user port access (Serial & Network/Users page, see Chapter 5.)
If your system has a cellular modem, steps to configure the cellular router features will also be presented:
• Configure the cellular modem connection (System/Dial page, see Chapter 6.)
• Allow forwarding to the cellular destination network (System/Firewall page, see Chapter 6.)
• Enable IP masquerading for cellular connection (System/Firewall page, see Chapter 6.)
After completing each of the above steps, return to the configuration list by clicking the Black Box logo in the top left corner
of the page.
NOTE: If you are not able to connect to the Management Console at 192.168.0.1 or if the default Username and Password were not
accepted, reset your console server (see Chapter 12).
4.2 ADMINISTRATOR SETUP
4.2.1 CHANGE DEFAULT ROOT SYSTEM PASSWORD
For security reasons, only the administrative user named root can initially log into a console server. So only those people who know
the root password can access and reconfigure the console server itself.
The corollary is that anyone who correctly guesses the root password can gain access and control of a console server. The initial
root password is default. It is essential, therefore, to enter and confirm a new password before giving the console server any
access to, or control of, other computers and network appliances.
Select Change default administration password from the Welcome page.
The Serial & Network > Users & Groups page loads. From here a new, confirmed password for the root user can be set.
NOTE: There are no character restrictions in a console server user’s password. And passwords can be up to 254 characters long.
FIGURE 4-4. SERIAL & NETWORK: USERS & GROUPS SCREEN
If the console server has flash memory (such as the LES1700) you will be given the option to Save Password across firmware
erases.
Checking this will save the password hash in the non-volatile configuration partition, which does not get erased on firmware reset. If
this password is lost, the affected console server will need to be firmware recovered.
Click Apply.
Since the root password has changed, a new log-in prompt will present. This time, use the new password.
4.2.2 SET UP A NEW ADMINISTRATOR
A new Administrator user should be set up and this new user should be used for ongoing console server administration, rather than
relying on the root user.
This new user can be configured in the admin group with full access privileges by selecting Serial & Network >
Users & Groups >Add a New User.
FIGURE 4-5. ADD A NEW USER SCREEN
4.2.3 NAME THE SYSTEM
Select System > Administration.
Enter a System Name and System Description for the console server to give it a unique ID and make it simple to identify.
FIGURE 4-6. NAME THE SYSTEM SCREEN
NOTE: The System Name can contain from 1 to 64 alphanumeric characters as well as the following special characters . - _. There
are no restrictions on the characters that can be used in the System Description, which can contain up to 254 characters.
Optional: text entered in the MOTD Banner field is displayed to users when they log in to the console server.
Click Apply.
NOTE: If you are not confident your console server has been supplied with the current release of firmware, you can upgrade it. (See
Chapter 12 for details.)
4.3 NETWORK CONFIGURATION
The next step is to enter an IP address for the principal Ethernet (LAN/Network/Network1) port on the console server; or enable its
DHCP client so that it automatically obtains an IP address from a DHCP server on the network it is to be connected to.
On the System > IP menu, select the Network Interface page then check DHCP or Static for the Configuration Method.
FIGURE 4-7. NETWORK INTERFACE PAGE
If you selected Static, you must manually enter the new IP Address, Subnet Mask, Gateway and DNS server details. This selection
automatically disables the DHCP client.
By default, the console server LAN port auto detects the Ethernet connection speed. To lock the Ethernet port to 10 Mbps or 100
Mbps and to Full Duplex (FD) or Half Duplex (HD), select a speed and duplex setting from the Media pop-up menu.
If you encounter packet loss or poor network performance with the default auto-negotiation setting, try manually setting the Media
settings on both the console server and the device it is connected to. In most cases, select 100BASE-TX-FD (100 megabits, full
duplex). Make sure both sides are set identically.
If you selected DHCP, the console server will look for configuration details from a DHCP server. This selection automatically disables
any static address. The console server’s MAC address can be found on a label on the base plate.
In its factory default state (with no Configuration Method selected), the console server has its DHCP client enabled, so it
automatically accepts any network IP address assigned by a DHCP server on your network. In this initial state, the console server
will then respond to both its Static address (192.168.0.1) and its newly assigned DHCP address.
You may also enter a secondary address or comma-separated list of addresses in CIDR notation as an IP Alias.
For example: 192.168.1.1/24.
NOTE: If you changed the console server’s IP address, you may need to reconfigure your computer so it has an IP address
that is in the same network range as this new address (as detailed earlier in this chapter).
Click Apply.
Reconnect the browser on the computer that is connected to the console server by entering https://new-ip-address-here/.
4.3.1 IPV6 CONFIGURATION
By default, the console server Ethernet interfaces support IPv4. They can also be configured for IPv6 operation.
Select System > IP.
Click the General Settings tab.
FIGURE 4-8. SYSTEM > IP, GENERAL SETTINGS TAB
Check the Enable IPv6 check box.
FIGURE 4-9. ENABLE IPV6
Click the Network Interface to access the IPv6 settings section.
Configure the IPv6 settings.
4.3.2 DYNAMIC DNS (DDNS) CONFIGURATION
With Dynamic DNS (DDNS), a console server with its IP address dynamically assigned (and that may change from time to time) can
be located using a fixed host or domain name.
The first step in enabling DDNS is to create an account with the supported DDNS service provider of your choice. Supported DDNS
providers are listed in the following table.
TABLE 4-1. SUPPORTED DDNS SERVICE PROVIDERS
SERVICE PROVIDER | URL | DESCRIPTION
DyNS | http://dyns.cx/ |
Dyn | https://dyn.com/ | Formerly DynDNS
GNUDip | http://freecode.com/projects/gnudip | An open-source DDNS tool for use by ISPs. Check if your ISP supports GNUDip.
Pubyun | http://pubyun.com/ | Chinese DDNS provider. Formerly operated as 3322.org.
NOTE: Two previously supported DDNS providers are ODS, which is no longer operating, and TZO, which was bought by Dyn and is no
longer operating independently.
Upon registering with the DDNS service provider, select a username and password, as well as a hostname that you will use as the DNS
name (to allow external access to your machine using a URL).
Dynamic DNS service providers allow the user to choose a hostname URL and set an initial IP address to correspond to that hostname
URL. Many Dynamic DNS providers offer a selection of URL hostnames available for free use with their service. However, with a paid plan,
any URL hostname (including your own registered domain name) can be used.
You can now enable and configure DDNS on any of the Ethernet or cellular network connections on the console server (by default DDNS
is disabled on all ports):
Select the DDNS service provider from the drop down Dynamic DNS list on the System > IP or System > Dial menu.
FIGURE 4-10. DROP-DOWN DYNAMIC DNS LIST
• In DDNS Hostname, enter the fully qualified DNS hostname for your console server (for example, your-hostname.dyndns.org).
• Enter the DDNS Username and DDNS Password for the DDNS service provider account.
• Specify the Maximum interval between updates in days. A DDNS update will be sent even if the address has not changed.
• Specify the Minimum interval between checks for changed addresses in seconds. Updates will still only be sent if the address has
changed.
• Specify the Maximum attempts per update (that is, the number of times to attempt an update before giving up). By default this is set
to 3.
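As an added example (not Black Box code), the following Python models how the three interval and retry settings above interact; it assumes the reading stated in its docstring, uses a constructed stand-in for the DDNS provider, and borrows the manual's own placeholder hostname.

```python
"""Interplay of the three DDNS client settings described above.

Added example, not Black Box code. Assumed reading of the settings:
- a check is skipped if the previous check was less than min_check_seconds ago;
- an update is sent when the address changed, or when max_update_days have
  passed since the last accepted update even if the address did not change;
- each update is tried at most max_attempts times before giving up.
"""
from datetime import datetime, timedelta


class DdnsClient:
    def __init__(self, hostname, max_update_days=1, min_check_seconds=600,
                 max_attempts=3):
        self.hostname = hostname
        self.max_update = timedelta(days=max_update_days)
        self.min_check = timedelta(seconds=min_check_seconds)
        self.max_attempts = max_attempts
        self.last_check = None     # when the address was last examined
        self.last_update = None    # when the provider last accepted an update
        self.published_ip = None   # address the provider currently holds

    def check(self, now, current_ip, send_update):
        """One client pass. send_update(hostname, ip) returns True on success.

        Returns one of "skipped", "unchanged", "updated", "failed".
        """
        if self.last_check is not None and now - self.last_check < self.min_check:
            return "skipped"
        self.last_check = now
        stale = (self.last_update is None
                 or now - self.last_update >= self.max_update)
        if current_ip == self.published_ip and not stale:
            return "unchanged"
        for _attempt in range(self.max_attempts):
            if send_update(self.hostname, current_ip):
                self.published_ip = current_ip
                self.last_update = now
                return "updated"
        return "failed"


class FakeProvider:
    """Constructed stand-in for the DDNS service: rejects the first
    `failures` calls, then records the published address."""

    def __init__(self, failures=0):
        self.failures = failures
        self.records = {}
        self.calls = 0

    def send_update(self, hostname, ip):
        self.calls += 1
        if self.failures > 0:
            self.failures -= 1
            return False
        self.records[hostname] = ip
        return True


def run_scenario():
    """Drive the client through a constructed timeline; return the results."""
    provider = FakeProvider(failures=2)
    client = DdnsClient("your-hostname.dyndns.org", max_update_days=1,
                        min_check_seconds=600, max_attempts=3)
    t0 = datetime(2024, 5, 1, 8, 0, 0)
    send = provider.send_update
    results = [
        client.check(t0, "198.51.100.10", send),                       # updated (3rd attempt)
        client.check(t0 + timedelta(seconds=60), "198.51.100.10", send),   # skipped (too soon)
        client.check(t0 + timedelta(seconds=600), "198.51.100.10", send),  # unchanged
        client.check(t0 + timedelta(hours=1), "198.51.100.11", send),      # updated (changed)
        client.check(t0 + timedelta(days=1, hours=1), "198.51.100.11", send),  # updated (forced)
    ]
    return results, provider.calls, provider.records


def run_failure_scenario():
    """Provider that never accepts: the client gives up after max_attempts."""
    provider = FakeProvider(failures=10)
    client = DdnsClient("your-hostname.dyndns.org", max_attempts=3)
    result = client.check(datetime(2024, 5, 1, 8, 0, 0), "198.51.100.10",
                          provider.send_update)
    return result, provider.calls


if __name__ == "__main__":
    print(run_scenario())
    print(run_failure_scenario())
```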
4.4 SERVICES AND SERVICE ACCESS
The Administrator can access the console server, connected serial ports, and managed devices using a range of access protocols
and services. For each such access:
• the particular service must first be configured and enabled to run on the console server.
• then access through the firewall must be enabled for each network connection.
To enable and configure a service:
• Navigate to System > Services.
• Select the Service Settings tab.
FIGURE 4-11. SYSTEM > SERVICES SCREEN
NOTE: With firmware releases prior to version 3.5.3, services are enabled and configured using the Service Access tab on the
System > Firewall page.
Enable and configure basic services.
HTTP: By default the HTTP service is running and it cannot be fully disabled. However by default HTTP access is disabled on all
interfaces and it is recommended this access remains disabled, if the console server is to be remotely accessed over the Internet.
Alternate HTTP also enables you to configure an alternate HTTP port to listen on. However the HTTP service will continue internally listening
on TCP port 80 (for CMS and sdt-connector communications) but will be inaccessible through the firewall.
HTTPS: By default, the HTTPS service is running and this service is enabled on all network interfaces. We recommend that
only HTTPS access be used if the console server is to be managed over any public network (e.g. the Internet). This ensures the
Administrator has secure browser access to all the menus on the console server. It also allows appropriately configured Users
secure browser access to selected Manage menus. For information on certificate and user client software configuration, see Chapter
10, Authentication. The HTTPS service can be completely disabled (or re-enabled) by checking HTTPS Web Management and an
alternate port specified (default port is 443).
Telnet: By default, the Telnet service is running. However, by default, the service is disabled on all network interfaces.
Telnet can be used to give the Administrator access to the system command line shell. While this may be suitable for a local direct
connection over a management LAN, we recommend that this service be disabled if the console server is to be remotely administered. This
service may also be useful for local Administrator and the User access to selected serial consoles.
The Enable telnet command shell checkbox will completely enable or disable the telnet service. An alternate telnet port to listen on can be
specified in Alternate Telnet Port (default port is 23).
SSH: This service provides secure SSH access to the console server and attached devices, and by default the SSH service is running
and enabled on all interfaces. We recommend that you choose SSH as the protocol where the Administrator connects to the console
server over the Internet or any other public network. This will provide authenticated communications between the SSH client program
on the remote computer and the SSH server in the console server. For more information on SSH configuration, see Chapter 10,
Authentication.
The Enable SSH command shell checkbox will completely enable or disable this service. An alternate SSH port to listen on can be specified
in SSH command shell port (default port is 22).
Enable and configure other services.
TFTP/FTP: If a USB flash card or internal flash is detected on a console server (for example, an LES1200, LES1508A, LES1600,
LES1516A, LES1532A, LES1548A, LES1700 or LES1400) then checking Enable TFTP (FTP) service will enable this service and set up
the default tftp and ftp server on the USB flash.
These servers are used to store config files, maintain access and transaction logs, etc. Files transferred using tftp and ftp will be stored under
/var/mnt/storage.usb/tftpboot/ (or /var/mnt/storage.nvlog/tftpboot/ on LES1600-series devices).
Unchecking Enable TFTP (FTP) service will completely disable the TFTP (FTP) service.
DNS Relay: Checking Enable DNS Server/Relay will enable the DNS relay feature so clients can be configured with the console server’s
IP for their DNS server setting, and the console server will forward the DNS queries to the real DNS server.
Web Terminal: Checking Enable Web Terminal will allow web browser access to the system command line shell via Manage >
Terminal.
Specify alternate port numbers for Raw TCP, direct Telnet/SSH and unauthenticated Telnet/SSH services.
The console server uses specific default ranges for the TCP/IP ports for the various access services that Users and Administrators can use
to access devices attached to serial ports (see Chapter 5: Serial Port, Host, Device and User Configuration). The Administrator can also set
alternate ranges for these services, and these secondary ports will then be used in addition to the defaults.
The default TCP/IP base port address for telnet access is 2000, and the range for telnet is IP Address: Port (2000 + serial port #), that is,
ports 2001–2048.
For example, if the Administrator sets 8000 as a secondary base for telnet, then serial port #2 on the console server can be accessed via
telnet at IP Address:2002 and at IP Address:8002.
The default base for SSH is 3000; for Raw TCP the default base is 4000; and for RFC2217 it is 5000.
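As an added example (not Black Box code), the following Python encodes the port bases above: it lists the TCP ports on which a given serial port is reachable per service, including an optional secondary base such as the 8000 telnet base in the manual's example, and does the reverse lookup over constructed firewall-style log lines so that accesses to attached consoles can be attributed to a source host and protocol. The log line format is constructed for the example.

```python
"""Map the console server's per-serial-port TCP ports to services and back.

Added example, not Black Box code. Default bases from the manual: telnet 2000,
SSH 3000, Raw TCP 4000, RFC2217 5000. A secondary base (the manual's example:
8000 for telnet) is used in addition to the default, not instead of it.
Serial port N is reached at base + N, so 48 ports occupy base+1 .. base+48.
"""
import re

DEFAULT_BASES = {"telnet": 2000, "ssh": 3000, "rawtcp": 4000, "rfc2217": 5000}


def access_ports(service, serial_port, num_serial_ports, secondary_bases=None):
    """Return every TCP port on which `serial_port` is reachable via `service`."""
    if service not in DEFAULT_BASES:
        raise ValueError("unknown service: %r" % service)
    if not 1 <= serial_port <= num_serial_ports:
        raise ValueError("serial port %d out of range 1..%d"
                         % (serial_port, num_serial_ports))
    bases = [DEFAULT_BASES[service]]
    secondary = (secondary_bases or {}).get(service)
    if secondary is not None:
        bases.append(secondary)
    return [base + serial_port for base in bases]


def classify_tcp_port(tcp_port, num_serial_ports, secondary_bases=None):
    """Inverse lookup: (service, serial_port) for a TCP port, or None.

    None means the port lies outside every serial-access range (443 for HTTPS
    management, for instance), so it must not be reported as console access.
    Assumes the configured ranges do not overlap.
    """
    ranges = list(DEFAULT_BASES.items())
    ranges += list((secondary_bases or {}).items())
    for service, base in ranges:
        if base < tcp_port <= base + num_serial_ports:
            return (service, tcp_port - base)
    return None


# Constructed firewall-style log lines (not real console server output).
CONSTRUCTED_LOG = [
    "ACCEPT src=10.1.1.5 dst=192.168.100.23 proto=tcp dport=2002",
    "ACCEPT src=10.1.1.5 dst=192.168.100.23 proto=tcp dport=8002",
    "ACCEPT src=203.0.113.9 dst=192.168.100.23 proto=tcp dport=3017",
    "ACCEPT src=203.0.113.9 dst=192.168.100.23 proto=tcp dport=443",
]
LOG_RE = re.compile(r"src=(\S+).*?dport=(\d+)")


def serial_access_events(lines, num_serial_ports, secondary_bases=None):
    """Reduce log lines to (source IP, service, serial port) tuples.

    Lines that do not parse, or whose destination port is outside the serial
    ranges, are dropped: the result is the view a reviewer wants when checking
    which hosts reached which attached console over which protocol.
    """
    events = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        hit = classify_tcp_port(int(m.group(2)), num_serial_ports, secondary_bases)
        if hit is not None:
            events.append((m.group(1), hit[0], hit[1]))
    return events


if __name__ == "__main__":
    print(access_ports("telnet", 2, 48, {"telnet": 8000}))   # [2002, 8002]
    for src, service, port in serial_access_events(CONSTRUCTED_LOG, 48,
                                                   {"telnet": 8000}):
        print("%s -> serial port %d via %s" % (src, port, service))
```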
A number of other services can be enabled and configured indirectly from this menu by selecting Click here to configure:
• Nagios: Access to the Nagios NRPE monitoring daemons (see Chapter 11).
• NUT: Access to the NUT UPS monitoring daemon (see Chapter 12).
• SNMP: This will enable netsnmp in the console server. SNMP is disabled by default (see Chapter 8 and Section 16.5).
• NTP: See Chapter 12.
Click Apply. As you apply your services selections, the screen will be updated with a confirmation message: Message Changes to
configuration succeeded.
The Services Access settings can now be set to allow or block access.
This specifies which (enabled) services the Administrator can use over each network interface to connect to the console server and,
through the console server, to attached serial and network connected devices.
Navigate to System > Services.
Select the Service Access tab.
FIGURE 4-12. SERVICE ACCESS TAB
NOTE: With firmware releases pre 3.5.3 the Service Access tab is found at System > Firewall.
The services currently enabled for the console server’s network interfaces are presented. Depending on the particular console server
model, the interfaces displayed may include:
• Network interface: for the principal Ethernet connection
• Management LAN/OOB Failover: second Ethernet connections
• Dialout/Cellular: V90 and 3G modem
• Dial-in: internal or external V90 modem
• Wi-Fi: 802.11 wireless.
• VPN: IPsec or Open VPN connection over any network interface.
Check or uncheck for each network which service access is to be enabled or disabled.
In the example shown below, local administrators on the local Management LAN have telnet access direct to the console server (and
attached serial ports), while remote administrators using Dial-In or Cellular have no telnet access (unless they set up a VPN).
FIGURE 4-13. SERVICE ACCESS EXAMPLE
The Respond to ICMP echos (that is ping) service access options can be configured at this stage.
This allows the console server to respond to incoming ICMP echo requests. ping is enabled by default. For security reasons, however, this
service should generally be disabled post initial configuration.
You can also configure to allow serial port devices to be accessed from nominated network interfaces using Raw TCP, direct Telnet/
SSH, unauthenticated Telnet/SSH services, etc.
Click Apply to apply your services access selections.
BRUTE FORCE PROTECTION
Brute force protection (Micro Fail2ban) temporarily blocks source IPs that show malicious signs, such as too many password
failures.
FIGURE 4-14. BRUTE FORCE PROTECTION SCREEN
This may help mitigate scenarios where the Black Box device’s network services are exposed to an untrusted network such as the
public WAN, and scripted attacks or software worms are attempting to guess (brute force) user credentials and gain unauthorized
access.
Brute force protection may be enabled for the listed services.
Once protection is enabled, 3 or more failed connection attempts within 60 seconds from a specific source IP cause that IP to be
banned from connecting for the next 60 seconds. Active bans are also listed and may be refreshed by reloading the page.
NOTE: When a Black Box device is running on an untrusted network, we recommend that you use a variety of strategies to lock
down remote access. This includes strong passwords (or even better, SSH public key authentication), VPN, and using
Firewall Rules to whitelist remote access from trusted source networks only.
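The ban policy above (3 failures within 60 seconds, then a 60 second ban per source IP) is easy to get subtly wrong, so here is an added example of the sliding-window logic replayed over a few constructed log lines. It is example code written for this page, not the device's Micro Fail2ban implementation; the log line format, the IP addresses and the timestamps are invented for the demonstration.

```python
import re
from collections import defaultdict, deque

# Policy from the manual: 3 or more failures within 60 s from one source IP
# result in that IP being banned for 60 s.
MAX_FAILURES = 3
WINDOW_SECONDS = 60
BAN_SECONDS = 60

# Constructed sample log (not real device output): epoch time, service,
# outcome and source IP on each line.
SAMPLE_LOG = """\
1000 sshd auth-fail src=198.51.100.7
1010 sshd auth-fail src=198.51.100.7
1020 sshd auth-ok src=203.0.113.5
1030 sshd auth-fail src=198.51.100.7
1035 sshd auth-fail src=198.51.100.7
1100 sshd auth-fail src=198.51.100.7
1200 sshd auth-fail src=198.51.100.9
1270 sshd auth-fail src=198.51.100.9
1340 sshd auth-fail src=198.51.100.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+) (?P<svc>\S+) (?P<result>auth-fail|auth-ok) src=(?P<ip>[\d.]+)$"
)


class BruteForceGuard:
    """Sliding-window failure counter with temporary bans, one bucket per source IP."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS, ban_time=BAN_SECONDS):
        self.max_failures = max_failures
        self.window = window
        self.ban_time = ban_time
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.bans = {}                      # ip -> time at which the ban expires

    def is_banned(self, ip, now):
        expiry = self.bans.get(ip)
        if expiry is None:
            return False
        if now >= expiry:
            del self.bans[ip]               # the ban has lapsed
            return False
        return True

    def record_failure(self, ip, now):
        """Register one failed login; return True if this failure triggers a ban."""
        q = self.failures[ip]
        q.append(now)
        while q and now - q[0] > self.window:  # drop failures outside the window
            q.popleft()
        if len(q) >= self.max_failures:
            self.bans[ip] = now + self.ban_time
            q.clear()                          # count afresh once the ban lifts
            return True
        return False


def process_log(text, guard=None):
    """Replay log lines; return (events, guard) where events lists each ban decision."""
    guard = guard or BruteForceGuard()
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, ip = int(m["ts"]), m["ip"]
        if guard.is_banned(ip, ts):
            events.append((ts, ip, "dropped: banned"))
            continue
        if m["result"] == "auth-fail" and guard.record_failure(ip, ts):
            events.append((ts, ip, "banned"))
    return events, guard
```

A success between failures does not reset the counter here, matching the text, which counts failures only. The 198.51.100.9 lines show the limit of the protection: three failures spaced more than 60 seconds apart never trigger a ban, so a patient attacker stays under the threshold, which is why the note above recommends firewall rules and SSH public key authentication in addition to this feature.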
4.5 COMMUNICATIONS SOFTWARE
You have configured access protocols for the Administrator client to use when connecting to the console server. User clients (which
may be set up later) will also use these protocols when accessing console server serial attached devices and network attached
hosts.
You will need to have appropriate communications software tools set up on the Administrator (and User) client’s computer. Black
Box provides the SDT Connector as the recommended client software tool. Other generic tools such as PuTTY and SSHTerm may
be used and these are all described next.
4.5.1 SDT CONNECTOR
SDT Connector is a lightweight tool that enables Users and Administrators to securely access the Console server, and the various
computers, network devices and appliances that may be serially or network connected to the console server.
[Figure: SDT Connector (RDP/VNC/Telnet/HTTP client) opens an SDT encrypted tunnel to the console server; RDP/VNC/Telnet/HTTP sessions are forwarded to devices, computers and service processors on the LAN, such as application and database servers, a web server, desktop PCs and a network appliance.]
FIGURE 4-15. SDT CONNECTOR APPLICATION EXAMPLE
SDT Connector is a Java client program that couples the trusted SSH tunneling protocol with popular access tools such as Telnet,
SSH, HTTP, HTTPS, VNC, and RDP to provide point-and-click secure remote management access to all the managed systems and
devices.
Information on using SDT Connector for browser access to the console server’s Management Console, Telnet/SSH access to the
console server command line, and TCP/UDP connecting to hosts that are network connected to the console server can be found in
Chapter 7, SSH Tunnels and SDT Connector.
SDT Connector can be installed on computers running Windows or macOS and on most Linux, UNIX and Solaris systems.
4.5.2 PUTTY
Communications packages like PuTTY can also be used to connect to the console server command line (and to connect to serially
attached devices, as covered in Chapter 5). PuTTY is a free implementation of Telnet and SSH for Win32 and UNIX platforms.
It runs as an executable application without needing to be installed onto your system. PuTTY (the Telnet and SSH client itself) can
be downloaded from http://putty.org/.
FIGURE 4-16. PUTTY
To use PuTTY for an SSH terminal session from a Windows client, you enter the console server’s IP address as the Host Name (or
IP address).
To access the console server command line, you select SSH as the protocol and use the default IP Port 22.
Click Open and you will be presented with the console server login prompt. (You may also receive a Security Alert that the host's
key is not cached. Before choosing Yes, compare the fingerprint PuTTY displays with the console server's host key fingerprint obtained
out of band; accepting an unverified key leaves the session open to a man-in-the-middle.)
Using the Telnet protocol is similarly simple, except you use the default Telnet port, port 23. Note that Telnet sends the login
credentials and the whole session in the clear, so it should only be used over a trusted network.
4.5.3 SSHTERM
Another communications package that may be useful is SSHTerm, an open source package that can be downloaded from
http://sourceforge.net/projects/sshtools.
To use SSHTerm for an SSH terminal session from a Windows client, Select File > New Connection.
A dialog box appears for your Connection Profile.
FIGURE 4-17. SSHTERM DIALOG BOX
Enter the host name or IP address for the console server you are connecting to and the TCP port that the SSH session will use
(port 22).
Enter your username, choose password authentication, and click Connect.
If you receive a message about the host key fingerprint, verify it against the fingerprint you expect for the console server, then select Yes or Always to continue.
The remote system will prompt you for a username and password. Enter these to login to the console server.
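Both PuTTY (Section 4.5.2) and SSHTerm (Section 4.5.3) offer to cache the console server's host key on first connection, and clicking Yes without looking is how a man-in-the-middle gets accepted. The check that matters is comparing the fingerprint the client displays with one recorded from the console server over a trusted path (for example, from a client on the local Management LAN). The following added example, which is not part of this manual or of either client, shows how the OpenSSH-style SHA256 fingerprint is derived from a public key line of the kind ssh-keyscan prints, so a reference fingerprint can be computed and compared against what the client shows. The host address and the key bytes are constructed for the example and are not a real console server key.

```python
import base64
import hashlib
import hmac

KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


def ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return len(b).to_bytes(4, "big") + b


def build_ed25519_blob(raw32: bytes) -> bytes:
    """Public key blob for ssh-ed25519: string "ssh-ed25519" then the 32 key bytes (RFC 8709)."""
    if len(raw32) != 32:
        raise ValueError("ed25519 public keys are 32 bytes")
    return ssh_string(b"ssh-ed25519") + ssh_string(raw32)


def keyscan_line_for(blob: bytes, host: str = "192.168.0.1") -> str:
    """Format a blob the way ssh-keyscan prints a host key: '<host> <keytype> <base64 blob>'."""
    return f"{host} ssh-ed25519 {base64.b64encode(blob).decode()}"


# Constructed sample, not a real key: the 32 key bytes are simply 0x00..0x1f.
SAMPLE_KEYSCAN_LINE = keyscan_line_for(build_ed25519_blob(bytes(range(32))))


def fingerprint_sha256(key_line: str) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' plus unpadded base64 of SHA-256 over the raw key blob.

    Accepts the three-field ssh-keyscan form ('host keytype blob') and the
    two-field public key form ('keytype blob'); a trailing comment is ignored.
    This is the same value ssh-keygen -lf prints for the key.
    """
    fields = key_line.split()
    if len(fields) >= 2 and fields[0] in KEY_TYPES:
        keytype, blob_b64 = fields[0], fields[1]
    elif len(fields) >= 3 and fields[1] in KEY_TYPES:
        keytype, blob_b64 = fields[1], fields[2]
    else:
        raise ValueError("not a recognised public key line")
    blob = base64.b64decode(blob_b64, validate=True)
    # The blob's first string names the key type; it must agree with the text
    # field, otherwise the line has been mangled or spliced together.
    n = int.from_bytes(blob[:4], "big")
    if blob[4:4 + n] != keytype.encode():
        raise ValueError("key type in blob does not match key type on the line")
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def host_key_matches(key_line: str, expected_fingerprint: str) -> bool:
    """True only when the offered key hashes to the fingerprint recorded out of band."""
    return hmac.compare_digest(fingerprint_sha256(key_line), expected_fingerprint.strip())
```

Record the fingerprint once from a trusted position, keep it with the rest of the device's inventory data, and compare on every first connection from a new client; a fingerprint that changes without a known re-key of the console server is the signal to stop and investigate rather than click Yes.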
4.6 MANAGEMENT NETWORK CONFIGURATION
The LES1700, LES1516A, LES1532A, LES1548A, LES1508A, and LES1600 console servers have additional network ports that can
be configured to provide management LAN access and/or failover or out-of-band access.
4.6.1 ENABLE THE MANAGEMENT LAN
The LES1700, LES1516A, LES1532A, LES1548A, and LES1600 console servers can be configured so the second Ethernet port
provides a management LAN gateway. The gateway has firewall, router and DHCP server features. You need to connect an external
LAN switch to Network/LAN 2 to attach hosts to this management LAN.
[Figure: the console server acting as gateway to the Management LAN, with NETWORK 2 attached to the Management network, and the Operations network and serially connected consoles on the other side.]
FIGURE 4-18. MANAGEMENT LAN ENABLED
NOTE: The second Ethernet port (Network/LAN 2) on the LES1700, LES1516A, LES1532A, LES1548A, or LES1600 can be configured
either as a Management LAN gateway port or as an OOB/Failover port. It cannot be both. Do not allocate Network/LAN 2 as the
Failover Interface when configuring the principal Network connection on the System > IP menu.
[Figure: Console Server with NETWORK 1 (Operations network), NETWORK 2 (OOB or Failover), Eth. 1–32 or 2–4 (Management LAN) and serially connected consoles.]
FIGURE 4-19. CONFIGURE AS MANAGEMENT LAN OR OOB/FAILOVER PORT
Management LAN features are disabled by default. To configure a Management LAN gateway:
Navigate to System > IP.
Select the Management LAN Interface tab.
Uncheck Disable.
Set the IP Address and Subnet Mask for the Management LAN. Leave the DNS fields blank.
FIGURE 4-20. MANAGEMENT LAN TAB
Click Apply.
The management gateway function is now enabled with default firewall and router rules. By default, these rules are configured so
that the Management LAN is accessible only by SSH port forwarding. This ensures that remote and local connections to Managed
Devices on the Management LAN are secure.
The LAN ports can also be configured in bridged or bonded mode (as described later in this chapter) or they can be manually
configured from the command line.
4.6.2 CONFIGURE THE DHCP SERVER
All LES1700 and LES1500 family devices host a DHCP server. It is disabled by default. The DHCP server enables the automatic
distribution of IP addresses to devices on the Management LAN that are running DHCP clients. To enable the DHCP server:
Navigate to System > IP.
Select the Management LAN Interface tab.
Check the Enable DHCP Server checkbox.
Enter the Gateway address to be issued to DHCP clients. If left blank, the console server's IP address is used.
Enter the Primary DNS and Secondary DNS addresses to be issued to DHCP clients. If these fields are left blank, the console server's
IP address is used; leave them blank for automatic DNS server assignment.
Enter a Domain Name suffix to issue DHCP clients. This is an optional value and step.
FIGURE 4-21. ENTER DOMAIN NAME SUFFIX (OPTIONAL)
Enter the Default Lease time and Maximum Lease time in seconds. The lease time is the time that a dynamically assigned IP address
is valid before the client must request it again.
Click Apply.
The DHCP server sequentially issues IP addresses from the specified address pool or pools:
Click Add in the Dynamic Address Allocation Pools field.
Enter the DHCP Pool Start Address and End Address.
Click Apply.
The DHCP server also supports pre-assigning IP addresses to be allocated only to specific MAC addresses and reserving IP
addresses for connected hosts that use fixed IP addresses. To reserve an IP address for a particular host:
Click Add in the Reserved Addresses field.
Enter the Hostname, the Hardware Address (MAC) and the Statically Reserved IP address for the DHCP client.
Click Apply.
Once DHCP has initially allocated addresses to hosts, we recommend copying these into the reserved list so that the same IP
address is reallocated to each host after a reboot.
FIGURE 4-22. PRE-ASSIGN IP ADDRESSES
4.6.3 SELECT FAILOVER OR BROADBAND OOB
The LES1700, LES1516A, LES1532A, LES1548A, and LES1600 console servers provide a failover option, so that if there is a problem
using the main LAN connection to access the console server, an alternate access path is used.
By default, the failover is not enabled. To enable:
Navigate to System > IP.
Select the Network tab.
Select the Failover Interface to be used if there is a main network outage. This can be:
- an alternate broadband Ethernet connection (for example, the Network/LAN2 port on most models) or
- the LES1700 family internal modem or
- an external serial modem device connected to the LES1700 Console port (for dialing out to an ISP or the remote management
office).
FIGURE 4-23. SELECT FAILOVER INTERFACE
Click Apply.
NOTE: The failover method is not active until the external sites to be probed to trigger failover are specified and the failover ports
themselves are set-up. This is covered in Chapter 6.
NOTE: On the LES1700, LES1516A, LES1532A, LES1548A, and LES1600 models, the second Ethernet port can be configured as either a
gateway port or as an OOB/Failover port, but not both.
FIGURE 4-24. MANAGEMENT LAN TAB
4.6.4 AGGREGATING THE NETWORK PORTS
By default, the console server's Management LAN network ports can only be accessed using SSH tunneling/port forwarding or by
establishing an IPsec VPN tunnel to the console server.
All the wired network ports on the console servers can be aggregated by being bridged or bonded.
Navigate to System > IP.
Click the General Settings tab.
Click the Bridge Interfaces or Bond Interfaces radio button to enable wired Ethernet interface aggregation.
When bridging is enabled, network traffic is forwarded across all Ethernet ports with no firewall restrictions. All Ethernet ports are
transparently connected at the data link layer (layer 2), so each port retains its own MAC address.
With bonding, the ports are combined into a single logical interface that presents one MAC address.
Both modes remove all the Management LAN Interface and Out-of-Band/Failover Interface functions and disable the DHCP Server.
NOTE: In aggregation mode, all the Ethernet ports are configured collectively via the System > IP > Network Interface tab.
4.6.5 WI-FI WIRELESS LAN
All LES1700 models have an internal 802.11 Wi-Fi adapter and come with an external Wi-Fi antenna. The Wi-Fi can be configured
as a Wi-Fi Wireless Access Point (WAP) or as a Wi-Fi client.
The built-in Wi-Fi is inactive by default. If you wish to use the Wi-Fi facility, you will need to attach the Wi-Fi antenna (and any auxiliary Wi-Fi antenna you may have ordered). To activate and configure the Wireless Access Point functionality:
Navigate to System > IP.
Click the Wireless Network Interface tab.
Uncheck the Disable check-box.
Select the device’s operating mode: Wireless Client or Wireless AP (for Access Point).
If Wireless AP is checked, the Wireless AP Settings section becomes visible.
Set the IP Address, and the netmask in the IP Settings for the Wireless Network.
Generally, if the device is being used as a Wireless AP, a static address is set here; for example, 192.168.10.1.
In this example, you can set the netmask to 255.255.255.0 to give 254 usable host addresses in the subnet.
Do not fill in the Gateway, Primary DNS and Secondary DNS values. These settings are used if the interface is to be the primary
network link to the outside world, or if it will be used for failover.
Select the correct country from the Country list.
If the correct country is not listed, select the World Regulatory Domain.
Select an SSID for the network. This should be unique.
Check the Broadcast SSID check box. This should, in general, be done. Not broadcasting a wireless network’s SSID is not a
meaningful security measure.
Select the Network Channel. The most commonly used channel is 6.
NOTE: If the unit is being deployed in an environment containing multiple Wireless APs (for example, a multi-floor office building), a site
survey to establish what channels are locally unused is recommended.
Select the unit’s Hardware Mode. The unit supports 802.11b, 802.11g, and single band 802.11n. In most cases, selecting 802.11b/g/n
will provide for the best interoperability with other hardware.
Select the Supported Authentication Methods. WPA/WPA2 with AES encryption is recommended. WEP, and WPA with TKIP, have
practical published attacks against them and should be treated as broken. Only select these latter methods if you must support client
equipment that does not support WPA/WPA2 with AES.
If WPA/WPA2 is the selected Supported Authentication Method:
Select one or both of TKIP and AES in WPA/WPA2 Encryption Methods. As noted above, AES is more secure. It is also required for a
Wireless AP to advertise itself as 802.11n if that is the selected Hardware Mode.
If WEP is the selected Supported Authentication Method:
Select either Open System or Shared System in the WEP Mode.
NOTE: While Open System is more secure than Shared System (due to the way encryption keys are used), known vulnerabilities
mean WEP cannot be considered secure in any sense.
Click Apply and wait for the page to refresh.
The next step is to set up a DHCP server for the wireless clients. Click the link next to DHCP Server in the IP settings section, or go
to System > DHCP Server. More information on configuring DHCP can be found in Section 4.6.2.
If Wireless Client is checked, the Wireless Client Settings section becomes visible.
Select DHCP or Static for the Configuration Method.
- If Static is selected, manually enter the new IP Address, Subnet Mask, Gateway and DNS server details. This selection
automatically disables the DHCP client.
- If DHCP is selected, the device will look for configuration details from a DHCP server on your management LAN. This selection
automatically disables any static address.
NOTE: The device’s MAC address can be found on a label on the base plate.
Configure the Wireless client to select the local wireless network that will serve as the main network connection to the console
server.
Select the correct country from the Country list. If the correct country is not listed, select the World Regulatory Domain.
Enter the SSID (Service Set Identifier) of the wireless access point the Wireless Client will connect to.
Select the Wireless Network Type. Select Infrastructure to connect to a Wireless AP device. Select Ad-hoc to connect directly to a
computer.
Select the Wireless Security mode of the wireless network (WEP, WPA, etc)
Enter the required authentication strings.
When enabled in client mode, the wireless LAN operates as the main network connection to the device, so failover is available
(though it is not enabled by default).
Use Failover Interface to select the device to fail over to in case of a wireless outage, and specify the Probe Addresses of the peers to
be probed for connectivity detection.
NOTE: The Wireless screen in Status > Statistics will display all the locally accessible wireless LANs (with SSID and Encryption/
Authentication settings). You can also use this screen to confirm you have successfully connected to the selected access
point. See Chapter 13 for more information.
4.6.6 STATIC ROUTES
Firmware 3.4 and later supports static routes, which provide a quick way to route traffic from one subnet to a different subnet. You can
hard-code the path (the gateway and/or interface) the console server uses to reach a given subnet. This may be useful for reaching various
subnets at a remote site when the site is being accessed over the cellular OOB connection.
To add a static route to the route table of the system:
Navigate to System > IP > General Settings.
Select the Route Settings tab.
FIGURE 4-25. ROUTE SETTINGS SCREEN
Enter a meaningful Route Name for the route.
In the Destination Network/Host field, enter the IP address of the destination network or host that the route provides access to.
Enter a value in the Destination netmask field that identifies the destination network or host. This is a prefix length, any number
between 0 and 32; a value of 32 identifies a host route.
Fill the Route Gateway field with the IP address of a router that will forward packets to the destination network. This field may be left
blank, depending on your network configuration.
Select the Interface to use to reach the destination. This field may be left as None.
Enter a value in the Metric field that represents the metric of this route. This generally only has to be set if two or more routes
conflict or have overlapping targets. Any number equal to or greater than 0.
Click Apply.
NOTE: The route details page provides a list of network interfaces and modems to which a route can be bound. In the case of a
modem, the route will be attached to any dialup session that is established via that device. A route can be specified with
a gateway, an interface or both. If the specified interface is not active for whatever reason, then routes configured for that
interface will not be active.
4.7 CONFIGURATION OVER DHCP (ZTP)
Config-over-DHCP is available for all Black Box console managers running firmware release 3.16 or later. Using this feature, Black Box
devices can be provisioned during their initial boot from a DHCP server. Provisioning on untrusted networks can be facilitated by providing
keys on a USB flash drive.
The typical steps for configuration over a trusted network are:
Manually configure a same-model Black Box device.
Save its configuration as a Black Box backup (.opg) file:
Select System > Configuration Backup > Remote Backup.
Click Save Backup.
A backup configuration file, model-name_iso-format-date_config.opg, is downloaded from the Black Box device to the local system.
Alternatively, you can save the configuration as an xml file:
Select System > Configuration Backup > XML Configuration. An editable field containing the configuration file in XML format is
presented.
Click into the field to make it active.
If you are running any browser on Windows or Linux, right-click and choose Select All from the contextual menu or press Control-A.
Then right-click and choose Copy from the contextual menu or press Control-C.
If you are using any browser on macOS, choose Edit > Select All or press Command-A. Then choose Edit > Copy or press
Command-C.
In your preferred text-editor, create a new empty document, paste the copied data into the empty document and save the file.
Whatever file-name you choose, it must include the .xml filename suffix.
Copy the saved .opg or .xml file to a public-facing directory on a file server serving at least one of the following protocols: HTTPS,
HTTP, FTP or TFTP.
NOTE: Only HTTPS can be used if the connection between the file server and a to-be-configured Black Box device travels over an untrusted
network.
Configure your DHCP server to include a vendor-specific option for Black Box devices. (This will be done in a DHCP server-specific
way; the console server reads DHCP option 43, sub-option 1, as described in Section 4.7.5 and illustrated for ISC dhcpd in Section 4.7.2.)
The vendor-specific option should be set to a string containing the URL of the .opg or .xml file published in the step above. The
option string must not exceed 250 characters and it must end in either .opg or .xml.
Connect a new Black Box device (either factory-reset or Config-Erased) to the network and apply power.
NOTE: It may take up to 5 minutes for the device to find the .opg or .xml file via DHCP, download and install the file, and then reboot itself.
4.7.1 ENSURING THE CONSOLE SERVER IS UNCONFIGURED
Console servers exist in two states: configured or unconfigured. For ZTP via Config-over-DHCP to work, a target console server must be
in an unconfigured state.
Console servers ship unconfigured from the factory: assuming a compatible configuration file is to hand (see below), a newly-unboxed
console server can be configured using ZTP.
To return an already-configured console server to its unconfigured state, do either of the following:
While the console server is powered-on, press the recessed Erase button twice. This button is found on the rear or side of every
console server.
Alternatively:
Navigate to System > Administration.
Check the Config Erase checkbox.
Check the Reboot checkbox.
Click Apply.
NOTE: If ZTP is being used to update a working console server’s firmware, the extant configuration must be backed-up before the
console server is unconfigured.
4.7.2 EXAMPLE ISC DHCP (DHCPD) SERVER CONFIGURATION
The following is an example DHCP server configuration fragment for serving an .opg configuration image via the ISC DHCP server,
dhcpd. The vendor option space name (blackbox here) is a local label in dhcpd.conf and must be a single word; the ~~ operator is
dhcpd's case-insensitive regular-expression match; and sub-option code 1 is the option 43 sub-option the console server reads for
configuration URLs (see Section 4.7.5). The ${class} substring is sent to the device literally and expanded there (see Section 4.7.7):
option space blackbox code width 1 length width 1;
option blackbox.config-url code 1 = text;
class "blackbox-config-over-dhcp-test" {
    match if option vendor-class-identifier ~~ "^Black Box/";
    vendor-option-space blackbox;
    option blackbox.config-url "https://example.com/opg/${class}.opg";
}
4.7.3 SETUP WHEN THE LAN IS UNTRUSTED
If the connection between the file server and a to-be-configured Black Box device includes an untrusted network, a two-handed
approach can mitigate the issue.
NOTE: This approach introduces two physical steps where trust can be difficult, if not impossible, to establish completely. First, the
custody chain from the creation of the data-carrying USB flash drive to its deployment. Second, the hands connecting the
USB flash drive to the Black Box device.
Generate an X.509 certificate for the Black Box device.
Concatenate the certificate and its private key into a single file named client.pem.
Copy client.pem onto a USB flash drive.
Set up an HTTPS server so that access to the .opg or .xml file is restricted to clients that can provide the X.509 client certificate
generated above.
Put a copy of the CA cert that signed the HTTP server’s certificate—ca-bundle.crt—onto the USB flash drive bearing client.pem.
Insert the USB flash drive into the Black Box device before attaching power or network.
Continue the procedure from ‘Copy the saved .opg or .xml file to a public-facing directory on a file server’ above using the HTTPS
protocol between the client and server.
4.7.4 PREPARE A USB DRIVE AND CREATE THE X.509 CERTIFICATE AND PRIVATE KEY
Generate the CA certificate so the client and server Certificate Signing Requests (CSRs) can be signed.
Format a USB flash drive as a single FAT32 volume.
Move the client.pem and ca-bundle.crt files onto the flash drive’s root directory.
4.7.5 WHAT AN UNCONFIGURED CONSOLE SERVER DOES ON FIRST BOOT
When an unconfigured console server boots the following steps occur:
the console server starts the udhcpc process (via conman).
udhcpc transmits a DHCP DISCOVER request on the primary Network Interface.
This request includes a Vendor Class Identifier in the following form:
Black Box/model-name
For example:
Black Box/LES1203A-M
NOTE: In unconfigured console servers, the network interface mode is unset and the DHCP DISCOVER request, therefore, includes
a parameter request for Vendor-Specific Information (option 43). Configured console servers have a config.interfaces.wan.mode
setting with configuration information included. Consequently, the DHCP DISCOVER packet sent from such servers does not
include an option 43 request.
the DHCP server sends a DHCP OFFER in reply.
The console server uses the information in the DHCP OFFER to
assign itself the supplied IPv4 address.
add a default route.
prepare its DNS resolver.
If the DHCP OFFER also includes an option 43 with sub-option 1, the console server:
reads the contents of sub-option 1 as a white-space delimited list of URLs.
interprets the URLs as locations of configuration files to use to configure itself.
temporarily stores the URLs for later use.
If the DHCP OFFER also includes an option 43 with sub-option 2, the console server:
reads the contents of sub-option 2 as a white-space delimited list of URLs.
interprets the URLs as locations of firmware images to use to flash its firmware.
temporarily stores the URLs for later use.
If the DHCP OFFER also includes an NTP server option, the console server:
synchronizes its system clock to the referenced NTP server.
See /etc/scripts/udhcpc.script for details.
4.7.6 USING UNCONFIGURED CONSOLE SERVER ON FIRST BOOT TO UPDATE FIRMWARE
This process requires three things:
a console server running firmware 3.16.6 or later.
a file containing the current configuration of the console server to be updated available at a working URL that is declared in option
43, sub-option 1 of your DHCP server’s DHCP OFFER.
the firmware image to be applied available at a working URL that is declared in option 43, sub-option 2 of your DHCP server’s DHCP
OFFER.
The working URLs can be offered over ftp, tftp, http, and https. However, for https to work, the console server must be in secure
recovery mode. See Section 4.7.9 for secure recovery mode requirements.
When the console server having its firmware updated is unconfigured and restarted, it:
runs /etc/scripts/backup-url loadimage for each URL included in option 43 sub-option 2 of the DHCP OFFER.
On the first URL to return a firmware image, the console server:
runs curl to download the firmware image.
passes the image to netflash as standard input.
netflash then:
checksums and flashes the passed-in image.
reboots the console server.
NOTE: netflash will not reboot the console server unless the image passes the checksum.
Upon rebooting, the console server:
runs /etc/config/.init to process the firmware image.
runs /etc/scripts/backup-url to restore the backed-up configuration using the file declared in option 43, sub-option 1 of the DHCP
OFFER. (The script's name is historical: it is based on configuration backup and restore logic.)
4.7.7 THE URLS IN DHCP OFFER, OPTION 43, SUB-OPTION 1
URLs offered in DHCP OFFER, option 43, sub-option 1 are parsed by /etc/scripts/backup-url, which expands the following substrings
in each URL before the URL is tried. The order is as follows.
TABLE 4-2. CHOICE ORDER FOR URLS
SUB-STRING    REPLACED BY                                         EXAMPLE
${mac}        the device's 12-digit MAC address, in lowercase     0013b600b669
${model}      the device's full model name, in lowercase          les1708a
${class}      the firmware's hardware class                       les1700
${version}    the firmware's version number                       4.1.0u3
Once downloaded, a configuration file is checked:
if it is a .opg file, its header is checked for compatibility with the current device.
if it is a .xml file, a parse check is made.
In both cases, if the check fails, the downloaded file is abandoned and the next URL is tried.
4.7.8 IMPORTING THE CONFIGURATION FILE
Once a downloaded configuration file passes the appropriate check, the console server:
imports the downloaded and checked configuration file.
checks the configuration file for a hostname to set itself to.
If no hostname can be set, the console server defaults to
${model}-${mac}
(That is, it sets its hostname to the device’s full model name, followed by a hyphen, followed by the device’s MAC address.)
checks that it is still unconfigured.
sets the network interface mode to DHCP.
This, in effect, forces the console server into a configured state, preventing a reboot loop from occurring.
returns a reboot-necessary flag.
This last action ensures the now configured console server reboots.
4.7.9 RUNNING A RESTORE OR UPDATE IN SECURE RECOVERY MODE
For a firmware update to run in secure mode (that is, over the https protocol), /etc/scripts/backup-url must find two
certificate files on an attached USB storage device.
The first required file is ca-bundle.crt. The second required file is whichever one of the following files is found first:
client-AABBCCDDEEFF.pem, where AABBCCDDEEFF is the MAC address of the console server's primary network interface.
client-MODEL.pem, where MODEL is the (vendor class) model name in lowercase, truncated to before the first hyphen.
client.pem
See Section 4.7.4 for how to create these files.
NOTE: If both ca-bundle.crt and a suitable *.pem file are found, URLs offered by insecure protocols (such as http, ftp, tftp and ftps)
are skipped. Once an unconfigured console server is in secure recovery mode, the firmware and configuration files needed
to return it to operational status must be offered via https.
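Sections 4.7.5, 4.7.7, 4.7.8 and 4.7.9 together describe how an unconfigured console server turns the DHCP OFFER into an ordered list of configuration and firmware URLs: option 43 is split into sub-options, each sub-option's data is a white-space delimited URL list, the ${mac}, ${model}, ${class} and ${version} substrings are expanded, and in secure recovery mode any URL not served over https is skipped. The following added example models that behaviour in Python so a DHCP server's option 43 payload and a planned USB file set can be checked before a device is plugged in. It is not the device's /etc/scripts/backup-url or udhcpc.script; the option 43 payload, the server address 10.0.0.5, the URL paths and the USB file sets are constructed for the example.

```python
import re


def encode_option43(suboptions):
    """Build an option 43 payload from {code: bytes} using the 1-byte code and
    length widths of the dhcpd option space in Section 4.7.2."""
    out = bytearray()
    for code, data in suboptions.items():
        if not 0 < code < 255 or len(data) > 255:
            raise ValueError("sub-option code or length out of range")
        out += bytes([code, len(data)]) + data
    return bytes(out)


def decode_option43(payload):
    """Parse the TLV sequence back into {code: bytes}. A truncated payload is an
    error rather than a partial result, so a bad server config is noticed."""
    result, i = {}, 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated sub-option header")
        code, length = payload[i], payload[i + 1]
        data = payload[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError("truncated sub-option data")
        result[code] = data
        i += 2 + length
    return result


def expand_url(url, mac, model, hw_class, version):
    """Apply the Table 4-2 substitutions: MAC without separators in lowercase,
    model in lowercase, hardware class and firmware version."""
    subs = {"mac": mac.replace(":", "").lower(), "model": model.lower(),
            "class": hw_class.lower(), "version": version}
    return re.sub(r"\$\{(mac|model|class|version)\}", lambda m: subs[m.group(1)], url)


def default_hostname(model, mac):
    """Section 4.7.8 fallback hostname when the imported configuration has none: ${model}-${mac}."""
    return expand_url("${model}-${mac}", mac, model, "", "")


def secure_recovery_pem(usb_files, mac, model):
    """Return the client certificate file chosen by the Section 4.7.9 search order,
    or None when the USB drive does not put the device into secure recovery mode."""
    if "ca-bundle.crt" not in usb_files:
        return None
    short_model = model.lower().split("-", 1)[0]   # model truncated before the first hyphen
    candidates = ("client-" + mac.replace(":", "").upper() + ".pem",
                  "client-" + short_model + ".pem",
                  "client.pem")
    for name in candidates:
        if name in usb_files:
            return name
    return None


def candidate_urls(payload, suboption, usb_files, mac, model, hw_class, version):
    """Ordered URLs the device would try for a sub-option (1 = configuration,
    2 = firmware), dropping non-https URLs when in secure recovery mode."""
    opts = decode_option43(payload)
    if suboption not in opts:
        return []
    urls = [expand_url(u, mac, model, hw_class, version)
            for u in opts[suboption].decode("ascii").split()]
    if secure_recovery_pem(usb_files, mac, model) is not None:
        urls = [u for u in urls if u.lower().startswith("https://")]
    return urls


# Constructed payload: two configuration URLs (sub-option 1) and one firmware
# URL (sub-option 2). The host 10.0.0.5 and the paths are hypothetical.
SAMPLE_OPTION43 = encode_option43({
    1: b"http://10.0.0.5/cfg/${class}.opg https://10.0.0.5/cfg/${model}-${mac}.xml",
    2: b"https://10.0.0.5/fw/${class}-${version}.bin",
})
```

Run candidate_urls with the file set you intend to ship on the USB drive. If the list comes back empty while secure_recovery_pem reports a certificate, the server is offering only http, ftp or tftp URLs and the device will stay unconfigured, which is the failure mode the note in Section 4.7.9 describes.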
CHAPTER 5: SERIAL PORT, HOST DEVICE AND USER CONFIG
The console server enables access and control of serially-attached devices and network-attached devices (hosts). The
Administrator must configure access privileges for each of these devices, and specify the services that can be used to control the
devices. The Administrator can also set up new users and specify each user’s individual access and control privileges.
[Figure: network-connected devices (HTTP, HTTPS, IPMI, ALOM, SQL, VNC, RDP, SSH, X, Telnet) and serially connected devices (Linux, Solaris, Windows, UNIX and BSD servers; VoIP PBX, switch, router, firewall, power strip, UPS) accessed through the console server.]
FIGURE 5-1.
This chapter covers each of the steps in configuring network-connected and serially-attached devices.
TABLE 5-1. STEPS SUMMARY
STEP | NOTES
Serial ports | Setting up serially connected device protocols
Users & Groups | Setting up and defining user access permissions
Authentication | Also covered in more detail in Chapter 10
Network hosts | Configuring access to network-connected hosts
Configuring trusted networks | Nominate IP addresses trusted users access from
Serial console port cascading and redirection | —
Power (UPS, PDU and IPMI) | —
Environmental Monitoring Devices (EMD) | —
Serial port redirection | The PortShare client on Windows and Linux
Managed devices | The consolidated view of all the connections
IPSec | Enabling VPN connections
OpenVPN | —
PPTP | —
5.1 CONFIGURE SERIAL PORTS
The first step in configuring a serial port is to set the Common Settings such as the protocols and the RS-232 parameters that are
to be used for the data connection to that port (for example, baud rate).
Then you select what mode the port is to operate in. Each port can be set to support one of the operating modes in the next table.
TABLE 5-2. OPERATING MODES
MODE | NOTES
Disabled | The serial port is inactive
Console server | Enables general access to the serial console port on the serially attached devices
Device | Sets the serial port up to communicate with an intelligent serial controlled PDU, UPS or Environmental Monitor Devices (EMD)
SDT | Enables graphical console access (with RDP, VNC, HTTPS etc.) to hosts that are serially connected
Terminal server | Sets the serial port to await an incoming terminal login session
Serial bridge | Enables the transparent interconnection of two serial port devices over a network
FIGURE 5-2. SERIAL & NETWORK: SERIAL PORT SCREEN
Navigate to Serial & Network > Serial Port. Details of the currently configured serial ports are presented. By default, each serial port is
set to console server mode.
Click Edit to reconfigure a given serial port.
Reconfigure the common settings (Section 5.1.1) and the mode (Sections 5.1.2–5.1.6) for each port as needed.
Set up any remote syslog (Section 5.1.7).
Click Apply.
NOTE: To set the same protocol options for multiple serial ports at once click Edit Multiple Ports and select which ports you wish to
configure as a group.
If the console server has been configured with distributed Nagios monitoring enabled, then you will also be presented with Nagios
Settings options to enable nominated services on the host to be monitored (see Chapter 11).
5.1.1 COMMON SETTINGS
There are a number of common settings that can be set for each serial port. These are independent of the mode in which the port is
being used. These serial port parameters must be set so they match the serial port parameters on the device you attach to that port.
FIGURE 5-3.
Specify a Label for the port.
Select the appropriate Baud Rate, Parity, Data Bits, Stop Bits and Flow Control for each port.
Set the Signaling Protocol. This menu item only presents in ports with RS-422/485 options (all ports on LES1204A-2-I, LES1508A-I,
ACM5504-5-LA/LR/LV-I and ACM5504-5-G-I). The options available are RS-232, RS-422, RS-485 and RS-485 Echo mode.
Set the Port Pinout. This menu item only presents for LES1700 ports where pinout for each RJ-45 serial port can be set as either X2
(Cisco Straight) or X1 (Cisco Rolled).
Before proceeding with further serial port configuration, you should connect the ports to the serial devices they will be controlling, and
ensure they have matching settings.
5.1.2 CONSOLE SERVER MODE
Select Console Server Mode to enable remote management access to the serial console that is attached to this serial port.
FIGURE 5-4. CONSOLE SERVER SETUP SCREEN
Set the desired Logging Level. This specifies the level of information to be logged and monitored (see Chapter 8).
Enable or disable Telnet access.
When the Telnet service is enabled on the console server, a Telnet client on a User’s or Administrator’s computer can connect to a
serial device attached to this serial port on the console server. Telnet communications are unencrypted so this protocol is generally
recommended only for local or VPN-tunneled connections.
Windows 2000, Windows XP and Windows NT can run telnet from the cmd.exe command prompt.
Windows Vista and later ship with a Telnet client but it is not enabled by default. You can install it as follows.
Click the Start button.
Click Control Panel.
Click Programs.
Click Turn Windows features on or off.
FIGURE 5-5. TURN WINDOWS FEATURES ON OR OFF
If you are prompted for an administrator password or confirmation, type the password or provide confirmation.
In the Windows Features dialog box, select the Telnet Client check box.
Click OK.
The installation may take several minutes.
If remote communications are being tunneled with SDT Connector, then Telnet can be used for securely accessing these attached
devices.
NOTE: In Console Server mode, Users and Administrators can use SDT Connector to set up secure Telnet connections that are SSH
tunneled from their client computers to the serial port on the console server. SDT Connector can be installed on Windows PCs
and on most Linux platforms and it enables secure Telnet connections to be selected with a simple point-and-click. To use
SDT Connector to access consoles on the console server serial ports, you configure SDT Connector with the console server as
a gateway, then as a host, and you enable Telnet service on Port 2000 + serial port # (that is Ports 2001–2048). See Chapter 7
for more details on using SDT Connector for Telnet and SSH access to devices that are attached to the console server serial
ports.
You can also use communications packages like PuTTY to set a direct Telnet (or SSH) connection to the serial ports.
FIGURE 5-6. PUTTY CONFIGURATION SCREEN
NOTE: PuTTY supports Telnet (and SSH). Enter the console server’s IP address as the Host Name (or IP address). Select Telnet as
the protocol and set the TCP port to 2000 plus the physical serial port number (that is a port between 2001 and 2048). Click
the Open button. You may receive a Security Alert that the host’s key is not cached: choose yes to continue. The login prompt
of the remote system connected to the serial port chosen on the console server will now present. You can login as normal and
use the host serial console screen.
PuTTY can be downloaded from http://putty.org/.
NOTE: In Console Server mode, when you connect to a serial port you connect via pmshell. To generate a BREAK on the serial port
type the character sequence ~b. If you’re doing this over OpenSSH type ~~b.
Enable or disable SSH access.
We recommend that you use SSH as the protocol where the User or Administrator connects to the console server (or connects
through the console server to the attached serial consoles) over the Internet or any other public network. This will provide
authenticated SSH communications between the SSH client program on the remote user’s computer and the console server, so the
user’s communication with the serial device attached to the console server is secure.
For SSH access to the consoles on devices attached to the console server serial ports, you can use SDT Connector. You configure
SDT Connector with the console server as a gateway, then as a host, and you enable SSH service on Port 3000 + serial port #. (That is
ports 3001 – 3048). See Chapter 7 for more information on using SDT Connector for SSH access to devices that are attached to the
console server serial ports.
You can also use common communications packages, like PuTTY or SSHTerm, to connect by SSH directly to IP Address:Port 3000 +
serial port # (that is, ports 3001 – 3048).
Alternately, SSH connections can be configured using the standard SSH port 22. The serial port being accessed is then identified by
appending a descriptor to the username. This syntax supports any of the following descriptors:
<username>:<portXX>
<username>:<port-label>
<username>:<ttySX>
<username>:<serial>
For example, if a User named fred wants to access serial port 2, when setting up SSHTerm or the PuTTY SSH client, instead of typing
username = fred
ssh port = 3002
type
username = fred:port02
or
username = fred:ttyS1
and
ssh port = 22.
Alternatively, by typing
username=fred:serial
and
ssh port = 22
the User is presented with a port selection option.
This syntax enables Users to set up SSH tunnels to all serial ports with only a single IP port 22 having to be opened in their firewall or
gateway.
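The two addressing schemes described above (a per-service TCP port on the primary address, or a username descriptor on port 22) are easy to get wrong when writing firewall rules or client profiles. As an added example that is not the console server's own code, the following Python resolves both forms; the port bases for RAW TCP, RFC 2217 and Unauthenticated Telnet are the ones documented in the subsections that follow, and the port label table is a constructed sample.

```python
"""Resolve how a console server serial port is addressed (added example,
not the console server's own code).  Port bases and descriptor forms
follow the manual; PORT_LABELS is a constructed sample."""
import re

# TCP port base per service on the primary address; the serial port
# number (1..48) is added to it, e.g. Telnet to serial port 2 is 2002.
SERVICE_BASE = {"telnet": 2000, "ssh": 3000, "raw": 4000,
                "rfc2217": 5000, "unauth-telnet": 6000}
SSH_PORT = 22
MAX_PORTS = 48

# Constructed sample: port labels set under Common Settings (Section 5.1.1).
PORT_LABELS = {"core-sw1": 2, "fw-edge": 7}


def service_port(service, serial_port):
    """TCP port on the console server's primary address for one service."""
    if not 1 <= serial_port <= MAX_PORTS:
        raise ValueError(f"serial port out of range: {serial_port}")
    return SERVICE_BASE[service] + serial_port


def parse_ssh_username(username):
    """Split '<username>:<descriptor>' as used with SSH on port 22.
    Returns (user, target) where target is the serial port number, the
    string 'select' for the ':serial' menu form, or None if no descriptor
    was given."""
    if ":" not in username:
        return username, None
    user, desc = username.split(":", 1)
    if desc == "serial":
        return user, "select"
    m = re.fullmatch(r"port(\d+)", desc)          # fred:port02 -> port 2
    if m:
        return user, int(m.group(1))
    m = re.fullmatch(r"ttyS(\d+)", desc)          # fred:ttyS1 -> port 2
    if m:
        return user, int(m.group(1)) + 1          # ttyS numbering starts at 0
    if desc in PORT_LABELS:                       # fred:<port-label>
        return user, PORT_LABELS[desc]
    raise ValueError(f"unknown port descriptor: {desc!r}")


def ssh_targets(user, serial_port):
    """All documented ways to reach one serial port over SSH, as
    (username, tcp_port) pairs: the 3000+N port, or port 22 with a descriptor."""
    return [(user, service_port("ssh", serial_port)),
            (f"{user}:port{serial_port:02d}", SSH_PORT),
            (f"{user}:ttyS{serial_port - 1}", SSH_PORT)]
```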
NOTE: In Console Server mode, when you connect to a serial port, you connect via pmshell. To generate a BREAK on the serial port
type the character sequence ~b. If you’re doing this over OpenSSH, type ~~b.
Enable or disable Raw TCP access.
RAW TCP allows connections directly to a TCP socket. Communications programs like PuTTY support RAW TCP. This protocol,
however, would usually be used by a custom application.
For RAW TCP, the default port address is IP Address:Port 4000 + serial port # (That is, ports 4001 – 4048).
RAW TCP also enables the serial port to be tunneled to a remote console server, so two serial port devices can be transparently
interconnected over a network (see Section 5.1.6).
Enable or disable RFC 2217 access.
Enabling RFC 2217 access enables serial port redirection on that port. For RFC 2217, the default port address is IP Address:Port 5000
+ serial port # (that is Port #s 5001 – 5048).
Special client software is available for Windows, UNIX and Linux that supports RFC 2217 virtual COM ports, so a remote host can
monitor and manage remote serially attached devices as though they were connected to the local serial port (see Section 5.6 for
details).
RFC 2217 also enables the serial port to be tunneled to a remote console server, so two serial port devices can be transparently
interconnected over a network (see Section 5.1.6).
Enable or disable Unauthenticated Telnet.
Enabling Unauthenticated Telnet enables telnet access to the serial port without authentication credentials. When a user accesses
the console server to telnet to a serial port, they are normally given a login prompt. With unauthenticated telnet, they connect directly
through to the port without any console server login challenge. (If a telnet client does prompt for authentication, any entered data will
allow connection.)
This mode is mainly used when you have an external system (such as conserver) managing user authentication and access privileges
at the serial device level.
NOTE: Only the connection to the console server is unauthenticated. Logging into a device connected to the console server may still
require authentication.
For Unauthenticated Telnet the default port address is IP Address:Port 6000 + serial port # (that is Port #s 6001 – 6048).
Enable or disable Web Terminal.
Enabling Web Terminal enables web browser access to the serial port via Manage > Devices > Serial using the Management Console’s
built in AJAX terminal.
Web Terminal connects as the currently authenticated Management Console user and does not re-authenticate. See Section 14.3 for
more details.
Enter an IP Alias (for the Network Interface, Management LAN or Out-of-Band/Failover).
A working IP Alias enables access to the serial port using a specific IP address, specified in CIDR format. Each serial port can be
assigned one or more IP aliases, configured on a per-network-interface basis.
A serial port can, for example, be made accessible at both 192.168.0.148 (as part of the internal network) and 10.10.10.148 (as part
of the Management LAN). It is also possible to make a serial port available on two IP addresses on the same network (for example,
192.168.0.148 and 192.168.0.248).
These IP addresses can only be used to access the specific serial port, accessible using the standard protocol TCP port numbers of
the console server services. For example, SSH on serial port 3 would be accessible on port 22 of a serial port IP alias (whereas on the
console server’s primary address, it is available on port 2003).
This feature can also be configured via the multiple port edit page. In this case, the IP addresses are applied sequentially, with the first
selected port getting the IP entered and subsequent ones getting incremented, with numbers being skipped for any unselected ports.
For example if ports 2, 3 and 5 are selected and the IP alias 10.0.0.1/24 is entered for the Network Interface, the following addresses
will be assigned:
Port 2: 10.0.0.1/24
Port 3: 10.0.0.2/24
Port 5: 10.0.0.4/24
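The sequential assignment just described consumes addresses for unselected ports too, so it pays to predict the result before applying it. As an added example (not the console server's own code), this Python reproduces the rule, keeps the alias inside the entered subnet, and rejects a selection that would run past it; the port selections and CIDR values are constructed.

```python
"""Sequential IP alias assignment for the multiple port edit page (added
example, not the console server's own code).  Sample inputs are constructed."""
import ipaddress


def assign_port_aliases(selected_ports, alias_cidr):
    """Map each selected serial port to an alias in CIDR form.  The lowest
    selected port gets alias_cidr itself; every later port number, selected
    or not, advances the address by one, so unselected ports leave gaps."""
    iface = ipaddress.ip_interface(alias_cidr)
    network = iface.network
    ports = sorted(set(selected_ports))
    if not ports:
        return {}
    first = ports[0]
    result = {}
    for port in ports:
        addr = iface.ip + (port - first)
        # Refuse an alias outside the subnet or on its broadcast address
        # (the page does not say what the device does here; this is a guard).
        if addr not in network or (network.prefixlen < 31
                                   and addr == network.broadcast_address):
            raise ValueError(f"alias for port {port} ({addr}) is outside {network}")
        result[port] = f"{addr}/{network.prefixlen}"
    return result
```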
Enable or disable Encrypt Traffic and enable or disable Authenticate. (These options should be either enabled or disabled as a pair.)
Enabling these two options turns on trivial encryption and authentication of RFC2217 serial communications using Portshare. For
strong encryption, use VPN.
Set an Accumulation Period.
Once a connection has been established for a particular serial port (such as a RFC2217 redirection or Telnet connection to a remote
computer) any incoming characters on that port are forwarded over the network on a character by character basis. The accumulation
period changes this by specifying a period of time that incoming characters will be collected before then being sent as a packet over
the network.
FIGURE 5-7.
Set a custom Escape Character. This enables you to change the character used for sending escape characters. The default is ~.
Enable or disable the Power Menu.
5.1.3 SDT MODE
This Secure Tunneling setting allows port forwarding of RDP, VNC, HTTP, HTTPS, SSH, Telnet and other LAN protocols through to
computers which are locally connected to the console server by their serial COM port. However, such port forwarding requires a PPP
link to be set up over this serial port.
For configuration details, refer to Section 7.6.
FIGURE 5-8. SDT SETTINGS SCREEN
5.1.4 DEVICE (RPC, UPS, EMD) MODE
This mode configures the selected serial port to communicate with a serial controlled Uninterruptable Power Supply (UPS), Remote
Power Controller / Power Distribution Units (RPC) or Environmental Monitoring Device (EMD).
FIGURE 5-9. DEVICE SETTINGS SCREEN
Select the desired Device Type (UPS, RPC or EMD).
Proceed to the appropriate device configuration page (Serial & Network > UPS Connections, RPC Connection or Environmental) as
detailed in Chapter 9.
5.1.5 TERMINAL SERVER MODE
Enable Terminal Server Mode and set the Terminal Type (vt220, vt102, vt100, Linux or ANSI) to enable a getty on the selected serial
port.
FIGURE 5-10. TERMINAL SERVER SETTINGS SCREEN
The getty will then configure the port and wait for a connection to be made. An active connection on a serial device is usually
indicated by the Data Carrier Detect (DCD) pin on the serial device being raised. When a connection is detected, the getty program
issues a login: prompt, and then invokes the login program to handle the actual system login.
NOTE: Selecting Terminal Server mode will disable Port Manager for that serial port, so data is no longer logged for alerts etc.
5.1.6 SERIAL BRIDGING MODE
FIGURE 5-11. TERMINAL SERVER SETTINGS SCREEN
With serial bridging, the serial data on a nominated serial port on one console server is encapsulated into network packets and
then transported over a network to a second console server, where it is then represented as serial data. So the two console servers
effectively act as a virtual serial cable over an IP network.
FIGURE 5-12.
One console server is configured to be the Server. The Server serial port to be bridged is set in Console Server mode with either
RFC2217 or RAW enabled (as described in Section 5.1.2).
FIGURE 5-13. Serial bridging over the local Ethernet LAN: serially connected device (e.g., security appliance) on one console server, COM port connected control PC on the other.
For the Client console server, the serial port to be bridged must be set in Bridging Mode.
Enable Serial Bridging Mode and specify the IP address of the Server console server and the TCP port address of the remote serial
port (for RFC2217 bridging this will be 5001-5048).
By default the bridging client uses RAW TCP, so you must select RFC2217 if that is the Console Server mode you have specified
on the Server console server.
You may secure the communications over the local Ethernet by enabling SSH; however, you will need to generate and upload keys
(see Chapter 16).
5.1.7 SYSLOG
In addition to built-in logging and monitoring (which can be applied to serial-attached and network-attached management
accesses, as covered in Chapter 8), the console server can also be configured to support the remote syslog protocol on a per serial
port basis.
Select the Syslog Facility and Syslog Priority fields to enable logging of traffic on the selected serial port to a syslog server and to
appropriately sort and action those logged messages (for example, redirect them or send an alert email).
For example, if the computer attached to serial port 3 should never send anything out on its serial console port, the Administrator
can set the Syslog Facility for that port to local0 (local0 – local7 are meant for site local values), and the Syslog Priority to critical.
At this priority, if the console server syslog server does receive a message, it will automatically raise an alert. See Chapter 8 for
more.
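The facility and priority chosen above travel in the PRI field of each syslog message (PRI = facility × 8 + severity, so local0.crit is <130>). As an added example of the receiving side, not the console server's own alerting, this Python decodes the PRI of messages a remote syslog server collects and flags those at or above the threshold the Administrator set; the sample messages are constructed.

```python
"""Decode syslog PRI values and flag local0 messages at critical or above
(added example, not the console server's own alerting).  SAMPLE is constructed."""
import re

FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4,
              "syslog": 5, "lpr": 6, "news": 7, "uucp": 8, "cron": 9,
              "authpriv": 10, "ftp": 11, "local0": 16, "local1": 17,
              "local2": 18, "local3": 19, "local4": 20, "local5": 21,
              "local6": 22, "local7": 23}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
              "notice": 5, "info": 6, "debug": 7}
# RFC 3164 style header: <PRI>Mmm dd hh:mm:ss HOST MSG
_SYSLOG = re.compile(r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$")


def decode_pri(pri):
    """Split a PRI value into (facility_name, severity_name)."""
    fac_num, sev_num = divmod(pri, 8)
    fac = {v: k for k, v in FACILITIES.items()}.get(fac_num, f"facility{fac_num}")
    sev = {v: k for k, v in SEVERITIES.items()}[sev_num]
    return fac, sev


def parse_line(line):
    """Parse one received syslog line; None if it is not a syslog message."""
    m = _SYSLOG.match(line)
    if not m:
        return None
    fac, sev = decode_pri(int(m.group(1)))
    return {"facility": fac, "severity": sev, "timestamp": m.group(2),
            "host": m.group(3), "msg": m.group(4)}


def find_alerts(lines, facility="local0", max_severity="crit"):
    """Messages on the given facility at max_severity or more severe.
    Lower severity numbers are more severe, so 'crit or above' is <= 2."""
    threshold = SEVERITIES[max_severity]
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["facility"] == facility \
                and SEVERITIES[rec["severity"]] <= threshold:
            hits.append(rec)
    return hits


SAMPLE = [  # constructed messages as a remote syslog server might receive them
    "<134>Mar  3 10:15:01 les1608a portmanager: port03 session opened",        # local0.info
    "<130>Mar  3 10:15:09 les1608a port03: unexpected output on serial console",  # local0.crit
    "<14>Mar  3 10:15:10 les1608a sshd: accepted publickey for fred",           # user.info
]
```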
5.1.8 NMEA STREAMING
The LES1600 can provide GPS NMEA data streaming from the internal GPS /cellular modem. This data stream presents as a serial
data stream on port 5 on the ACM models.
The Common Settings (baud rate, etc.) are ignored when configuring the NMEA serial port. You can specify the Fix Frequency (that is,
the GPS fix rate, which determines how often GPS fixes are obtained). You can also apply all the Console Server Mode, Syslog and Serial
Bridging settings to this port.
NOTE: The NMEA Streaming menu item should display on the Serial & Network > Serial Port menu. If it does not, check the feature set
variables as follows.
setfset -r lists all of the current feature set variables.
Look for the factory_opts variable, and then add 3g-gps to it.
For example, factory_opts=rs485,3g,ind.
To update it to 3g-gps, run:
setfset -u factory_opts=rs485,3g-gps,ind
Then run setfset -r again, and make sure you can see the update.
You can use pmshell, webshell, SSH, RFC2217 or RawTCP to get at the stream.
FIGURE 5-14.
For example, using the Web Terminal:
FIGURE 5-15. MANAGE TERMINAL SCREEN
5.1.9 USB PORTS
Black Box LES1600, LES1516A, LES1532A, LES1548A and LES1700 family console servers running firmware 3.16.5 or later support
USB console connections to devices from a wide range of vendors, including Cisco, HP, Dell and Brocade. Moreover, and aside
from their utility as USB connections, all the USB ports on these console servers can function as plain RS-232 serial ports when a
USB-to-serial adapter is connected.
These USB ports are available as regular portmanager ports and are presented numerically in the web UI after all RJ-45 serial
ports.
The LES1608A, for example, has eight RJ-45 serial ports on the rear of the console server and four USB ports on the front. In Serial
& Network > Serial Port these are listed in the table below.
TABLE 5-3. RJ-45 AND USB PORTS ON THE LES1608A
PORT NUMBER | CONNECTOR
1 | RJ-45
2 | RJ-45
3 | RJ-45
4 | RJ-45
5 | RJ-45
6 | RJ-45
7 | RJ-45
8 | RJ-45
9 | USB
10 | USB
11 | USB
12 | USB
The common settings (baud rate etc.) are used when configuring the ports, but some operations (for example, sending serial
breaks) may not work depending on the implementation of the underlying USB serial chip.
5.1.10 LINK LAYER DISCOVERY PROTOCOL (LLDP)
The Link Layer Discovery Protocol (LLDP) is a protocol that allows system administrators to glean information about devices
physically connected to managed switches. It is available for use on LES1700, LES1516A, LES1532A, LES1548A and LES1600
devices.
The LLDP service is enabled through the System > Services page. When the service is enabled, the lldpd daemon is loaded and
runs. The Service Access tab controls which network interfaces are monitored by the lldpd daemon.
When LLDP is granted access to an interface, it will use that interface even if the interface has been disabled via System > IP.
LLDP neighbors are visible through the Status > LLDP Neighbors page. This page shows neighbors heard, and also indicates the
information that the console manager is sending.
NOTE: Although the LLDP service can be granted access to non-Ethernet interfaces (for example, G3, G4 and PSTN dial-up
interfaces), it currently ignores non-Ethernet interfaces.
The lldpcli shell client interacts with and configures the running LLDP service.
Persistent custom configuration changes can be added to the system through configuration files placed in /etc/config/lldpd.d/.
Custom configuration files—which must have filenames ending with .conf—will be read and executed by lldpcli when the LLDP
service starts.
The /etc/ directory is read-only on Black Box hardware. Most default configuration files otherwise stored in /etc/ are, on Black Box
hardware, in /etc/config/, which is writeable.
The default lldpd configuration file—lldpd.conf—is stored in /etc/config/ on Black Box hardware. It is not safe as a store of custom
configuration details. There are circumstances in which this file is regenerated automatically, in which case all customizations will
be lost.
The /etc/config/lldpd.d/ directory, which is also writable and which is created on first boot, is safe to write to. Any custom LLDP
configurations must be stored as *.conf files in this directory.
When enabled, LLDP frames issued by a Black Box Console Manager will reveal sensitive information such as the hostname and
firmware version.
LLDP frames are not passed through by 802.3ab compliant switches, and Black Box Console Managers have the LLDP service
disabled by default.
Both lldpd and lldpcli have standard man pages but, because of space concerns, these pages are not shipped with Black Box
hardware.
Both man pages are available on the lldpd project web-site: man lldpd is at https://vincentbernat.github.io/lldpd/usage.html#lldpd8,
and man lldpcli is at https://vincentbernat.github.io/lldpd/usage.html#lldpcli8.
NOTE: Black Box uses lldpd 0.9.2.
5.2 ADD AND EDIT USERS
The Administrator uses this menu selection to set up, edit and delete users and to define the access permissions for each of these
users.
Users can be authorized to access specified services, serial ports, power devices and specified network-attached hosts. These
users can also be given full Administrator status (with full configuration and management and access privileges).
To simplify user set up, they can be configured as members of Groups. With firmware V3.5.2 and later, there are six Groups set up
by default (earlier versions only had admin and user by default).
TABLE 5-4. USER GROUPS
GROUP | DESCRIPTION
admin | Provides users with unlimited configuration and management privileges.
pptpd | Group to allow access to the PPTP VPN server. Users in this group will have their password stored in clear text.
dialin | Group to allow access to the dialin server. Users in this group will have their password stored in clear text.
ftp | Group to allow ftp access and file access to storage devices.
pmshell | Group to set default shell to pmshell.
users | Provides users with basic management privileges.
Membership of the admin group provides the user with full Administrator privileges. The admin user (Administrator) can access the
console server using any of the services that have been enabled in System: Services, e.g., if only HTTPS has been enabled, then the
Administrator can only access the console server using HTTPS. Once logged in, they can reconfigure the console server settings
(e.g., to enable HTTP/Telnet for future access). They can also access any of the connected Hosts or serial port devices using any
of the services that have been enabled for these connections. But again the Administrator can reconfigure the access services for
any Host or serial port. So only trusted users should have Administrator access.
Membership of the user group provides the user with limited access to the console server and connected Hosts and serial devices.
These Users can access only the Management section of the Management Console menu and they have no command line access
to the console server. They also can only access those Hosts and serial devices that have been checked for them, using services
that have been enabled.
If a user is set up with pptpd, dialin, ftp or pmshell group membership, he will have restricted user shell access to the nominated
managed devices but will not have any direct access to the console server itself. To add this, the user must also be a member of
the "users" or "admin" groups.
The Administrator can also set up additional Groups with specific power device, serial port and host access permissions. Users in
these additional groups don’t have any access to the Management Console menu nor do they have any command line access to the
console server itself.
The Administrator can also set up users with specific power device, serial port and host access permissions, who are not a
member of any Groups. Similarly, these users don’t have any access to the Management Console menu, nor do they have any
command line access to the console server itself.
For convenience, the SDT Connector “Retrieve Hosts” function retrieves and auto-configures checked serial ports and checked
hosts only, even for admin group users.
5.2.1 SETUP NEW GROUPS
To set up new Groups and new users, and to classify users as members of particular Groups:
Select Serial & Network > Users & Groups to display the configured Groups and Users.
Click Add Group to add a new Group.
FIGURE 5-16. ADD NEW GROUP SCREEN
Add a Group name and Description for each new Group, then nominate the Accessible Hosts, Accessible Ports and Accessible RPC
Outlet(s) that you wish any users in this new Group to be able to access.
Click Apply.
The Administrator can Edit or Delete any added group.
5.2.2 SETUP NEW USERS
To set up new users, and to classify users as members of particular Groups:
Select Serial & Network > Users & Groups to display the configured Groups and Users.
Click Add User to add a new user.
Add a Username for each new user. You may also include information related to the user (e.g. contact details) in the Description field.
NOTE: The User Name can contain from 1 to 127 alphanumeric characters as well as the following characters: - _ .
(hyphen, underscore, and full-stop or period).
Specify which Group (or Groups) you wish the user to be a member of.
Add a confirmed Password for each new user.
NOTE: A user’s Password can contain up to 254 characters. There are no restrictions on what characters are allowed in a
password.
SSH pass-key authentication can be used. This is more secure than password-based authentication. Paste the public keys of
authorized public/private keypairs for this user in the Authorized SSH Keys field.
Check Disable Password Authentication if you wish to only allow public key authentication for this user when using SSH.
Check Enable Dial-Back in the Dial-in Options menu to allow an out-going dial-back connection to be triggered by logging into this
port.
Enter the Dial-Back Phone Number to call-back when the user logs in.
Check specific Accessible Hosts and Accessible Ports to nominate the serial ports and network connected hosts you wish the user
to have access privileges to.
If there are configured RPCs, you can check Accessible RPC Outlets to specify which outlets the user is able to control (that is,
power on and off).
Click Apply.
The new user will now be able to access the Network Devices, Ports and RPC Outlets you nominated as accessible. If the user is a
Group member, they can also access any other device/port/outlet that was set up as accessible to the Group.
NOTE: There are no specific limits on user number; nor on the number of users per serial port or host. So multiple users (Users
and Administrators) can control or monitor a port or host. Similarly, there are no specific limits on the group number and
users can be a member of a number of Groups (and gain the cumulative access privileges of each Group). A user does not
have to be a member of any Groups (but if the User is not even a member of the default user group, then they cannot use the
Management Console to manage ports).
NOTE: While there are no specific limits, the time to re-configure does increase as the number and complexity increases. The
aggregate number of users and groups should be kept under 250.
The Administrator can also edit the access settings for any existing users:
Select Serial & Network > Users & Groups and click Edit to modify User access privileges.
Alternatively click Delete to remove the user or Disable to temporarily block access.
NOTE: For more on enabling the SDT Connector so each user has secure tunneled remote RDP/VNC/Telnet/HTTP/HTTPS/SoL
access to the network connected hosts, see Chapter 7.
5.3 AUTHENTICATION
See Chapter 10 for authentication configuration details.
5.4 NETWORK HOSTS
To monitor and remotely access a locally networked computer or device (referred to as a Host), identify the Host and specify the
TCP or UDP ports/services used to control that Host.
Select Serial & Network > Network Hosts.
All network-connected Hosts that have been enabled for access are listed, together with their related access TCP ports/services.
Click Add Host to enable a new Host, or select Edit to update an existing Host's settings.
Enter the IP Address or the DNS Name and Host Name (up to 254 alphanumeric characters) for the new network connected Host.
Enter a Description (this is an optional step).
Add or edit the Permitted Services (or TCP/UDP port numbers) that are authorized to be used in controlling this host.
Only these permitted services will be forwarded through by SDT to the Host. All other services (TCP/UDP ports) will be blocked.
Set the Logging Level.
This specifies the level of information to be logged and monitored for each Host access. See Chapter 8 for more information.
If the Host is a PDU or UPS power device or a server with IPMI power control, specify RPC (for IPMI and PDU) or UPS and the Device
Type.
The Administrator can configure these devices and enable which users have permissions to remotely cycle power etc. (see Chapter
9). Otherwise, leave the Device Type set to None.
FIGURE 5-17. ENTER DEVICE TYPE
If the console server has been configured with distributed Nagios monitoring enabled then you will also be presented with Nagios
Settings options to enable nominated services on the Host to be monitored. See Chapter 11 for more information.
Click Apply.
This will create the new Host and also create a new Managed Device (with the same name).
5.5 TRUSTED NETWORKS
The Trusted Networks facility allows you to nominate the specific IP addresses (or subnets) where users (Administrators and Users) must be located in order to access console server serial ports:
Select Serial & Network > Trusted Networks.
Click Add Rule to add a new trusted network.
FIGURE 5-18. SERIAL & NETWORK: TRUSTED NETWORKS SCREEN, ADD RULE
NOTE: In the absence of Rules, there are no access limitations as to the IP address where Users or Administrators can be located.
Select the Accessible Port(s) that the new rule is to be applied to.
FIGURE 5-19. SERIAL & NETWORK: TRUSTED NETWORKS SCREEN
Enter the Network Address of the subnet to be permitted access.
Specify the range of addresses that are to be permitted by entering a Network Mask for that permitted IP range.
For example, to permit all users located in the 204.15.5.0 Class C network to connect to the nominated port, add the following Trusted Network rule:
Network IP address: 204.15.5.0
Subnet Mask: 255.255.255.0
To permit only the user located at a specific IP address (in this case 204.15.5.13) to connect:
Network IP address: 204.15.5.13
Subnet Mask: 255.255.255.255
To allow all users operating from within a specific range of IP addresses (in this case the /27 block 204.15.5.128 to 204.15.5.159, whose 30 usable host addresses are 204.15.5.129 to 204.15.5.158) to connect to the nominated port:
Network IP address: 204.15.5.128
Subnet Mask: 255.255.255.224
Click Apply.
NOTE: The above Trusted Networks rules limit access by Users and Administrators to the console serial ports only. They do not restrict access by the Administrator to the console server itself or to attached hosts, so they are not a substitute for firewalling the management interfaces. To change the default settings for this access, you will need to edit the IPtables rules as described in Chapter 16.
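The rule matching described above, as an added example that is not part of the manual or of Black Box's firmware. It models a Trusted Networks rule as a plain prefix match of the Network IP address and Subnet Mask (the behaviour the three examples imply), converts a dotted mask to the CIDR prefix length used elsewhere in this chapter, reproduces the "30 addresses" count for the /27 example, and applies the NOTE that an empty rule list means no restriction. The rule table and client addresses are constructed for the example.

```python
"""Trusted Networks rule check (added example, not Black Box code)."""
from ipaddress import ip_address, ip_network

# Constructed rules mirroring the manual's three examples, one port each.
RULES = {
    "port 3": [("204.15.5.0", "255.255.255.0")],        # whole Class C
    "port 4": [("204.15.5.13", "255.255.255.255")],     # single host
    "port 5": [("204.15.5.128", "255.255.255.224")],    # 204.15.5.128/27
}


def mask_to_prefix(mask: str) -> int:
    """Dotted netmask -> CIDR prefix length (255.255.255.224 -> 27).
    Rejects non-contiguous masks such as 255.0.255.0, which the GUI
    would otherwise turn into a rule that matches something unexpected."""
    bits = int(ip_address(mask))
    prefix = bin(bits).count("1")
    if bits != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous netmask {mask}")
    return prefix


def rule_network(address: str, mask: str):
    """(Network IP address, Subnet Mask) -> ip_network. strict=False so a
    host rule such as 204.15.5.13/32 is accepted exactly as entered."""
    return ip_network(f"{address}/{mask_to_prefix(mask)}", strict=False)


def is_trusted(client_ip: str, rules) -> bool:
    """True if the client may reach the port. With no rules at all the
    manual's NOTE applies: no restriction, so every address is allowed."""
    if not rules:
        return True
    ip = ip_address(client_ip)
    return any(ip in rule_network(addr, mask) for addr, mask in rules)


def usable_hosts(address: str, mask: str) -> int:
    """Host addresses in the rule's range excluding the network and
    broadcast addresses (the manual's 30 addresses for a /27)."""
    net = rule_network(address, mask)
    return net.num_addresses - 2 if net.prefixlen < 31 else net.num_addresses


if __name__ == "__main__":
    for port, rules in RULES.items():
        for ip in ("204.15.5.13", "204.15.5.77", "204.15.5.129", "204.15.5.160"):
            print(port, ip, "allowed" if is_trusted(ip, rules) else "blocked")
```

Note that the prefix match admits the network and broadcast addresses of the block as well (204.15.5.128 and .159 for the /27), which is why the manual's "30 addresses" is the usable-host count rather than the number of addresses the rule matches.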
5.6 SERIAL PORT CASCADING
Cascaded Ports enables you to cluster distributed console servers so up to 1000 serial ports can be configured and accessed
through one IP address and managed through the one Management Console. One console server, the Master, controls other
console servers as Slave units and all the serial ports on the Slave units appear as if they are part of the Master.
Black Box’s clustering connects each Slave to the Master with an SSH connection. This is done using public key authentication
so the Master can access each Slave using the SSH key pair (rather than using passwords). This ensures secure authenticated
communications between Master and Slaves enabling the Slave console server units to be distributed locally on a LAN or remotely
around the world.
5.6.1 AUTOMATICALLY GENERATE AND UPLOAD SSH KEYS
To set up public key authentication, first generate an RSA or DSA key pair and upload them into the master and slave console
servers. This can be done automatically from the Master.
Select System > Administration on the master’s Management Console.
Check Generate SSH keys automatically.
Click Apply.
Next, select whether to generate keys using RSA and/or DSA (if unsure, select only RSA; DSA keys are limited to 1024 bits and current OpenSSH releases refuse ssh-dss keys by default).
FIGURE 5-20. SSH KEYS SCREEN
Generating each set of keys takes approximately two minutes, and the new keys replace any old keys of that type that may previously have been uploaded. Also, while generation is underway on the master, functions relying on SSH keys (e.g. cascading) may stop working until they are updated with the new set of keys. To generate keys:
Check RSA Keys, DSA Keys, or both.
Click Apply.
Once the new keys have been generated, Click here to return and the keys will automatically be uploaded to the master and connected
slaves.
5.6.2 MANUALLY GENERATE AND UPLOAD SSH KEYS
To manually upload the public and private key pair to the Master console server:
Select System > Administration on the master’s Management Console.
Browse to the location you have stored RSA (or DSA) Public Key and upload it to SSH RSA (DSA) Public Key.
Browse to the stored RSA (or DSA) Private Key and upload it to SSH RSA (DSA) Private Key.
Click Apply.
Next, you must register the Public Key as an Authorized Key on the slave. In the simple case with only one master with multiple
slaves, you need only upload the one RSA or DSA public key for each slave.
NOTE: The use of key pairs can be confusing as in many cases one file (Public Key) fulfills two roles—Public Key and Authorized Key.
For a more detailed explanation see Authorized in Section 16.6. Also refer to this chapter if you need to use more than one set
of Authorized Keys in the slave.
Select System > Administration on the slave’s Management Console.
FIGURE 5-21. SYSTEM ADMINISTRATION SCREEN
Browse again to the stored RSA (or DSA) Public Key and upload it to Slave’s SSH Authorized Key.
Click Apply.
The next step is to fingerprint each new master-slave connection. This once-off step validates that the Master is establishing an SSH session with the Slave you think it is. On the first connection the Master receives the Slave's host key fingerprint; it is recorded and checked against the Slave's key on all future connections.
Log in to the master console server as root.
Establish an SSH connection to the remote slave host:
# ssh remote-host-name
Once the SSH connection has been established, you will be asked to accept the key. Compare the fingerprint shown with the Slave's host key fingerprint obtained out of band (for example, from the Slave's own console) before answering yes; the fingerprint is then added to the list of known hosts. For more details on Fingerprinting see Section 16.6.
NOTE: If you are asked to supply a password, then there is a problem with the uploaded keys. Working keys remove any need to supply a password.
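The out-of-band comparison behind the fingerprint step, as an added example that is not part of the manual or of Black Box's firmware. It reads an OpenSSH public key line (the form found in a host's ssh_host_rsa_key.pub or an authorized_keys file), computes the SHA256 and legacy MD5 fingerprints in the formats ssh prints, compares a shown fingerprint against the expected one in constant time, and flags key types and sizes a current OpenSSH rejects by default. The sample key is built from a made-up 2048-bit modulus inside the block (the encode_ssh_rsa helper exists only to construct it); it is not a real key, and the fingerprints it yields are meaningless outside this example.

```python
"""SSH public key fingerprinting for the cascading fingerprint step
(added example, not Black Box code)."""
import base64
import hashlib
import hmac
import struct


def _ssh_string(b: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b


def _ssh_mpint(n: int) -> bytes:
    """SSH wire 'mpint': big-endian, with a leading 0x00 if the top bit is set."""
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if b[0] & 0x80:
        b = b"\x00" + b
    return _ssh_string(b)


def encode_ssh_rsa(e: int, n: int) -> str:
    """Build a 'ssh-rsa AAAA...' line from (e, n). Used here only to construct
    the sample key; a real host key comes from ssh-keygen."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode()


def parse_pubkey_line(line: str):
    """Return (key type, raw blob, RSA modulus bits or None) for a key line."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("malformed key line")
    blob = base64.b64decode(fields[1])
    pos = 0

    def take() -> bytes:
        nonlocal pos
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        pos += 4
        out = blob[pos:pos + length]
        pos += length
        return out

    ktype = take().decode()
    if ktype != fields[0]:
        raise ValueError("key type inside blob does not match the line prefix")
    bits = None
    if ktype == "ssh-rsa":
        take()                                   # public exponent e
        bits = int.from_bytes(take(), "big").bit_length()
    return ktype, blob, bits


def fingerprints(line: str):
    """OpenSSH-style fingerprints: 'SHA256:<base64, no padding>' and 'MD5:aa:bb:...'."""
    _, blob, _ = parse_pubkey_line(line)
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    md5 = ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())
    return "SHA256:" + sha, "MD5:" + md5


def _norm(fp: str) -> str:
    fp = fp.strip()
    for prefix in ("SHA256:", "MD5:"):
        if fp.upper().startswith(prefix):
            fp = fp[len(prefix):]
    return fp.lower() if ":" in fp else fp      # hex is case-insensitive, base64 is not


def fingerprint_matches(shown: str, expected: str) -> bool:
    """Constant-time comparison of the fingerprint ssh displayed against the
    one obtained out of band, tolerating a missing prefix or hex case."""
    return hmac.compare_digest(_norm(shown).encode(), _norm(expected).encode())


def check_key(line: str, min_rsa_bits: int = 2048):
    """Reject what a current OpenSSH will not accept by default."""
    ktype, _, bits = parse_pubkey_line(line)
    if ktype == "ssh-dss":
        return False, "DSA keys are 1024-bit and disabled by default in modern OpenSSH"
    if ktype == "ssh-rsa" and bits < min_rsa_bits:
        return False, f"RSA key is only {bits} bits"
    return True, f"{ktype} {bits or ''}".strip()


# Constructed sample: a 2048-bit odd number standing in for a real modulus.
SAMPLE_KEY = encode_ssh_rsa(65537, (1 << 2047) | 0x10001)

if __name__ == "__main__":
    print(check_key(SAMPLE_KEY))
    for fp in fingerprints(SAMPLE_KEY):
        print(fp)
```

On a real deployment, run `ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub` on the Slave (add `-E md5` for the older format) and feed that value to fingerprint_matches as the expected side when the Master's first `ssh` prompt appears.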
5.6.3 CONFIGURE THE SLAVES AND THEIR SERIAL PORTS
You can now begin setting up the slaves and configuring slave serial ports from the master console server.
Select Serial & Network > Cascaded Ports on the master’s Management Console.
FIGURE 5-22. SERIAL & NETWORK: CASCADED PORTS SCREEN
Click Add Slave to add clustering support.
NOTE: You cannot add any slaves until you have automatically or manually generated SSH keys.
To define and configure a slave:
Enter the remote IP Address (or DNS Name) for the Slave console server.
Enter a brief Description and a short Label for the slave.
Use a convention here that enables effective management of large networks of clustered console servers and the connected devices.
Enter the full number of serial ports on the slave unit in Number of Ports.
Click Apply.
This will establish the SSH tunnel between the master and the new slave.
The Serial & Network > Cascaded Ports menu displays all the slaves and the port numbers that have been allocated on the master. If the
master console server has 16 ports of its own, then ports 1–16 are pre-allocated to the master, so the first slave added will be assigned port
number 17 onwards.
Once you have added all the slave console servers, the slave serial ports and the connected devices are configurable and accessible from
the master’s Management Console menu and accessible through the Master’s IP address.
Select the appropriate Serial & Network > Serial Port and Edit to configure the serial ports on the slave.
Select the appropriate Serial & Network > Users & Groups to add new users with access privileges to the slave serial ports (or to
extend existing users access privileges).
Select the appropriate Serial & Network > Trusted Networks to specify network addresses that can access nominated slave serial
ports.
Select the appropriate Alerts & Logging > Alerts to configure slave port Connection, State Change or Pattern Match alerts.
Click Apply.
The configuration changes made on the master are propagated out to all the Slaves.
5.6.4 MANAGING THE SLAVES
FIGURE 5-23. SLAVE CONFIGURATION (PortShare clients, console servers and serial port devices)
The master is in control of the slave serial ports. So, for example, if you change a user's access privileges or edit any serial port setting on the master, the updated configuration files will be sent out to each slave in parallel. Each slave will then automatically update its local configuration (making only those changes that relate to its particular serial ports).
You can still use the local slave Management Console to change the settings on any slave serial port (such as altering the baud rate). These changes will be overwritten the next time the master sends out a configuration file update.
While the master is in control of all slave serial port related functions, it is not master over the slave network host connections or
over the slave console server system itself.
So slave functions such as IP, SMTP & SNMP Settings, Date & Time and DHCP server must be managed by accessing each slave directly, and these functions are not overwritten when configuration changes are propagated from the master. Similarly, the slaves' Network Host and IPMI settings have to be configured at each slave.
The master's Management Console provides a consolidated view of the settings for its own and all of the slaves' serial ports, but it does not provide a fully consolidated view of everything. For example, if you want to find out who is logged in to cascaded serial ports from the master, you will see that Status > Active Users only displays those users active on the master's ports, so you may need to write custom scripts to provide this view. This is covered in Chapter 12.
5.7 SERIAL PORT REDIRECTION (PORTSHARE)
PortShare software delivers the virtual serial port technology your Windows and Linux applications need to open remote serial ports and
read the data from serial devices that are connected to your console server.
PortShare is supplied free with each console server and you are licensed to install PortShare on one or more computers for accessing
any serial device connected to a console server port.
PortShare for Windows
The portshare_setup.exe program is included on the CD supplied with your console server. A copy can be freely downloaded from the ftp
site. Refer to the PortShare User Manual and Quick Start for details on installation and operation.
PortShare for Linux
The PortShare driver for Linux maps the console server serial port to a host tty port. Black Box has released the portshare-serial-client as
an open source utility for Linux, AIX, HPUX, SCO, Solaris and UnixWare. This utility can be freely downloaded from the ftp site.
The PortShare serial port redirector allows you to use a serial device connected to the remote console server as if it were connected to
your local serial port. The portshare-serial-client creates a pseudo tty port, connects the serial application to the pseudo tty port, receives
data from the pseudo tty port, transmits it to the console server through network and receives data from the console server through
network and transmits it to the pseudo-tty port.
The .tar file can be freely downloaded from the ftp site. Refer to the PortShare User Manual and Quick Start for details on installation and
operation.
5.8 MANAGED DEVICES
Managed Devices presents a consolidated view of all the connections to a device that can be accessed and monitored through the
console server. To view the connections to the devices:
Select Serial & Network > Managed Devices.
This screen displays all the Managed Devices with their Description, Notes and lists of all the configured Connections:
- Serial Port #: if serially connected.
- USB: if USB connected.
- IP Address: if network connected.
- Power PDU/outlet: if applicable.
- UPS connections: if applicable.
Devices such as servers will commonly have more than one power connection and more than one network connection
(for example, for BMC/service processor).
All users can view (but not edit) these Managed Device connections by selecting Manage > Devices. The Administrator can edit,
add to and delete Managed Devices and connections.
To edit an existing device and add a new connection:
Select Serial & Network > Managed Devices.
Click Edit.
Click Add Connection.
Select the connection type for the new connection (Serial, Network Host, UPS or RPC).
Select the specific connection from the presented list of configured unallocated hosts/ports/outlets.
FIGURE 5-24. EDIT AN EXISTING DEVICE SCREEN
To add a new network connected Managed Device:
The Administrator adds a new network connected Managed Device using Add Host on the Serial & Network > Network Host menu.
This automatically creates a corresponding new Managed Device (as covered in Section 5.4).
When adding a new network connected RPC or UPS power device, you set up a Network Host, designate it as RPC or UPS, then go to
RPC Connections (or UPS Connections) to configure the relevant connection.
A corresponding new Managed Device (with the same Name and Description as the RPC/UPS Host) is not created until this
connection step is completed (see Chapter 10).
NOTE: The outlet names on a newly created PDU will, by default, be “Outlet 1” and “Outlet 2.” When you connect a particular Managed
Device (that draws power from the outlet) the outlet will take up the name of the powered Managed Device.
To add a new serially connected Managed Device:
Configure the serial port using the Serial & Network > Serial Port menu (see Section 5.1).
Select Serial & Network > Managed Devices.
Click Add Device.
Enter a Device Name and Description for the Managed Device.
Click Add Connection and select Serial and the Port that connects to the Managed Device.
Click Add Connection to add a UPS/RPC power connection or network connection or another serial connection.
Click Apply.
NOTE: To set up a new serially connected RPC, UPS or EMD device, you configure the serial port, designate it as a Device, then enter a Name and Description for that device in Serial & Network: RPC Connections (or UPS Connections or Environmental). When applied,
this will automatically create a corresponding new Managed Device with the same Name and Description as the RPC/UPS Host
(see Chapter 9).
NOTE: The outlet names on the PDU will, by default, be “Outlet 1” and “Outlet 2.” When you connect a particular Managed Device
(that draws power from the outlet) the outlet will take up the name of the powered Managed Device.
5.9 IPSEC VLAN
The LES1600, LES1516A, LES1532A, LES1548A, and LES1700 family of advanced console servers include a Linux implementation of the
IPsec (IP Security) protocols, which can be used to configure a Virtual Private Network (VPN). The VPN allows multiple sites or remote
administrators to access the Black Box advanced console server (and Managed Devices) securely over the Internet.
The administrator can establish encrypted authenticated VPN connections between advanced console servers distributed at remote
sites and a VPN gateway (such as Cisco router running IOS IPsec) on their central office network.
Users and administrators at the central office can then securely access the remote console servers and connected serial console
devices and machines on the Management LAN subnet at the remote location as though they were local.
With serial bridging, serial data from a controller machine at the central office can be securely connected to the serially controlled devices at the remote sites (see Section 5.1).
The road warrior administrator can use a VPN IPsec software client such as TheGreenBow (https://thegreenbow.com/) or Shrew Soft
(https://shrew.net/) to remotely access the advanced console server and every machine on the Management LAN subnet at the remote
location.
Configuration of IPsec is quite complex so Black Box provides a simple GUI interface for basic set up as described below.
ENABLE THE VPN GATEWAY
Select Serial & Networks > IPsec VPN.
Click Add.
Complete the Add IPsec Tunnel screen.
Enter a descriptive name to identify the added IPsec Tunnel. For example West-St-Outlet.
Select the Authentication Method: either RSA digital signatures or a Shared secret (PSK).
If you select RSA, you will be asked to click here to generate keys. This generates an RSA public key for the console server (the Left Public Key). You will need to obtain the public key used on the remote gateway, then cut and paste it into the Right Public Key.
If you select Shared secret, you will need to enter a Pre-shared secret (PSK). The PSK must match the PSK configured at the
other end of the tunnel.
In Authentication Protocol, select the authentication protocol to be used. Either authenticate as part of ESP (Encapsulating
Security Payload) encryption or separately using the AH (Authentication Header) protocol.
Enter a Left ID and Right ID. This is the identifier that the Local host/gateway and remote host/gateway use for IPsec negotiation
and authentication.
Each ID must include an @ and can include a fully qualified domain name preceded by @ (for example, left@example.com).
FIGURE 5-25. ADD IPSEC TUNNEL SCREEN
Enter the public IP or DNS address of this Black Box VPN gateway as the Left Address. You can leave this blank to use the interface
of the default route.
In Right Address, if the remote end has a static or dyndns address, enter the public IP or DNS address of the remote end of the tunnel.
Otherwise, leave this blank.
If the Black Box VPN gateway serves as a VPN gateway to a local subnet (e.g., the console server has a Management LAN configured)
enter the private subnet details in Left Subnet.
Use the CIDR notation, where the IP address number is followed by a slash and the number of ‘one’ bits in the binary notation of the
netmask.
For example 192.168.0.0/24 indicates an IP address where the first 24 bits are used as the network address. This is the same as
255.255.255.0.
If the VPN access is only to the console server itself and to its attached serial console devices then leave Left Subnet blank.
If there is a VPN gateway at the remote end, enter the private subnet details in Right Subnet.
Again use CIDR notation and leave blank if there is only a remote host.
Select Initiate Tunnel if the tunnel connection is to be initiated from the Left console server end.
This can only be initiated from the VPN gateway (Left) if the remote end was configured with a static (or dyndns) IP address.
Click Apply to save changes.
NOTE: It is essential the configuration details set up on the advanced console server (referred to as the Left or Local host) exactly
matches the set up entered when configuring the Remote (Right) host/gateway or software client.
5.10 OPENVPN
The LES1600, LES1516A, LES1532A, LES1548A, and LES1700 family of advanced console servers with Firmware v3.2 and later include OpenVPN. OpenVPN uses the OpenSSL library for encryption, authentication, and certificate handling, which means it uses SSL/TLS (Secure Sockets Layer/Transport Layer Security) for key exchange and can encrypt both data and control channels. Using OpenVPN allows for the building of cross-platform, point-to-point VPNs using either X.509 PKI (Public Key Infrastructure) or custom configuration files.
FIGURE 5-26. OPENVPN SCREEN
OpenVPN allows secure tunneling of data through a single TCP/UDP port over an unsecured network, thus providing secure access
to multiple sites and secure remote administration to a console server over the Internet.
OpenVPN also allows the use of dynamic IP addresses by both the server and client, thus providing client mobility. For example, an OpenVPN tunnel may be established between a roaming Windows client and a Black Box advanced console server within a data center.
Configuration of OpenVPN can be complex so Black Box provides a simple GUI interface for basic set up as described next.
5.10.1 ENABLE THE OPENVPN
Select Serial & Networks > OpenVPN.
Click Add.
Fill-out the required fields on the Add OpenVPN Tunnel screen.
Enter a descriptive name to identify the added OpenVPN Tunnel. For example West-St-Outlet.
Select the authentication method to be used.
To authenticate using certificates, select PKI (X.509 Certificates).
To authenticate using a custom configuration, select Custom Configuration to upload custom configuration files.
NOTE: Custom configurations must be stored in /etc/config.
If you select PKI (public key infrastructure), you will need to establish:
- a separate certificate (also known as a public key) for the server and each client. This Certificate File will be a *.crt file type.
- a Private Key for the server and each client. This Private Key File will be a *.key file type.
- a master Certificate Authority (CA) certificate and key, which is used to sign each of the server and client certificates. This Root CA Certificate will be a *.crt file type. Only the CA certificate is uploaded to the console server; keep the CA private key elsewhere, since anyone holding it can mint client certificates the server will trust.
- for a server, you may also need dh1024.pem (Diffie-Hellman parameters). 1024-bit parameters are the historical default; generate 2048-bit or larger parameters and reference the file with the dh option.
FIGURE 5-27. SERVER DETAILS SCREEN
See http://openvpn.net/easyrsa.html for a guide to basic RSA key management. For alternative authentication methods see http://
openvpn.net/index.php/documentation/howto.html#auth. For more information also see http://openvpn.net/howto.html.
Select the Device Driver to be used, either Tun-IP or Tap-Ethernet.
The TUN (network tunnel) and TAP (network tap) drivers are virtual network drivers that support IP tunneling and Ethernet tunneling,
respectively. TUN and TAP are part of the Linux kernel.
Select either UDP or TCP as the Protocol.
UDP is the default and preferred protocol for OpenVPN.
In Tunnel Mode, nominate whether this is the Client or Server end of the tunnel.
When running as a server, the advanced console server supports multiple clients connecting to the VPN server over the same port.
Check or uncheck the Compression button to enable or disable compression.
5.10.2 CONFIGURE AS SERVER OR CLIENT
Complete the Client Details or Server Details depending on the Tunnel Mode selected.
If Client is selected, the Primary Server Address will be the address of the OpenVPN Server.
FIGURE 5-28. CLIENT DETAILS SCREEN
If Server is selected, enter the IP Pool Network address and the IP Pool Network mask for the IP Pool. The IP Pool Network provides
addresses for connecting clients.
Click Apply.
To enter authentication certificates and files, Edit the OpenVPN tunnel.
FIGURE 5-29. MANAGE OPENVPN FILES SCREEN
Select the Manage OpenVPN Files tab. Upload or browse to relevant authentication certificates and files.
Click Apply.
Saved files will be displayed in red to the right-hand side of the Upload button.
FIGURE 5-30. SAVED FILES DISPLAYED ON SCREEN
To enable OpenVPN, Edit the OpenVPN tunnel.
Check the Enabled checkbox.
Click Apply.
Select Status > Statistics to verify that the tunnel is operational.
FIGURE 5-31. STATISTICS
NOTE: The console server system time must be correct, otherwise, authentication issues can arise.
5.10.3 WINDOWS OPENVPN CLIENT AND SERVER SETUP
Windows does not come standard with any OpenVPN server or client. This section outlines the installation and configuration of a
Windows OpenVPN client or a Windows OpenVPN server and setting up a VPN connection to a console server.
Console servers with firmware V3.5.2 and later will generate Windows client config automatically from the GUI for Pre-shared
Secret (Static Key File) configurations.
Alternatively, OpenVPN GUI for Windows software (which includes the standard OpenVPN package plus a Windows GUI) can be downloaded from https://openvpn.net/.
Once installed on the Windows machine, an OpenVPN icon will present in the Notification Area located in the right side of the
task bar.
Right click on this icon to start (and stop) VPN connections, and to edit configurations and view logs.
When the OpenVPN software is started, the C:\Program Files\OpenVPN\config folder will be scanned for .ovpn files. This folder is rechecked for new configuration files whenever the OpenVPN GUI icon is right-clicked.
FIGURE 5-32. OPENVPN GUI ICON
Once the OpenVPN client is installed, a configuration file needs to be created. Using a text editor, create an xxxx.ovpn file and save it in C:\Program Files\OpenVPN\config\. For example, C:\Program Files\OpenVPN\config\client.ovpn.
An example OpenVPN Windows client configuration file:
# description: LES1416A_client
client
proto udp
verb 3
dev tun
# address of the console server's OpenVPN server end
remote 192.168.250.152
port 1194
# CA certificate plus this client's own certificate and private key
ca c:\\openvpnkeys\\ca.crt
cert c:\\openvpnkeys\\client.crt
key c:\\openvpnkeys\\client.key
nobind
persist-key
persist-tun
comp-lzo
An example OpenVPN Windows server configuration file:
# address pool handed out to connecting clients
server 10.100.10.0 255.255.255.0
port 1194
keepalive 10 120
proto udp
mssfix 1400
persist-key
persist-tun
dev tun
# CA certificate, the server's certificate and private key, and DH parameters
ca c:\\openvpnkeys\\ca.crt
cert c:\\openvpnkeys\\server.crt
key c:\\openvpnkeys\\server.key
dh c:\\openvpnkeys\\dh.pem
comp-lzo
verb 1
syslog LES1416A_OpenVPN_Server
The Windows client/server configuration file options are listed in the next table:
TABLE 5-5. WINDOWS CLIENT/SERVER CONFIGURATION FILE OPTIONS
OPTION: DESCRIPTION
# comments and notes: Lines beginning with # are ignored by OpenVPN.
client or server: Specify whether this will be a client or server configuration file. In the server configuration file, define the IP address pool and netmask. For example: server 10.100.10.0 255.255.255.0
proto [udp | tcp]: Set the protocol. Client and server must be the same.
mssfix size: Set a packet's maximum size. Only useful for UDP if problems occur.
verb level: Set log-file verbosity. Values range from 0–15. 0 = silent except for fatal errors. 3 = medium output logging, good for general use. 5 = helps with debugging connection problems. 9 = extremely verbose, excellent for troubleshooting.
dev [tun | tap]: Set dev tun to create a routed IP tunnel. Set dev tap to create an Ethernet tunnel. Client and server must be the same.
remote host: Set the hostname or IP address of the OpenVPN server. Mandatory, but a client-only setting.
port: The UDP or TCP port of the OpenVPN server.
keepalive ping-value down-value: Uses ping to keep the OpenVPN session alive. For example, keepalive 10 120 pings the server every ten seconds and assumes the remote peer is down if no ping is received after 120 seconds (two minutes).
ca file-name: Enter the CA certificate file name and location. The same CA certificate can be used by the server and all clients. Ensure each \ in the directory path is escaped. For example, c:\openvpnkeys\ca.crt must be entered as c:\\openvpnkeys\\ca.crt
TABLE 5-5 (CONTINUED). WINDOWS CLIENT/SERVER CONFIGURATION FILE OPTIONS
OPTION: DESCRIPTION
cert file-name: Enter the client's or server's certificate file name and location. Each client should have its own certificate and key files. As above, each \ in the directory path must be escaped.
key file-name: Enter the client's or server's key file name and location. Each client should have its own certificate and key files. As above, each \ in the directory path must be escaped.
dh file-name: Enter the path to the file with the Diffie-Hellman parameters. A server-only setting.
nobind: Used when clients do not need to bind to a local address or specific local port number. This is the case in most client configurations.
persist-key: Prevents the reloading of keys across restarts.
persist-tun: Prevents the closing and reopening of TUN/TAP devices across restarts.
cipher name: Sets the cryptographic cipher. BF-CBC (Blowfish) is the default if no cipher is explicitly set. The client and server must use the same setting. Blowfish is a 64-bit block cipher and is no longer a safe default, so set an AES cipher explicitly (for example cipher AES-256-CBC) on both ends.
comp-lzo: Enables compression on the OpenVPN link. If enabled, it must be set on the client and the server.
syslog [name]: Log output is written to syslog on Linux or Unix. On Windows, when running as a service, logs are located in \Program Files\OpenVPN\log\.
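The pairing rules Table 5-5 states in prose (proto, dev, comp-lzo and cipher must agree on both ends; the client needs remote; the server needs server and dh), applied mechanically to a client and a server file, as an added example that is not part of the manual, of Black Box's firmware or of OpenVPN. It parses the two configuration files, reports mismatches as errors, and warns when neither side sets cipher, since both then silently fall back to BF-CBC. The two configurations embedded below are constructed from the manual's examples; the key paths are placeholders and the hypothetical check_pair function is the example's own.

```python
"""OpenVPN client/server consistency check (added example, not Black Box code)."""
from collections import defaultdict

# Constructed from the manual's example client configuration.
CLIENT_CONF = r"""
# description: LES1416A_client
client
proto udp
verb 3
dev tun
remote 192.168.250.152
port 1194
ca c:\\openvpnkeys\\ca.crt
cert c:\\openvpnkeys\\client.crt
key c:\\openvpnkeys\\client.key
nobind
persist-key
persist-tun
comp-lzo
"""

# Constructed from the manual's example server configuration.
SERVER_CONF = r"""
server 10.100.10.0 255.255.255.0
port 1194
keepalive 10 120
proto udp
mssfix 1400
persist-key
persist-tun
dev tun
ca c:\\openvpnkeys\\ca.crt
cert c:\\openvpnkeys\\server.crt
key c:\\openvpnkeys\\server.key
dh c:\\openvpnkeys\\dh.pem
comp-lzo
verb 1
syslog LES1416A_OpenVPN_Server
"""


def parse_ovpn(text: str):
    """Map each option name to the list of argument lists it appears with.
    Lines starting with # or ; are comments, as in OpenVPN."""
    opts = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        name, *args = line.split()
        opts[name].append(args)
    return opts


def _first(opts, name, default=None):
    return opts[name][0] if name in opts else default


def remote_port(client) -> int:
    """Port the client connects to: explicit port on the remote line, else its
    own 'port' value, else OpenVPN's default of 1194."""
    remote = _first(client, "remote")
    if remote and len(remote) > 1:
        return int(remote[1])
    port = _first(client, "port")
    return int(port[0]) if port else 1194


def check_pair(client_text: str, server_text: str):
    """Return (errors, warnings) for a client/server configuration pair."""
    c, s = parse_ovpn(client_text), parse_ovpn(server_text)
    errors, warnings = [], []
    for role, opts, required in (("client", c, ("client", "remote", "ca", "cert", "key")),
                                 ("server", s, ("server", "dh", "ca", "cert", "key"))):
        for opt in required:
            if opt not in opts:
                errors.append(f"{role} config lacks '{opt}'")
    for opt in ("proto", "dev"):
        cv, sv = _first(c, opt), _first(s, opt)
        if cv != sv:
            show = lambda v: " ".join(v) if v else "unset"
            errors.append(f"'{opt}' differs: client {show(cv)} vs server {show(sv)}")
    if ("comp-lzo" in c) != ("comp-lzo" in s):
        errors.append("'comp-lzo' must be set on both ends or on neither")
    c_cipher = (_first(c, "cipher") or ["BF-CBC"])[0]     # BF-CBC is the implicit default
    s_cipher = (_first(s, "cipher") or ["BF-CBC"])[0]
    if c_cipher != s_cipher:
        errors.append(f"'cipher' differs: client {c_cipher} vs server {s_cipher}")
    elif c_cipher == "BF-CBC":
        warnings.append("cipher not set: both ends fall back to BF-CBC (Blowfish, 64-bit "
                        "block); set an AES cipher explicitly on both ends")
    sport = int(_first(s, "port", ["1194"])[0])
    if remote_port(c) != sport:
        errors.append(f"client connects to port {remote_port(c)} but server listens on {sport}")
    return errors, warnings


if __name__ == "__main__":
    errs, warns = check_pair(CLIENT_CONF, SERVER_CONF)
    print("errors:", errs or "none")
    print("warnings:", warns or "none")
```

Run it against the pair of files before copying them to C:\Program Files\OpenVPN\config\; a mismatch found here is far easier to read than the handshake failure OpenVPN logs at verb 3.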
To initiate the OpenVPN tunnel following the creation of the client/server configuration files:
Right click on the OpenVPN icon in the Notification Area.
Select the newly created client or server configuration.
Click Connect in the presented sub-menu.
The log file will display as the connection is established.
Once established, the OpenVPN icon will display a message notifying of the successful connection and assigned IP.
This information, as well as the time the connection was established, is available anytime by scrolling over the OpenVPN icon.
NOTE: An alternate, open-source OpenVPN Windows client can be downloaded from https://openvpn.net/index.php/open-source/downloads.html. See https://openvpn.net/index.php/access-server/docs for help.
FIGURE 5-33. OPENVPN WINDOWS CLIENT
CHAPTER 5: SERIAL PORT, HOST DEVICE AND USER CONFIG
5.11 PPTP VPN
The LES1600, LES1516A, LES1532A, LES1548A, and LES1700 family of advanced console servers with firmware v3.5.2 and later,
include a PPTP (Point-to-Point Tunneling Protocol) server.
PPTP is typically used for communications over a physical or virtual serial link. The PPP endpoints assign themselves virtual IP
addresses. Routes to networks can then be defined with these addresses as the gateway, so that traffic for those networks is sent
across the tunnel. PPTP establishes a tunnel between the physical PPP endpoints and securely transports data across the tunnel.
FIGURE 5-34. PPTP VPN
The strength of PPTP is its ease of configuration and integration into existing Microsoft infrastructure. It is generally used for
connecting single remote Windows clients.
If you take your portable computer on a business trip, you can dial a local number to connect to your Internet access service
provider (ISP) and then create a second connection (tunnel) into your office network across the Internet and have the same access
to your corporate network as if you were connected directly from your office. Similarly, telecommuters can also set up a VPN tunnel
over their cable modem or DSL links to their local ISP.
To set up a PPTP connection from a remote Windows client to your Black Box appliance and local network:
Enable and configure the PPTP VPN server on your Black Box appliance.
Set up VPN user accounts on the Black Box appliance and enable the appropriate authentication.
Configure the VPN clients at the remote sites. The client does not require special software as the PPTP Server supports the
standard PPTP client software included with Windows NT and later.
Connect to the remote VPN.
5.11.1 ENABLE THE PPTP VPN SERVER
Select PPTP VPN on the Serial & Networks menu.
Click the Enable check box to enable the PPTP Server.
Select the Minimum Authentication Required.
FIGURE 5-35. SERIAL & NETWORK: PPTP VPN SCREEN
Access is denied to remote users attempting to connect using an authentication scheme weaker than the selected scheme. From
strongest to weakest, the schemes are:
- Encrypted Authentication (MS-CHAP v2). The strongest and recommended authentication option.
- Weakly Encrypted Authentication (CHAP). This is the weakest type of encrypted password authentication to use. It is not
recommended that clients connect using this as it provides very little password protection. Also note that clients connecting using
CHAP are unable to encrypt traffic.
- Unencrypted Authentication (PAP). This is plain text password authentication. When using this type of authentication, the client
password is transmitted unencrypted.
- None. No encryption at all.
Select the Required Encryption Level.
Remote users attempting to connect without this encryption level are denied access. 40-bit or 128-bit encryption is
recommended.
In Local Address enter the IP address to assign to the server’s end of the VPN connection.
In Remote Addresses enter the pool of IP addresses to assign to incoming client VPN connections (for example, 192.168.1.10-20).
These must be free IP addresses on the network (typically the LAN) that remote users are assigned to while connected to the Black
Box appliance.
Enter the desired value of the Maximum Transmission Unit (MTU) for the PPTP interfaces into the MTU field (defaults to 1400).
In the DNS Server field, enter the IP address of the DNS server that connecting PPTP clients are assigned.
In the WINS Server field, enter the IP address of the WINS server that connecting PPTP clients are assigned.
Enable Verbose Logging to assist in debugging connection problems.
Click Apply.
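The two policy fields above interact: a client that authenticates with CHAP, PAP or no scheme cannot encrypt its traffic, so any Required Encryption Level other than none excludes it whatever the Minimum Authentication Required says, and the Remote Addresses pool only works if every address in it is free on the LAN and not the server's own Local Address. The following added example (not Black Box code) models both checks; the scheme and level labels, the 192.168.1.0/24 LAN and the addresses marked in use are constructed to match the manual's 192.168.1.10-20 example.

```python
"""Policy and address-pool checks for a PPTP VPN server set up as in
Section 5.11.1.  Added example, not Black Box code; all labels and sample
values are constructed."""
import ipaddress

# Authentication schemes from strongest to weakest, in the manual's order.
AUTH_ORDER = ["MS-CHAP v2", "CHAP", "PAP", "None"]
# Only an MS-CHAP v2 session can carry encrypted traffic; CHAP/PAP/None cannot.
ENCRYPTION_CAPABLE = {"MS-CHAP v2"}
# Required Encryption Level choices (constructed labels) and their key lengths.
ENCRYPTION_LEVELS = {"None": 0, "40-bit": 40, "128-bit": 128}


def admit_client(client_auth, client_encryption, min_auth, required_encryption):
    """Return (accepted, reason) for a client offering client_auth and
    client_encryption against the server's configured minimums."""
    if AUTH_ORDER.index(client_auth) > AUTH_ORDER.index(min_auth):
        return False, f"{client_auth} is weaker than the required {min_auth}"
    need = ENCRYPTION_LEVELS[required_encryption]
    if need and client_auth not in ENCRYPTION_CAPABLE:
        # The manual's note that CHAP clients cannot encrypt, applied as policy.
        return False, f"{client_auth} cannot encrypt traffic, but {required_encryption} is required"
    if ENCRYPTION_LEVELS[client_encryption] < need:
        return False, f"{client_encryption} is weaker than the required {required_encryption}"
    return True, "accepted"


def expand_pool(pool):
    """Expand the Remote Addresses notation ('192.168.1.10-20' or
    '192.168.1.10-192.168.1.20') into a list of IPv4 addresses."""
    start, _, end = pool.partition("-")
    start, end = start.strip(), end.strip()
    first = ipaddress.ip_address(start)
    # A short end ('20') reuses the first three octets of the start address.
    last = ipaddress.ip_address(end if "." in end else f"{start.rsplit('.', 1)[0]}.{end}")
    if last < first:
        raise ValueError(f"pool {pool!r} ends before it starts")
    return [ipaddress.ip_address(int(first) + i) for i in range(int(last) - int(first) + 1)]


def check_addresses(local_address, remote_pool, lan, in_use):
    """Return findings for Local Address / Remote Addresses: each pool address
    must lie on the LAN, be free, and differ from the server's own address."""
    findings = []
    network = ipaddress.ip_network(lan)
    local_ip = ipaddress.ip_address(local_address)
    for addr in expand_pool(remote_pool):
        if addr not in network:
            findings.append(f"{addr} is outside {network}")
        if addr == local_ip:
            findings.append(f"{addr} is the server's Local Address and cannot also be in the pool")
        if str(addr) in in_use:
            findings.append(f"{addr} is already in use on the LAN")
    return findings


# Constructed sample: addresses already taken on the appliance LAN.
SAMPLE_IN_USE = {"192.168.1.1", "192.168.1.15"}

if __name__ == "__main__":
    print(admit_client("CHAP", "None", "CHAP", "128-bit"))
    for finding in check_addresses("192.168.1.2", "192.168.1.10-20", "192.168.1.0/24", SAMPLE_IN_USE):
        print(finding)
```

With the sample LAN the 192.168.1.10-20 pool yields one finding (192.168.1.15 is taken), and a CHAP client is refused as soon as any encryption level is required, even when CHAP itself is the configured minimum.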
5.11.2 ADD A PPTP USER
Navigate to Serial & Networks > Users & Groups.
Complete the fields as covered in Section 5.2.
Ensure the pptpd Group has been checked, to allow access to the PPTP VPN server.
NOTE: Users in this group will have their password stored in clear text.
Note the username and password for when you connect to the VPN connection.
Click Apply.
5.11.3 SETUP A REMOTE PPTP CLIENT
Ensure the remote VPN client PC has Internet connectivity. To create a VPN connection across the Internet, you must set up two
networking connections. One connection is for the ISP, and the other connection is for the VPN tunnel to the Black Box appliance.
NOTE: This procedure sets up a PPTP client under Windows 7 Professional. The steps may vary slightly depending on your network
access or if you are using a different version of Windows.
Log in to your Windows system with administrator privileges.
FIGURE 5-36. CHOOSE A CONNECTION OPTION SCREEN
From the Network & Sharing Center in the Control Panel select Network Connections and create a new connection.
Select Use My Internet Connection (VPN) and enter the IP Address of the Black Box appliance.
NOTE: To connect remote VPN clients to the local network, you need to know the user name and password for the PPTP account
you added, as well as the Internet IP address of the Black Box appliance. If your ISP has not allocated you a static IP
address, consider using a dynamic DNS service. Otherwise, you must modify the PPTP client configuration each time your
Internet IP address changes.
5.12 CALL HOME
Console servers with firmware v3.2 and later include Call Home. Call Home sets up an SSH tunnel from the console server to a
central Virtual Central Management System (VCMS) server (referred to herein as VCMS). The console server then registers as a
candidate on the VCMS. Once accepted it becomes a Managed Console Server.
The VCMS then monitors the Managed Console Server, and administrators can access the remote Managed Console Server
through the VCMS. This access is available even when the remote console server is behind a third-party firewall or has a private IP
address (which is often the case when the console server is connected via a cellular modem connection).
VCMS maintains public key authenticated SSH connections to each Managed Console Server. These connections are used for
monitoring, commanding and accessing the Managed Console Servers and the Managed Devices connected to the Managed
Console Server.
To manage Local Console Servers, or console servers that are reachable from the VCMS, the SSH connections are initiated by
VCMS. To manage Remote Console Servers, or console servers that are firewalled, not routable, or otherwise unreachable from the
VCMS, the SSH connections are initiated by the Managed Console Server via an initial Call Home connection.
This ensures secure, authenticated communications and allows Managed Console Server units to be distributed locally on a
LAN or remotely around the world.
5.12.1 SET UP CALL HOME CANDIDATE
To set up the console server as a Call Home management candidate on the VCMS:
Select Call Home on the Serial & Network menu.
FIGURE 5-37. SERIAL AND NETWORK: CALL HOME SCREEN
If you have not already generated or uploaded an SSH key pair for this console server, you will need to do so before proceeding
(see Chapter 3).
Click Add.