Opengear User Manual
Contents
1. NRPE Group: Group to run as. Defaults to nobody. > Select System Nagios and check NRPE Enabled > Enter the details the user connection to the upstream Nagios monitoring server and again refer to the sample Nagios configuration example below for details of configuring specific NRPE checks. By default the console server will accept a connection between the upstream Nagios monitoring server and the NRPE server with SSL encryption, without SSL, or tunneled through SSH. The security for the connection is configured at the Nagios server. 10.3.3 Enable NSCA monitoring [Figure: Nagios Remote Monitoring Host and Remote Console Server] NSCA is the mechanism that allows you to send passive check results from the remote console server to the Nagios daemon running on the monitoring server. To enable NSCA: 214 Console Server & RMM Gateway User Manual [Screenshot: NSCA settings form. NSCA Enabled: Schedule check ins with the NSCA server. NSCA Encryption: Type of encryption. NSCA Secret: Password for NSCA. NSCA Confirm: Re-enter password for NSCA. NSCA Interval: Check in frequency in minutes. NSCA Port: Port to connect to. Defaults to 5667. NSCA User: User to run as. Defaults to nsca. NSCA Group: Group to run as. Defaults to nobody.] > Select System Nagios and check NSCA Enabled > Select the Encryption to be used from the drop down menu, then enter a Secret password and specify a check
2. inet addr 192 168 254 137 Bcast 192 168 254 255 Mask 255 255 255 0 IP UP BROADCAST RUNNING MULTICAST MTU 1500 Metric 1 Date amp Time Interrupt 12 Memory 1 fff8000 1fff80ff a Ml gt Select Status Support Report and you will be presented with a status snapshot gt Save the file as a text file and attach it to your support email 12 4 Syslog The Linux System Logger in the console server maintains a record of all system messages and errors gt Select Status Syslog The syslog record can be redirected to a remote Syslog Server gt Enter the remote Syslog Server Address and Syslog Server Port details and click Apply The console maintains a local Syslog To view the local Syslog file gt Select Status Syslog System Name acm5003 m Model ACM5003 M Firmware 3 3 2 Aa O opengear Uptime 1 days 1 hours 12 mins 37 secs Current User root Backup Log Out Status Syslog Serial amp Network Serial Port Users amp Groups Syslog Server Address Authentication Network Hosts Specify the address of the remote Syslog Server to use Trusted Networks IPsec VPN Syslog Server Port OpenVPN Call Home Specify which port the remote Syslog Server is serving on Cascaded Ports UPS Connections RPC Connections Remote System Logging Environmental Managed Devices Local System Logging Alerts amp Logging r Match Pattern Port Log A regular expression to match
3. gt Toaddanew EMD click Add and configure an external EMD enter a Name and optionally a Description and select the pre configured serial port that the EMD will be Connected Via 186 Console Server amp RMM Gateway User Manual User Manual System Name cm4001 Model CM4001 Firmware 3 1 0b1 ha opengear Uptime 6 days 6 hours 44 mins 37 secs Current User root Backup Log Out Serial amp Network Environmental Serial amp Network Serial Port Add Environmental Monitor Users amp Groups Authentication Name Network Hosts A descriptive name for the environmental monitor Trusted Networks Cascaded Ports Connected Via Serial Port 1 Port1 UPS Connections RPC Connections Environmental D ipti Managed Devices p Specify the connection port for the environmental monitor A brief description for the environmental monitor Alerts amp Logging Temperature Port Log Offset Alerts Fine tuning adjustment for the temperature sensor SMTP amp SMS SNMP Humidity Offset Fine tuning adjustment for the humidity sensor Administration Leet gt rein SSL Certificates anren Indicates if the temperature is reported in Fahrenheit rather than Celcius Configuration Backup Firmware Alarm 1 Label gt IP x Date amp Time A label for this alarm sensor e g Door Open or Smoke Alarm Dia Alarm 2 Label A label for this alarm sens
4. id_rsa pub ssh rsa AAAAB3NzaC1 yc2Efg4 tGHIAAA name client1 If the Opengear device selected to be the server will only have one client device, then the authorized_keys file is simply a copy of the public key for that device. If one or more devices will be clients of the server, then the authorized_keys file will contain a copy of all of the public keys. RSA and DSA keys may be freely mixed in the authorized_keys file. For example, assume we already have one server called bridge_server and two sets of keys for the control_room and the plant_entrance: ls home user keys control_room control_room pub plant_entrance plant_entrance pub cat home user keys control_room pub home user keys plant_entrance pub > home user keys authorized_keys_bridge_server 288 Console Server & RMM Gateway User Manual [Figure: Master authorized_keys file containing the ssh rsa public key of client1 and the ssh dss public key of client2] More documentation on OpenSSH can be found at http opens
5. [Screenshot: "Connect to a Workplace" dialog with user name, password and optional domain fields] Console Server & RMM Gateway User Manual 87 Chapter 4 Serial Port Device and User Configuration 4.12 Call Home All console servers with Firmware V3.2 and later include the Call Home feature, which initiates the setup of a secure SSH tunnel from the console server to a centralized CMS6100 or VCMS server (referred to herein as CMS). The console server then registers as a candidate on the CMS and, once accepted there, it becomes a Managed Console Server. The CMS will then monitor the Managed Console Server, and administrators can access the remote Managed Console Server through the CMS. This access is available even when the remote console server is behind a third-party firewall or has a private non-routable IP address, which is often the case when the console server is connected via a cellular modem connection. Note: CMS maintains public key authenticated SSH connections to each of its Managed Console Servers. These connections are used for monitoring, commanding and accessing the Managed Console Servers and the Managed Devices connected to the Managed Console Server. To manage Local Console Servers, or console servers that are reachable from the CMS, the SSH connections are initiated by CMS. To manage Remote Console Servers, or console servers that are
6. Nagios Configure Dashboard Port Access Active Users Statistics Support Report Syslog UPS Status RPC Status Environmental Status Dashboard Manage Devices Port Logs Host Logs 7 2 9 SMS Command Name Reset Timeout Repeat Trigger Actions Check Conditions Environmental Alarms Digital Inputs UPS Power Supply UPS Status Serial Login Logout Serial Signal Serial Pattern ICMP Ping Cellular Data Custom Check SMS Command System Name img4004 5 Model IMG4004 5 Firmware 3 5 1b1 Uptime 0 days 2 hours 37 mins 42 secs Current User root a Backup Log Out Alerts amp Logging Auto Response Auto Response Settings Browser check script Unique Name for this AutoResponse 0 Time in seconds after resolution to delay before this AutoResponse can be triggered again Repeat Trigger actions until the check is resolved Custom Check Script Executable Script to execute when this action is triggered Frequency Time in seconds between checks Script Timeout 0 Maximum run time for this script Leave as 0 for unlimited Successful 0 Return Code Trigger if the return code is not this value Argument 1 Argument to pass to the script Argument 2 Argument to pass to the script Argument 3 Argument to pass to the script Argument 4 Argument to pass to the script Argument 5 Argument to pass to the script Save Auto Respo
7. Network Hosts Trusted Networks Cascaded Ports UPS Connections RPC Connections Environmental Managed Devices If you are connecting to the RPC by a serial port you will be presented with all the serial RPC types System Name img4004 5 Model IMG4004 5 Firmware 2 7 0p1 Uptime 0 days 1 hours 19 mins 40 secs Current User root Serial amp Network RPC Connections A descriptive name for the power device A brief description for the power device Network 192 168 0 54 PDU R3C Specify the serial port or network host address for the power device None v IPMI 1 5 1 outlets IPMI 2 0 1 outlets SNMP Controlled Baytech Variable outlets SNMP Controlled Eaton Aphel Revelation Variable outlets SNMP Controlled Leviton Variable outlets SNMP Controlled Metered PDU 8 outlets SNMP Controlled Servertech Variable outlets SNMP Controlled Tripplite Variable outlets currently supported by the embedded PowerMan and Opengear s power manager Serial Port Users amp Groups Authentication Network Hosts Trusted Networks Cascaded Ports UPS Connections RPC Connections Environmental Managed Devices Port Log gt Enter the Username and Password used to login into the RPC Note that these login credentials are not related the Users and access privileges you will have configured in Serial amp Networks Users amp Groups gt
8. config s config alerts alert2 ups 1 UPSname hostname Example 1: To configure a temperature sensor alert for a sensor called SensorInRoom42: config s config alerts alert2 sensor temp config s config alerts alert2 enviro high critical 60 config s config alerts alert2 enviro high warning 50 config s config alerts alert2 enviro hysteresis 2 config s config alerts alert2 enviro low critical 5 config s config alerts alert2 enviro low warning 10 config s config alerts alert2 enviro1 SensorInRoom42 config s config alerts alert2 signal DSR config s config alerts alert2 type enviro Example 2: To configure a load sensor alert for outlets 2 and 4 for an RPC called RPCInRoom20: config s config alerts alert2 outlet1 RPCname outlet2 config s config alerts alert2 outlet2 RPCname outlet4 config s config alerts alert2 enviro high critical 300 config s config alerts alert2 enviro high warning 280 config s config alerts alert2 enviro hysteresis 20 config s config alerts alert2 enviro low critical 50 config s config alerts alert2 enviro low warning 70 config s config alerts alert2 rpc1 RPCInRoom20 config s config alerts alert2 sensor load config s config alerts alert2 signal DSR config s config alerts alert2 type enviro Alarm Sensor Alert: To set an alert for doorAlarm and windowAlarm, which are two alarms connected to an environmental sensor called SensorInRooms
9. 4.4 Network Hosts > When adding a new network connected RPC or UPS power device, you set up a Network Host, designate it as RPC or UPS, then go to RPC Connections or UPS Connections to configure the relevant connection. Again, the corresponding new Managed Device (with the same Name/Description as the RPC/UPS Host) is not created until this connection step is completed (refer to Chapter 8 Power and Environment). Note: The outlet names on this newly created PDU will by default be Outlet 1, Outlet 2. When you connect a particular Managed Device that draws power from the outlet, the outlet will then take up the name of the powered Managed Device. To add a new serially connected Managed Device: > Configure the serial port using the Serial & Network: Serial Port menu (refer to Section 4.1 Configure Serial Port) > Select Serial & Network: Managed Devices and click Add Device > Enter a Device Name and Description for the Managed Device [Screenshot: Serial & Network: Managed Devices, Add a New Device form with Device Name and Description fields]
10. Console Server & RMM Gateway User Manual 165 Chapter 7 Alerts and Logging > Click Apply Note: A cache of the most recent 8K of logged data per serial port is maintained locally, in addition to the Logs which are transmitted for remote USB flash storage. To view the local cache of logged serial port data, select Manage Port Logs. 7.6.3 Network TCP and UDP port logging The console server supports optional logging of access to and communications with network attached Hosts. > For each Host, when you set up the Permitted Services which are authorized to be used, you also must set up the level of logging that is to be maintained for each service System Name im4216 Model IM4216 Firmware 2 5 0 opengear Uptime 0 days 0 hours 8 mins 46 secs Current User root Serial & Network Network Hosts Serial Port Users & Groups Authentication IP Address DNS 192 168 254 11 Network Hosts Name The hosts IP Address or DNS name Trusted Networks are Cascaded Ports Description Mail Server Edit an Existing Host A brief description of the host Alerts & Logging Port Log Permitted 22 tcp ssh 0 Alerts 23 tcp telnet 0 SMTP 80 tcp http 0 SNMP 443 tcp https 0 1494 tcp ica 0 3389 tcp rdp 0 Administration 5900 tcp vnc 0 IP TCP Em Date & Time OuDP Port Dial level 2 Input Output logging on servic
11. Example: To run a chat script via the portmanager: pmchat v f etc config scripts port08 chat < dev port08 For more information on using chat and pmchat you should consult the UNIX man pages: http techopubs sgi com library tol cgibin getdoc cgi coll linux & db man & tname usr share catman man & s chat 8 html pmusers: The pmusers command is used to query the portmanager for active user sessions. Example: To detect which users are currently active on which serial ports: pmusers This command will output nothing if there are no active users currently connected to any ports; otherwise it will respond with a sorted list of usernames per active port: Port 1 user user2 Port 2 user Port 8 user2 214 Console Server & RMM Gateway User Manual The above output indicates that a user named user is actively connected to ports 1 and 2, while user2 is connected to both ports 1 and 8. portmanager daemon: There is normally no need to stop and restart the daemon. To restart the daemon normally, just run the command: portmanager Supported command line options are: Force portmanager to run in the foreground: nodaemon Set the level of debug logging: loglevel debug info warn error alert Change which configuration file it uses: c etc config portmanager conf Signals: Sending a SIGHUP signal to the portmanager will cause it to re-read its configuration file. 15.2.2 External Scripts and Alerts
12. Similarly, the Master does maintain a view of the status of the slaves: Select Status: Support Report. Scroll down to Processes. Look for: bin ssh MN o ControlPath var run cascade h slavename These are the slaves that are connected. Note: the end of the Slaves' names will be truncated, so the first 5 characters must be unique. Alternatively, you can write a custom CGI script as described above. The currently connected Slaves can be determined by running: ls var run cascade and the configured slaves can be displayed by running: config g config cascade slaves Console Server & Router User Manual 301 Chapter 16 KCS Client Configuration 15.13 SMS Server Tools Firmware releases V3.1 and later include the SMS Server Tools software, which provides an SMS Gateway which can send and receive short messages through GSM modems and mobile phones. You can send short messages by simply storing text files into a special spool directory. The program monitors this directory and sends new files automatically. It also stores received short messages into another directory as text files. Binary messages (including Unicode text) are also supported, for example ring tone messages. It's also possible to send a WAP Push message to the WAP/MMS capable mobile phone. The program can be run as an SMS daemon which can be started automatically when the operating system starts. High availability can be ensured by using multiple GSM devices currently up
13. This enables the console server to function as an Internet or external network gateway, via cellular connections (e.g. ACM5004 Gx cellular routers or other IM400, ACM5500 or ACM5000 model with external cellular modem) or via other Ethernet networks on two Ethernet port models (IM42xx 2 and ACM500x 2 console servers). 5.8.1 Network Forwarding allows the network packets on one network interface (i.e. LAN1 eth0) to be forwarded to another network interface (i.e. LAN2 eth1 or dial out cellular), so locally networked devices can IP connect through the console server to devices on remote networks. IP Masquerading is used to allow all the devices on your local private network to hide behind and share the one public IP address when connecting to a public network. This type of translation is only used for connections originating within the private network destined for the outside public network, and each outbound connection is maintained by using a different source IP port number. When using IP Masquerading, devices on the external network cannot initiate connections to devices on the internal network. Port Forwards allows external users to connect to a specific port on the external interface of the console server or cellular router and be redirected to a specified internal address for a device on the internal network. With Firewall Rules, packet filtering inspects each packet passing through the firewall and accepts or rejects it based on user defined rul
14. > Enter the RADIUS Authentication and Authorization Server Address and Server Password > Click Apply [Screenshot: RADIUS settings form with Authentication and Authorisation Server Address and Server Password fields] > Edit the Radius user's file to include group information and restart the Radius server. When using RADIUS authentication, group names are provided to the console server using the Framed Filter Id attribute. This is a standard RADIUS attribute, and may be used by other devices that authenticate via RADIUS. To interoperate with other devices using this field, the group names can be added to the end of any existing content in the attribute, in the following format: group_name testgroup1 users The above example sets the remote user as a member of testgroup1 and users, if groups with those names exist on the console server. Any groups which do not exist on the console server are ignored. When setting the Framed Filter Id, the system may also remove the leading colon for an empty field. To work around this, add some dummy text to the start of the string. For example: dummy group_name testgroup1 users > If no group is specified for a user, for example AmandaJones, then the user will have no
15. o Select the Wireless Security mode of the wireless network WEP WPA etc and enter the required Key Authentication Encryption settings Wireless Client Settings SSID SSID of the wireless access point to connect to Wireless Network Type Infrastructure Ad hoc Select infrastructure to connect to an access point ad hoc to connect directly to a computer Wireless Security None WEP D WPA PSK WPA2 PSK WPA None The security mode of the wireless network Data Encryption TKIP AES The encryption method of the wireless network Network Key The key required to connect to the wireless network Note The Wireless screen in Status Statistics will display all the locally accessible wireless LANs with SSID and Encryption Authentication settings You can also use this screen to confirm you have successfully connected to the selected access point refer Chapter 12 3 6 6 Static routes Firmware 3 4 and later support static routes which provide a very quick way to route data from one subnet to different subnet So you can hard code a path that specifies to the console server router to get to a certain subnet by using a certain path This may be useful for remotely accessing various subnets at a remote site when being accessed using the cellular OoB connection System Name im4216 Model IM4216 Firmware 3 5 2u1 Ra O opPengear Uptime 6 days 23 hours 50 mins 14 secs Current User root Backup Log Out System IP Serial
16. All console servers allow remote authentication via RADIUS, LDAP and TACACS. With Firmware V3.2 and later, RADIUS and LDAP can provide additional restrictions on user access based on group information or membership. For example, with remote group support, RADIUS and LDAP users can belong to a local group that has been set up to have restricted access to serial ports, network hosts and managed devices. Remote authentication with group support works by matching a local group name with a remote group name provided by the authentication service. If the list of remote group names returned by the authentication service matches any local group names, the user is given permissions as configured in the local groups. To enable group support to be used by remote authentication services: > Select Serial & Network: Authentication > Select the relevant Authentication Method > Check the Use Remote Groups button 196 Console Server & RMM Gateway User Manual [Screenshot: Serial & Network: Authentication. Authentication Method options: Local, LocalTACACS, TACACS, TACACSLocal, TACACSDownLocal, LocalRADIUS, RADIUS, RADIUSLocal, RADIUSDownLocal, LocalLDAP, LDAP, LDAPLocal, LDAPDownLocal. Use Remote Groups: Use group membership information provided by remote authentication services. Session lifetime: Session lifetime in minutes. The default setting is 20 minutes.] 9.1.7 Remote groups with RADIUS authentication
17. Also some clients are launched in a command line or terminal window The Telnet client is an example of this so the Path to client executable file is telnet and the Command line format for client executable is cmd c start path host port G Opengear SDTConnector File Edit Help Client name Telnet client Path to client executable file telnet Command line format for client executable cmd c start path host port OK HK cance gt Click OK 6 2 8 Dial in configuration If the client PC is dialing into Local Console port on the console server you will need to set up a dial in PPP link gt Configure the console server for dial in access following the steps in the Configuring for Dial In PPP Access section in Chapter 5 Configuring Dial In Access gt Setup the PPP client software at the remote User PC following the Set up the remote Client section in Chapter 5 Once you have a dial in PPP connection established you then can set up the secure SSH tunnel from the remote Client PC to the console server Console Server amp RMM Gateway User Manual 129 6 3 Chapter 6 Secure SSH Tunneling amp SDT Connector SDT Connector to Management Console SDT Connector can also be configured for browser access the gateway s Management Console and for Telnet or SSH access to the gateway command line For these connections to the gateway itself you must configur
18. Both alarms are disabled on Mondays from 8:15am to 2:30pm: config s config alerts alert2 alarm1 SensorInRoom3 alarm1 doorAlarm config s config alerts alert2 alarm1 SensorInRooms3 alarm2 windowAlarm config s config alerts alert2 alarmrange mon from hour 8 config s config alerts alert2 alarmrange mon from min 15 config s config alerts alert2 alarmrange mon until hour 14 config s config alerts alert2 alarmrange mon until min 30 config s config alerts alert2 description description config s config alerts alert2 sensor temp config s config alerts alert2 signal DSR config s config alerts alert2 type alarm To enable an alarm for the entire day: Console Server & Router User Manual 259 Chapter 14 Command Line Configuration config s config alerts alert2 alarmrange mon from hour 0 config s config alerts alert2 alarmrange mon from min 0 config s config alerts alert2 alarmrange mon until hour 0 config s config alerts alert2 alarmrange mon until min 0 The following command will synchronize the live system with the new configuration: config r alerts 14.1.14 SMTP & SMS To set up an SMTP mail or SMS server with the following details: Outgoing server address mail opengear com Secure connection type SSL Sender John opengear com Server username john Server password secret Subject line SMTP alerts config s config system smtp server mail opengear com config s config
19. Console Server amp Router User Manual 233 Chapter 12 Status Reports STATUS REPORTS This chapter describes the dashboard feature and the status reports that are available Port Access and Active Users Statistics Support Reports Syslog Dashboard Other status reports that are covered elsewhere include UPS Status Chapter 8 2 RPC Status Chapter 8 7 Environmental Status Chapter 8 3 12 1 Port Access and Active Users The Administrator can see which Users have access privileges with which serial ports gt Select the Status Port Access System Name acm5003 m Model ACM5003 M Firmware 3 3 2 Uptime 1 days 0 hours 55 mins 23 secs Current User root opengear O Backup Log Out Status Port Access Serial Port Users amp Groups Authentication Network Hosts Trusted Networks IPsec VPN OpenVPN Call Home Cascaded Ports UPS Connections User From 1 2 3 Radmin Anywhere Y 1 Y Legend Anywhere Accessible from any IP address Anyone No username is required for access The Administrator can also see the current status as to Users who have active sessions on those ports gt Select the Status Active Users 12 2 Statistics The Statistics report provides a snapshot of the status current traffic and other activities and operations of your console server gt Select the Status Statistics 234 Console Server amp RMM Gateway User Manual
20. Inprs jobspec or job kill S sigspec n signum si let arg arg Console Server amp Router User Manual 309 APPENDIX B FEATURE Dimensions Weight Ambient operating temperature Non operating storage temp Humidity Power ower Consumption Memory USB ports 310 Serial Connectors Hardware Specification VALUE ACM5002 3 4 2 M W G 4 1x3 4x1 1 in 10 3 x 8 7 x 2 8 cm ACM5504 8 2 5 M G l 6 5 x 4 x 1 4 in 16 6 x 10 2 x 2 8 cm IM4208 16 32 48 17 x 12 x 1 75 in 43 2 x 31 3 x 4 5 cm IM4216 34 17 x 12 x 1 75 in 43 2 x 31 3 x 4 5 cm IM4004 5 8 2 x 4 9 x 1 2 in 20 8 x 12 6 x 4 5 cm CM4116 48 17 x 8 5 x 1 75 in 43 2 x 21 x 4 5 cm CM4008 8 2 x 4 9 x 1 2 in 20 8 x 12 6 x 4 5 cm CM4001 3 9 x 2 8 x 1 0 in 10 x 7 2 x 2 5 cm ACM5002 3 4 M W G 2 1 0 kg 2 2 Ibs ACM5002 3 4 2 M W G 1 8 kg 4 Ibs IM4208 16 32 48 5 4 kg 11 8 lbs IM4216 34 5 4 kg 11 8 Ibs IM4004 5 1 7 kg 3 7 Ibs CM4116 48 3 9 kg 8 5 Ibs CM4008 1 7 kg 3 7 Ibs CM4001 1 1 ee eg 5 a 2 5 Ibs 5 C to 50 C Acerc dho pa F to 122 F 30 C to 60 C 30 C to 60 C 20 F to 140 F st lt is sSCSCidS 20 F to 140 F 5 to 90 Refer Chapter 2 for various models All less than 30W ACM5002 3 4 M W G 2 Micrel KSZ8692 ARM9 Others Micrel KS8695P controller ACM5002 3 4 M W G 2 32MB SDRAM 16MB Flash ACM5504 8 2 5 M G I 64MB SDRAM 16MB Flash 4GB USB Flash IM4208 16 32 48
21. Serial amp Network Authentication Serial amp Network Serial Port Authentication Configuration Authentication Testing Users amp Groups Authentication Authentication Configuration Network Hosts Trusted Networks Authentication Method Local IPsec VPN OpenVPN LocalTACACS PPTP VPN TACACS Call rer TACACSLocal Cascaded Ports UPS Connections TACACSDownLocal RPC Connections LocalRADIUS Environmental RADIUS Managed Devices RADIUSLocal RADIUSDownLocal LocalLDAP LDAP LDAPLocal 5 LDAPDownLocal LocalKerberos Kerberos KerberosLocal KerberosDownLocal Authentication Method to use for Web Console Telnet SSH and FTP Use Remote Groups T Use group membership information provided by remote authentication services Any authentication method that is configured will be used for authentication of any user who attempts to log in through Telnet SSH or the Web Manager to the console server and any connected serial port or network host devices The console server can be configured to the default Local or an alternate authentication method TACACS RADIUS LDAP or Kerberos with the option of a selected order in which local and remote authentication is to be used Local TACACS RADIUS LDAP Kerberos Tries local authentication first falling back to remote if local fails TACACS RADIUS LDAP Kerberos Local Tries remote authentication first falling back to local if remote fails TACA
22. User Manual Note Ultra VNC Win32 Viewer 1 0 1 Release WNC Server 192 169 0 1 7901 v hostdisplay or host port Quick Options O AUTO Auto select best settings O ULTRA gt hi bits Experimental C LAN gt TMbit s Max Colors O MEDIUM 128 256k bit s 256 Colors MODEM 19 128K bits 64 Colors SLOW lt 15kKbit s amp Colors View Only Auto Scaling C Use DSMPlugin Mo Plugin detected Ww Prosp Repeater Save connection settings as default Delete saved settings gt You can then establish the VNC connection by simply activating the VNC Viewer software on the Viewer PC and entering the password imi Authentication For general background reading on Remote Desktop and VNC access we recommend the following The Microsoft Remote Desktop How To http www microsoft com windowsxp using mobility getstarted remoteintro mspx The Illustrated Network Remote Desktop help page http theillustratednetwork mvps org RemoteDesktop RemoteDesktopSetupandT roubleshooting htm What is Remote Desktop in Windows XP and Windows Server 2003 by Daniel Petri http www petri co il what s_remote_desktop htm Frequently Asked Questions about Remote Desktop http www microsoft com windowsxp using mobility rdfaq mspx Secure remote access of a home network using SSH Remote Desktop and VNC for the home user http theillustratednetwork mvps org RemoteDesktop SSH RDP VNC RemoteDesktop
23. Users amp Groups rarer ater An ID for this device Network Hosts System Trusted Networks Toei IPsec VPN The physical location of this device System ll Eee Password Cascaded Ports The secret used to gain administration access to this device UPS Connections RPC Connections Confirm usses Environmental System Managed Devices Password Re enter the above password for confirmation Alerts amp Logging ee Port Log Auto Response Message of the day text banner to display to authenticating users SMTP amp SMS SNMP Delayed Config Commits Config changes are queued and must be explicitly applied Administration TT SSL Certificates Apply A User can also use the Management Console but has limited menu access to control select devices review their logs and access them using the in built Web terminal or control power to them Console Server amp RMM Gateway User Manual 13 Introduction System Name ima4004 5 Model IMG4004 5 Firmware 2 7 0p1 opengear Uptime 2 days 22 hours 18 mins 26 secs Current User user 13 Manage Devices Manage Devices All Network Serial Power Port Logs Host Logs Type Device Actions Power Terminal a 192 168 0 44 Asterisk PBX 5 192 168 0 70 Dell mail server The console server runs an embedded Linux operating system and experienced Linux and UNIX users may prefer to undertake configuration at the command line You can co
24. Verify cellular connection: Out-of-band access is enabled by default, so the cellular modem connection should now be on. > You can verify the connection status from the Status Statistics: o Select the Cellular tab and in Service Availability verify Mode is set to Online o Select Failover & Out of Band and the Connection Status reads Connected o You can check your allocated IP address Console Server & RMM Gateway User Manual 105 Chapter 5 Firewall Failover and Out of Band [Screenshot: Status Statistics, Failover & Out of Band tab, showing Always on Out of Band on the Internal Cellular Modem (cellmodem) with Connection Status Connected and the allocated IP Address] > You can measure the received signal strength from the Cellular Statistics page on the Status Statistics screen. This will display the current state of the cellular modem, including the Received Signal Strength
25. authentication modules to be attached to them at run time in order to work. Which authentication module is to be attached is dependent upon the local system setup and is at the discretion of the local Administrator. The console server family supports PAM, to which we have added the following modules for remote authentication: RADIUS: pam_radius_auth (http://www.freeradius.org/pam_radius_auth); TACACS: pam_tacplus (http://echelon.pl/pubs/pam_tacplus.html); LDAP: pam_ldap (http://www.padl.com/OSS/pam_ldap.html). Further modules can be added as required. Changes may be made to files in /etc/config/pam.d, which will persist even if the authentication configurator is run. > Users added on demand: When a user attempts to log in but does not already have an account on the console server, a new user account will be created. This account will have no rights and no password set. They will not appear in the Opengear configuration tools. Automatically added accounts will not be able to log in if the remote servers are unavailable. RADIUS users are currently assumed to have access to all resources, so will only be authorized to log in to the console server. RADIUS users will be authorized each time they access a new resource. > Admin rights granted over AAA: Users may be granted Administrator rights via networked AAA. For TACACS, a priv-lvl of 12 or above indicat
26. config -s config.ups.monitors.monitor1.password=secret
config -s config.ups.monitors.monitor1.sdorder=2
config -s config.ups.monitors.monitor1.driver=genericups
config -s config.ups.monitors.monitor1.options.option1.opt=option
config -s config.ups.monitors.monitor1.options.option1.arg=argument
config -s config.ups.monitors.monitor1.options.total=1
config -s config.ups.monitors.monitor1.log.enabled=on
config -s config.ups.monitors.monitor1.log.interval=2
config -s config.ups.monitors.monitor1.script.enabled=on
Make sure to increment the total monitors:
config -s config.ups.monitors.total=1
The 5 commands below will add the UPS to Managed devices, assuming there are already 2 managed devices configured:
config -s "config.devices.device3.connections.connection1.name=My UPS"
config -s "config.devices.device3.connections.connection1.type=UPS Unit"
config -s "config.devices.device3.name=My UPS"
config -s "config.devices.device3.description=UPS in room 5"
config -s config.devices.total=3
To delete this managed UPS:
config -d config.ups.monitors.monitor1
Decrement monitors total when deleting a managed UPS.
Remote UPSes. To add a remote UPS with the following details (assuming this is our first remote UPS): UPS name: oldUPS; Description: UPS in room 2; Address: 192.168.50.50; Log status: Disabled; Log rate: 240 seconds; Run shutdown script: Enabled c
27. > Select the gateway and click Out Of Band. The status bar will change color to indicate this gateway is now being accessed using the OoB link rather than the primary link. [Screenshot residue: SDT Connector window, Gateway Actions, "Out of band enabled for Remote IMG4004".] When you connect to a service on a host behind the gateway, or to the console server gateway itself, SDT Connector will initiate the OoB connection using the provided Start Command. The OoB connection isn't stopped (using the provided Stop Command) until Out Of Band under Gateway Actions is clicked off, at which point the status bar will return to its normal color. 6.6 Importing and exporting preferences. To enable the distribution of pre-configured client config files, SDT Connector has an Export/Import facility. [Screenshot residue: SDT Connector File menu with New Gateway, New Host, Import Preferences, Export Preferences and Exit.] > To save a configuration .xml file for backup or for importing into other SDT Connector clients, select File: Export Preferences and select the location to save the configuration file. > To import a configuration, select File: Import Preferences and select the .xml configuration file to be installed. 6.7 SDT Connect
28. Opengear User Manual: ACM5000 & ACM5500 RMM Gateways, IM4000 & IM4200 Infrastructure Managers, CM4000 Console Servers, SD4000 Secure Device Server. Rev 4.4, February 8 2012. Console Server & RMM Gateway User Manual. Safety: Please take care to follow the safety precautions below when installing and operating the console server. Do not remove the metal covers. There are no operator-serviceable components inside. Opening or removing the cover may expose you to dangerous voltage which may cause fire or electric shock. Refer all service to Opengear qualified personnel. To avoid electric shock, the power cord protective grounding conductor must be connected through to ground. Always pull on the plug, not the cable, when disconnecting the power cord from the socket. Do not connect or disconnect the console server during an electrical storm. Also, it is recommended you use a surge suppressor or UPS to protect the equipment from transients. FCC Warning Statement: This device complies with Part 15 of the FCC rules. Operation of this device is subject to the following conditions: (1) this device may not cause harmful interference, and (2) this device must accept any interference that may cause undesired operation. Table of Contents: THIS MANUAL; INSTALLATION; 2.1 Models; 2.1.1 IM4208-2, IM4216-2, IM4232-2, IM4248-2 and IM4216-34 kit components; 2.1.2 IM4004-5 kit components; 2.1.3 CM4116, CM4132 and
29. system topology or access method. It is a standard method for local and remote management of server hardware using out-of-band communication. SMTP: Simple Mail Transfer Protocol. The console server includes SMTPclient, a minimal SMTP client that takes an email message body and passes it on to an SMTP server (default is the MTA on the local host). SOL: Serial Over LAN (SOL) enables servers to transparently redirect the serial character stream from the baseboard universal asynchronous receiver/transmitter (UART) to and from the remote client system over a LAN. With SOL support and BIOS redirection (to serial), remote managers can view the BIOS/POST output during power on and reconfigured. SSH: Secure Shell is a secure transport protocol based on public-key cryptography. SSL: Secure Sockets Layer is a protocol that provides authentication and encryption services between a web server and a web browser. TACACS: The Terminal Access Controller Access Control System (TACACS) security protocol is a more recent protocol developed by Cisco. It provides detailed accounting information and flexible administrative control over the authentication and authorization processes. TACACS allows for a single access control server (the TACACS daemon) to provide authentication, authorization, and accounting services independently. Each service can be tied into its own database to take advantage of other services available on that server or on the network, depending on the
30. 14.1.12 Port Log; 14.1.13 Alerts; 14.1.14 SMTP & SMS; 14.1.15 SNMP; 14.1.16 Administration; 14.1.17 IP settings; 14.1.18 Date & Time settings; 14.1.19 Dial-in settings; 14.1.20 DHCP server; 14.1.21 Services; 14.1.22 NAGIOS. ADVANCED CONFIGURATION: Custom Scripting; Custom script to run when booting; Running custom scripts when alerts are triggered; Example script: Power cycling on pattern match; Example script: Multiple email notifications on each alert; Deleting configuration values from the CLI; Power cycle any device upon a ping request failure; Running custom scripts when a configurator is invoked; Backing up the configuration and restoring using a local USB stick; Backing up the configuration off-box; Advanced Portmanager; Portmanager commands; Externa
31. 10.3.2 Enable NRPE monitoring; 10.3.3 Enable NSCA monitoring; 10.3.4 Configure selected Serial Ports for Nagios monitoring; 10.3.5 Configure selected Network Hosts for Nagios monitoring; 10.3.6 Configure the upstream Nagios monitoring host; 10.4 Advanced Distributed Monitoring Configuration; 10.4.1 Sample Nagios configuration; 10.4.2 Basic Nagios plug-ins; 10.4.3 Additional plug-ins; 10.4.4 Number of supported devices; 10.4.5 Distributed Monitoring Usage Scenarios. SYSTEM MANAGEMENT: 11.1 System Administration and Reset; 11.2 Upgrade Firmware; 11.3 Configure Date and Time; 11.4 Configuration Backup; 11.5 Delayed Configuration Commit; 11.6 FIPS Mode. STATUS REPORTS: 12.1 Port Access and Active Users; 12.2 Statistics; 12.3 Support Reports; 12.4 Syslog; 12.5 Dashboard; 12.5.1 Configuring the Dashboard; 12.5.2 Creating custom widgets for the Dashboard. MANAGEMENT: 13.1 Device Management; 13.2 Port and Host Logs; 13.3 Terminal Connection; 13.3.1 Web Terminal; 13.3.2 SDT Connector access; 13.4 Power Management. CONFIGURATION FROM THE COMMAND LINE: 14.1 Accessing config from the command line; 14.1.1 Serial Port configuration; 14.1.2 Adding and removing Users; 14.1.3 Adding and removing user Groups; 14.1.4 Authentication; 14.1.5 Network Hosts; 14.1.6 Trusted Networks; 14.1.7 Cascaded Ports; 14.1.8 UPS Connections; 14.1.9 RPC Connections; 14.1.10 Environmental; 14.1.11 Managed Devices
32. 64MB SDRAM 16MB Flash 16GB USB Flash IM4216 34 64MB SDRAM 16MB Flash 16GB USB Flash IM4004 5 64MB SDRAM 16MB Flash 4G USB Flash CM4116 48 64MB SDRAM 16MB Flash CM4008 16MB SDRAM 8MB Flash CM4001 16MB SDRAM 8MB Flash ACM5002 3 4 M W G 2 2 internal external ACM5504 8 2 5 M G l 2 2xternal IM4208 16 32 48 amp IM4216 34 3 external IM4004 5 2 external ACM5002 2 RJ 45 RS 232 serial ports ACM5003 M W 3 RJ 45 RS 232 serial ports ACM5004 G 2 4 RJ 45 RS 232 serial ports ACM5004 2 G I 4 RJ 45 selectable RS 232 422 485 serial ports ACM5504 2 5 G 1 P 4 RJ 45 RS 232 serial ports ACM5508 2 M 8 RJ 45 selectable RS 232 422 485 serial ports IM4208 2 8 RJ 45 RS 232 serial ports IM4216 2 amp IM4216 34 16 RJ 45 RS 232 serial ports IM4232 2 32 RJ 45 RS 232 serial ports IM4248 2 48 RJ 45 RS 232 serial ports IM4004 5 4 RJ 45 RS 232 serial ports CM4116 16 RJ 45 RS 232 serial ports Console Server amp RMM Gateway User Manual CM4148 48 RJ 45 RS 232 serial ports CM4008 8 RJ 45 RS 232 serial ports D4002 CM4001 2 DB 9 RS 232 serial port SD4001 1 DB 9 selectable RS 232 422 485 serial port models also have 1 DB 9 RS 232 console modem serial port DB9 port 2400 to 115 200 bps Ethernet Connectors ACM5002 3 4 M W G One RJ 45 10 100Base T Ethernet ports ACM5004 2 ACM5504 2 and ACM5508 2 Two RJ 45 10 100Base T Ethernet ports IM4208 16 32 48 2 Two RJ 45 10 100Base T Ethernet por
33. 7.2.1 Environmental; 7.2.2 Alarms and Digital Inputs; 7.2.3 UPS Power Supply; 7.2.4 UPS Status; 7.2.5 Serial Login/Logout; 7.2.6 ICMP Ping; 7.2.7 Cellular Data; 7.2.8 Custom Check; 7.2.9 SMS Command; 7.3 Trigger Actions; 7.3.1 Send Email; 7.3.2 Send SMS; 7.3.3 Perform RPC Action; 7.3.4 Run Custom Script; 7.3.5 Send SNMP Trap; 7.3.6 Send Nagios Event; 7.4 Resolve Actions; 7.5 Configure SMTP, SMS, SNMP and/or Nagios service for alert notifications; 7.5.1 Send Email alerts; 7.5.2 Send SMS alerts; 7.5.3 Send SNMP Trap alerts; 7.5.4 Send Nagios Event alerts; 7.6 Logging; 7.6.1 Log storage; 7.6.2 Serial port logging; 7.6.3 Network TCP and UDP port logging; 7.6.4 Auto-Response event logging; 7.6.5 Power device logging. POWER, ENVIRONMENT & DIGITAL I/O: 8.1 Remote Power Control (RPC); 8.1.1 RPC connection; 8.1.2 RPC access privileges and alerts; 8.1.3 User power management; 8.1.4 RPC status; 8.2 Uninterruptible Power Supply Control (UPS); 8.2.1 Managed UPS connections; 8.2.2 Remote UPS management; 8.2.3 Controlling UPS powered computers; 8.2.4 UPS alerts; 8.2.5 UPS status; 8.2.6 Overview of Netw
34. Click Apply. [Screenshot residue: Nagios Settings for a network host: Enable Nagios (switch Nagios on for this host); Host Name (name of host in Nagios, generated using host description if unspecified); Nagios Checks, including Check NRPE, override default args, and check-host-alive.] 10.3.6 Configure the upstream Nagios monitoring host. Refer to the Nagios documentation (http://www.nagios.org/docs) for configuring the upstream server. > The section entitled Distributed Monitoring steps through what you need to do to configure NSCA on the upstream server (under Central Server Configuration). > NRPE Documentation has recently been added, which steps through configuring NRPE on the upstream server (http://nagios.sourceforge.net/docs/nrpe/NRPE.pdf). At this stage, Nagios at the upstream monitoring server has been configured, and individual serial port and network host connections on the console server configured for Nagios monitoring. If NSCA is enabled, each selected check will be executed once over the period of the check interval. If NRPE is enabled, then the upstream server will be able to request status updates under its own scheduling. 10.4 Advanced Distributed Monitoring Configuration. 10.4.1 Sample Nagios configuration. An example configuration for Nagios is listed below. It shows how to set up a remote Console server to monitor a single host with both networ
35. Download, Installation, Configuration. Note: For all PPP clients: Set the PPP link up with TCP/IP as the only protocol enabled. Specify that the Server will assign IP address and do DNS. Do not set up the console server PPP link as the default for Internet connection. 5.3 Dial-Out Access. The internal or externally attached modem on the console server can be set up either in Failover mode, where a dial-out connection is only established in the event of a ping failure, or with the dial-out connection always on. In both of the above cases, in the event of a disruption in the dial-out connection, the console server will endeavor to re-establish the connection. 5.3.1 Always-on dial-out. With V3.4 firmware and later, the console server modem can be configured for out-dial to be always on, with a permanent external dial-up PPP connection. > Select the System: Dial menu option and check Enable Dial-Out to allow outgoing modem communications. > Select the Baud Rate and Flow Control that will communicate with the modem. > In the Dial-Out Settings, Always On Out-of-Band field, enter the access details for the remote PPP server to be called. Override DNS is available for PPP Devices such as modems. Override DNS allows the use of alternate DNS servers from those provided by your ISP. For example, an alternative DNS may be required for OpenDNS used for content filtering. > To enable Override DNS, check the Override returned DNS Servers
36. For firmware pre-V3.1.0, the advanced console server does not support automatic failure recovery back to the original state prior to the failover. So to restore networking to a recovered state, the following command then needs to be run: rm -f /var/run/*-failed-over && config -r ipconfig. If required, you can run a custom bash script when the device fails over. It is possible to use this script to implement automatic failure recovery, depending on your network setup. The script to create is /etc/config/scripts/interface-failover-alert. 5.6 Cellular Modem Connection. The ACM5500, ACM5000, IM4004-5 and IM4200 family of advanced console servers support internal and/or external cellular modems. These modems first need to be set up to validate they can connect to the carrier network. They can then be configured for operation in Failover mode, OoB mode, Cellular router mode or CSD mode. 5.6.1 Connect to the GSM HSUPA/UMTS carrier network. The ACM5004-G-I, ACM5504-5-G-I models and IM4200-G families have an internal GSM modem that will connect to any major GSM carrier globally. The ACM5500, ACM5000, IM4004-5 and IM4200 family of advanced console servers also support attaching an external USB GSM/HSPA cellular modem from Sierra Wireless to one of its USB 2.0 ports. > Before powering on the ACM5004-G-I, ACM5504-5-G-I or IM4200-X2-G you must insta
37. INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS, EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. END OF TERMS AND CONDITIONS. Wireless Driver License: The Opengear firmware includes 802.11 driver code which is used in various console server models. This code is Copyright (c) 2007, Ralink Technology Corporation. All rights reserved. Redistribution and use in binary form, without modification, are permitted provided that the following conditions are met: Redistributions must reproduce the above copyright notice and the following disclaimer in the documentation and/or other materials provided with the distribution. Neither the name of Ralink Technology Corporation nor the names of its suppliers may be used to endorse or promote products derived from this software without specific prior written permission. No reverse engineering, decompilation, or disassembly of this software is permitted. Ralink Technology Corporation grants a world-wide, royalty-free, non-exclusive license under patents it now or hereafter owns or controls to make, have made, use, import, offer to sell and sell ("Utilize") this software, but solely to the extent that any such patent is necessary to Utilize the software alone, or in combination with an operating system licensed under an approved Open Source
38. Interval. > Refer to the sample Nagios configuration section below for some examples of configuring specific NSCA checks. 10.3.4 Configure selected Serial Ports for Nagios monitoring. The individual Serial Ports connected to the console server to be monitored must be configured for Nagios checks. Refer to Chapter 4.4, Network Host Configuration, for details on enabling Nagios monitoring for Hosts that are network connected to the console server. To enable Nagios to monitor a device connected to the console server serial port: > Select Serial & Network: Serial Port and click Edit on the serial Port to be monitored. > Select Enable Nagios, specify the name of the device on the upstream server, and determine the check to be run on this port. Serial Status monitors the handshaking lines on the serial port, and Check Port monitors the data logged for the serial port. [Screenshot residue: Nagios Settings: Enable Nagios (switch Nagios on for this port); Host Name (name of host in Nagios, defaults to host name if unset); Port Log (switch on Nagios port logging); Serial Status (switch on Nagios serial status).] Chapter 10: Nagios Integration. 10.3.5 Configure selected Network Hosts for Nagios monitoring. The individual Network Hosts connected to the console server to be monitored must also be configured for Nagios checks. > Select Serial & Network: Network Port and click
39. [Table residue: model comparison table; cell contents not recoverable. Legible row fragments: SD4001, DB9, Ext AC/DC; SD4002, DB9, Ext AC/DC.] Table notes: RS-232/422/485; all other models have RS-232 serial. These models have 2x USB 2.0 and 1x USB 1.1 port; all other models have USB 2.0 ports. Internal cellular available as an option. The initial IM42xx models were superseded by IM42xx-X models to provide additional flash and USB support. The IMG4004-5 is superseded by IM4004-5 with additional flash and USB support. The IMG4216-25 is superseded by IM4216-34 with additional Ethernet ports, flash and USB ports. The SD4008 is end of life (EoL) and is replaced with ACM5508 2 1. The KCS6000 family is EoL. The various product families support different software features. [Table residue: feature by model family (CM4xxx, IM4004-5, SD400x and others), with columns including Mgt LAN, WLAN, OoB Failover, Auto-Response, Internal Flash, and IPsec, PPTP & OpenVPN; cell contents not recoverable.] Table notes: Option for ACM5002, ACM5003-M and ACM5004 only. ACM500x-2, ACM550x-2 & ACM5504-5-G-I models only
40. [Screenshot residue: Serial & Network: Managed Devices, add device form with a descriptive name for this device (Router), a brief description of the device (Cisco 3640 serial console), and Connections (Serial, Port 2, Network Host, RPC, UPS) with an Add Connection button.] > Click Add Connection and select Serial and the Port that connects to the Managed Device. > To add a UPS/RPC power connection or network connection or another serial connection, click Add Connection. > Click Apply. Note: To set up a new serially connected RPC, UPS or EMD device, you configure the serial port, designate it as a Device, then enter a Name and Description for that device in the Serial & Network: RPC Connections (or UPS Connections or Environmental). When applied, this will automatically create a corresponding new Managed Device with the same Name/Description as the RPC/UPS Host (refer to Chapter 8, Power and Environment). Also, all the outlet names on the PDU will by default be "Outlet 1", "Outlet 2". When you connect a particular Managed Device that draws power from the outlet, the outlet will then take up the name of the powered Managed Device. 4.9 IPsec VPN. The ACM5500, ACM5000, IM4004-5 and IM4200 family of advanced console servers include Openswan, a Linux implementation of the IPsec (IP Security) protocols, which can be used to configure a Virtual Private Network (VPN). The VPN allows multiple sites or r
41. [Screenshot residue: dial settings form with tabs Serial DB9 Port and Internal Modem.] Dial Settings: Disable Dial (disable modem communication); Enable Dial-In (allow incoming modem communication); Enable Dial-Out (allow outgoing modem communication). Serial Settings: Baud Rate, 9600 (the port speed in characters per second); Flow Control, Hardware (the method of flow control to use). Dial-In Settings: Remote Address (the IP address to assign a dial-in client); Local Address (the IP address for the dial-in server); Default Route (the dialed connection is to become a default route for the system); Custom Modem Initialization (an optional AT command sequence to initialize the modem); Authentication Type, one of None (least secure), PAP, CHAP, MSCHAPv2 (most secure) (the method to use when checking the dial-in user's credentials); Required Encryption Level, one of Only no encryption (also disables compression), 40bit or 128bit encryption, Only 40bit encryption, Only 128bit encryption, Any encryption including none (the encryption to require for the dial-in connection). Dynamic DNS: None (DDNS disabled) (update a DNS server when IP address is changed). Further fields: DDNS Hostname, DDNS Username, DDNS Password, Confirm DDNS Password, Maximum interval between updates, Minimum interval between checks, Maximum attempts per update, Apply. DDNS server: The DDNS server to push updates to. The format is server address port. This is used by
42. TLS Initial packet from 192 168 250 152 1194 sid dd3359de 265f251d VERIFY OK depth 1 C US ST CA L SanFrancisco O Fort Funston CN OpenvPN CA emai 1Addr ess me n VERIFY OK depth 0 C US ST CA L SanFrancisco O Fort Funston CN ser ver emai 1Address me myhos Data Channel Encrypt Cipher BF CBC initialized with 128 bit key Data Channel Encrypt Using 160 bit message hash SHA1 for HMAC authentication Data Channel Decrypt Cipher BF CBC initialized with 128 bit key Data Channel Decrypt Using 160 bit message hash SHAL for HMAC authentication Control Channel TLSv1 cipher TLSv1 SSLv3 DHE RSA AES256 SHA 1024 bit RSA server Peer Connection Initiated with 192 168 250 152 1194 SENT CONTROL server PUSH REQUEST status 1 PUSH Received control message PUSH_REPLY route 10 100 10 1 topology net30 ping 10 ping res Options error Unrecognized option or missing parameter s in PUSH OPTIONS 2 topo logy 2 0 OPTIONS IMPORT timers and or timeouts modified OPTIONS IMPORT ifconfig up options modified OPTIONS IMPORT route options modified TAP WIN32 device Local Area Connection 3 opened Global 12EF532A 3135 4F37 B689 720FEC TAP win32 Driver Version 8 4 TAP win32 MTU 1500 Notified TAP win32 driver to set a DHCP IP netmask of 10 100 10 6 255 255 255 252 on interfac Successful ARP Flush on interface 5 12EF532A 3135 4F37 B689 720FE0B1F713 TEST ROUTES 0 0 succeeded len 1 ret 0 a 0 u d down Route Wa
43. The address of a Slave KDC to authenticate against if the Master is not available. Discover Slave KDCs using DNS: Use DNS to find slave KDCs. Only enable this if the DNS contains Kerberos information. 9.1.11 Authentication testing. The Authentication Testing tab (firmware V3.5.2u3 and later) enables the connection to the remote authentication server to be tested. [Screenshot residue: Serial & Network: Authentication page with Authentication Configuration and Authentication Testing tabs; Test Username and Test Password fields.] 9.2 PAM (Pluggable Authentication Modules). The console server supports RADIUS, TACACS and LDAP for two-factor authentication via PAM (Pluggable Authentication Modules). PAM is a flexible mechanism for authenticating users. Nowadays a number of new ways of authenticating users have become popular. The challenge is that each time a new authentication scheme is developed, it requires all the necessary programs (login, ftpd, etc.) to be rewritten to support it. PAM provides a way to develop programs that are independent of authentication scheme. These programs need
44. [Screenshot residue: Serial & Network: Serial Port list with columns Port, Label, Mode, Logging Level, Parameters, Flow Control; eight sample ports (RPC, Console, UPS) each with an Edit link, plus an Edit Multiple Ports button.] > Select Serial & Network: Serial Port and you will see details of the serial ports that are currently set up. > By default each serial port is set in Console Server mode. For the port to be reconfigured, click Edit. > When you have reconfigured the common settings (Chapter 4.1.1) and the mode (Chapters 4.1.2 - 4.1.6) for each port, you set up any remote syslog (Chapter 4.7.7), then click Apply. Note: If you wish to set the same protocol options for multiple serial ports at once, click Edit Multiple Ports and select which ports you wish to configure as a group. > If the console server has been configured with distri
45. [Screenshot residue: Serial & Network: Managed Devices list with columns Device Name, Description/Notes and Related Connections; sample entries include an Asterisk PBX (Network Host 192.168.0.44, UPS MainUPS, RPC PDU R7D outlet 3), a Dell mail server (Serial Port 2, Network Host 192.168.0.70, UPS MainUPS), MainUPS (computer room UPS) and PDU R7D (Baytech PDU), each with Edit and Delete links.] This screen displays all the Managed Devices with their Description/Notes and lists of all the configured Connections: Serial Port (if serially connected) or USB (if USB connected); IP Address (if network connected); Power PDU/outlet details (if applicable) and any UPS connections. Devices such as servers will commonly have more than one power connection (e.g. dual power supplied) and more than one network connection (e.g. for BMC/service processor). All users can view (but not edit) these Managed Device connections by selecting Manage: Devices, whereas the Administrator can edit and add/delete these Managed Devices and their connections. To edit an existing device and add a new connection: > Select Edit on the Seria
46. an advanced console server whose IP address is dynamically assigned (and that may change from time to time) can be located using a fixed host or domain name. The ACM5500, ACM5000, IM4004-5 and IM4200 family of advanced console servers (with Firmware 3.0.2 and later) support DDNS. > The first step in enabling DDNS is to create an account with the supported DDNS service provider of your choice. Supported DDNS providers include: DyNS (www.dyns.cx), dyndns.org (www.dyndns.org), GNUDip (gnudip.cheapnet.net), ODS (www.ods.org), TZO (www.tzo.com), 3322.org, a Chinese provider (www.3322.org). Upon registering with the DDNS service provider, you will select a username and password, as well as a hostname that you will use as the DNS name (to allow external access to your machine using a URL). The Dynamic DNS service providers allow the user to choose a hostname URL and set an initial IP address to correspond to that hostname URL. Many Dynamic DNS providers offer a selection of URL hostnames available for free use with their service. However, with a paid plan, any URL hostname (including your own registered domain name) can be used. You can now enable and configure DDNS on any of the Ethernet or cellular network connections on the console server (by default DDNS is disabled on all ports). > Select the DDNS service provider from the drop-down Dynami
47. does not represent foo1 or foo9, but rather represents a degenerate range: foo19. This range syntax is meant only as a convenience on clusters with a prefixNN naming convention, and specification of ranges should not be considered necessary: the list foo1,foo9 could be specified as such, or by the range foo[1,9]. Some examples of powerman targets follow. Power on hosts bar, baz, foo01, foo02, ..., foo05: powerman --on bar baz foo[01-05]. Power on hosts bar, foo7, foo9, foo10: powerman --on bar,foo[7,9-10]. Power on foo0, foo4, foo5: powerman --on foo[0,4-5]. As a reminder to the reader, some shells will interpret brackets ([ and ]) for pattern matching. Depending on your shell, it may be necessary to enclose ranged lists within quotes. For example, in tcsh, the last example above should be executed as: powerman --on "foo[0,4-5]". 15.9.2 The pmpower tool. The pmpower utility is a high-level tool for manipulating remote preconfigured power devices connected to the console server either via a serial or network connection. The PDU, UPS and IPMI power devices are variously controlled using the open source PowerMan, IPMItool or Network UPS Tools, and Opengear's pmpower utility arches over these tools so the devices can be controlled through the one command line: pmpower [-h] [-l device | -r host] [-o outlet] [-u username] [-p password] action. -h: This help message. -l: The serial port to use. The o
48. e.g. Port 2 if the target device is attached to the second serial port. Ensure the port's serial configuration is appropriate for the attached device. Scroll down to Console Server Setting and select Console Server Mode. Check Telnet or SSH, scroll to the bottom and click Apply. Select Network Hosts from Serial & Network and click Add Host. In the IP Address/DNS Name field enter 127.0.0.1 (this is the Opengear's network loopback address) and enter Loopback in Description. Remove all entries under Permitted Services, select TCP and enter 200n in Port. This configures the Telnet port enabled in the previous step, so for Port 2 you would enter 2002. Click Add, then scroll to the bottom and click Apply. Administrators by default have gateway and serial port access privileges; however, for Users to access the gateway and the serial port, you will need to give those Users the required access privileges. Select Users & Groups from Serial & Network. Click Add User. Enter a Username, Description and Password/Confirm. Select 127.0.0.1 from Accessible Host(s) and select Port 2 from Accessible Port(s). Click Apply. 6.5 Using SDT Connector for out-of-band connection to the gateway. SDT Connector can also be set up to connect to the console server (gateway) out-of-band (OoB). OoB access uses an alternate path for connecting to the gate
49. ioc p 1 d0 v 1 sleep 1 ioc p 1 d0 v0
This will set the output high for 1 second, then return it to low (assuming the initial state is low).
8.4.2 Digital I/O Input Configuration
When either of the two digital I/O (DIO1 & DIO2) outlets are configured as inputs on System: I/O Ports, they can be used to monitor the current status of any attached sensor. When configured as inputs (and this is the factory default), these first two ports are notionally attached to an internal EMD. So to configure them as alarms, go to the Environmental page and edit and enable the Internal EMD. Also, the low voltage circuits in DIO1 and DIO2 should not be wired to voltages greater than 5V DC. Alternately, these input ports can be monitored using the ioc command line utility as detailed in the previous section.
8.4.3 High Voltage Outputs
OUT1 and OUT2 (internally DIO3 & DIO4) outlets are wired as high voltage outputs. The way these outputs are expected to be used is to pull a power-connected line to ground (i.e. the OUT1 and OUT2 transistors are open collector). The I/O port header includes a 12v reference line (VIN) which can be used to detect the line state change. For example, to light a 12v LED using the high voltage outputs, connect the positive leg of the LED to the 12v reference and the negative leg to output pin 4. Due to the way that the I/O port is connected internally, the output has to be set high to pull the output to ground. The
50. is the usual method of user authentication used on the internet: sending a username and password to a server where they are compared with a table of authorized users. Whilst most common, PAP is the least secure of the authentication options.
Point-to-Point Protocol: A networking protocol for establishing simple links between two peers.
RADIUS: The Remote Authentication Dial-In User Service (RADIUS) protocol was developed by Livingston Enterprises as an access server authentication and accounting protocol. The RADIUS server can support a variety of methods to authenticate a user. When it is provided with the username and original password given by the user, it can support PPP, PAP or CHAP, UNIX login, and other authentication mechanisms.
Router: A network device that moves packets of data. A router differs from hubs and switches because it is "intelligent" and can route packets to their final destination.
SIM: Subscriber Identity Module (SIM) card stores unique serial numbers and security authentication used to identify a subscriber on mobile telephony devices.
SMASH: Systems Management Architecture for Server Hardware is a standards-based protocol aimed at increasing productivity of the management of a data center. The SMASH Command Line Protocol (SMASH CLP) specification provides an intuitive interface to heterogeneous servers independent of machine state, operating system or OS state
51. <address of unit>:/etc/config/
PuTTY and the PSCP utility can be downloaded from http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
More detailed documentation on the PSCP can be found at http://the.earth.li/~sgtatham/putty/0.58/htmldoc/Chapter5.html#pscp
15.8.4 Launching the HTTPS Server
Note that the easiest way to enable the HTTPS server is from the web Management Console. Simply click the appropriate checkbox in Network: Services: HTTPS Server and the HTTPS server will be activated (assuming the ssl_key.pem & ssl_cert.pem files exist in the /etc/config directory). Alternatively, inetd can be configured to launch the secure fnord server from the command line of the unit as follows.
Edit the inetd configuration file. From the unit command line:
    vi /etc/config/inetd.conf
Append a line:
    443 stream tcp nowait root sslwrap -cert /etc/config/ssl_cert.pem -key /etc/config/ssl_key.pem -exec /bin/httpd /home/httpd
Save the file and signal inetd of the configuration change:
    kill -HUP `cat /var/run/inetd.pid`
The HTTPS server should be accessible from a web client at a URL similar to this: https://<common name of unit>
More detailed documentation about the openssl utility can be found at the website: http://www.openssl.org
15.9 Power Strip Control
The console server supports a growing list of remote power control devices (RPCs) which can be configured using the Management Console as described in Chapter
52. [Screenshot: Manage Terminal page]
Note: SDT Connector must be installed on the computer you are browsing from and the console server must be added as a gateway, as detailed in Chapter 6.
13.4 Power Management
Administrators and Users can access and manage the connected power devices. Select Manage: Power. This enables the user to power Off/On/Cycle any power outlet on any PDU the user has been given access privileges to (refer Chapter 8 for details).
[Screenshot: Manage Power page]
Chapter 14 Command Line Configuration
CONFIGURATION FROM THE COMMAND LINE
For those who prefer to configure their console server at the Linux command line level r
53. 1051 When configured in FIPS mode, all SSH, HTTPS and SDT Connector access to all services on the advanced console servers will use the embedded FIPS compliant cryptographic module. To connect, you must also be using cryptographic algorithms that are FIPS approved in your browser or client, or the connection will fail.
Select the System: Administration menu option. Check FIPS Mode to enable FIPS mode on boot, and check Reboot to safely reboot the console server.
[Screenshot: Administration page with the options "Enable FIPS mode on boot (changing requires safe reboot)" and "Safely reboot the device"]
Click Apply and the console server will now reboot. It will take several minutes to reconnect as secure communications with your browser are validated, and when reconnected it will display "FIPS mode: Enabled" in the banner.
Note: To enable FIPS mode from the command line, log in and run these commands:
    config -s config.system.fips=on
    touch /etc/config/FIPS
    chmod 444 /etc/config/FIPS
    flatfsd -b
The final command saves to flash and reboots the unit. The unit will take a few minutes to boot into FIPS mode. To disable FIPS mode:
    config -d config.system.fips
    rm /etc/config/FIPS
    flatfsd -b
54. 14.1.16 Administration
To change the administration settings to:
    System Name: og.mydomain.com
    System Password (root account): secret
    Description: Device in office 2
    config -s config.system.name=og.mydomain.com
    config -P config.system.password (will prompt user for a password)
    config -s "config.system.location=Device in office 2"
NOTE: The -P parameter will prompt the user for a password and encrypt it. In fact, the value of any config element can be encrypted using the -P parameter, but only encrypted user passwords and system passwords are supported. If any other element value were to be encrypted, the value will become inaccessible and will have to be re-set.
The following command will synchronize the live system with the new configuration:
    config -a
14.1.17 IP settings
To configure the primary network interface with static settings:
    IP address: 192.168.0.23
    Netmask: 255.255.255.0
    Default gateway: 192.168.0.1
    DNS server 1: 192.168.0.1
    DNS server 2: 192.168.0.2
    config -s config.interfaces.wan.address=192.168.0.23
    config -s config.interfaces.wan.netmask=255.255.255.0
    config -s config.interfaces.wan.gateway=192.168.0.1
    config -s config.interfaces.wan.dns1=192.168.0.1
    config -s config.interfaces.wan.dns2=192.168.0.2
    config -s config.interfaces.wan.mode=static
    config -s config.interfaces.wan.media=[ Auto | 100baseTx-FD | 100baseTx-HD | 10baseT-HD | 10baseT-FD ]
To enable bridging between all interfaces c
55. 172.16.0.0 - 172.31.255.255 or 192.168.0.0 - 192.168.255.255
[Screenshot: Status Statistics page, Failover and Out-of-Band tab, showing the always-on out-of-band internal cellular modem connected with a private IP address and the warning "This is a private IP address. VPN is required to enable incoming connections."]
For inbound OoB connection with such a plan you will need to use Call Home with a VCMS CMS6110 or set up a VPN. In out of band access mode the internal cellular modem will continually stay connected. The alternative is to set up Failover mode on the console server as detailed in the next section.
5.7.2 Cellular failover setup
Once you have configured carrier connection, the cellular modem can be configured for failover. This will tell the cellular connection to remain idle in a low power state. If the primary and secondary probe ad
56. 2 Once the fields are set, apply the configuration with the following command: config run snmp
You can add a third or more SNMP servers by incrementing the "2" in the above commands, e.g. config.system.snmp.protocol3, config.system.snmp.address3, etc.
15.6 Secure Shell (SSH) Public Key Authentication
This section covers the generation of public and private keys in a Linux and Windows environment and configuring SSH for public key authentication. The steps to use in a Clustering environment are:
- Generate a new public and private key pair
- Upload the keys to the Master and to each Slave console server
- Fingerprint each connection to validate
15.6.1 SSH Overview
Popular TCP/IP applications such as telnet, rlogin, ftp and others transmit their passwords unencrypted. Doing this across public networks like the Internet can have catastrophic consequences. It leaves the door open for eavesdropping, connection hijacking, and other network-level attacks. Secure Shell (SSH) is a program to log into another computer over a network, to execute commands in a remote machine, and to move files from one machine to another. It provides strong authentication and secure communications over insecure channels. OpenSSH, the de facto open source SSH application, encrypts all traffic (including passwords) to effectively eliminate these risks. Additionally, OpenSSH provid
57. [Screenshot: Alerts & Logging: Auto-Response settings page, with the fields Name, Reset Timeout, Repeat Trigger Actions, Repeat Trigger Action Delay and Disable Auto-Response at specific times, and a menu of check types]
Check Disable Auto-Response at specific times and you will be able to periodically disable Auto-Responses between specified times of day.
58. [Screenshot: RPC Connections list]
Click Add RPC. Connected Via presents a list of serial ports and network Host connections that you have set up with device type RPC, but have yet to connect to a specific RPC device.
[Screenshot: Serial & Network: RPC Connections, Add RPC form, with the fields Connected Via, RPC Type, Log Level, Name, Description and Username]
When you select Connect Via for a Network RPC connection, then the corresponding Host Name/Description that y
59. 6 Secure SSH Tunneling & SDT Connector
SSH TUNNELS & SDT CONNECTOR
Each Opengear console server has an embedded SSH server and uses SSH tunneling so remote users can securely connect through the console server to Managed Devices, using text-based console tools (such as SSH, telnet, SoL) or graphical tools (such as VNC, RDP, HTTPS, HTTP, X11, VMware, DRAC, iLO). The Managed Devices being accessed can be located on the same local network as the console server, or they can be attached to the console server via a serial port. The remote User/Administrator connects to the console server through an SSH tunnel via dial-up, wireless or ISDN modem; a broadband Internet connection; the enterprise VPN network; or the local network.
[Figure: secure remote management and secure OoB dial-in or broadband access to network-connected and serial-connected devices]
To set up the secure SSH tunnel from the Client PC to the console server, you must install and launch SSH client software on the User/Administrator's PC. Opengear recommends you use the SDT Connector client software that is supplied with the console server for this. SDT Connector is simple to install and auto-configure, and it will provide all your users with point-and-click access to all the systems and devices in the secure network. With one click, SDT Connector sets up a secure SSH tunnel from the client to the selected console server, then establishes a port forward connection to the target network connected host
60. [Screenshot: Trusted Networks rule form with Accessible Port(s) checkboxes and fields for the IP address of the subnet to permit, the subnet mask for the permitted IP range and a brief explanation of the entry]
Select the Accessible Port(s) that the new rule is to be applied to. Then enter the Network Address of the subnet to be permitted access. Then specify the range of addresses that are to be permitted by entering a Network Mask for that permitted IP range, e.g.:
To permit all the users located with a particular Class C network (204.15.5.0 say) connection to the nominated port, you would add the following Trusted Network New Rule: 255.255.255.0
If you want to permit only the one user who is located at a specific IP address (204.15.5.13 say) to connect: 255.255.255.255
If however you want to allow all the users operating from within a specific range of IP addresses (say any of the thirty addresses from 204.15.5.129 to 204.15.5.158) to be permitted connection to the nominated port: Host/Subnet Address 204.15.5.128, Subnet Mask 255.255.255.224
Note: The above Trusted Networks will limit access by Users and Administrators to the console serial ports. However they do not restrict access by the Administrator to the consol
61. 8 These RPCs are controlled using the open source PowerMan and Network UPS Tools and with Opengear's pmpower utility.
15.9.1 The PowerMan tool
PowerMan provides power management in a data center or compute cluster environment. It performs operations such as power on, power off, and power cycle via remote power controller (RPC) devices.
Synopsis:
    powerman [-option] [targets]
    pm [-option] [targets]
Options:
    -1, --on       Power ON targets.
    -0, --off      Power OFF targets.
    -c, --cycle    Power cycle targets.
    -r, --reset    Assert hardware reset for targets (if implemented by RPC).
    -f, --flash    Turn beacon ON for targets (if implemented by RPC).
    -u, --unflash  Turn beacon OFF for targets (if implemented by RPC).
    -l, --list     List available targets. If possible, output will be compressed into a host range (see TARGET SPECIFICATION below).
    -q, --query    Query plug status of targets. If none specified, query all targets. Status is not cached; each time this option is used, powermand queries the appropriate RPCs. Targets connected to RPCs that could not be contacted (e.g. due to network failure) are reported as status "unknown". If possible, output will be compressed into host ranges.
    -n, --node     Query node power status of targets (if implemented by RPC). If no targets specified, query all targets. In this context, a node in the OFF state could be ON at the plug but operati
62. CM4148 kit components
2.1.4 CM4008 kit components
2.1.5 CM4001 and SD4002 kit components
2.1.6 SD4001 kit components
2.1.7 ACM5000 kit components
2.1.8 ACM5500 kit components
2.2 Power Connection
2.2.1 IM4216 34 DAC, IM4208 2 DAC, IM4216 2 DAC, IM4232 2 DAC and IM4248 2 DAC power
2.2.2 CM4116 SAC, CM4132 SAC and CM4148 SAC power
2.2.3 IM4004 5 and CM4008 power
2.2.4 CM4001, SD4002 and SD4001 power
2.2.5 ACMS500x ACM5S00x 2 ACM500x M W I G and ACM500x SDC power
2.2.6 ACM5508 2 M, ACM5508 2 I, ACM5504 5 G I, ACM5504 5 GV I and ACM5504 2 P power
2.2.7 IM4216 34 DDC, IM4208 2 DDC, IM4216 2 DDC, IM4232 2 DDC and IM4248 2 DDC power
2.3 Network Connection
2.4 Serial Port Connection
2.4.1 Opengear Classic RJ45 pinout (option X0)
2.4.2 Cisco Rolled (Cyclades) RJ45 pinout (option X1)
2.4.3 Cisco RJ45 pinout (option X2)
2.5 USB Port Connection
2.6 Fitting Cellular SIM and Antennas
2.6.1 ACM5004 G G I and ACM5504 5 G I SIM
2.6.2 ACM5004 G G I GV and ACM5504 5 G I antenna
2.6.3 IM42xx 2 DAC X2 G and IM42xx 2 DAC X0 G
2.6.4 External USB cellular modems
2.7 Digital I/O and Environmental Sensors
SYSTEM CONFIGURATION
3.1 Management Console Connection
3.1.1 Connected computer set up
3.1.2 Browser connection
3.2 Administrator Password
3.2.1 Set up new administrator
3.3 Network IP Address
3.3.1 IPv6 configuration
3.3.2 D
63. CPU, provided that (1) you may not rent, lease, sell, sublicense or lend the Software; (2) you may not reverse engineer, decompile, disassemble or modify the Software, except and only to the extent that such activity is expressly permitted by applicable law notwithstanding this limitation; and (3) you may not transfer rights under this EULA unless such transfer is part of a permanent sale or transfer of the Product, you transfer at the same time all copies of the Software to the same party or destroy such materials not transferred, and the recipient agrees to this EULA. No license is granted in any of the Software's proprietary source code. This license does not grant you any rights to patents, copyright, trade secrets, trademarks or any other rights with respect to the Software. You may make a reasonable number of copies of the electronic documentation accompanying the Software for each Software license you acquire, provided that you must reproduce and include all copyright notices and any other proprietary rights notices appearing on the electronic documentation. Opengear reserves all rights not expressly granted herein.
INTELLECTUAL PROPERTY RIGHTS
The Software is protected by copyright laws, international copyright treaties, and other intellectual property laws and treaties. Opengear and its suppliers retain all ownership of, and intellectual property rights in (including copyright), the Software components and all copies thereof, provided however
64. Capabilities of the daemon. There is a draft RFC detailing this protocol.
TCP/IP: Transmission Control Protocol/Internet Protocol. The basic protocol for Internet communication.
TCP/IP address: Fundamental Internet addressing method that uses the form nnn.nnn.nnn.nnn.
Telnet: Telnet is a terminal protocol that provides an easy-to-use method of creating terminal connections to a network.
UDP: User Datagram Protocol.
UTC: Coordinated Universal Time.
UTP: Unshielded Twisted Pair cabling. A type of Ethernet cable that can operate up to 100Mb/s. Also known as Category 5 or CAT 5.
VNC: Virtual Network Computing (VNC) is a desktop protocol to remotely control another computer. It transmits the keyboard presses and mouse clicks from one computer to another, relaying the screen updates back in the other direction over a
VPN: Virtual Private Network (VPN), a network that uses a public telecommunication infrastructure and Internet to provide remote offices or individual users with secure access to their organization's network.
WAN: Wide Area Network.
WINS: Windows Internet Naming Service (WINS) that manages the association of workstation names and locations with IP addresses.
License Agreement
APPENDIX F END USER LICENSE AGREEMENTS
READ BEFORE USING THE ACCOMPANYING SOFTWARE
YOU SHOULD CAREFULLY READ THE FOLLOWING TERMS AND CONDITIONS BEFORE
65. Change file owner and group
config: Opengear tool to manipulate and query the system configuration from the command line
cp: Copy files and directories
date: Print or set the system date and time
dd: Convert and copy a file
deluser: Delete USER from the system
df: Report filesystem disk space usage
dhcpd: Dynamic Host Configuration Protocol server
discard: Network utility that listens on the discard port
dmesg: Print or control the kernel ring buffer
echo: Print the specified ARGs to stdout
erase: Tool for erasing MTD partitions
eraseall: Tool for erasing entire MTD partitions
false: Do nothing, unsuccessful
find: Search for files
flashw: Write data to individual flash devices
flatfsd: Daemon to save RAM file systems back to FLASH
ftp: Internet file transfer program
gen-keys: SSH key generation program
getopt: Parses command options
gettyd: Getty daemon
grep: Print lines matching a pattern
gunzip: Compress or expand files
gzip: Compress or expand files
hd: ASCII, decimal, hexadecimal, octal dump
hostname: Get or s
Further commands listed without descriptions in this excerpt: httpd, hwclock, inetd, inetd-echo, init, ip, ipmitool, iptables, ip6tables, iptables-restore, iptables-save, kill, ln, login, loopback, loopback1, loopback2, loopback8 & loopback16, loopback48, ls, mail, mkdir, mkfs.jffs2, mknod, more, mount, msmtp, mv, nc, netflash, netstat, ntpd, pgrep, pidof, ping, ping6, pkill, pmchat, pmdeny, pminetd
66. Chapter 2 Installation
SD4001 Serial Device Server; Connector DB9F to RJ45 crossover; Universal Input 12 VDC Wall mount Power Supply; Quick Start Guide and CD-ROM.
Unpack your SD4001 and verify you have all the parts shown above, and that they all appear in good working order. Proceed to connect your SD4001 to the network, to the serial port of the controlled device and to power as outlined below.
ACM5000 kit components
Part 509054, Part 509055, Part 509056, Part 509057, Part 509058, Part 509059, Part 509000, Part 509073, Part 440016, Part 3190014 and 3190015, Part 4500XX, Part 539000: ACM5002 Advanced Console Server, ACM5003 M, ACM5003 W, ACM5004, ACM5004 2, ACM5004 G, ACM5004 G, ACM5004 2; 2 x Cable UTP Cat5 blue; Cisco Connector DB9F-RJ45 straight and DB9F-RJ45 cross-over; Power Supply 12VDC 1.0A Wall mount; Quick Start Guide and CD-ROM.
Unpack your ACM5000 kit and verify you have all the parts shown above, and that they all appear in good working order. The ACM5004 G has an external 3G aerial to be attached. Proceed to connect your ACM5000 to the network, the serial ports of the controlled servers and AC power as shown below.
2.1.8 ACM5500 kit components
Part 509110: ACM5508 2 M RMM Gateway
Part 509109: ACM5508 2 RMM Gateway
Part 509108: ACM5504 5 G RMM Gateway
Part 509115: ACM5504 5 GV I RMM Gateway
67. DB9 Y DB9 Y 1 port. The first serial port can be reassigned to be a console/modem port.
2.4.1 Opengear Classic RJ45 pinout (option X0)
The CM4000, CM4100 and IM4004 models have the Opengear Classic RJ45 pinout shown below. The IM4200 console servers are also available with this RJ45 pinout as an option.
2.4.2 Cisco Rolled (Cyclades) RJ45 pinout (option X1)
The IM4200 console servers are the only products which are available with this RJ45 pinout option. This makes it easy to replace Avocent/Cyclades products, and is convenient for use with rolled RJ-45 cable.
    PIN  SIGNAL  DEFINITION           DIRECTION
         RTS     Request To Send      Output
         DTR     Data Terminal Ready  Output
         RXD     Receive Data         Input
    8    DSR     Data Set Ready       Input
2.4.3 Cisco RJ45 pinout (option X2)
The ACM5000, ACM5500 and IM4216 34 models have Cisco serial pinouts on their RJ45 connectors. The IM4200 console servers are also available with this RJ45 pinout. This provides straight-through RJ-45 cable to equipment such as Cisco, Juniper, SUN, and many more.
    PIN  SIGNAL  DEFINITION           DIRECTION
    1    CTS     Clear To Send        Input
    2    DSR     Data Set Ready       Input
    3    RXD     Receive Data         Input
    4    GND     Signal Ground        NA
    5    GND     Signal Ground        NA
    6    TXD     Transmit Data        Output
    7    DTR     Data Terminal Ready  Output
    8    RTS     Request To Send      Output
68. [Screenshot: Remote Desktop Connection dialog, General tab, with logon settings for Computer, Username, Domain and Save my password]
Click Connect.
Note: The Remote Desktop Connection software is pre-installed with Windows XP, Vista and Server 2003/2008; however, for earlier Windows PCs you will need to download the RDP client. Go to the Microsoft Download Center site http://www.microsoft.com/downloads/details.aspx?familyid=80111F21-D48D-426E-96C2-08AA2BD23A49&displaylang=en and click the Download button. This software package will install the client portion of Remote Desktop on Windows 95, Windows 98 and 98 Second Edition, Windows Me, Windows NT 4.0 and Windows 2000. When run, this software allows these older Windows platforms to remotely connect to a computer running current Windows.
B. On a Linux or UNIX client PC:
Launch the open source rdesktop client:
    rdesktop -u windows-user-id -p windows-password -g 1200x950 ms-windows-terminal-server-host-name
    option  description
    -a      Color depth: 8, 16, 24
    -r      Device redirection, i.e. redirect sound on remote machine to local device, i.e. -0 -r sound (MS Windows 2003)
    -g      Geometry: widthxheight or 70% screen percentage
    -p      Use -p - to receive password prompt
You can use GUI front end tools like
69. Fingerprinting as described below.
[Screenshot: SSH key upload form, with fields to upload a replacement RSA public key file, RSA private key file, DSA public key file, DSA private key file and authorized keys file]
15.6.4 Installing SSH Public Key Authentication (Linux)
Alternately, the public key can be installed on the unit remotely from the linux host with the scp utility as follows. Assuming the user on the Management Console is called "fred", the IP address of the console server is 192.168.0.1 (default), and the public key is on the linux/unix computer in ~/.ssh/id_dsa.pub, execute the following command on the linux/unix computer:
    scp ~/.ssh/id_dsa.pub root@192.168.0.1:/etc/config/users/fred/.ssh/authorized_keys
The authorized_keys file on the console server needs to be owned by "fred", so log in to the Management Console as root and type:
    chown fred /etc/config/users/fred/.ssh/authorized_keys
[Figure: Master and Slave console servers, with the authorized_keys entries held on each Slave and the RSA private key held on the Master]
70. [Screenshot: System: Nagios page, with the fields Nagios Server Address (address of the upstream server), Disable SDT Nagios (don't show sdt links in service status), SDT Gateway IP Address (external address of this system shown in sdt links, defaults to Nagios Host Address) and Prefer NRPE (use NRPE instead of NSCA whenever possible, defaults to prefer NSCA)]
Browse the Opengear console server and select System: Nagios on the console server Management Console. Check Nagios service Enabled.
Enter the Host Name and the Nagios Host Address (i.e. IP address) that the central Nagios server will use to contact the distributed Opengear console server.
Enter the IP address that the distributed Opengear console server will use to contact the central Nagios server in Nagios Server Address.
Enter the IP address that the clients running SDT Connector will use to connect through the distributed Opengear servers in SDT Gateway address.
Check Prefer NRPE, NRPE Enabled and NRPE Command Arguments.
Check NSCA Enabled, choose an NSCA Encryption Method and enter and confirm an NSCA Secret. Remember these details as you will need them later on. For NSCA Interval, enter 5.
Click Apply.
Next you must configure the attached Window network host an
71. IS NO WARRANTY AGAINST INTERFERENCE WITH YOUR ENJOYMENT OF THE SOFTWARE OR AGAINST INFRINGEMENT. IF YOU HAVE RECEIVED ANY WARRANTIES REGARDING THE DEVICE OR THE SOFTWARE, THOSE WARRANTIES DO NOT ORIGINATE FROM, AND ARE NOT BINDING ON, OPENGEAR.
NO LIABILITY FOR CERTAIN DAMAGES. EXCEPT AS PROHIBITED BY LAW, OPENGEAR SHALL HAVE NO LIABILITY FOR COSTS, LOSS, DAMAGES OR LOST OPPORTUNITY OF ANY TYPE WHATSOEVER, INCLUDING BUT NOT LIMITED TO, LOST OR ANTICIPATED PROFITS, LOSS OF USE, LOSS OF DATA, OR ANY INCIDENTAL, EXEMPLARY, SPECIAL OR CONSEQUENTIAL DAMAGES, WHETHER UNDER CONTRACT, TORT, WARRANTY OR OTHERWISE ARISING FROM OR IN CONNECTION WITH THIS EULA OR THE USE OR PERFORMANCE OF THE SOFTWARE. IN NO EVENT SHALL OPENGEAR BE LIABLE FOR ANY AMOUNT IN EXCESS OF THE LICENSE FEE PAID TO OPENGEAR UNDER THIS EULA. SOME STATES AND COUNTRIES DO NOT ALLOW THE LIMITATION OR EXCLUSION OF LIABILITY FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THIS LIMITATION MAY NOT APPLY TO YOU.
JSch License
SDT Connector includes code from JSch, a pure Java implementation of SSH2. JSch is licensed under BSD style license and it is: Copyright (c) 2002, 2003, 2004 Atsuhiko Yamanaka, JCraft, Inc. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2
72. Indicator (RSSI).
Note: Received Signal Strength Indicator (RSSI) is a measurement of the Radio Frequency (RF) power present in a received radio signal at the mobile device. It is generally expressed in dBm, and the best throughput comes from placing the device in an area with the highest RSSI.
    -100 dBm or less     Unacceptable coverage
    -99 dBm to -90 dBm   Weak coverage
    -89 dBm to -70 dBm   Medium to High coverage
    -69 dBm or greater   Strong coverage
[Screenshot: Status Statistics page, Cellular tab, showing internal cellular modem details including service availability, roaming status, system mode, radio access technology, service domain and Received Signal Strength Indication (RSSI) in dBm]
With the cellular modem connection on, you can also see the connection status from the LEDs on top of un
73. Open to SSH connect the Client PC to the console server You will now be prompted for the Username Password for the console server user EP 192 168 252 202 PuTTY f you are connecting as a User in the users group then you can only SSH tunnel to Hosts and Serial Ports where you have specific access permissions f you are connecting as an Administrator in the admin group then you can connect to any configured Host or Serial Ports which has SDT enabled To set up the secure SSH tunnel for a HT TP browser connection to the Managed Device specify port 80 rather than port 3389 as was used for RDP in the Destination IP address To set up the secure SSH tunnel from the Client Viewer PC to the console server for VNC follow the steps above however when configuring the VNC port redirection specify port 5900 in the Destination IP address Console Server amp RMM Gateway User Manual 147 Note 148 Chapter 6 Secure SSH Tunneling amp SDT Connector How secure is VNC VNC access generally allows access to your whole computer so security is very important VNC uses a random challenge response system to provide the basic authentication that allows you to connect to a VNC server This is reasonably secure and the password is not sent over the network However once connected all subsequent VNC traffic is unencrypted So a malicious user could snoop your VNC session Also there are VNC scanning programs available which wil
74. PPP connection for Linux B For Windows XP and 2003 computers follow the steps below to set up an advanced network connection between the Windows computer through its COM port to the console server Both Windows 2003 and Windows XP Professional allow you to create a simple dial in service which can be used for the Remote Desktop VNC HTTP X connection to the console server gt Open Network Connections in Control Panel and click the New Connection Wizard New Connection Wizard K Network Connection Type What do you want to do O Connect to the Intemet Connect to the Intemet so you can browse the Web and read email O Connect to the network at my workplace Connect to a business network using dial up or VPN so you can work from home a field office or another location Set up a home or small office network Connect to an existing home or small office network or set up a new one Connect directly to another computer using your serial parallel or infrared port or set up this computer so that other computers can connect to it Ca ees Ca gt Select Set up an advanced connection and click Next gt On the Advanced Connection Options screen select Accept Incoming Connections and click Next gt Select the Connection Device i e the serial COM port on the Windows computer that you cabled through to the console server By default select COM1 The COM port on the Windows computer should be configured to its maximum baud ra
75. Port Pinouts ACM5004 2 I ACM5504 5 G I and ACM5508 2 I Each serial RJ 45 ports on these models can be software selected to be RS 232 RS 422 or RS 485 Console Server amp Router User Manual 319 Connectivity TCP Ports amp Serial I O e For RS232 they have the Cisco pinout Direction RS422 Signal Description Input Receive Data e For RS 422 mode it s 4 wire full duplex transmit Receive Data on TX TX pair receive on RX RX pair with the following pinout Input Output Transmit Data Output Transmit Data e For RS 485 it s 2 wire half duplex For the RS 485 option to provide half duplex party line communications over a 2 wire bus D D two short cable loops are required between the RX TX pins pins 1 and 6 and RX TX pins pins 3 and 8 on the serial RJ 45 cable connector This is because the I model uses universal differential transceivers that support 4 wire RS 422 and 2 wire RS 485 operation In RS 485 mode the I model listens on the 2 wire bus for receive data until it is required to send data In RS 485 send mode it stops receiving enables its transmitters when there is data to be sent transmits the data and returns to receive mode This eliminates the possibility of collisions with other devices which share the RS 485 bus and avoids receiving bogus stale echoed data Serial Port Pinouts SD4002 The SD4002 supports by default two RS232 ports on Port 1 and Port 2 DB9 connectors Port 2 on
76. PuTTY client software Console Server amp RMM Gateway User Manual 145 ieee PuTTY Configuration El Session Terminal z Keyboard Features E Window Chapter 6 Secure SSH Tunneling amp SDT Connector Basic options for your PuTTY session Specify the destination you want to connect to Host Name or IP address Port 192 168 252 202 ae Connection type O Raw Telnet O Rlogin SSH Serial Load save or delete a stored session Saved Sessions Default Settings Clase window on exit O Aways Never Only on clean exit gt Inthe Session menu enter the IP address of the console server in the Host Name or IP address field For dial in connections this IP address will be the Local Address that you assigned to the console server when you set it up as the Dial In PPP Server For Internet or local VPN connections connections this will be the public IP address of the console server gt Select the SSH Protocol and the Port will be set as 22 gt Goto the SSH Tunnels menu and in Add new forwarded port enter any high unused port number for the Source port e g 54327 gt Set the Destination IP details f your destination device is network connected to the console server and you are connecting using RDP set the Destination as lt Managed Device IP address DNS Name gt 3389 e g if when setting up the Managed Device as Network Host on the console server you specified its IP address to be 192 168 253 1
77. 7.6.2 Serial port logging. In Console Server mode, activity logs can be maintained of all serial port activity. To specify which serial ports are to have activities recorded and to what level data is to be logged: [Screenshot: Console Server Settings, Logging Level drop-down] > Select Serial & Network: Serial Port and Edit the port to be logged. > Specify the Logging Level for each port as: Level 0: Turns off logging for the selected port. Level 1: Logs all User connection events to the port. Level 2: Logs all data transferred to and from the port, all changes in hardware flow control status and all User connection events. Level 3: Logs all data transferred from the port, all changes in hardware flow control status and all User connection events. Level 4: Logs all data transferred to the port, all changes in hardware flow control status and all User connection events.
78. Re-enter the user's password for confirmation. Custom Modem Initialization: An optional AT command sequence to initialize the modem. Ignore Dial Tone: Do not wait for dial tone before dialing. Override DNS: Override returned DNS servers. Use the following DNS servers instead of the PPP provided servers. DNS Server 1: The primary DNS server. DNS Server 2: The secondary DNS server. Apply. 5.3.2 Failover dial-out. The ACM5500, ACM5000, IM4004-5 and IM4200 family of advanced console servers can be configured so a dial-out PPP connection is automatically set up in the event of a disruption in the principal management network. Note: Only SSH access is enabled on the failover connection. However in firmware versions later than 3.0.2 HTTPS access is also enabled. So the administrator can then SSH (or HTTPS) connect to the console server and fix the problem. > When configuring the principal network connection in System: IP, specify the Failover Interface that will be used when a fault has been detected with Network / Network1 (eth0). This can be either Internal Modem or the Dial Serial DB9 (if you are using an external modem on the Console port) or USB Modem (if you are using a plug-on USB modem on an IM4004-5, ACM5500 or ACM5000).
79. Redistributions in binary form must reproduce the above copyright notice this list of conditions and the following disclaimer in the documentation and or other materials provided with the distribution 3 The names of the authors may not be used to endorse or promote products derived from this software without specific prior written permission THIS SOFTWARE IS PROVIDED AS IS AND ANY EXPRESSED OR IMPLIED WARRANTIES INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED IN NO EVENT SHALL JCRAFT INC OR ANY CONTRIBUTORS TO THIS SOFTWARE BE LIABLE FOR ANY DIRECT INDIRECT INCIDENTAL SPECIAL EXEMPLARY OR CONSEQUENTIAL DAMAGES INCLUDING BUT NOT LIMITED TO PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES LOSS OF USE DATA OR PROFITS OR BUSINESS INTERRUPTION HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY WHETHER IN CONTRACT STRICT LIABILITY OR TORT INCLUDING NEGLIGENCE OR OTHERWISE ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE Console Server amp Router User Manual 327 License Agreement GNU GENERAL PUBLIC LICENSE Version 2 June 1991 Copyright C 1989 1991 Free Software Foundation Inc 51 Franklin Street Fifth Floor Boston MA 02110 1301 USA Everyone is permitted to copy and distribute verbatim copies of this license document but changing it is not allowed GNU GENERAL PUBLIC LICENSE TERMS AND CO
80. Seral amp Network Users page Console Server amp RMM Gateway User Manual 31 Chapter 3 Initial System Configuration A Welcome screen which lists initial installation configuration steps will be displayed These steps are gt Change default administration password System Administration page Refer Chapter 3 2 gt Configure the local network settings System P page Refer Chapter 3 3 To configure console server features gt Configure serial ports settings Serial amp Network Serial Port page Refer Chapter 4 gt Configure user port access Serial amp Network Users page Refer Chapter 4 System Name acm5002 Model ACM5002 Firmware 3 3 0 a 0 opengear Uptime 0 days 0 hours 13 mins 17 secs Current User root Backup Log Out OpenGear Management Console Welcome Serial amp Network Serial Port Users amp Groups You will need to configure the following in order to have a usable unit After completing a step by following the appropriate Authentication link you can return to the updated configuration steps by clicking on the logo in the top left corner of the Management Network Hosts REE Trusted Networks IPsec VPN e Change the default administration password on the System Admin stration page OpenVPN e Configure the local network settings on the System IP page Call Home Cascaded Ports To configure console server features UPS Connections RPC Connections e Configure s
81. Server Enable remote network access to the console at this serial port Logging Level level 0 Disabled Specify the detail of data to log Nagios Configure Dashboard O Ports Telnet Enable Telnet access Port Access Active Users Statistics Support Report Syslog UPS Status RPC Status Environmental Status Dashboard SSH Enable SSH access Raw TCP Enable raw TCP access RFC 2217 Enable RFC 2217 access Unauthenticated Telnet Manage Devices Port Logs Host Logs Power Terminal Enable Telnet access without requiring the user to provide credentials Web Terminal Enable web browser access via Manage gt Devices gt Serial Encrypt Traffic Enable PortShare Encryption Warning This will override standard RFC 2217 and raw TCP behaviour Authenticate Enable PortShare Authentication Warning This will override standard RFC 2217 and raw TCP behaviour Authentication Passw Enter password for PortShare authentication Confirm Password Re type the password for confirmation Accumulation Period Collect serial data for a period of time in milliseconds then transmit any data received during that time over the network at once Escape Character Customize the character used for sending out of band shell commands The default i Power Menu Enable shell power command menu Connect this port to a Managed Device then use p to run power co
82. Server you may create a Remote port forward from the Server to this unit, or a Local port forward from this unit to the Server. > Specify a Listening Port to forward from; leave this field blank to allocate an unused port. > Enter the Target Server and Target Port that will be the recipient of forwarded connections. Chapter 5 Firewall, Failover and Out of Band: FIREWALL, FAILOVER & OoB ACCESS. The console server has a number of out-of-band access capabilities and transparent fail-over features, to ensure high availability. So if there's difficulty in accessing the console server through the main network path, all console server models provide out-of-band (OoB) access and the Administrator can still access it (and its Managed Devices) from a remote location. 5.1 All console server models support serially attaching an external dial-up modem and configuring dial-in OoB access. Some models with USB ports support attaching an external USB modem. Some models also come standard with an internal modem. These modems can also be configured for dial-in OoB access. All console server models with an internal or externally attached modem (and V3.4 firmware or later) can be configured for out-dial to be permanently connected. The advanced console server models can also be configured for transparent out-dial failover. So in the event of a disruption in the principal management network, an external
83. System Name ima4004 5 Model IMG4004 5 Firmware 3 1 0u2 Aa 0 opengear Uptime 5 days 2 hours 51 mins 24 secs Current User root Backup Log Out Status Statistics Serial amp Network Alerts amp Logging Interfaces Routes Serial Ports P ICMP TCP UDP aane Out of eth0 Link encap Ethernet HWaddr 00 13 C6 40 04 01 inet addr 192 168 250 106 Bcast 192 168 250 255 Mask 255 255 255 0 gt Fp inet6 addr fe80 213 c6ff fe40 401 64 Scope Link Statistics UP BROADCAST RUNNING MULTICAST MTU 1500 Metric 1 Support Report RX packets 37 errors 0 dropped 0 overruns 0 frame 0 Syslog TX packets 40 errors 0 dropped 0 overruns 0 carrier 0 UPS Status RPC Status Environmental Status Dashboard E colliisions 0 txqueuelen 1000 Interrupt 29 Memory f00f0000 f0OffFF Link encap Local Loopback Manage inet addr 127 0 0 1 Mask 255 0 0 0 ian inet6 addr 1 128 Scope Host Port Logs UP LOOPBACK RUNNING MTU 16436 Metric 1 Host Logs RX packets 442 errors 0 dropped 0 overruns 0 frame 0 Power TX packets 442 errors 0 dropped 0 overruns 0 carrier 0 Terminal collisions 0 txqueuelen 0 wlan0 Link encap Ethernet HWaddr 00 0E 8E 14 6C 81 inet6 addr fe80 20e 8eff fe14 6c81 64 Scope Link UP BROADCAST MULTICAST MTU 1500 Metric 1 RX packets 139 errors 0 dropped 0 overruns 0 frame 0 TX packets 89 errors 0 dropped 0 overruns 0 carrier 0 gt Detailed statistics reports can be found by selecting the various submenus
84. Terminal Serial Port Users amp Groups Boi Authentication login root Network Hosts Password Trusted Networks whoami IPsec VPN root Call Home cat etc version Cascaded Ports OpenGear ACM500x Version 3 3 0 Wed Nov 10 13 05 42 EST 2010 UPS Connections a RPC Connections 13 3 1 2 Web Terminal to Serial Device To enable the Web Terminal service for each serial port you want to access gt Select Serial amp Network Serial Port and click Edit Ensure the serial port is in Console Server Mode gt Check Web Terminal and click Apply Console Server amp Router User Manual 241 Chapter 13 Management Console Server Settings Console Server Mode Enable remote network access to the console at this serial port oag La level 3 input logging on ports level Specify the detail of data to log Telnet v Enable Telnet access SSH v Enable SSH access Raw TCP mM Enable raw TCP access RFC 2217 J Enable RFC 2217 access Unauthenticated z Telnet Enable Telnet access without requiring the user to provide credentials Web Terminal v Enable web browser access via Manage gt Devices gt Serial Administrator and Users can communicate directly with serial port attached devices from their browser gt Select the Serial tab on the Manage Devices menu gt Under the Action column click the Web Terminal icon to display the Web Terminal connected directly
85. Time DHCP server must be managed by accessing each Slave directly and these functions are not over written when configuration changes are propagated from the Master Similarly the Slaves Network Host and IPMI settings have to be configured at each Slave Also the Master s Management Console provides a consolidated view of the settings for its own and all the Slave s serial ports however the Master does not provide a fully consolidated view For example if you want to find out who s logged in to cascaded serial ports from the master you ll see that Status Active Users only displays those users active on the Master s ports so you may need to write custom scripts to provide this view This is covered in Chapter 11 4 7 Serial Port Redirection PortShare Opengear s Port Share software delivers the virtual serial port technology your Windows and Linux applications need to open remote serial ports and read the data from serial devices that are connected to your console server PortShare Clients Console Serial Port servers Devices pplication lt A gt PortShare is supplied free with each console server and you are licensed to install PortShare on one or more computers for accessing any serial device connected to a console server port PortShare for Windows The portshare_setup exe program is included on the CD supplied with your console server A copy can be freely downloaded from the ftp site Refer to the Portshare User M
86. To notify the central Nagios server of Alerts, NSCA must be enabled under System: Nagios and Nagios must be enabled for each applicable host or port under Serial & Network: Network Hosts or Serial & Network: Serial Ports (refer Chapter 10). Note: In a CMS or VCMS centrally managed environment you can check the Nagios alert option. On the trigger condition (for matched patterns, logins, power events and signal changes) an NSCA check warning result will be sent to the central Nagios server. This condition is displayed on the Nagios status screen and triggers a notification, which can then cause the Nagios central server itself to send out an email or an SMS, page, etc. 7.6 Logging. The console server can maintain log records of auto-response events and log records of all access and communications events (with the console server and with the attached serial, network and power devices). A log of all system activity is also maintained by default, as is a history of the status of any attached environmental monitors. 7.6.1 Log storage. Before activating any Event, Serial, Network or UPS logging, you must specify where those logs are to be saved. These records are stored off-server or in the ACM/IM gateway USB flash memory. > Select the Alerts & Logging: Port Log menu option and specify the Server Type to be used, and the details to enable log server access.
87. VNCandSSH html Taking your desktop virtual with VNC Red Hat magazine http www redhat com magazine O06apr05 features vnc and http www redhat com magazine 007may05 features vnc Wikipedia general background on VNC hitip en wikipedia org wiki VNC 6 10 Using SDT to IP connect to hosts that are serially attached to the gateway Network IP protocols like RDP VNC and HTTP can also be used for connecting to host devices that are serially connected through their COM port to the console server To do this you must establish a PPP connection Section 6 7 1 between the host and the gateway then set up Secure Tunneling Ports on the console server Section 6 7 2 then configure SDT Connector to use the appropriate network protocol to access IP consoles on the host devices that are attached to the Console server serial ports Section 6 7 3 Console Server amp RMM Gateway User Manual 141 Chapter 6 Secure SSH Tunneling amp SDT Connector 6 10 1 Establish a PPP connection between the host COM port and console server This step is only necessary for serially connected computers Firstly physically connect the COM port on the host computer that is to be accessed to the serial port on the console server then A For non Windows Linux UNIX Solaris etc computers establish a PPP connection over the serial port The online tutorial http www yolinux com TUTORIALS LinuxTutorialPPP html presents a selection of methods for establishing a
88. Widgets Users amp Groups Authentication Configuring Dashboard for User Radmin Network Hosts Trusted Networks IPsec VPN ree reams Widget Alerts ae Widget Managed Devices Cascaded Ports UPS Connections Select which widget to display in this Select which widget to display in this RPC Connections position position Environmental Managed Devices i Widget Active Users a Widget UPS Select which widget to display in this Select which widget to display in this Alerts amp Logging position position Port Log Alerts eos Widget RPC Widget Custom Widget SMTP amp SMS Select which widget to display in this Alerts display in this SNMP position Managed Devices Active Users UPS Administration Refresh Timer RPC a aet ater a es Minutes between each dashboard page refresh Default is 5 o in ji Custom Widgej Date amp Time Dial Firewall Note The Alerts widget is a new screen that shows the current alerts status When an alert gets triggered a corresponding XML file is created in var run alerts The dashboard scans all these files and displays a summary status in the alerts widget When an alert is deleted the corresponding XML files that belong to that alert are also deleted To configure what is to be displayed by each widget gt Goto the Configure widgets panel and configure each selected widget e g specify which UPS status is to be displayed on the ups wid
89. a monitored host stops responding to ping requests. The first parameter taken by the ping-detect script is the hostname / IP address of the device to ping. Any other parameters are then regarded as a command to run whenever the ping to the host fails. ping-detect can run any number of commands. Below is an example using ping-detect to power cycle an RPC (PDU) outlet whenever a specific host fails to respond to a ping request. The ping-detect is run from /etc/config/rc.local to make sure that the monitoring starts whenever the system boots. So if we assume we have a serially controlled RPC connected to port01 on a console server, and have a router powered by outlet 3 on the RPC (and the router has an internal IP address of 192.168.22.2), the following instructions will show you how to continuously ping the router and, when the router fails to respond to a series of pings, the console server will send a command to RPC outlet 3 to power cycle the router and write the current date/time to a file. Copy the ping-detect script to /etc/config/scripts/ on the console server. Open /etc/config/rc.local using vi. Add the following line to rc.local: /etc/config/scripts/ping-detect 192.168.22.2 /bin/bash -c "pmpower -l port01 -o 3 cycle && date" > /tmp/output.log & The above command will cause the ping-detect script to continuously ping the host at 192.168.22.2, which is the router. If the rou
90. a password 4 6 3 Configure the slaves and their serial ports You can now begin setting up the Slaves and configuring Slave serial ports from the Master console server System Name img4004 5 Model IMG4004 5 Firmware 2 6 0p2 opengear Uptime 0 days 2 hours 57 mins 10 secs Current User root Serial amp Network Cascaded Ports Serial Port IP Address DNS Name Description Label Number Locally Users amp Groups of Ports Allocated Port Authentication Numbers Network Hosts No slaves currently configured Trusted Networks Cascaded Ports nnn an 68 Console Server amp RMM Gateway User Manual User Manual gt gt Note Select Serial amp Network Cascaded Ports on the Master s Management Console To add clustering support select Add Slave You will be prevented from adding any Slaves until you have automatically or manually generated SSH keys System Name img4004 5 Model IMG4004 5 Firmware 2 6 0p6 opengedf Uptime 0 days 0 hours 55 mins 26 secs Current User root Serial amp Network Cascaded Ports Serial Port Slaves cannot be added until SSH keys have been generated Users amp Groups Click here to go back or here to upload or generate keys Authentication To define and configure a Slave gt gt Enter the remote IP Address or DNS Name for the Slave console server Enter a brief Description and a short Label for the Slave use a convention here t
91. accessed then install and configure the VNC Viewer software on the Viewer PC 6 9 1 Install and configure the VNC Server on the computer to be accessed Virtual Network Computing VNC software enables users to remotely access computers running Linux Macintosh Solaris UNIX all versions of Windows and most other operating systems A For Microsoft Windows servers and clients Windows does not include VNC software so you will need to download install and activate a third party VNC Server software package 138 Console Server amp RMM Gateway User Manual User Manual REA RealVNC _ http www realvnc com is fully cross platform so a desktop N running on a Linux machine may be displayed on a Windows PC on a Solaris machine or on any number of other architectures There is a Windows C server allowing you to view the desktop of a remote Windows machine on any of these platforms using exactly the same viewer RealVNC was founded by members of the AT amp T team who originally developed VNC TightVNC http www tightvnc com is an enhanced version of VNC It has added features such as file transfer performance improvements and read only password support They have just recently included a video drive much like UltraVNC TightVNC is still free cross platform Windows Unix and Linux and compatible with the standard Real VNC UltraVNC http ultravnc com is easy to use fast and free VNC software that has pioneered and perfected
92. addition to multiple remote servers you can also enter for separate lists of Authentication Authorization servers and Accounting servers If no Accounting servers are specified the Authentication Authorization servers are used instead Enter the Server Password Click Apply TACAS remote authentication will now be used for all user access to console server and serially or network attached devices TACACS The Terminal Access Controller Access Control System TACACS security protocol is a recent protocol 9 1 3 developed by Cisco It provides detailed accounting information and flexible administrative control over the authentication and authorization processes TACACS allows for a single access control server the TACACS daemon to provide authentication authorization and accounting services independently Each service can be tied into its own database to take advantage of other services available on that server or on the network depending on the capabilities of the daemon There is a draft RFC detailing this protocol Further information on configuring remote TACACS servers can be found at the following sites http www cisco com en US tech tk59 technologies_tech_note09186a0080094e99 shtml http www cisco com en US products sw secursw ps4911 products user guide chapter09186a00800eb6d6 html htto cio cisco com univercd cc td doc product software ios113ed 113ed cr secur c scort2 sctolus htm RADIUS authentication Perform the foll
93. against desired log lines Alerts SMTP amp SMS SNMP lt 12 gt Dec 15 00 44 52 kernel Iptables Block IN eth0 OUT MAC 00 13 c6 00 51 cf 00 0c 29 5a 71 a6 08 00 Administration SRC 192 168 254 59 DST 192 168 254 137 LEN 48 TOS 0x00 PREC 0x00 TTL 128 ID 9370 DF PROTO TCP SPT 2571 DPT 4003 SSL Certificates WINDOW 65535 RES 0x00 SYN URGP 0 Configuration Backup lt 27 gt Dec 15 00 45 27 stunnel LOG3 1316 0 SSL_accept Peer suddenly disconnected Firmware lt 27 gt Dec 15 00 45 41 stunnel LOG3 1320 0 SSL_accept Peer suddenly disconnected IP Date amp Time lt 27 gt Dec 15 00 53 11 stunnel LOG3 1335 0 SSL_accept Peer suddenly disconnected To make it easier to find information in the local Syslog file a pattern matching filter tool is provided gt Specify the Match Pattern that is to be searched for e g the search for mount is shown below and click Apply The Syslog will then be represented with only those entries that actually include the specified pattern 12 5 Dashboard The Dashboard provides the administrator with a summary of the status of the console server and its Managed Devices Custom dashboards can be configured for each user groups 236 Console Server amp RMM Gateway User Manual S Name cm4116 Model CM4116 Fi 2 9 0 opengear Uptime 0 cays 21 hours 39 mins Ose Current User rot secs Current User root Status Dashboard donut myUPS Status Type Alert Port Address Eve
94. alphanumeric characters for the new network connected Host and optionally enter a Description up to characters Console Server amp RMM Gateway User Manual 63 Chapter 4 Serial Port Device and User Configuration gt Add or edit the Permitted Services or TCP UDP port numbers that are authorized to be used in controlling this host Only these permitted services will be forwarded through by SDT to the Host All other services TCP UDP ports will be blocked gt The Logging Level specifies the level of information to be logged and monitored for each Host access refer Chapter 7 Alerts and Logging gt If the Host is a PDU or UPS power device or a server with IPMI power control then specify RPC for IPMI and PDU or UPS and the Device Type The Administrator can then configure these devices and enable which users have permissions to remotely cycle power etc refer Chapter 8 Otherwise leave the Device Type set to None Device Settings Device Type Port Access Active Users Statistics Support Report Syslog Nagios Settings UPS Status 3 RPC Status a D e Baiat i iii Switch Nagios on for this host Host Name apee Name of host in Nagios Generated using host description if unspecified Port Logs i i g Nagios Checks New Check Clear check host alive Host Logs Power fener gt If the console server has been configured with distributed Nagios monitoring enabled then you will also be pre
95. and Users can view logs of data transfers to connected devices. > Select Manage: Port Logs and the serial Port to be displayed. > To display Host logs select Manage: Host Logs and the Host to be displayed. This will display logs stored locally on the console server memory or USB flash. 13.3 Terminal Connection. There are two methods available for accessing the console server command line and devices attached to the console server serial ports directly from a web browser. The Web Terminal service uses AJAX to enable the web browser to connect to the console server using HTTP or HTTPS, as a terminal, without the need for additional client installation on the user's PC. The SDT Connector service launches a pre-installed SDT Connector client on the user's PC to establish secure SSH access, then uses pre-installed client software on the client PC to connect to the console server. Web browser access is available to users who are a member of the admin or users groups. 13.3.1 Web Terminal. The AJAX based Web Terminal service may be used to access the console server command line or attached serial devices. Note: Any communication using the Web Terminal service using HTTP is unencrypted and not secure. The Web Terminal connects to the command line or serial device using the same protocol that is being used to browse to the Opengear Management Console, i.e. if you are browsing using an http
96. arete m US Aleutian Cascaded Po UPS Connections iriaren RPC Connections i Environmental US East Indiana Managed Devices Date and Time US Eastern j US Hawaii Alerts amp Logging al Port Log edi Month SMTP amp SMS Day Hour Administration SSL Certificates Minute Configuration Backup Firmware IP Set Time Date amp Time 11 4 Configuration Backup It is recommended that you back up the console server configuration whenever you make significant changes such as adding new Users or Managed Devices or before performing a firmware upgrade gt Select the System Configuration Backup menu option or click the EAS icon Note The configuration files can also be backed up from the command line refer Chapter 14 System Name acm5003 m Model ACM5003 M Firmware 3 3 2 AA Uptime 1 days 0 hours 21 mins 0 secs Current User root opengear Serial Port Users amp Groups Authentication Network Hosts Trusted Networks IPsec VPN OpenVPN Call Home Cascaded Ports UPS Connections RPC Connections Environmental Managed Devices Alerts amp Logging Port Log Backup Log Out System Configuration Backup Remote Backup Local Backup XML Configuration Remote Backup Last Remote Never p Save Backup paS Choose File No file chosen Saved configuration backup file With all console servers you can save th
97. as distribution of the source code, even though third parties are not compelled to copy the source along with the object code. 4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance. 5. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Program or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Program (or any work based on the Program), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Program or works based on it. 6. Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this
98. availability 100 [Screenshot: System: IP page, Network Interface tab, IP Settings. Configuration Method: DHCP or Static (the mechanism to acquire IP settings). IP Address: 192.168.252.202 (a statically assigned IP address). Subnet Mask: 255.255.255.0 (a statically assigned network mask). Gateway: 192.168.252.254 (a statically assigned gateway). Primary DNS: 192.168.252.254 (a statically assigned primary name server). Secondary DNS: blank (a statically assigned secondary name server). Media: Auto (the Ethernet media type). Failover Interface: None.]
99. be displayed. [Screenshot: Status: UPS Status summary page] > Click on any particular UPS System name in the table and you will be presented with more detailed graphical information on the selected UPS System. [Screenshot: detailed UPS status page] Chapter 8: Power, Environmental & Digital I/O
100. button under System: Administration. > Click Apply. [Screenshot: System: Administration page with the fields System Name (an ID for this device), System Description (the physical location of this device), System Password (the secret used to gain administration access to this device), Confirm System Password, the Delayed Config Commits checkbox (config changes are queued and must be explicitly applied) and upload fields for replacement SSH RSA public, SSH RSA private and SSH DSA public key files] > The Commit Config icon will be displayed in the top right-hand corner of the screen between the Backup and Log Out icons. To queue then run configuration changes: > Firstly apply all the required cha
101. ca c:\\openvpnkeys\\ca.crt; cert c:\\openvpnkeys\\server.crt; key c:\\openvpnkeys\\server.key; dh c:\\openvpnkeys\\dh.pem; comp-lzo; verb 1; syslog "IM4216_OpenVPN_Server". The Windows client/server configuration file options are: #description: This is a comment describing the configuration. Comment lines start with a # and are ignored. client / server: Specify whether this will be a client or server configuration file. In the server configuration file, define the IP address pool and netmask. For example, server 10.100.10.0 255.255.255.0. proto udp / proto tcp: Set the protocol to UDP or TCP. The client and server must use the same settings. mssfix <max. size>: Mssfix sets the maximum size of the packet. This is only useful for UDP if problems occur. verb <level>: Set log file verbosity level. Log verbosity level can be set from 0 (minimum) to 15 (maximum). For example: 0 = silent except for fatal errors; 3 = medium output, good for general usage; 5 = helps with debugging connection problems; 9 = extremely verbose, excellent for troubleshooting. dev tap: Ethernet tunnel. The client and server must use the same settings. remote <host>: The hostname/IP of OpenVPN server when operating as a client. Enter either the DNS hostname or the static IP address of the server. Port: The UDP/TCP port of the server. Keepaliv
102. certificate. The minimal length of this password is 4 characters. Confirm Challenge Password: Confirmation of the Challenge Password. Key length: This is the length of the generated key in bits. 1024 Bits are supposed to be sufficient for most cases. Longer keys may result in slower response time of the console server during connection establishment. > Once this is done, click on the button Generate CSR, which will initiate the Certificate Signing Request generation. The CSR can be downloaded to your administration machine with the Download button. > Send the saved CSR string to a Certification Authority (CA) for certification. You will get the new certificate from the CA after a more or less complicated traditional authentication process (depending on the CA). > Upload the certificate to the console server using the Upload button as shown below. [Screenshot: System: SSL Certificates page showing the message "Changes to configuration succeeded" and the Common name, unit and Organization fields]
103. choose to connect your LAN before completing the initial setup steps, it is important that: you ensure there are no other devices on the LAN with an address of 192.168.0.1; the console server and the computer are on the same LAN segment, with no interposed router appliances. 3.1.1 Connected computer set up. To configure the console server with a browser, the connected PC/workstation should have an IP address in the same range as the console server (for example, 192.168.0.100). > To configure the IP Address of your Linux or Unix computer simply run ifconfig. > For Windows PCs (Win9x/Me/2000/XP/Vista/7/NT): Click Start > Settings > Control Panel and double click Network Connections (for 95/98/Me, double click Network). Right click on Local Area Connection and select Properties. Select Internet Protocol (TCP/IP) and click Properties. Select Use the following IP address and enter the following details: IP address: 192.168.0.100; Subnet mask: 255.255.255.0. If you want to retain your existing IP settings for this network connection, click Advanced and Add the above as a secondary IP connection. > If it is not convenient to change your computer network address, you can use the ARP-Ping command to reset the console server IP address. To do this from a Windows PC: Click Start > Run (or select All Programs, then Accessories, then Run). Type cmd and click OK to bring up the command line. Type arp -d to flush the
104. components: Part 509010: IM4004-5 Management Gateway. Part 440016: 2 x Cable UTP Cat5 blue. Part 319000 and 319001: Connector DB9F-RJ45S straight and DB9F-RJ45S cross-over. Part 450006 and 440001: Power Supply 5VDC 2.0A, IEC Socket and AC power cable. Part 539000: Quick Start Guide and CD-ROM. Unpack your IM4004-5 kit and verify you have all the parts shown above, and that they all appear in good working order. Proceed to connect your IM4004-5 to the network, the serial ports, USB ports and LAN ports of the controlled devices, and to the AC power as shown below. CM4116, CM4132 and CM4148 kit components: Part 509001: CM4116 Console Manager. Part 509002: CM4148 Console Server. Part 440016: 2 x Cable UTP Cat5 blue. Part 319000 and 319001: Connector DB9F-RJ45S straight and DB9F-RJ45S cross-over. Part 440001: IEC AC power cord. Part 539001: Quick Start Guide and CD-ROM. Unpack your CM4116 (or CM4132/CM4148) kit and verify you have all the parts shown above, and that they all appear in good working order. If you are installing your CM4116 (or CM4132/CM4148) in a rack, you will need to attach the rack mounting brackets supplied with the unit and install the unit in the rack. Take care to heed the Safety Precautions listed in Appendix C. > Proceed to connect your CM4116 (or CM4132/CM4148) to the network, to the serial ports
105. console server to send SNMP trap alerts to an NMS management application: > Select Alerts & Logging: SNMP. > Select Primary SNMP Manager tab. The Primary and Secondary SNMP Manager tabs are used to configure where and how outgoing SNMP alerts and notifications are sent. If you require your console server to send alerts via SNMP then, at a minimum, a Primary SNMP Manager must be configured. Optionally, a second SNMP Network Manager with its own SNMP settings can be specified on the Secondary SNMP Manager tab. Note: All console servers can also be configured to provide status information on demand using snmpd. This SNMP agent is configured using the SNMP Service Detail on Alerts & Logging: SNMP, as described in Chapter 15. [Screenshot: Alerts & Logging: SNMP page]
106. [Screenshot: service list including NUT UPS monitoring daemon, SNMP daemon, TFTP Server and Respond to ICMP echos] The Services Access settings specify which services the Administrator can use over which network interface to access the console server. It also nominates the enabled services that the Administrator and the User can use to connect through the console server to attached serial and network connected devices. > The following general service access options can be specified: HTTPS: This ensures the Administrator has secure browser access to all the Management Console menus on the console server. It also allows appropriately configured Users secure browser access to selected Manage menus. For information on certificate and user client software configuration, refer Chapter 9: Authentication. By default HTTPS is enabled, and it is recommended that only HTTPS access be used if the console server is to be managed over any public network (e.g. the Internet). HTTP: The HTTP service allows the Administrator basic browser access to the Management Console. It is recommended the HTTP service be disabled if the console server is to be remotely accessed over the Internet. Telnet: This gives the Administrator telnet access to the system command
107. enable Remote Desktop on the target Windows computer that is to be accessed and configure the RDP client software on the client PC. 6.8.1 Enable Remote Desktop on the target Windows computer to be accessed. To enable Remote Desktop on the Windows computer being accessed: > Open System in the Control Panel and click the Remote tab. [Screenshot: Windows System Properties dialog, Remote tab, with the Remote Assistance and Remote Desktop options] > Check Allow users to connect remotely to this computer. > Click Select Remote Users. [Screenshot: Remote Desktop Users dialog] > To set the user(s) who can remotely acc
108. entered incorrectly three times, then the PUK Code will be required to unlock the Card. You may also need to set Override DNS to use alternate DNS servers from those provided by your carrier. > To enable Override DNS, check the Override returned DNS Servers box. Enter the IP of the DNS servers into the spaces provided. [Screenshot: Override DNS settings (use the following DNS servers instead of the PPP provided servers; DNS Server 1 is the primary DNS server, DNS Server 2 the secondary) and Dynamic DNS settings (update a DNS server when the IP address is changed; DDNS Hostname is the fully qualified DNS hostname assigned to this interface)] > Check Apply and a radio connection will be established with your cellular carrier. 5.6.2 Connect to the CDMA EV-DO carrier network. The ACM5004-GV, ACM5504-5-GV-I and IM4200-DAC-X2-GV models have an internal CDMA modem. The IM4200-DAC-X2, ACM5000, ACM5500 and IM4004-5 models also support attaching an external USB CDMA cellular modem from Sierra Wireless to one of their USB 2.0 ports. Both will connect to the Verizon network in North America. After creating an account with the CDMA carrier, some carriers require an additional step to provision the Internal Cellular Modem, referred to as Provisioning. The ACM5004-GV and IM4200-DAC-X2 support Over-the-Air Service Provisioning (OTASP), where modem specific parameters can be retrieved via a voice call to a
109. features that the other flavors have consistently refused or been very slow to implement for cross platform and minimalist reasons. UltraVNC runs under Windows operating systems (95, 98, Me, NT4, 2000, XP, 2003). Download UltraVNC from Sourceforge's UltraVNC file list. B. For Linux servers and clients: Most Linux distributions now include VNC Servers and Viewers and they can generally be launched from the (Gnome/KDE etc.) front end, e.g. with Red Hat Enterprise Linux 4 there's VNC Server software and a choice of Viewer client software, and to launch: > Select the Remote Desktop entry in the Main Menu: Preferences menu. > Click the Allow other users checkbox to allow remote users to view and control your desktop. [Screenshot: Remote Desktop Preferences dialog with the Sharing options (allow other users to view or control your desktop) and Security options (ask you for confirmation, require the user to enter a password)] > To set up a persistent VNC server on Red Hat Enterprise Linux 4: Set a password using vncpasswd. Edit /etc/sysconfig/vncservers. Enable the service with chkconfig vncserver on. Start the service with service vncserver start. Edit /home/username/.vnc/xstartup if you want a more advanced session than just twm and an xterm. C. For Macintosh servers and cl
110. firmware image file on to a system on the same subnet as the console server. > Also download and read the release_notes.txt for the latest information. > To upload the firmware image file to your console server, select System: Firmware. [Screenshot: System: Firmware page with the Firmware Upgrade File field (specify a valid firmware file to upgrade the unit with) and Firmware Options (advanced options should only be used at the request of customer support)] > Specify the address and name of the downloaded Firmware Upgrade File, or Browse the local subnet and locate the downloaded file. > Click Apply and the console server appliance will undertake a soft reboot and commence upgrading the firmware. This process will take several minutes. > After the firmware upgrade has completed, click here to return to the Management Console. Your console server will have retained all its pre-upgrade configuration information. 11.3 Configure Date and Time. It is recommended that you set the local Date and Time in the console server as soon
111. for the period of four (4) years from the date of original purchase from an Authorized Opengear reseller. In the event that this product fails to meet this warranty within the applicable warranty period, and provided that Opengear confirms the specified defects, Purchaser's sole remedy is to have Opengear, in Opengear's sole discretion, repair or replace such product at the place of manufacture, at no additional charge other than the cost of freight of the defective product to and from the Purchaser. Repair parts and replacement products will be provided on an exchange basis and will be either new or reconditioned. Opengear will retain, as its property, all replaced parts and products. Notwithstanding the foregoing, this hardware warranty does not include service to replace or repair damage to the product resulting from accident, disaster, abuse, misuse, electrical stress, negligence, any non-Opengear modification of the product except as provided or explicitly recommended by Opengear, or other cause not arising out of defects in material or workmanship. This hardware warranty also does not include service to replace or repair damage to the product if the serial number or seal or any part thereof has been altered, defaced or removed. If Opengear does not find the product to be defective, the Purchaser will be invoiced for said inspection and testing at Opengear's then current rates, regardless of whether the product is under warranty. RMA RETURN PROCEDURE
112. gnudip only. The fully qualified DNS hostname assigned to this interface. The username for the account to manage this interface. The password for the account to manage this interface. Re-enter the password for confirmation. Maximum interval between updates, in days. DDNS update will be sent even if the address has not changed. Defaults to 25. Minimum interval between checks for changed addresses, in seconds. Updates will still only be sent if the address has changed. Defaults to 1800. Number of times to attempt an update before giving up. Defaults to 3. > Select the Authentication Type required. Access is denied to remote users attempting to connect using an authentication scheme weaker than the selected scheme. The schemes are described below, from strongest to weakest. Encrypted Authentication (MS-CHAP v2): The strongest type of authentication to use; this is the recommended option. Weakly Encrypted Authentication (CHAP): This is the weakest type of encrypted password authentication to use. It is not recommended that clients connect using this as it provides very little password protection. Also note that clients connecting using CHAP are unable to encrypt traffic. Unencrypted Authentication (PAP): This is plain text password authentication. When using this type of authentication, the client password is transmitted unencrypted. None: Selec
113. host, such as its operating system/release or anything special about its configuration. Click OK. Manually adding new services to the new hosts: To extend the range of services that can be used when accessing hosts with SDT Connector: > Select Edit: Preferences and click the Services tab. Click Add. > Enter a Service Name and click Add. > Under the General tab, enter the TCP Port that this service runs on (e.g. 80 for HTTP). Optionally, select the client to use to access the local endpoint of the redirection. [Screenshot: SDT Connector Preferences, client list] > Select which Client application is associated with the new service. A range of client application options are pre-configured in the default SDT Connector (RDP client, VNC client, HTTP browser, HTTPS browser, Telnet client etc.). However, if you wish to add new client applications to this range, then proceed to the next section (Adding a new client), then return here. [Screenshot: SDT Connector Preferences, Add Client dialog with Client name, Path to client executable file and Command line format for client executable fields] Click OK then
114. in the local area. It is a 48-bit number usually written as a series of 6 hexadecimal octets, e.g. 00:d0:cf:00:5b:da. A console server has a MAC address listed on a label underneath the device. Microsoft Challenge Handshake Authentication Protocol (MSCHAP) is authentication for PPP connections between a computer using a Microsoft Windows operating system and a network access server. It is more secure than PAP or CHAP, and is the only option that also supports data encryption. Network Address Translation: The translation of an IP address used on one network to an IP address on another network. Masquerading is one particular form of NAT. The way that computers know which part of a TCP/IP address refers to the network, and which part refers to the host range. Network File System is a protocol that allows file sharing across a network. Users can view, store, and update files on a remote computer. Network Time Protocol (NTP) used to synchronize clock times in a network of computers. Out-of-Band (OoB) management is any management done over channels and interfaces that are separate from those used for user/customer data. Examples would include a serial console interface or a network interface connected to a dedicated management network that is not used to carry customer traffic, or to a BMC/service processor. Any management done over the same channels and interfaces used for user/customer data is In Band. Password Authentication Protocol PAP
115. in the Auto Response Settings menu. 7.2.1 Environmental. To configure Humidity or Temperature levels as the trigger event: > Click on the Environmental as the Check Condition. [Screenshot: Alerts & Logging: Auto Response settings page. Name: unique name for this AutoResponse. Reset Timeout: time in seconds after resolution to delay before this AutoResponse can be triggered again. Repeat Trigger Actions: repeat trigger actions until the check is resolved. Environmental check: Trigger value and Comparison type (Above Trigger Value or Below Trigger Value).]
116. infrequently it uses TCP instead. Enter the host address of the SNMP Network Manager into the Manager Address field. Enter the TCP/IP port number into the Manager Trap Port field (default = 162). Select the Version to be used. The console server SNMP agent supports SNMP v1, v2 and v3. Enter the Community name for SNMP v1 or SNMP v2c. At a minimum, a community needs to be set for either SNMP v1 or v2c traps to work. An SNMP community is the group to which devices and management stations running SNMP belong. It helps define where information is sent. SNMP default communities are private for Write (and public for Read). Configure SNMP v3 if required. For SNMP v3 messages, the user's details and security level must match what the receiving SNMP Network Manager is expecting. SNMP v3 mandates that the message will be rejected unless the SNMPv3 user sending the trap already exists in the user database on the SNMP Manager. The user database in an SNMP v3 application is actually referenced by a combination of the Username and the Engine ID for the given SNMP application you are talking to. o Enter the Engine ID for the user sending messages as a hex number, e.g. 0x8000000001020304. o Specify the Security Level. The level of security has to be compatible with the settings of the remote SNMP Network Manager. noAuthNoPriv: No authentication or encryption. authNoPriv: Authenticat
117. left blank for any. MAC addresses use the format XX:XX:XX:XX:XX:XX, where XX are hex digits. Specify the source IP address (or address range) to match. IP address ranges use the format ip/netmask, where netmask is in bits 1-32. This may be left blank for Any. Specify the destination IP address/address range to match. IP address ranges use the format ip/netmask, where netmask is in bits 1-32. This may be left blank. Select if the firewall rule will apply to TCP, or UDP, or TCP and UDP, or ICMP, or ESP, or GRE, or Any. Select the traffic direction that the firewall rule will apply to (Ingress = incoming, or Egress). Select the action (Accept or Block) that will be applied to the packets detected that match the Interface, Port Range, Source/destination Address Range, Protocol, Direction. For example, to block all SSH traffic from leaving Dialout Interface, the following settings can be used: Interface: Dialout/Cellular; Port Range: 22; Protocol: TCP; Direction: Egress; Action: Block. The firewall rules are processed in a set order, from top to bottom. So rule placement is important. For example, with the following rules, all traffic coming in over the Network Interface is blocked except when it comes from two nominated IP addresses (SysAdmin and Tony): To allow all incoming traffic on all To allow all incoming To block all incoming traffic inte
118. line shell (Linux commands). While this may be suitable for a local direct connection over a management LAN, it is recommended this service be disabled if the console server is to be remotely administered. This service may also be useful for local Administrator and the User access to selected serial consoles. SSH: This service provides secure SSH access. It is recommended you choose SSH as the protocol where the Administrator connects to the console server over the Internet or any other public network. This will provide authenticated communications between the SSH client program on the remote computer and the SSH server in the console server. For more information on SSH configuration, refer Chapter 9: Authentication. > There are also a number of related service options that can be configured at this stage: SNMP: This will enable netsnmp in the console server, which will keep a remote log of all posted information. SNMP is disabled by default. To modify the default SNMP settings, the Administrator must make the edits at the command line as described in Chapter 15: Advanced Configuration. TFTP/FTP: If a USB flash card or internal flash is detected on an ACM5000, ACM5500, IM4200 or IM4004-5 advanced console server, then enabling this service will set up default tftp and ftp server on the USB flash. These servers are used to store config files, maintain access and transaction logs etc. Files transferred using tftp and ftp will be stored under /var/tmp/usb
119. monitor multiple NUT servers that may be distributed throughout the data center, across a campus or around the world. NUT supports the more complex power architectures found in data centers, communications centers and distributed office environments, where many UPSes from many vendors power many systems with many clients, and each of the larger UPSes power multiple devices, and many of these devices are in turn dual powered. 8.3 Environmental Monitoring. All Opengear console servers can be configured to monitor their operating environment. External Environmental Monitor Devices (EMDs) can be connected to any Opengear console server serial port. Each console server can support multiple EMDs. Each EMD device has an internal temperature and humidity sensor plus one or two general purpose status sensor ports which can be connected to smoke detectors, water detectors, vibration sensors or open-door sensors. The ACM5000 and ACM5500 advanced console server models also each have an internal temperature sensor and can optionally be configured to have up to four general purpose status sensor ports (which can be connected to smoke or water detectors and vibration or open-door sensors, directly connected). Using the Management Console, Administrators can view the ambient temperature (in °C or °F) and humidity (percentage) and configure alerts to monitor the status and sen
120. monitoring of the hosts and services in your distributed network. Nagios is freely downloadable, open source software. This section offers a quick background of Nagios and its capabilities. A complete overview, FAQ and comprehensive documentation are available at http://www.nagios.org. Nagios forms the core of many leading commercial system management solutions such as GroundWork (http://www.groundworkopensource.com). Nagios does take some time to install and configure; solutions such as GroundWork and Opengear SDT Nagios are aimed at simplifying this process. Once Nagios is up and running, however, it provides an outstanding network monitoring system. With Nagios you can: Display tables showing the status of each monitored server and network service in real time. Use a wide range of freely available plug-ins to make detailed checks of specific services, e.g. don't just check a database is accepting network connections, check that it can actually validate requests and return real data. Display warnings and send warning e-mails, pager or SMS alerts when a service failure or degradation is detected. Assign contact groups who are responsible for specific services in specific time frames. 10.2 Central management and setting up SDT for Nagios. The Opengear Nagios solution has three parts: the Central Nagios server, Distributed Opengear console servers and the SDT Cent f
121. or its DNS Name was accounts.myco.intranet.com, then specify the Destination as 192.168.523.1:3389 or accounts.myco.intranet.com:3389. Only devices which have been configured as networked Hosts can be accessed using SSH tunneling (except by the root user, who can tunnel to any IP address the console server can route to). If your destination computer is serially connected to the console server, set the Destination as <port label>:3389, e.g. if the Label you specified on the serial port on the console server is win2k3, then specify the remote host as win2k3:3389. Alternatively you can set the Destination as portXX:3389 (where XX is the SDT enabled serial port number), e.g. if port 4 on the console server is to carry the RDP traffic then specify port04:3389. Note: http://www.jfitz.com/tips/putty_config.html has useful examples on configuring PuTTY for SSH tunneling. > Select Local and click the Add button > Click
122. order to prevent an infinite loop. The pmpower utility is used to send power commands to the RPC device in order to power cycle our telecom device: pmpower -l port01 -o 3 cycle (the RPC is on serial port 1; the telecom device is powered by RPC outlet 3). We can now append this command to our custom script. This will guarantee that our telecom device will be power cycled every time the console reads the EMERGENCY character stream on port 2. 15.1.4 Example script: Multiple email notifications on each alert. If you desire to send more than one email when an alert triggers, you have to create a replacement script using the method described above and add the appropriate lines to your new script. Currently there is a script /etc/scripts/alert-email which gets run from within all the alert scripts (e.g. portmanager-user-alert or environmental-alert). The alert-email script is responsible for sending the email. The line which invokes the email script looks as follows: /bin/sh /etc/scripts/alert-email $suffix & If you wish to send another email to a single address, or the same email to many recipients, edit the custom script appropriately. You can follow the examples in any of the seven alert scripts listed above. In particular let's consider the portmanager-user-alert script. If you need to send the same alert email to more than one email address, find the line
123. other computers that are drawing power through this UPS to connect to the console server to monitor the UPS status, so they can shut themselves down when battery power is low. Monitoring will typically be performed using the upsmon client running on the slave server (refer section 8.2.3). These login credentials are not related to the Users and access privileges you will have configured in Serial & Networks: Users & Groups. Select the action to take when UPS battery power becomes critical, i.e. Shut down the UPS (or Shut down all Managed UPSes) or simply Run until failure. The shutdown script etc scripts ups shutdown can be customized so that, in the event of a critical power failure when the UPS battery runs out, you can program the console server to perform last gasp actions before power is lost. Refer online FAQ for details. However it generally is much simpler to perform such last gasp actions by triggering Auto Response on the UPS hitting batt or lowbatt. Refer Chapter 7. If you have multiple UPSes and require them to be shut down in a specific order, specify the Shutdown Order for this UPS. This is a whole positive number or 7 Os are shut down first then 7s 2s etc 1s are not shut down at all Defaults to 0. Select the Driver that will be used to communicate with the UPS. Most console servers are preconfigured so the drop down menu presents full selection of drivers from the latest Network UPS Tools NUT version 2 4
124. packets. -V Display version information. If no password method is specified then ipmitool will prompt the user for a password. If no password is entered at the prompt, the remote server password will default to NULL. SECURITY: The ipmitool documentation highlights that there are several security issues to be considered before enabling the IPMI LAN interface. A remote station has the ability to control a system's power state as well as being able to gather certain platform information. To reduce vulnerability it is strongly advised that the IPMI LAN interface only be enabled in trusted environments where system security is not an issue, or where there is a dedicated secure management network, or access has been provided through a console server. Further, it is strongly advised that you should not enable IPMI for remote access without setting a password, and that that password should not be the same as any other password on that system. When an IPMI password is changed on a remote machine with the IPMIv1.5 lan interface, the new password is sent across the network as clear text. This could be observed and then used to attack the remote system. It is thus recommended that IPMI password management only be done over the IPMIv2.0 lanplus interface or the system interface on the local station. For IPMI v1.5, the maximum password length is 16 characters. Passwords lo
125. physical PPP endpoints and securely transports data across the tunnel. The strength of PPTP is its ease of configuration and integration into existing Microsoft infrastructure. It is generally used for connecting single remote Windows clients. If you take your portable computer on a business trip, you can dial a local number to connect to your Internet access service provider (ISP) and then create a second connection (tunnel) into your office network across the Internet and have the same access to your corporate network as if you were connected directly from your office. Similarly, telecommuters can also set up a VPN tunnel over their cable modem or DSL links to their local ISP. To set up a PPTP connection from a remote Windows client to your Opengear appliance and local network: 1. Enable and configure the PPTP VPN server on your Opengear appliance. 2. Set up VPN user accounts on the Opengear appliance and enable the appropriate authentication. 3. Configure the VPN clients at the remote sites. The client does not require special software as the PPTP Server supports the standard PPTP client software included with Windows XP, NT, 2000, 7 and Vista. 4. Connect to the remote VPN. 4.11.1 Enable the PPTP VPN server > Select PPTP VPN on the Serial & Networks menu
126. power on 1 0 Port 2 1 0 Port 2 default Input direction Output Administration SSL Certificates The direction of the I O port at power on Configuration Backup Firmware 1 0 Port 2 default Low electrical state High If the port is configured as an output this is the electrical state of the port at power on DHCP Server Nagios Configure Dashboard I O Ports I O Port 3 8 4 1 Digital I O Output Configuration Each of the two digital I O ports DIO1 and DIO2 can be configured as an nput or Output port To use them as digital outputs first configure the port direction on the System I O Ports menu page The DIO1 and DIO2 pins are current limited by the chip to 20mA and accept 5V levels so they cannot drive a relay etc Alternately you can change the output states using the ioc command line utility The following text is the usage message from the joc usage loc digital io port controller pin_num pin number 1 to 4 d pin_dir pin direction 0 output 1 input Console Server amp RMM Gateway User Manual 189 Chapter 8 Power Environmental amp Digital I O v pin_val pin electrical value in output mode 0 low 1 high F reset pins to all inputs and low g displays the pin directions and current values I load pin configuration from configlity For example to set pin 1 to a low output type ioc p 1 d0 v0 To pulse one of these outputs use a script like the following
127. pub > /home/user/keys/authorized_keys_bridge_server. Uploading Keys. The keys for the server can be uploaded through the web interface, on the System: Administration page as detailed earlier. If only one client will be connecting, then simply upload the appropriate public key as the authorized keys file. Otherwise, upload the authorized keys file constructed in the previous step. Each client will then need its own set of keys uploaded through the same page. Take care to ensure that the correct type of keys (DSA or RSA) go in the correct spots, and that the public and private keys are in the correct spot. 15.6.8 SDT Connector Public Key Authentication. SDT Connector can authenticate against a console server using your SSH key pair rather than requiring you to enter your password (i.e. public key authentication). > To use public key authentication with SDT Connector, you must first create an RSA or DSA key pair (using ssh-keygen, PuTTYgen or a similar tool) and add the public part of your SSH key pair to the console server, as described in the earlier section. > Next, add the private part of your SSH key pair (this file is typically named id_rsa or id_dsa) to the SDT Connector client. Click Edit -> Preferences -> Private Keys -> Add, locate the private key file and click OK. You do not have to add the public part of your SSH key pair; it is calculated using the private key.
128. server product, or a copy can be freely downloaded from Opengear's website. > Run the set-up program. Note: For Windows clients, the SDTConnectorSetup-1.n.exe application will install the SDT Connector 1.n.exe and the config file defaults.xml. If there is already a config file on the Windows PC then it will not be overwritten. To remove an earlier config file, run the regedit command and search for SDT Connector, then remove the directory with this name. For Linux and other Unix clients, the SDTConnector.tar.gz application will install the sdtcon-1.n.jar and the config file defaults.xml. Once the installer completes you will have a working SDT Connector client installed on your machine and an icon on your desktop. > Click the SDT Connector icon on your desktop to start the client. Note: SDT Connector is a Java application so it must have a Java Runtime Environment (JRE) installed. This can be freely downloaded from http://java.sun.com/j2se/. It will install on Windows 20
129. servers that draw power through the UPS to shut down gracefully when the battery power reaches critical. There are also logging clients (upslog) and third party interface clients (Big Sister, Cacti, Nagios, Windows and more; refer www.networkupstools.org/client-projects). The latest release of NUT (2.4) also controls PDU systems. It can do this either natively using SNMP or through a binding to Powerman (open source software from Livermore Labs that also is embedded in Opengear console servers). These NUT clients and servers all are embedded in each Opengear console server (with a Management Console presentation layer added), and they also are run remotely on distributed console servers and other remote NUT monitoring systems. This layered distributed NUT architecture enables: Multiple manufacturer support: NUT can monitor UPS models from 79 different manufacturers, and PDUs from a growing number of vendors, with a unified interface. Multiple architecture support: NUT can manage serial and USB connected UPS models with the same common interface. Network connected USB and PDU equipment can also be monitored using SNMP. Multiple clients monitoring the one UPS: Multiple systems may monitor a single UPS using only their network connections, and there's a wide selection of client programs which support monitoring UPS hardware via NUT (Big Sister, Cacti, Nagios and more). Central management of multiple NUT servers: A central NUT client can
130. [Screenshot: Serial & Network: Call Home form. Field help text: "IP address or DNS name of the CMS or SSH server"; "Enter the password to authenticate this connection, e.g. the Call Home Password; this password will not be stored but used to propagate SSH keys and then forgotten".] > Enter the IP address or DNS name (e.g. the dynamic DNS address) of the CMS > Enter the Password that you configured on the CMS as the Call Home Password > Click Apply. These steps initiate the Call Home connection from the console server to the CMS. This creates an SSH listening port on the CMS and sets the console server up as a candidate. [Screenshot: Serial & Network: Call Home status page. Page text: "Call home to CMS if this device is behind a third party firewall, or is otherwise not routable from the CMS. This establishes an SSH connection to the CMS, nominating this device as a candidate for management." Columns: Connected To, Listening Port.]
131. snmpwalk -Oa -v3 -l noAuthNoPriv -u readonlyusername -M /usr/share/snmp/mibs im4004 OG-STATUS-MIB::ogStatus
auth: snmpwalk -Oa -v3 -l authNoPriv -u readonlyusername -a SHA -A authpassword -M /usr/share/snmp/mibs im4004 OG-STATUS-MIB::ogStatus
priv: snmpwalk -Oa -v3 -l authPriv -u readonlyusername -a SHA -A authpassword -x DES -X privpassword -M /usr/share/snmp/mibs im4004 OG-STATUS-MIB::ogStatus
Options: -l Security Level; -u Security Name or Read Only Username; -a Authentication Protocol (SHA or MD5); -A Authentication Password; -x Privacy Protocol (DES or AES); -X Privacy Password. A MIB browser may be used to explore the Opengear enterprise MIB structure. For example, the ogStatus tree is shown below. [Figure: MIB browser view of the ogStatus tree, including ogSerialPortStatusTable and ogEnvAlertStatusTable]
132. standard CM4116, CM4132 and CM4148 models have a built-in universal auto-switching AC power supply. This power supply accepts AC input voltage between 100 and 240 VAC with a frequency of 50 or 60 Hz, and the power consumption is less than 20W. CM4116, CM4132 and CM4148 models have an IEC AC power socket located at the rear of the metal case. This IEC power inlet uses a conventional IEC AC power cord, and the power cords for various regions are available. (The North American power cord is provided by default.) There is a warning notice printed on the back of each unit: To avoid electrical shock, the power cord grounding conductor must be connected to ground. 2.2.3 IM4004-5 and CM4008 power. The IM4004-5 and CM4008 are supplied with an external power supply unit. This unit accepts an AC input voltage between 100 and 250 VAC with a frequency of 50Hz or 60Hz. The power supply has an IEC AC power socket, which accepts a conventional IEC AC power cord. The power cord for North America is provided by default. The 5V DC connector from the power supply plugs into the 5VDC power socket on the rear of the IM4004-5 or CM4008 chassis. > Plug in the AC power cable and the DC power cable and turn AC power On > Confirm the Power LED is lit. Note: When you have applied power to the CM4008 you will also observe the LEDs P1 through P8 light up in sequence. 2.2.4 CM4001 SD400
133. such as system contact, name and location can be achieved by editing the /etc/config/snmpd.conf file and locating the following lines:
sysdescr opengear
syscontact root <root@localhost> (configure /etc/default/snmpd.conf)
sysname Not defined (edit /etc/default/snmpd.conf)
syslocation Not defined (edit /etc/default/snmpd.conf)
Simply change the values of sysdescr, syscontact, sysname and syslocation to the desired settings and restart snmpd. The snmpd.conf is extremely powerful and too flexible to completely cover here. The configuration file itself is commented extensively, and good documentation is available at the net-snmp website http://www.net-snmp.org, specifically: Man Page: http://www.net-snmp.org/docs/man/snmpd.conf.html; FAQ: http://www.net-snmp.org/docs/FAQ.html; Net-SNMPD Tutorial: http://www.net-snmp.org/tutorial/tutorial-5/demon/snmpd.html. 15.5.5 Adding multiple remote SNMP managers. You can add multiple SNMP servers for alert traps: add the first and second SNMP servers using the Management Console (refer Chapter 7) or the command line config tool. Further SNMP servers must be added manually using config. Log in to the console server's command line shell as root or an admin user. Refer back to the Management Console UI or user documentation for descriptions of each field. To set the SNMP Manager Address field: config --set config.system.snmp.address3=w.x.y.z
134. supports RFC2217 virtual com ports, so a remote host can monitor and manage remote serially attached devices as though they were connected to the local serial port (see Chapter 4.6 Serial Port Redirection for details). RFC2217 also enables the serial port to be tunneled to a remote console server, so two serial port devices can be transparently interconnected over a network (see Chapter 4.1.6 Serial Bridging). Unauthenticated Telnet: Selecting Unauthenticated Telnet enables telnet access to the serial port without requiring the user to provide credentials. When a user accesses the console server to telnet to a serial port they normally are given a login prompt. However, with unauthenticated telnet they connect directly through to the port without any console server login at all. This mode is mainly used when you have an external system (such as conserver) managing user authentication and access privileges at the serial device level. For Unauthenticated Telnet the default port address is IP Address _ Port (6000 + serial port), i.e. 6001 to 6048. Web Terminal: Selecting Web Terminal enables web browser access to the serial port via Manage: Devices: Serial using the Management Console's built-in AJAX terminal. Web Terminal connects as the currently authenticated Management Console user and does not re-authenticate. See section 13.3 for more details. Authenticate: Enable for secure serial communications using Portshare and add password. Accumulation Period
135. system.smtp.encryption=SSL (can also be TLS or None)
config -s config.system.smtp.sender=John@opengear.com
config -s config.system.smtp.username=john
config -s config.system.smtp.password=secret
config -s config.system.smtp.subject="SMTP alerts"
To set up an SMTP SMS server with the same details as above:
config -s config.system.smtp.server2=mail.opengear.com
config -s config.system.smtp.encryption2=SSL (can also be TLS or None)
config -s config.system.smtp.sender2=John@opengear.com
config -s config.system.smtp.username2=john
config -s config.system.smtp.password2=secret
config -s config.system.smtp.subject2="SMTP alerts"
The following command will synchronize the live system with the new configuration:
config -a
14.1.15 SNMP. To set up the SNMP agent on the device:
config -s config.system.snmp.protocol=UDP (or TCP)
config -s config.system.snmp.trapport=<port number> (default is 162)
config -s config.system.snmp.address=<NMS IP network address>
config -s config.system.snmp.community=<community name> (v1 and v2c only)
config -s config.system.snmp.engineid=<ID> (v3 only)
config -s config.system.snmp.username=<username> (v3 only)
config -s config.system.snmp.password=<password> (v3 only)
config -s config.system.snmp.version=<1, 2c or 3>
The following command will synchronize the live system with the new configuration:
config -a
136. that (1) certain components of the Software, including SDT Connector, are components licensed under the GNU General Public License Version 2, which Opengear supports, and (2) the SDT Connector includes code from JSch, a pure Java implementation of SSH2, which is licensed under BSD style license. Copies of these licenses are detailed below, and Opengear will provide source code for any of the components of the Software licensed under the GNU General Public License upon request. EXPORT RESTRICTIONS: You agree that you will not export or re-export the Software, any part thereof, or any process or service that is the direct product of the Software in violation of any applicable laws or regulations of the United States or the country in which you obtained them. U.S. GOVERNMENT RESTRICTED RIGHTS: The Software and related documentation are provided with Restricted Rights. Use, duplication, or disclosure by the Government is subject to restrictions set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 or subparagraphs (c)(1) and (2) of the Commercial Computer Software Restricted Rights at 48 C.F.R. 52.227-19, as applicable, or any successor regulations. TERM AND TERMINATION: This EULA is effective until terminated. The EULA terminates immediately if you fail to comply with any term or condition. In such an event, you must destroy all copies of the Software. You may also terminate this EULA at a
137. the Host Name (or IP address). Select Telnet as the protocol and set the TCP port to 2000 plus the physical serial port number (i.e. 2001 to 2048). Click the Open button. You may then receive a Security Alert that the host's key is not cached; you will need to choose yes to continue. You will then be presented with the login prompt of the remote system connected to the serial port chosen on the console server. You can login as normal and use the host serial console screen. Note: PuTTY can be downloaded at http://www.tucows.com/preview/195286.html. In Console Server mode, when you connect through to a serial port you connect via pmshell. To generate a BREAK on the serial port you need to type the character sequence ~b, and if you're doing this over SSH you'll need to type ~~b
138. the ACM5500, ACM5000 and SD4001 are by default all configured as RJ serial Console Server ports. However Port 1 can be configured to be the Local Console Modem port. OoB Dial In Access. Once a modem has been attached to the console server you can configure the console server for dial in PPP access. The console server will then await an incoming connection from a dial in at a remote site. Next, the remote client dial in software needs to be configured to establish the connection between the Administrator's client modem and the dial in modem on the console server. 5.2.1 Configure Dial In PPP. Enable PPP access on the internal or externally attached modem: > Select the System: Dial menu option and the port to be configured (Serial DB9 Port or Internal Modem Port or External USB Port) > Select the Baud Rate and Flow Control that will communicate with the modem. Note: By default the modem port on all Opengear console servers is set with software flow control, and the baud rate is set at: 115200 baud for external modems connected to the Serial DB9 Port on CM4008, CM41xx, IM42xx and IM4004-5 console servers; 9600 baud for the internal modem or external USB modem, and for external modems connected to the Console serial ports which have been reassigned for dial in access (on SD4001, SD4002, ACM5000 and ACM5500). Note: When enabling OoB dial in it is recommended that
139. the GNOME Terminal Services Client tsclient to configure and launch the rdesktop client. (Using tsclient also enables you to store multiple configurations of rdesktop for connection to many servers.) Note: The rdesktop client is supplied with Red Hat 9.0: rpm -ivh rdesktop-1.2.0-1.i386.rpm. For Red Hat 8.0 or other distributions of Linux: download source, untar, configure, make, make then install. rdesktop currently runs on most UNIX based platforms with the X Window System and can be downloaded from http://www.rdesktop.org/. On a Macintosh client: > Download Microsoft's free Remote Desktop Connection client for Mac OS X: http://www.microsoft.com/mac/otherproducts/otherproducts.aspx?pid=remotedesktopclient. 6.9 SDT SSH Tunnel for VNC. Alternately, with SDT and Virtual Network Computing (VNC), Users and Administrators can securely access and control Windows, Linux, Macintosh, Solaris and UNIX computers. There's a range of popular VNC software available (UltraVNC, RealVNC, TightVNC), freely and commercially. To set up a secure VNC connection you must install and configure the VNC Server software on the computer to be
140. the Opengear technical support team to solve any problems you may experience with your console server. If you do experience a problem and have to contact support, ensure you include the Support Report with your email support request. The Support Report should be generated when the issue is occurring, and attached in plain text format. [Screenshot: Status: Support Report page, showing firmware version, uptime and IP configuration]
141. the SD40X2 Can also be software selected to be an RS485 or RS422 port connected through the screw terminal block shown below V DC IN GND RX RX TX TX 3 3V DC OUT GND CONOoRWND e RS 422 uses a full duplex transmit on TX TX pair receive on RX RX pair e RS 485 uses half duplex over single pair The SD4002 supports half duplex party line communications over a 2 wire RS 485 bus D D This is enabled by choosing the RS 485 option instead of RS 232 or RS 422 for Signaling Protocol from the Serial Port Configuration link on the Web management console In addition two short cable loops are required between the RX TX pins and RX TX pins This is because the SD4002 uses universal differential transceivers that support 4 wire RS 422 and 2 wire RS 485 operation In RS 485 mode Port2 on the SD4002 listens on the 2 wire bus for receive data until it is required to send data In RS 485 send mode it stops receiving enables its transmitters when there is data to be sent transmits the data and returns to receive mode This eliminates the possibility of collisions with other devices which share the RS 485 bus and avoids receiving stale echoed data 320 Console Server amp RMM Gateway User Manual 2 short wire loops on SD4002 screw terminal block D4002 RS 485 2 Wire Wiring Diagram Connection to ES 485 Device R5 485 Bus E WAT SCREW TERMINAL Serial Port Pinouts SD40
142. the default route:
config -s config.console.ppp.defaultroute=on
Please note that supported authentication types are None, PAP, CHAP and MSCHAPv2. Supported serial port baud rates are 9600, 19200, 38400, 57600, 115200 and 230400. Supported parity values are None, Odd, Even, Mark and Space. Supported data bits values are 8, 7, 6 and 5. Supported stop bits values are 1, 1.5 and 2. Supported flow control values are Hardware, Software and None. If you do not wish to use out of band dial in access, please note that the procedure for enabling start up messages on the console port is covered in Chapter 15 Accessing the Console Port. The following command will synchronize the live system with the new configuration:
config -a
14.1.20 DHCP server. To enable the DHCP server on the console management LAN with settings: Default lease time: 200000 seconds; Maximum lease time: 300000 seconds; DNS server1: 192.168.2.3; DNS server2: 192.168.2.4; Domain name: company.com; Default gateway: 192.168.0.1; IP pool 1 start address: 192.168.0.20; IP pool 1 end address: 192.168.0.100; Reserved IP address: 192.168.0.50; MAC to reserve IP for: 00 1 67 82 72 d9; Name to identify this host: John PC. Issue the commands:
config -s config.interfaces.lan.dhcpd.enabled=on
config -s config.interfaces.lan.dhcpd.defaultlease=200000
config -s config.interfaces.lan.dhcpd.maxlease=300000
config -s conf
143. to be issued to the DHCP clients. If this field is left blank, the console server's IP address will be used. > Enter the Primary DNS and Secondary DNS address to issue the DHCP clients. Again, if this field is left blank, the console server's IP address is used, so leave this field blank for automatic DNS server assignment. > Optionally enter a Domain Name suffix to issue DHCP clients. > Enter the Default Lease time and Maximum Lease time in seconds. The lease time is the time that a dynamically assigned IP address is valid before the client must request it again. > Click Apply. The DHCP server will sequentially issue IP addresses from a specified address pool(s): > Click Add in the Dynamic Address Allocation Pools field > Enter the DHCP Pool Start Address and End Address and click Apply.
144. to generate and store all keys to be used on the console servers. However, if this is not ideal to your situation, keys may be generated on the console servers themselves. It is possible to generate only one set of keys and reuse them for every SSH session. While this is not recommended, each organization will need to balance the security of separate keys against the additional administration they bring. Generated keys may be one of two types, RSA or DSA (and it is beyond the scope of this document to recommend one over the other). RSA keys will go into the files id_rsa and id_rsa.pub. DSA keys will be stored in the files id_dsa and id_dsa.pub. For simplicity going forward, the term private key will be used to refer to either id_rsa or id_dsa, and public key to refer to either id_rsa.pub or id_dsa.pub. To generate the keys using OpenBSD's OpenSSH suite, we use the ssh-keygen program:
ssh-keygen -t [rsa|dsa]
Generating public/private [rsa|dsa] key pair.
Enter file in which to save the key (/home/user/.ssh/id_[rsa|dsa]):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/user/.ssh/id_[rsa|dsa].
Your public key has been saved in /home/user/.ssh/id_[rsa|dsa].pub.
The key fingerprint is: 28 a4a 29 38 ba 40 14 11 5e 3f 0d4 fa e5 36 14 d6 user se
145. user; 4.11.3 Setup a remote PPTP client; 4.12 Call Home; 4.12.1 Setup Call Home candidate; 4.12.2 Accept Call Home candidate as Managed Console Server on CMS; 4.12.3 Calling Home to a generic central SSH server; FIREWALL, FAILOVER & OoB ACCESS; 5.1 Dialup Modem Connection; 5.2 OoB Dial-In Access; 5.2.1 Configure Dial-In PPP; 5.2.2 Using SDT Connector client; 5.2.3 Set up Windows XP, 2003, Vista, 7 client; 5.2.4 Set up earlier Windows clients; 5.2.5 Set up Linux clients; 5.3 Dial-Out Access; 5.3.1 Always-on dial-out; 5.3.2 Failover dial-out; 5.4 OoB Broadband Ethernet Access; 5.5 Broadband Ethernet Failover; 5.6 Cellular Modem Connection; 5.6.1 Connect to the GSM HSUPA/UMTS carrier network; 5.6.2 Connect to the CDMA EV-DO carrier network; 5.6.3 Verify cellular connection; 5.7 Cellular Operation; 5.7.1 OoB access set up; 5.7.2 Cellular failover setup; 5.7.3 Cellular routing; 5.7.4 Cellular CSD dial-in setup; 5.8 Firewall & Forwarding; 5.8.1 Configuring network forwarding and IP masquerading; 5.8.2 Configuring client devices; 5.8.3 Port/Protocol forwarding; 5.8.4 Firewall rules; SSH TUNNELS & SDT CONNECTOR; 6.1 Configuring for SSH Tunneling to Hosts; 6.2 SDT Connector Client Configura
146. with Opengear Classic pinouts. However, console servers with 01 and 02 pinouts only support attaching a single sensor to each EMD. The EMD can be used only with an Opengear console server and cannot be connected to standard RS232 serial ports on other appliances. > Select Environmental as the Device Type in the Serial & Network: Serial Port menu for the port to which the EMD is to be attached. No particular Common Settings are required. > Click Apply. [Screenshot: Device Settings, Device Type: Environmental. Apply this setting, then use the Environmental page to configure the attached environmental monitor.] 8.3.2 Connecting sensors to ACM5000 and ACM5500s: You can connect EMDs (and their attached environmental sensors) to the serial ports on your ACM5000 as detailed in the previous section. However, the ACM5000 can also support direct connection of environmental sensors. All the ACM5000 models (except ACM5004-2) can be configured with the environmental option E. Models with this option have a green connector block on the side (marked SENSORS 1-4), and up to four environmental sensors can be directly attached to this block. [Figure: Opengear Advanced Console Manager] The ACM5004-2-I model is supplied with a green connector block on the side by default. The first two connectors on this block (marked DIO1 and DIO2) can be configured to have exte
147. with a central upstream Nagios server to provide distributed monitoring of attached network hosts and serial devices. They embed the NSCA (Nagios Service Checks Acceptor) and NRPE (Nagios Remote Plug-in Executor) add-ons; this allows them to communicate with the central Nagios server, eliminating the need for a dedicated slave Nagios server at remote sites. The console server products all support basic distributed monitoring. Additionally, IM4xxx families support extensive customizable distributed monitoring. Even if distributed monitoring is not required, the console servers can be deployed locally alongside the Nagios monitoring host server to provide additional diagnostics and points of access to managed devices. [Diagram: Central site (Nagios server) connected to Remote site (console server, network and services)] Opengear's SDT for Nagios extends the capabilities of the central Nagios server beyond monitoring, enabling it to be used for central management tasks. It incorporates the Opengear SDT Connector client, enabling point-and-click access and control of distributed networks of console servers and their attached network and serial hosts, from a central location. Note: If you have an existing Nagios deployment, you may wish to use the console server gateways in a distributed monitoring server capacity only. If this is the case and you are already familiar with Nagios, skip ahead to section 10.3. 10.1 Nagios Overview: Nagios provides central
148. with popular access tools such as Telnet, SSH, HTTP, HTTPS, VNC, RDP to provide point-and-click secure remote management access to all the systems and devices being managed. Information on using SDT Connector for browser access to the console server's Management Console, Telnet/SSH access to the console server command line, and TCP/UDP connecting to hosts that are network connected to the console server can be found in Chapter 6 (Secure Tunneling). SDT Connector can be installed on Windows 2000, XP, 2003, 7, Vista PCs and on most Linux, UNIX and Solaris. 3.5.2 PuTTY: Communications packages like PuTTY can be also used to connect to the console server command line (and to connect serially attached devices, as covered in Chapter 4). PuTTY is a freeware implementation of Telnet and SSH for Win32 and UNIX platforms. It runs as an executable application without needing to be installed onto your system. PuTTY (the Telnet and SSH client itself) can be downloaded at http://www.tucows.com/preview/195286.html. To use PuTTY for an SSH terminal session from a Windows client, you enter the console server's IP address as the Host Name (or IP address). To access the console server command line, you select SSH as the protocol and use the default IP Port 22. [Screenshot: PuTTY Configuration dialog]
149. 0 hours 32 mins 26 secs Current User root Backup Log Out Alerts amp Logging Auto Response gt Carni Pat Auto Response Settings Users amp Groups Name Authentication Network Hosts Unique Name for this AutoResponse Trusted Networks IPsec VPN Reset Timeout 0 OpenVPN i l PPTP VPN Time in seconds after resolution to delay before this AutoResponse can be triggered again Call Home z Cascaded Ports Repeat Trigger w UPS Connections Actions Repeat Trigger actions until the check is resolved RPC Connections Environmental Repeat Trigger Action 300 Managed Devices Delay Delay time before repeating trigger actions Alerts amp Logging The deby starts after the bst action is queued Port Log Disable Auto Response T henga at specific times Allows Auto Responses to be periodically disabled based on time and day SNMP Disable Auto Response between the following times Administration a o x 00 x o 00 Configuration Backup men o o0 0 o0 x TA o e ool I o Prewal ae 0 00 0 00 Console Server amp RMM Gateway User Manual 151 Chapter 7 Alerts and Logging 7 2 Check Conditions To configure the condition that will trigger the Auto Response gt Click on the Check Condition type e g Environmental UPS Status or ICMP ping to be configured as the trigger for this new Auto Response
150. 00, XP, 2003, Vista PCs and on most Linux platforms. Solaris platforms are also supported, however they must have Firefox installed. SDT Connector can run on any system with Java 1.4.2 and above installed, but it assumes the web browser is Firefox and that xterm -e telnet opens a telnet window. To operate SDT Connector, you first need to add new gateways to the client software by entering the access details for each console server (refer Section 6.2.2), then let the client auto-configure with all host and serial port connections from each console server (refer Section 6.2.3), then point-and-click to connect to the Hosts and serial devices (refer Section 6.2.4). Alternately, you can manually add network connected hosts (refer Section 6.2.5) and manually configure new services to be used in accessing the console server and the hosts (refer Section 6.2.6), then manually configure clients to run on the PC that will use the service to connect to the hosts and serial port devices (refer Section 6.2.7 and 6.2.9). SDT Connector can also be set up to make an out-of-band connection to the console server (refer Section 6.2.9). 6.2.2 Configuring a new gateway in the SDT Connector client: To create a secure SSH tunnel to a new console server: > Click the New Gateway icon or select the File: New Gateway menu option. [Screenshot: Opengear SDTConnector window, New Gateway]
151. 01 The SD4001 has one DB9 serial port that can selected to be an RS232 RS485 or RS422 port By default the SD4001 is configured in RS232 mode with a vertical jumper in place on the left hand SEL pins 7 a These jumpers factory use only J 4 JN Pe SX ATAN DC Power S 40H00 Base T 7 dumper ON for Jack l Ethernet RS232andOFF ks bN _ a neice at te me y ry _ _ To set the port in RS422 or RS485 mode you must remove the SEL jumper and then configure the Signaling Protocol using the Management Console The DB9 pin out is Pin RS232 RS422 RS485 1 DCD DCD 2 RXD RX 3 TXD TX D 4 DTR DTR 5 GND GND GND 6 DSR RX T RTS TX D 8 CTS DCD 9 DTR Console Server amp Router User Manual 321 Terminology APPENDIX E TERMINOLOGY TERM MEANING S O APN Access Point Name APN is used by carriers to identify an IP packet data network that a mobile data user wants to communicate with and the type of wireless service Authentication Authentication is the technique by which a process verifies that its communication partner is who it is supposed to be and not an imposter Authentication confirms that data is sent to the intended recipient and assures the recipient that the data originated from the expected sender and has not been altered on route BIOS Basic Input Output System is the built in software in a computer that are executed on start up boot and that dete
152. 04 04 15 26 06 Od Oh 22m 23s 2008 04 04 15 27 58 Od 4h 33m 26s 2008 04 04 15 29 32 Od Oh 22m 23s Unreachable All Types G Attempt 1 4 1 4 1 4 1 4 1 4 1 4 1 4 1 4 1 4 1 4 1 4 1 4 1 4 1 4 Pending 0 Service Status Totals Ok Warning Unknown Critical Pending 16 0 0 0 T Ali Problems Al Types 0 TA Status Information OK load average 0 06 0 06 0 05 USERS OK 1 users currently logged in DISK OK free space 6371 MB 90 inode 96 fvarfrun 61 MB 99 inode 99 var lock 61 MB 100 inode 99 dev 61 MB 99 inode 82 dev shm 61 MB 100 inode 99 boot 199 MB 89 inode 99 HTTP OK HTTP 1 1 200 OK 244 bytes in 0 003 seconds SSH OK OpenSSH_4 6p1 Debian Subuntu0 1 protocol 2 0 PROCS OK 52 processes TCP OK 0 000 second response time on port 22 Connect via SDT TCP OK 0 000 second response time on port 25 TCP OK 0 020 second response time on port 443 Connect via SDT TCP OK 0 060 second response time on port 443 Connect via SDT Service is not scheduled to be checked 4pr 1 15 53 08 RXDATA Send rp 192 168 00 01 PING OK Packet loss 0 RTA 1 06 ms Device ready to accept data Terminal Connect via SDT Once the wizard has completed successfully verify the Nagios configuration is valid as instructed and restart Nagios If you chose to apply the SDT for Nagios theme you may need to flush your browser s cache for it to displa
153. 2 5 USB Port Connection Most console server models have external USB ports and these ports are mostly USB2 0 They can be used for connecting to USB consoles of Managed Devices e g for managing UPS supplies attaching other external USB peripherals e g an external USB memory stick or modem adding supported Sierra Wireless cellular USB modems plugging in USB hubs to provide additional ports some console server models also have a USB1 1 port and this is best reserved for use with an external USB memory stick dedicated to recovery firmware boot images extended log file storage etc The IM42xx 2 DAC X2 G and IM42xx 2 DAC X0 G models have one USB1 1 port on the front face and one USB 2 0 port at the rear face This USB2 0 port uses a micro AB USB connector so an adapter cable is also included These models also have 16GB flash installed internally via a USB 2 0 flash drive for improved logging All the other models in the IM42xx X family IM42xx 2 DxC Xx models such as IM4208 2 DAC X0 IM4248 2 DDC X2 and IM4216 34 DAC X2 have one USB1 1 port on the front face and two additional USB 2 0 ports at the rear face adjacent to modem jack These IM42xx X models also have an internal 16GB flash drive The ACM5500 and IM4004 5 models all have an internal 4GB USB flash drive as well as two unallocated external USB2 0 ports The ACM5000 models have two USB2 0 ports However one or both of these may be pre allocated internally Fo
154. 2 Alert Status Date amp Time Fri Jan 16 20 37 05 24 51 Open 0 Open 0 Normal Dial 2009 Services DHCP Server Fri Jan 16 20 38 05 24 47 Open 0 Open 0 Normal Nagios 2009 188 Console Server amp RMM Gateway User Manual User Manual 8 4 Digital I O Ports The ACM5004 2 1 ACM5508 2 and ACM5504 5 G models have four digital interface ports which present on a green connecior block on the side of the unit DIO1 and DIO2 are two TTL level digital I O ports 5V max 20mA OUT1 and OUT2 are two High Voltage digital Output ports gt 5V to lt 30V 100mA i s l g DIO1 GNO DIO2 GNO OUT1 GNO OUT2 EXT 9 30V DC The I O ports are configured via the I O port page which is found under the system menu Each port can be configured with a default direction and state gt Select the System I O Ports menu System Name les1204a Model LES1204A Firmware 3 1 0u1 n 4 O opengear Uptime 1 days 6 hours 50 mins 24 secs Current User root Backup Log Out System I O Ports I O Port 1 Users amp Groups 1 O Port 1 default Input Authentication direction Network Hosts Output Trusted Networks IPsec VPN The direction of the I O port at power on Cascaded Ports UPS Connections 1 0 Port 1 default Low RPC Connections ical state Environmental High Managed Devices If the port is configured as an output this is the electrical state of the port at
155. 2 and SD4001 power The CM4001 SD4002 and SD4001 models are each supplied with an external DC wall mount power supply A specific power supply models for each region will have been supplied as specified by the US EU UK JP or AU extension to the part number The 12V DC connector from the power supply unit plugs into the DC power socket on the side of the console server casing gt Plug in the power supply AC power cable and the DC power cable gt Turn onthe AC power and confirm the console server Power LED PWR is lit Note When you first apply power to the SD4002 CM4001 you will observe the Local and Serial LEDs flashing alternately The CM4001 SD4002 can also be powered directly from any 9V DC to 48V DC power source by connecting the DC power lines to the IN GND and IN VIN screw jacks 2 2 5 ACM500x ACM500x 2 ACM500x M W I G and ACM500x SDC power All the ACM5000 models are supplied with an external AC 12VDC wall mount power supply This comes with a selection of wall socket adapters for each geographic region North American Europe UK Japan or Australia The 12V DC connector from the power supply unit plugs into the 12VDC PWR power jack on the side of the console server casing gt Plug in the power supply AC power cable and the DC power cable gt Turn onthe AC power and confirm the console server Power LED PWR is lit 22 Console Server amp RMM Gateway User Manual User Manual The ACM5000 models can also b
156. 208 16 48 Classic and IM4004 5 all have the Opengear Classic pinout and ship with a cross over and a straight RJ45 DB9 connector for connecting to other vendor s products WIRING TABLE peor RJ45 DB9F RJ45S straight kia 7 i v connector e Part 319000 OCD 1 3 pep RxD 3 4 RYD TxD 3 5 TXD GND 5 GND DTR 7 DIR CTS 8 8 CTS Ril 4 WIRING TABLE DESF RJ45 DB9F RJ45S cross CTs 8 RTS over connector DTR 2 DSR Part 319001 DTR 4 3 DCD TXD 3 4 RxD RxD 3 5 TXD GND 5 6 GND DSR 7 DTR DCD i 7 DTR RTS 7 x CTs Ri 9 The IM4208 16 32 48 02 and IM4216 34 02 have the Cisco pinout and ship with these cross over straight RJ45 DB9 connectors WIRING TABLE RJ 45 DBS F Gi DB9F RJ45S straight connector iOS a 8 CTS Part 319014 2 DCD 1 DCD 3 RED 9 RZD 4 N C 5 GND 5 CNO 6 TED 3 TED 7 DTR 4 DTR 8 BTS 7 RTE Console Server amp Router User Manual 317 Connectivity TCP Ports amp Serial I O WIRING TABLE EE DB9F RJ45S cross RJ 45 DB9 F over connector Part 319015 LOIS a 7 RTS a j 4 DTR TEID 3 TZD 4 N C i R a 5 GND E TED 2 RED 7 it 1 DCD 6 DSR HETS 8 CTS Other available connectors and adapters Opengear also supplies a range of cables and adapters that will enable you to easily connect to the more popular servers and network appliances More detaile
157. [Screenshot: Call Home connection list] Once the candidate has been accepted on the CMS (as outlined in the next section), an SSH tunnel to the console server is then redirected back across the Call Home connection. The console server has now become a Managed Console Server and the CMS can connect to and monitor it through this tunnel. 4.12.2 Accept Call Home candidate as Managed Console Server on CMS: This section gives an overview on configuring the CMS to monitor console servers that are connected via Call Home. For more details, refer to the CMS6100 and VCMS User Manual. 1. You first must enter a new Call Home Password on the CMS. This password is used solely for accepting Call Home connections from candidate console servers. 2. So the CMS can be contacted by the console server, it must either have a static IP address or, if using DHCP, be configured to use a dynamic DNS service. 3. The Configure: Managed Console Servers screen on the CMS shows the status of local and remote Managed Console Servers and candidates. [Screenshot: CMS Configure: Managed Console Servers page]
158. 25 02:24:01 2009 33 Normal > Click Manage to query or control the individual power outlet. This will take you to the Manage: Power screen. 8.2 Uninterruptible Power Supply Control (UPS): All Opengear console servers can be configured to manage locally and remotely connected UPS hardware using Network UPS Tools. Network UPS Tools (NUT) is a group of open source programs that provide a common interface for monitoring and administering UPS hardware, and ensuring safe shutdowns of the systems which are connected. NUT is built on a networked model with a layered scheme of drivers, server and clients (covered in some detail in Chapter 8.2.6). [Diagram: multiple local/networked UPSes (Managed UPS) and multiple remote UPSes (Remote UPS)] 8.2.1 Managed UPS connections: A Managed UPS is a UPS that is directly connected as a Managed Device to the console server. It can be connected by serial or USB cable or by the network. The console server becomes the master of this UPS, and runs a upsd server to allow other computers that are drawing power through the UPS (slaves) to monitor the UPS status and take appropriate action (such as shutdown in event of low UPS battery). [Diagram: Managed UPS with serial, USB or network connections] The console server may or may not be drawing power itself through the Managed UPS. When the UPS's battery power r
159. 4 Configuring Serial Ports. 6.10.3 Set up SDT Connector to ssh port forward over the console server Serial Port: In the SDT Connector software running on your remote computer, specify the gateway IP address of your console server and a username/password for a user you have set up on the console server that has access to the desired port. Next you need to add a New SDT Host. In the Host address you need to put portxx, where xx is the port you are connecting to. Example: for port 3 you would have a Host Address of port03, and then select the RDP Service check box. 6.11 SSH Tunneling using other SSH clients (e.g. PuTTY): As covered in the previous sections of this chapter, we recommend you use the SDT Connector client software that is supplied with the console server. However, there's also a wide selection of commercial and free SSH client programs that can also provide the secure SSH connections to the console servers and secure tunnels to connected devices. PuTTY is a complete (though not very user friendly) freeware implementation of SSH for Win32 and UNIX platforms. SSHTerm is a useful open source SSH communications package. SSH Tectia is a leading end-to-end commercial communications security solution for the enterprise. Reflection for Secure IT (formerly F-Secure SSH) is another good commercial SSH-based security solution. By way of example, the steps below show the establishment of an SSH tunneled connection to a network connected device using the
160. 4004 5 Firmware 2 7 0p1 opengedr Uptime 0 days 0 hours 44 mins 49 secs Current User root Serial amp Network Network Hosts Serial amp Network Serial Port IP Address DNS 192 168 0 54 Name Users amp Groups The host s IP Address or DNS name Authentication Network Hosts Host Name PDU R3C Trusted Networks oeps A descriptive name for this host UPS Connections Description Notes Baytech PDU Rack3C RPC Connections EE A brief description of the host Managed Devices Permitted Services 80 tcp http 0 Remove Port Log Alerts SMTP amp SMS SNMP TCP UDP Port level 2 Input Output logging on services levell v Add NEP The TCP services available from this host Administration Firmware IP Date amp Time Device Settings Dial 3 3 Device Type RPC Services gt Select the Serial amp Network RPC Connections menu This will display all the RPC connections that have already been configured 168 Console Server amp RMM Gateway User Manual User Manual System Name img4004 5 Model IMG4004 5 Firmware 2 7 0p1 Qpengear Uptime 0 days 0 hours 39 mins 42 secs Current User root Serial amp Network RPC Connections Serial Port Remote Power Controllers Users amp Groups Name Description RPC Type Connected Via Log Authentication Status Network Hosts Trusted Networks PDD R3A Power Rack
161. 4070 USA. Alternately, the complete source code corresponding to each released version is available from us for a period of three years after its last shipment. If you would like the source code for an earlier release than the latest current release, please write "source for firmware Version x.xx" in the memo line of your payment. This offer is valid to anyone in receipt of this information. The console server also embodies the okvm console management software. This is GPL code and the full source is available from http://okvm.sourceforge.net. The console server BIOS (boot loader code) is a port of uboot, which is also a GPL package with source openly available. The console server CGIs (the html code, xml code and web config tools for the Management Console) are proprietary to Opengear, however the code will be provided to customers, under NDA. Also inbuilt in the console server is a Port Manager application and Configuration tools as described in Chapters 14 and 15. These both are proprietary to Opengear, but open to customers (as above). The console server also supports GNU bash shell script, enabling the Administrator to run custom scripts. GNU bash, version 2.05.0(1)-release (arm-OpenGear-linux-gnu) offers the following shell commands: alias [-p] [name[=value] ... ] bg [job_spec] bind [-lpvsPVS] [-m keymap] [-f fi break [n] builtin [shell-builtin [arg ...]] case WORD in [PATTERN [| PATTERN]. cd [-PL] [dir] comman
162. [Screenshot: CMS Configure: Managed Console Servers page, showing Managed Console Servers, Detected Console Servers (Local Console Servers, Remote Console Servers) and New Console Server] The Managed Console Server section shows the console servers currently being monitored by the CMS. The Detected Console Servers section: o The Local Console Servers drop-down list lists all the console servers which are on the same subnet as the CMS and are not currently being monitored. o The Remote Console Servers drop-down list in the Detected Console Servers section lists all the console servers that have established a Call Home connection and are not currently being monitored (i.e. candidates). You can click Refresh to update. 4. To add a con
163. 5 2 and later will generate Windows client config automatically from the GUI for Pre shared Secret Static Key File configurations System Name im4216 Model IM4216 Firmware 3 5 2u1 Ra opengear Uptime 6 days 23 hours 5 mins 10 secs Current User root Backup Log Out Serial amp Network OpenVPN Serial amp Network Serial Port Edit OpenVPN Tunnel Details Manage OpenVPN Files Users amp Groups Authentication Manage OpenVPN Files Network Hosts Configuration Choose File No file chosen File is not ww conf File custom Root CA page ease z File is not No file z Choose File No file chosen Certificate custom available Certificate File Choose File No file chosen File is not No file custom available Private Key File Choose File No file chosen File is not No file custom available tatus Diffie Hellman Choose File No file chosen File is not No file aa File custom available Manage No file chosen ebe static key Client Choose File No fle chosen File is not ww Note The remote Configuration custom client ovpn UNDEFINED setting in this File config file must be fixed before use Client Choose File No file chosen File is not batei Contains both the Client Configuration custom dient zip Configuration File and the Zip Static Key File Apply Alternately Open VPN GUI for Windows software which includes the standard OpenVPN package plus a Windows GUI can be downloaded f
164. 8 279 284 285 286 286 286 287 287 289 290 291 293 294 294 294 294 295 295 295 295 297 297 298 301 301 302 302 304 310 312 314 322 326 332 10 Console Server amp RMM Gateway User Manual Table of Contents THIS MANUAL Introduction This Users Manual walks you through installing and configuring the following Opengear product lines ACM5504 5 G I ACM5504 2 P ACM5508 2 M and ACM5008 2 P Remote Monitoring and Management RMM gateways ACM5002 ACM5004 ACM5004 2 ACM5004 G ACM5004 ACM5003 M amp ACM5003 W Advanced Console Manager with SDC E and F options and ACM5004 G GV with SDC and E options amp ACM5005 G I Cellular Routers IM4004 5 amp IM4216 34 DAC or DDC Management Gateways IM4248 2 DAC or DDC IM4232 2 DAC DDC IM4216 2 DAC DDC amp IM4208 2 DAC Infrastructure Managers CM4001 CM4008 CM4116 SAC CM4116 SAC amp CM4148 SAC Console Servers D4001 SD4002 Secure Device Server Each of these products is referred to generically in this manual as a console server Where appropriate product groups may be referred to as RMM gateways or cellular routers or by specific product line name or product group e g IM4200 family ACM5500 Manual Organization This manual contains the following chapters 1 Introduction 2 Installation 3 System Configuration 4 Serial amp Network 5 Firewall Failover amp OoB 6 Secure Tunneling 7 Auto Respo
165. 92 05 inet addr 192 168 0 1 Bcast 192 168 0 255 Mask 255 255 255 0 inet6 addr fe80 210 a1ff fe96 9205 64 Scope Link UP BROADCAST RUNNING MULTICAST MTU 1500 Metric 1 RX packets 2616 errors 0 dropped 0 overruns 0 frame 0 TX packets 1565 errors 0 dropped 0 overruns 0 carrier 0 collisions 0 txqueuelen 1000 Interrupt 12 Memory 1fff8000 1fff80fF etho 0 Link encap Ethernet HWaddr 00 10 A1 96 92 05 inet addr 192 168 250 111 Bcast 192 168 250 255 Mask 255 255 255 0 UP BROADCAST RUNNING MULTICAST MTU 1500 Metric 1 Interrupt 12 Memory 1fff8000 1fff80ff lo Link encap Local Loopback inet addr 127 0 0 1 Mask 255 0 0 0 inet6 addr 1 128 Scope Host UP LOOPBACK RUNNING MTU 16436 Metric 1 RX packets 975 errors 0 dropped 0 overruns 0 frame 0 TX packets 975 errors 0 dropped 0 overruns 0 carrier 0 collisions 0 tqueuelen 0 tun0d Link encap UNSPEC HWaddr 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 inet addr 10 100 0 6 P t P 10 100 0 5 Mask 255 255 255 255 UP POINTOPOINT RUNNING NOARP MULTICAST MTU 1500 Metric 1 RX packets 0 errors 0 dropped 0 overruns 0 frame 0 TX packets 0 errors 0 dropped 0 overruns 0 carrier 0 collisions 0 txqueuelen 100 4 10 3 Windows OpenVPN Client and Server set up Windows does not come standard with any OpenVPN server or client This section outlines the installation and configuration of a Windows OpenVPN client or a Windows OpenVPN server and setting up a VPN connection to a console server Console servers with firmware V3
166. 9258 via RS232 Serial Port 1 N A View Manage RPC Connections Log Environmental SR 3PDU Power to rack SR 3 Server Technology Sentry Network 192 168 26 2 N A Manage Switched CDU SR 3 PDU Port Log siiis DRAC VMWare Accounts IPMI 2 0 Network 192 168 26 45 N A Manage Del DRAQ SMTP amp SMS SNMP Status unavailable or not supported by this summary dick Manage to query individual outlet status Administration gt Click on View Log or select the RPCLogs menu and you will be presented with a table of the history and detailed graphical information on the selected RPC System Name img4004 5 Model IMG4004 5 Firmware 2 7 0p1 opengear Uptime 0 days 0 hours 45 mins 25 secs Current User root Status RPC Status Serial amp Network Serial Port Users amp Groups RPC Status RPC Logs Authentication Network Hosts PDU R7D Power Rack 7 Row D Sensor Graphs Trusted Networks Cascaded Ports UPS Connections RPC Connections Environmental Managed Devices Alerts amp Logging Port Log 62 38 62 48 62 58 Alerts El Temperature SMTP amp SMS SNMP PDU R7D Power Rack 7 Row D Log Administration Firmware Time Temperature Alert Status P Wed Mar 25 02 22 11 2009 33 Normal Date amp Time Dial Wed Mar 25 02 22 22 2009 33 Normal Services DHCP Server Wed Mar 25 02 23 00 2009 33 Normal Nagios Wed Mar
167. A N To avoid physical and electrical hazard please read Appendix C on Safety The sections below show the components shipped with each of these models 2 1 1 IM4208 2 IM4216 2 IM4232 2 IM4248 2 and IM4216 34 kit components Part 509006 Part 509007 Part 509008 Part 509009 Part 440016 Part 319000 t oa and 319001 Se Se Part 440001 Oe Part 539001 IM4216 2 Infrastructure Manager IM4248 2 Infrastructure Manager IM4208 2 Infrastructure Manager IM4216 34 Management Gateway 2 x Cable UTP Cat5 blue Connector DB9F RJ45S straight and DB9F RJ45S cross over Dual IEC AC power cord DAC models only Quick Start Guide and CD ROM gt Unpack your IM42xx IM4208 2 IM4216 2 IM4232 2 IM4248 2 Infrastructure Manager or IM4216 34 Management Gateway kit and verify you have all the parts shown above and that they all appear in good working order gt Ifyou are installing your IM42xx in a rack you will need to attach the rack mounting brackets supplied with the unit and install the unit in the rack Take care to head the Safety Precautions listed in Appendix C Console Server amp RMM Gateway User Manual 17 Chapter 2 Installation Proceed to connect your IM42xx to the network to the serial ports of the controlled devices and to power as outlined below The IM4216 2 DDC IM4232 2 DDC IM4248 2 DDC and IM4216 34 DDC products are DC powered and the kits do not include an IEC AC power cord IM4004 5 kit
168. AP attribute corresponding to the login name. On Active Directory servers, the attribute is sAMAccountName. LDAP Group Membership Attribute: The LDAP attribute that is used to indicate group memberships. On Active Directory servers, the attribute is memberOf. LDAP Console Server Group DN: The distinguished name of a group existing on the server which all users with access to the console server must belong to. LDAP Administration Group DN: The distinguished name of a group existing on the server whose members will be given admin access. Enter the Server Address (IP or host name) of the remote Authentication server. Multiple remote servers may be specified in a comma-separated list. Each server is tried in succession. Enter the Server Password. To interact with LDAP requires that the user account exist on our console server to work with the remote server, i.e. you can't just create the user on your LDAP server and not tell the console server about it. You need to add the user account. Click Apply. LDAP remote authentication will now be used for all user access to console server and serially or network attached devices. The Lightweight Directory Access Protocol (LDAP) is based on the X.500 standard, but significantly simpler and more readily adapted to meet custom needs. The core LDAP specifications are all defined in RFCs. LDAP is a protocol used to access information stored in an LDAP server. Further information on configuring re
169. ARP cache. Type arp -a to view the current ARP cache (this should be empty). Now add a static entry to the ARP table and ping the console server to assign the IP address to the console server. In the example below, a console server has a MAC Address 00:13:C6:00:02:0F (designated on the label on the bottom of the unit) and we are setting its IP address to 192.168.100.23. Also the computer issuing the arp command must be on the same network segment as the console server (that is, have an IP address of 192.168.100.xxx).
    Type arp -s 192.168.100.23 00-13-C6-00-02-0F
    (Note for UNIX the syntax is: arp -s 192.168.100.23 00:13:C6:00:02:0F)
    Type ping -t 192.168.100.23 to start a continuous ping to the new IP Address.
    Turn on the console server and wait for it to configure itself with the new IP address. It will start replying to the ping at this point.
    Type arp -d to flush the ARP cache again.
3.1.2 Browser connection. Activate your preferred browser on the connected PC/workstation and enter https://192.168.0.1. The Management Console supports all current versions of the popular browsers (Internet Explorer, Mozilla Firefox, Google Chrome, Apple Safari and more). [Screenshot: Management Console login prompt with Username, Password and Passcode fields]
170. Add ACM5500 Remove KCS. Copyright Opengear Inc. 2012. All Rights Reserved. Information in this document is subject to change without notice and does not represent a commitment on the part of Opengear. Opengear provides this document "as is", without warranty of any kind, either expressed or implied, including, but not limited to, the implied warranties of fitness or merchantability for a particular purpose. Opengear may make improvements and/or changes in this manual or in the product(s) and/or the program(s) described in this manual at any time. This product could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes may be incorporated in new editions of the publication. Proper back-up systems and necessary safety devices should be utilized to protect against injury, death or property damage due to system failure. Such protection is the responsibility of the user. This console server device is not approved for use as a life-support or medical system. Any changes or modifications made to this console server device without the explicit approval or consent of Opengear will void Opengear of any liability or responsibility of injury or loss caused by any malfunction. This equipment is for indoor use and all the communication wirings are limited to inside of the building.
171. Administration on Master's Management Console. Browse to the location you have stored RSA (or DSA) Public Key and upload it to SSH RSA (DSA) Public Key. Browse to the stored RSA (or DSA) Private Key and upload it to SSH RSA (DSA) Private Key. Click Apply. [Screenshot: System > Administration page with System Name, System Description and System Password fields and upload fields for the SSH RSA Public Key, SSH RSA Private Key, SSH DSA Public Key and SSH DSA Private Key] Next you must reg
172. [Screenshot: Management LAN interface settings with Disable, Configuration Method (DHCP or Static), IP Address and Subnet Mask fields] Note: The ACM5504-5-G-I, IM4004-5 and IM4216-34 can be configured with an active Management LAN gateway and with one of the switched Ethernet ports configured for OoB/Failover (ETH 1 on the ACM5504-5-G-I and IM4004-5, or NETWORK 2 on the IM4216-34). However with the other IM4200, ACM5508-2 and ACM5004-2 models the second Ethernet port can be configured as either a gateway port or as an OoB/Failover port, but not both. So ensure you did not enable the Management LAN function on Network/LAN 2. 3.6.4 Aggregating the network ports. By default the console server's Management LAN network ports can only be accessed using SSH tunneling/port forwarding or by establishing an IPsec VPN tunnel to the console server. However all the wired network ports on the console servers can be aggregated by being bridged or bonded. [Screenshot: Management Console page header]
173. By default once a connection has been established for a particular serial port (such as a RFC2217 redirection or Telnet connection to a remote computer) then any incoming characters on that port are forwarded over the network on a character by character basis. The accumulation period changes this by specifying a period of time that incoming characters will be collected before then being sent as a packet over the network.
Escape Character: This enables you to change the character used for sending escape characters. The default is
Power Menu: This setting enables the shell power command so a user can control the power connection to a Managed Device from command line when they are telnet or ssh connected to the device. To operate, the Managed Device must be set up with both its Serial port connection and Power connection configured. The command to bring up the power menu is p
Single Connection: This setting limits the port to a single connection, so if multiple users have access privileges for a particular port only one user at a time can be accessing that port (i.e. port "snooping" is not permitted).
4.1.3 SDT Mode. This Secure Tunneling setting allows port forwarding of RDP, VNC, HTTP, HTTPS, SSH, Telnet and other LAN protocols through to computers which are locally connected to the console server by their seria
174. [Screenshot: dial-out settings with Enable Dial Out, APN, Phone Number, Username, Password, Confirm, Custom Modem Initialization, Radio Access Technology and Override DNS fields] Note: By default the advanced console server supports automatic failure recovery back to the original state prior to failover (V3.1.0 firmware and later). The advanced console server continually pings probe addresses whilst in original and failover states. The original state will automatically be set as a priority and reestablished following three successful pings of th
175. CS/RADIUS/LDAP/Kerberos Down Local: Tries remote authentication first, falling back to local if the remote authentication returns an error condition (e.g. the remote authentication server is down or inaccessible). 9.1.1 Local authentication. Select Serial and Network: Authentication and check Local. Click Apply. 9.1.2 TACACS authentication. Perform the following procedure to configure the TACACS authentication method to be used whenever the console server or any of its serial ports or hosts is accessed. Select Serial and Network: Authentication and check TACACS or LocalTACACS or TACACSLocal or TACACSDownLocal. [Screenshot: TACACS settings with Authentication and Authorisation Server Address, Accounting Server Address (if unset, the Authentication and Authorization Server Address will be used), Server Password (the shared secret allowing access to the authentication server), Confirm Password and TACACS Group Membership Attribute (defaults to groupname n) fields] Enter the Server Address (IP or host name) of the remote Authentication/Authorization server. Multiple remote servers may be specified in a comma separated list. Each server is tried in succession. In
176. Client Configuration. SDT Connector will now use public key authentication when SSH connecting through the console server. You may have to restart SDT Connector to shut down any existing tunnels that were established using password authentication. If you have a host behind the console server that you connect to by clicking the SSH button in SDT Connector, you can also configure it for public key authentication. Essentially what you are using is SSH over SSH, and the two SSH connections are entirely separate, and the host configuration is entirely independent of SDT Connector and the console server. You must configure the SSH client that SDT Connector launches (e.g. PuTTY, OpenSSH) and the host's SSH server for public key authentication. 15.7 Secure Sockets Layer (SSL) Support. Secure Sockets Layer (SSL) is a protocol developed by Netscape for transmitting private documents via the Internet. SSL works by using a private key to encrypt data that's transferred over the SSL connection. The console server includes OpenSSL. The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, full-featured and Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library. The project is managed by a worldwide community of volunteers that use the Internet to communicate, plan and develop the OpenSSL toolkit and its related doc
177. A service typically consists of a single SSH port redirection and a local client to access it. However it may consist of several redirections, some or all of which may have clients associated with them. An example is the Dell RAC service. The first redirection is for the HTTPS connection to the RAC server; it has a client associated with it (web browser) that is launched immediately upon clicking the button for this service. The second redirection is for the VNC service that the user may choose to later launch from the RAC web console. It automatically loads in a Java client served through the web browser, so it does not need a local client associated with it. [Screenshot: SDT Connector Edit Service dialog for the Dell RAC service, showing its port redirections] On the Add Service screen you can click Add as many times as needed to add multiple new port redirections and associated clients. You may also specify Advanced port redirection options. Enter the local address to bind to when creating the local endpoint of the redirection. It is not usually necessary to change this from localhost. Enter a local TCP port to bind to when creating the local endpoint of the redirection. If this is left blank, a random port will be selected.
178. Console Server and will retrieve its Managed Devices, user account details and configured alerts. 4.12.3 Calling Home to a generic central SSH server. If you are connecting to a generic SSH server (not a CMS/VCMS) you may configure Advanced settings. Enter the SSH Server Port and SSH User to authenticate as. Enter the details for the SSH port forward(s) to create. [Screenshot: Serial & Network > Call Home, Edit Connection page with Server Address, Call Home Password, SSH Server Port, SSH User and listening/target port forward fields] By selecting Listening
179. [Screenshot: failover interface selection and probe address fields] When configuring the principal network connection, specify Management LAN/Network 2 (eth1) as the Failover Interface to be used when a fault has been detected with Network 1 (eth0). Specify the Probe Addresses of two sites (the Primary and Secondary) that the advanced console server is to ping to determine if Network 1 (eth0) is still operational. Then on the Management LAN Interface/Network 2 (IM42xx or ACM5004-2) or Out-of-Band/Failover (IM4004-5) configure the IP Address, Subnet Mask and Gateway the same as you used for Network Interface/Network 1. [Screenshot: System > IP page, Out-of-Band/Failover tab, with Disable and Configuration Method (DHCP or Static) settings]
180. [Screenshot: Status > UPS Status table listing each UPS with its battery, input, output and load readings] Click on any particular All Data for any UPS System in the table for more status and configuration information on the selected UPS System. [Screenshot: detailed variable listing for the selected UPS] Select UPS Logs and you will be presented with the log table of the load, battery charge level, temperature and other status information from all the Managed and Monitored UPS systems. This information will be logged for all UPSes which were configured with Log Status checked. The information is also presented graphically.
181. DAMAGES REGARDLESS OF WHETHER OPENGEAR WAS ADVISED OF THE POSSIBILITY OF SUCH DAMAGES
182. E port: 5600 (port to listen on for nrpe. Defaults to 5666). NRPE user: user1 (User to run as. Defaults to nrpe). NRPE group: group1 (Group to run as. Defaults to nobody). Allow command arguments: Enabled.
    config -s config.system.nagios.nrpe.enabled=on
    config -s config.system.nagios.nrpe.port=5600
    config -s config.system.nagios.user=user1
    config -s config.system.nagios.nrpe.group=group1
    config -s config.system.nagios.nrpe.cmdargs=on
To configure NSCA with the following settings: NSCA encryption: BLOWFISH (can be None, XOR, DES, TRPLEDES, CAST-256, BLOWFISH, TWOFISH, RIJNDAEL-256, SERPENT, GOST). NSCA password: secret. NSCA check-in interval: 5 minutes. NSCA port: 5650 (defaults to 5667). User to run as: User1 (defaults to nsca). Group to run as: Group1 (defaults to nobody).
    config -s config.system.nagios.nsca.enabled=on
    config -s config.system.nagios.nsca.encryption=BLOWFISH
    config -s config.system.nagios.nsca.secret=secret
    config -s config.system.nagios.nsca.interval=2
    config -s config.system.nagios.nsca.port=5650
    config -s config.system.nagios.nsca.user=User1
    config -s config.system.nagios.nsca.group=Group1
The following command will synchronize the live system with the new configuration:
    config -a
ADVANCED CONFIGURATION. Opengear console servers run the embe
183. ESTAMP This action was run. Check details: value AR_VAL vs trigger value AR_TRIGGER_VAL.
Send Email: Click on Send Email as the Add Trigger Action. Enter a unique Action Name and set the Action Delay Time. Specify the Recipient Email Address to send this email to and the Subject of the email. For multiple recipients you can enter comma separated addresses. Edit the Email Text message to send and click Save New Action. An SMS alert can also be sent via an SMTP (email) gateway. You will need to specify the Recipient Email Address in the format specified by the gateway provider (e.g. for T-Mobile it is phonenumber@tmomail.net).
Send SMS: Click on Send SMS as the Add Trigger Action. Enter a unique Action Name and set the Action Delay Time. Specify the Phone number that the SMS will be sent to in international format (without the ). Edit the Message Text to send and click Save New Action. Note: The SMS alert can only be sent if there is an internal or external USB cellular modem attached. However an SMS alert can also be sent via a SMTP SMS gateway as described above.
Perform RPC Action: Click on Perform RPC Action as the Add Trigger Action. Enter a unique Action Name and set the Action Delay Time. Select a power Outlet and specify the Action to be performed (power On, OFF or Cycle). Click Save New Action.
Run Custom Script: Click on
184. Edit on the Network Host to be monitored. [Screenshot: Nagios Settings with Enable Nagios, Host Name and Nagios Checks fields] Select Enable Nagios and specify the name of the device as it will appear on the upstream Nagios server. Click New Check to add a specific check which will be run on this host. Select Check Permitted TCP/UDP to monitor a service that you have previously added as a Permitted Service. Select Check TCP/UDP to specify a service port that you wish to monitor, but do not wish to allow external (SDT Connector) access to. Select Check TCP to monitor [Screenshot: Nagios Settings with a list of Nagios Checks (NRPE, Ping, Permitted TCP, Permitted UDP, TCP, UDP) and their arguments] The Nagios Check nominated as the check-host-alive check is the check used to determine whether the network host itself is up or down. Typically this will be Check Ping, although in some cases the host will be configured not to respond to pings. If no check-host-alive check is selected, the host will always be assumed to be up. You may deselect check-host-alive by clicking Clear check-host-alive. If required, customize the selected Nagios Checks to use custom arguments
185. Enter the SDT Nagios Address (from section 10.2.2) in Gateway Address. Enter the Username and Password (from 10.2.2) in Gateway Username and Password (in this example we used sdtnagiosuser). Close SDT Connector; it's not necessary to add any SDT Connector hosts. Now you can open your web browser and login to the SDT Nagios web UI on the central Nagios server. Select Service Detail from the Monitoring menu. Locate the row with the Windows IIS Server host, then the service check beginning with check_tcp_3339, and click the link to Connect via SDT. [Screenshot: Opengear Nagios Management Console in the browser, with a Remote Desktop session to the Windows server opened via SDT]
186. [Screenshot: uploaded OpenVPN files for the NorthStOutlet VPN tunnel: Root CA Certificate, Certificate File, Private Key File and Diffie Hellman File (no file available)] To enable OpenVPN, Edit the OpenVPN tunnel. [Screenshot: OpenVPN Tunnels table listing the NorthStOutlet VPN tunnel in Client mode, PKI (X.509) method, udp protocol, server 192.168.250.106:1194] Check the Enabled button. Apply to save changes. Note: Please make sure that the console server system time is correct when working with OpenVPN. Otherwise authentication issues may arise. [Screenshot: Edit OpenVPN Tunnel Details with Tunnel Name, Enabled, tun/tap driver, Protocol, Tunnel Mode, Configuration Method and Compression fields] Select Statistics on the Status menu to verify that the tunnel is operational. [Screenshot: Status > Statistics, Interfaces tab]
187. File will be a .crt file type. Private Key for the server and each client: this Private Key File will be a .key file type. Master Certificate Authority (CA) certificate and key which is used to sign each of the server and client certificates: this Root CA Certificate will be a .crt file type. For a server you may also need dh1024.pem (Diffie Hellman parameters). Refer to http://openvpn.net/easyrsa.html for a guide to basic RSA key management. For alternative authentication methods see http://openvpn.net/index.php/documentation/howto.html#auth. For more information also see http://openvpn.net/howto.html. Check or uncheck the Compression button to enable or disable compression, respectively. [Screenshot: Client Details with Primary Server Address 192.168.250.106, Primary Server Port, Secondary Server Address (optional) and Secondary Server Port fields] 4.10.2 Configure as Server or Client. Complete the Client Details or Server Details depending on the Tunnel Mode selected. If Client has been selected, the Primary Server Address will be the address of the OpenVPN Server. If Server has been selected, enter the IP Pool Network address and the IP Pool Network mask for the IP Pool. The network defined by the IP Pool Network address/mask is used to provide the addresses for connecting clients. Click Apply to save changes.
188. For example, if you have an IM4004-5 configured with a wireless LAN connection, the Wireless screen will display all the locally accessible wireless LANs, so you can see the SSID and the Encryption/Authentication settings to use for the particular access point you wish to connect to. Also, when you have successfully connected, the SSID of this access point will then be shown in the Wireless ESSID field of ra0 (the example below is not connected). [Screenshot: Status > Statistics, Wireless tab, showing the wireless interface details and a table of detected access points with Channel, SSID, BSSID, Encryption, Authentication, Signal Strength, Mode and Type columns] 12.3 Support Reports. The Support Report provides useful status information that will assist
189. Chapter 2 Installation. INSTALLATION. This chapter describes how to install the console server hardware and connect it to controlled devices. 2.1 Models. There are multiple families and models, each with a different number of network/serial/USB ports or power supply and wireless configurations.
[Model table, flattened in extraction. Recoverable columns: Model, Serial Ports, USB Ports, Network Ports, Console Port, Modem, Wireless, Environment Sensors, RJ pinout, Power. Surviving cells per row:]
    ACM5002 2 1 1 Temp probes 02 Ext AC DC
    ACM5004 Temp probes 02 Ext AC DC
    ACM5004 2 Temp probes 02 Ext AC DC
    ACM5003 M Temp probes 02 Ext AC DC
    ACM5003 W 802 11 Temp probes 02 Ext AC DC
    ACM5004 G GV 3G Cell Temp probes 02 Ext AC DC
    ACM5004 G I 3G Cell Temp & DI O 02 Ext AC DC
    ACM5004 2 Temp & DI O 02 Ext AC DC
    ACM5504 2 P 02 PoE
    ACM5504 5 G I 3G Cell 02 Ext AC DC
    ACM5508 2 02 Ext AC DC
    ACM5508 2 M Internal 02 Ext AC DC
    IM4248 2 DAC Internal Opt 00 01 02 Dual AC
    IM4248 2 DDC Internal Opt 00 01 02 Dual DC
    IM4232 2 DAC Internal Opt 00 01 02 Dual AC
    IM4232 2 DDC Internal Opt 00 01 02 Dual DC
    IM4216 2 DAC Internal Opt 00 01 02 Dual AC
    IM4216 2 DDC Internal Opt 00 01 02 Dual DC
    IM4208 2 DAC Internal Opt 00 01 02 Dual AC
    IM4208 2 DDC Internal Opt 00 01 02 Dual DC
    IM4216 34 DAC Internal Opt 02 Dual AC
    IM4004 5 External Ext Cell 00 Ext AC DC
    CM4148 SAC 00 Single AC
    CM4132 SAC
    CM4116 SAC
    CM4008
    CM4001
190. [Screenshot: static IP settings with IP Address, Subnet Mask, Gateway, Primary DNS, Secondary DNS and Media fields] In this mode, Network 2 (eth1) is available as the transparent back-up port to Network 1 (eth0) for accessing the management network. Network 2 will automatically and transparently take over the work of Network 1 in the event Network 1 becomes unavailable for any reason. Note: Only SSH access is enabled on the failover connection. However, in firmware versions later than 3.0.2, HTTPS access is also enabled. So the administrator can then SSH (or HTTPS) connect to the console server and fix the problem. By default the advanced console server supports automatic failure recovery back to the original state prior to failover (V3.1.0 firmware and later). The advanced console server continually pings probe addresses whilst in original and failover states. The original state will automatically be set as a priority and reestablished following three successful pings of the probe addresses during failover. The failover state will be removed once the original state has been re-established. Note
191. Is 0
    config -g config.users.total
This command should display config.users.total 1. Note that if you see config.users.total this means you have 0 Users configured. Your new User will be the existing total plus 1. So if the previous command gave you 0 then you start with user number 1; if you already have 1 user, your new user will be number 2, etc. To add a user (with Username John, Password secret and Description mySecondUser) issue the commands:
    config -s config.users.total=2    (assuming we already have 1 user configured)
    config -s config.users.user2.username=John
    config -s config.users.user2.description=mySecondUser
    config -P config.users.user2.password
NOTE: The -P parameter will prompt the user for a password and encrypt it. In fact, the value of any config element can be encrypted using the -P parameter, but only encrypted user passwords and system passwords are supported. If any other element value were to be encrypted, the value will become inaccessible and will have to be re-set. To add this user to specific groups (admin/users):
    config -s config.users.user2.groups.group1=groupname
    config -s config.users.user2.groups.group2=groupname2
    etc.
To give this user access to a specific port:
    config -s config.users.user2.port1=on
    config -s config.users.user2.port2=on
    config -s config.users.user2.port5=on
    etc.
To remove port access:
    config -s config.users.user2.port1=    (the value is left blank)
or
192. It is recommended that you use SSH as the protocol where the User or Administrator connects to the console server (or connects through the console server to the attached serial consoles) over the Internet or any other public network. This will provide authenticated SSH communications between the SSH client program on the remote user's computer and the console server, so the user's communication with the serial device attached to the console server is secure. For SSH access to the consoles on devices attached to the console server serial ports, you can use SDT Connector. You configure SDT Connector with the console server as a gateway, then as a host, and you enable SSH service on Port (3000 + serial port), i.e. 3001-3048. Chapter 6 (Secure Tunneling) has more information on using SDT Connector for SSH access to devices that are attached to the console server serial ports. Also you can use common communications packages, like PuTTY or SSHTerm, to SSH connect directly to port address IP Address _ Port (3000 + serial port), i.e. 3001-3048. Alternately SSH connections can be configured using the standard SSH port 22. The serial port being accessed is then identified by appending a descriptor to the username. This syntax supports any of: <username>:<portXX>, <username>:<port label>, <username>:<ttySX>, <username>:<serial>. So for a User named "fred" to access serial port 2, when setting up the SSHTerm o
193. [Screenshot: key generation options, including Generate DSA Keys] Next, you must select whether to generate keys using RSA and/or DSA (if unsure, select only RSA). Generating each set of keys will require approximately two minutes, and the new keys will destroy any old keys of that type that may previously have been uploaded. Also, while the new generation is underway on the master, functions relying on SSH keys (e.g. cascading) may stop functioning until they are updated with the new set of keys. To generate keys: Select RSA Keys and/or DSA Keys. Click Apply. [Screenshot: System > SSH Keys page reporting "Successfully generated rsa keys" with a "Click here to return" link] Once the new keys have been successfully generated, simply Click here to return and the keys will automatically be uploaded to the Master and connected Slaves. 4.6.2 Manually generate and upload SSH keys. Alternately, if you have a RSA or DSA key pair you can manually upload them to the Master and Slave console servers. Note: If you do not already have RSA or DSA key pair and you do not wish to use you will need to create a key pair using ssh-keygen, PuTTYgen or a similar tool as detailed in Chapter 15.6. To manually upload the key public and private key pair to the Master console server: Select System
194. L modem console port on the console servers using a computer or terminal device use the 319001 or 319003 adaptors with standard UTP Cat 5 cable To connect the LOCAL console ports to modems for out of band access use the 319004 adaptor with standard UTP Cat 5 cable Each Opengear console server is supplied with UTP Cat 5 cables Console Server amp Router User Manual 315 Connectivity TCP Ports amp Serial I O RS232 Standard Pinouts The RS232 pinout standards for the DB9 and DB25 connectors are tabled below DB25 SIGNAL DB9 DEFINITION 1 Protective Ground 2 TXD 3 Transmitted Data 3 RXD 2 Received Data 4 RTS 7 Request To Send 5 CTS 8 Clear To Send 6 DSR 6 Data Set Ready 7 GND 5 Signal Ground 8 CD 1 Received Line Signal Detector 9 Reserved for data set testing 10 Reserved for data set testing 11 Unassigned 12 SCF Secondary Revd Line Signal Detector 13 SCB Secondary Clear to Send 14 SBA Secondary Transmitted Data 15 DB Transmission Signal Timing 16 SBB Secondary Received Data 17 DD Receiver Signal Element Timing 18 Unassigned 19 SCA Secondary Request to Send 20 DTR 4 Data Terminal Ready 21 CG Signal Quality Detector 22 9 Ring Indicator 23 CH CI Data Signal Rate Selector 24 DA Transmit Signal Element Timing 29 Unassigned FEMALE MALE l l 25 pin DB25 TOENG 2S AD l l 9 pin DB9 GED z l 8 pin RJ45 i 316 Console Server amp RMM Gateway User Manual Connectors included in console server The CM4008 41 16 4148 IM4
195. License. 7. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Program at all. For example, if a patent license would not permit royalty-free redistribution of the Program by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program. If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply and the section as a whole is intended to apply in other circumstances. It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system, which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application o
196. Line Configuration Assume this is our second alert and we want to send alert emails to john@opengear.com and SMS's to peter@opengear.com: config s config alerts alert2 description MySecondAlert config s config alerts alert2 email john@opengear.com config s config alerts alert2 email2 peter@opengear.com To use NAGIOS to notify of this alert: config s config alerts alert2 nsca enabled on To use SNMP to notify of this alert: config s config alerts alert2 snmp enabled on Increment the total alerts: config s config alerts total 2 Below are the specific settings depending on the type of alert required. Connection Alert: To trigger an alert when a user connects to serial port 5 or network host 3: config s config alerts alert2 host3 host name config s config alerts alert2 port5 on config s config alerts alert2 sensor temp config s config alerts alert2 signal DSR config s config alerts alert2 type login Signal Alert: To trigger an alert when a signal changes state on port 1: config s config alerts alert2 port1 on config s config alerts alert2 sensor temp config s config alerts alert2 signal DSR DCD CTS config s config alerts alert2 type signal Pattern Match Alert: To trigger an alert if the regular expression 0 0 id is found in serial port 10's character stream: config s config alerts alert2 pattern 0 0 id config s config alerts alert2 port10 on config s
197. M The driver for this UPS model see the hardware compatibility list for details Click here to add additional drivers However for CM4001 8 and SD4001 2 8 models you will need to upload the driver you need from www opengear com download System Name cm4008 Model CM4008 Firmware 2 8 0p0 Ra O opPengear Uptime 3 days 21 hours 17 mins 23 secs Current User root Backup Log Out Serial amp Network UPS Drivers Serial amp Network Serial Port Current Drivers megatec Users amp Groups netxml ups Authentication snmp ups Network Hosts Trusted Networks J Cascaded Ports Upload Driver Browse UPS Connections Specify a valid NUT driver binary RPC Connections i Environmental Apply eed Mee cee Click New Options in Driver Options if you need to set driver specific options for your selected NUT driver and hardware combination more details at http Awww networkupstools org doc Driver Options Option Argument Console Server amp RMM Gateway User Manual User Manual gt Check Log Status and specify the Log Rate minutes between samples if you wish the status from this UPS to be logged These logs can then be viewed from the Status UPS Status screen gt f you have enabled Nagios services then you will presented with an option for Nagios monitoring Check Enable Nagios to enable this UPS to be monitored using Nagios central management RPC Status Environmental Statu
198. M4116 Firmware 2 9 0p0 0 opPengear Uptime 1 days 1 hours 33 mins 26 secs Current User root Log Out System SSL Certificates Serial amp Network Serial Port Common name Users amp Groups The full canonical name for this device Authentication 7 Network Hosts a Trusted Networks The group overseeing this device Cascaded Ports Organization UPS Connections RPC Connections Environmental Locality City Managed Devices The name of the organization to which the device belongs The City where the organization is located Alerts amp Logging State Province Port Log The State or Province where the organization is located Alerts Coun SMTP amp SMS i AD SNMP The country where the organization is located Email _ R The email address of a contact person for this device Administration SSL Certificates Challenge Configuration Backup An optional dependant on CA password Firmware IP Confirm Date amp Time Confirmation of the challenge password Dial Key Length 512 Services bits Length of generated key in bits Nagios Configure Dashboard Generate CSR To do this the console server must be enabled to generate a new cryptographic key and the associated Certificate Signing Request CSR that needs to be certified by a Certification Authority CA A certification authority verifies that you are the person who you claim you are an
199. NDITIONS FOR COPYING DISTRIBUTION AND MODIFICATION 0 This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License The Program below refers to any such program or work and a work based on the Program means either the Program or any derivative work under copyright law that is to say a work containing the Program or a portion of it either verbatim or with modifications and or translated into another language Hereinafter translation is included without limitation in the term modification Each licensee is addressed as you Activities other than copying distribution and modification are not covered by this License they are outside its scope The act of running the Program is not restricted and the output from the Program is covered only if its contents constitute a work based on the Program independent of having been made by running the Program Whether that is true depends on what the Program does 1 You may copy and distribute verbatim copies of the Program s source code as you receive it in any medium provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty keep intact all the notices that refer to this License and to the absence of any warranty and give any other recipients of the Program a copy of this License along with the Program Y
200. OT FAULT TOLERANT YOU HAVE INDEPENDENTLY DETERMINED HOW TO USE THE SOFTWARE IN THE DEVICE AND OPENGEAR HAS RELIED UPON YOU TO CONDUCT SUFFICIENT TESTING TO DETERMINE THAT THE SOFTWARE IS SUITABLE FOR SUCH USE LIMITED WARRANTY Opengear warrants the media containing the Software for a period of ninety 90 days from the date of original purchase from Opengear or its authorized retailer Proof of date of purchase will be required Any updates to the Software provided by Opengear which may be provided by Opengear at its sole discretion shall be governed by the terms of this EULA In the event the product fails to perform as warranted Opengear s sole obligation shall be at Opengear s discretion to refund the purchase price paid by you for the Software on the defective media or to replace the Software on new media Opengear makes no warranty or representation that its Software will meet your requirements will work in combination with any hardware or application software products provided by third parties that the operation of the software products will be uninterrupted or error free or that all defects in the Software will be corrected OPENGEAR DISCLAIMS ANY AND ALL OTHER WARRANTIES WHETHER EXPRESS OR IMPLIED INCLUDING WITHOUT LIMITATION ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OTHER THAN AS STATED HEREIN THE ENTIRE RISK AS TO SATISFACTORY QUALITY PERFORMANCE ACCURACY AND EFFORT IS WITH YOU ALSO THERE
201. Out System IP Network Interface Management LAN Interface Route Settings General Settings Interface Aggregation Disabled Bridge interfaces Configuration Backup 5 Bond interfaces i e Firmwar Enable aggregation of wired Ethernet interfaces IP Date amp Time Dial Enable IPv6 F Enable IPv6 for all interfaces Nagios A Configure Dashboard gt By default Interface Aggregation is Disabled on the System IP General Settings menu gt Select Bridge Interfaces or Bond Interfaces o When bridging is enabled network traffic is forwarded across all Ethernet ports with no firewall restrictions All the Ethernet ports are all transparently connected at the data link layer layer 2 so they do retain their unique MAC addresses o With bonding he network traffic is carried between the ports but they present with one MAC address o Both modes remove all the Management LAN Interface and Out of Band Failover Interface functions and disable the DHCP Server Console Server amp RMM Gateway User Manual 45 Chapter 3 Initial System Configuration gt In aggregation mode all the Ethernet ports are configured collectively using the Network Interface menu System Name im4216 Model IM4216 Firmware 3 5 2u1 Ra 0 opPengear Uptime 6 days 23 hours 34 mins 57 secs Current User root Backup Log Out System IP Network Interface General Settings Route Settings Alerts amp Logging IP Settings Networ
202. P amp SMS Save Settings SNMP Auto Response Logs Administration Ta Ae z 2 SSL Ce rtificates 2011 Sep 9 09 06 48 AR asdasd State Normal 7 6 5 Power device logging The console server also logs access and communications with network attached hosts and maintain a history of the UPS and PDU power status To activate and set the desired levels of logging for each serial Section 7 4 and or network port Section 7 5 and or power and environment UPS refer Chapter 8 Console Server amp RMM Gateway User Manual 167 Chapter 8 Power Environmental amp Digital I O POWER ENVIRONMENT amp DIGITAL I O Opengear console servers manage Remote Power Control devices RPCs including PDUs and IPMI devices and Uninterruptible Power Supplies UPSes They also monitor remote operating environments using Environmental Monitoring Devices EMDs and sensors and can provide digital I O control 8 1 Remote Power Control RPC The console server Management Console monitors and controls Remote Power Control RPC devices using the embedded PowerMan and Network UPS Tools open source management tools and Opengear s power management software RPCs include power distribution units PDUs and IPMI power devices Serial PDUs invariably can be controlled using their command line console so you could manage the PDU through the console server using a remote Telnet client Also you could use proprietary software tools no doubt supplied
203. PS However, once logged in they can reconfigure the console server settings (e.g. to enable HTTP/Telnet for future access). They can also access any of the connected Hosts or serial port devices using any of the services that have been enabled for these connections. But again, the Administrator can reconfigure the access services for any Host or serial port. So only trusted users should have Administrator access. 2. Membership of the user group provides the user with limited access to the console server and connected Hosts and serial devices. These Users can access only the Management section of the Management Console menu, and they have no command line access to the console server. They also can only access those Hosts and serial devices that have been checked for them, using services that have been enabled. 3. If a user is set up with pptpd, dialin, ftp or pmshell group membership, they will have restricted user shell access to the nominated managed devices, but they will not have any direct access to the console server itself. To add this, the users must also be a member of the users or admin groups. 4. The Administrator can also set up additional Groups with specific power device, serial port and host access permissions. However, users in these additional groups don't have any access to the Management Console menu, nor do they have any command line access to the console server itself. 5. The Administrator can also set up users with specific power device
204. Part 509107 ACM5504 2 P RMM Gateway Part 440016 2 x Cable UTP Cat5 blue Part 3190014 and Cisco Connector DB9F RJ45 straight and DB9F RJ45 3190015 cross over Part 4500 Power Supply 12VDC 1 0A Wall mount Part 539000 Quick Start Guide and CD ROM gt Unpack your ACM5000 kit and verify you have all the parts shown above and that they all appear in good working order The ACM5004 5 G V I also has an external 3G aerial to be attached Proceed to connect your ACM5500 to the network serial and USB ports of the controlled devices environmental monitors and AC power as shown below 2 2 Power Connection 2 2 1 IM4216 34 DAC IM4208 2 DAC IM4216 2 DAC IM4232 2 DAC and IM4248 2 DAC power These standard IM42xx and IM4216 34 console servers all have dual universal AC power supplies with auto failover built in These power supplies each accept AC input voltage between 100 and 240 VAC with a frequency of 50 or 60 Hz and the total power consumption per console server is less than 30W Two IEC AC power sockets are located at the rear of the metal case and these IEC power inlets use conventional IEC AC power cords Power cords for various regions are available although the North American power cord is provided by default There is a warning notice printed on the back of each unit A N To avoid electrical shock the power cord grounding conductor must be connected to ground 2 2 2 CM4116 SAC CM4132 SAC and CM4148 SAC power These
205. Platform Management Interface (IPMI) version 1.5 and version 2.0 specifications. IPMI is an open standard for monitoring, logging, recovery, inventory and control of hardware that is implemented independent of the main CPU, BIOS and OS. The service processor (or Baseboard Management Controller, BMC) is the brain behind platform management, and its primary purpose is to handle the autonomous sensor monitoring and event logging features. The ipmitool program provides a simple command line interface to this BMC. It features the ability to read the sensor data repository (SDR) and print sensor values, display the contents of the System Event Log (SEL), print Field Replaceable Unit (FRU) inventory information, read and set LAN configuration parameters, and perform remote chassis power control. SYNOPSIS ipmitool [-c|-h|-v|-V] -I open <command> ipmitool [-c|-h|-v|-V] -I lan -H <hostname> [-p <port>] [-U <username>] [-A <authtype>] [-L <privlvl>] [-a|-E|-P|-f <password>] [-o <oemtype>] <command> ipmitool [-c|-h|-v|-V] -I lanplus -H <hostname> [-p <port>] [-U <username>] [-L <privlvl>] [-a|-E|-P|-f <password>] [-o <oemtype>] [-C <ciphersuite>] <command> DESCRIPTION This program lets you manage Intelligent Platform Management Interface (IPMI) functions of either the local system via a kernel
206. [Screenshot: SNMP output from OG-STATUS-MIB listing per-port serial status values: ogSerialPortStatusPort, ogSerialPortStatusSpeed, ogSerialPortStatusDCD, ogSerialPortStatusDSR, ogSerialPortStatusCTS, ogSerialPortStatusRTS, ogSerialPortStatusRI]
207. Power On Off. Check Enable Dial Back in the Dial in Options menu to allow an out going dial back connection to be triggered by logging into this port. Enter the Dial Back Phone Number with the phone number to call back when the user logs in. Click Apply. The new user will now be able to access the Network Devices, Ports and RPC Outlets you nominated as accessible, plus, if the user is a Group member, they can also access any other device, port or outlet that was set up as accessible to the Group. There are no specific limits on the number of users you can set up, nor on the number of users per serial port or host. So multiple users (Users and Administrators) can control and monitor the one port or host. Similarly, there are no specific limits on the number of Groups, and each user can be a member of a number of Groups, in which case they take on the cumulative access privileges of each of those Groups. A user does not have to be a member of any Groups, but if the User is not even a member of the default user group then they will not be able to use the Management Console to manage ports. Note that while there are no specific limits, the time to re-configure does increase as the number and complexity increases, so we recommend the aggregate number of users and groups be kept under 250. The Administrator can also edit the access settings for any existing users: > Select Serial & Network: Users & Groups and click Edit for the User to be modified C
208. R5A PowerWare PDU 22 tcp ssh 0 RPC Edit Delete 23 tcp telnet 0 Administration 80 tcp http 0 Firmware 443 tcp https 0 IP 1494 tcp ica 0 Date amp Time 3389 tcp rdp 0 Dial 5900 tcp vnc 0 Services Access to this service will be logged DHCP Server gt Selecting Serial amp Network Network Hosts presents all the network connected Hosts that have been enabled for access and the related access TCP ports services gt Click Add Host to enable access to a new Host or select Edit to update the settings for existing Host opengear POPPE cya TONES SE Wile 17 sees Clavel Weer OA Serial amp Network Network Hosts Serial amp Network Serial Port IP Address DNS Users amp Groups Name Authentication Network Hosts Host Name Trusted Networks Cascaded Ports UPS Connections Description Notes RPC Connections Environmental The host s IP Address or DNS name A descriptive name for this host A brief description of the host Managed Devices Permitted Services 22 tcp ssh 0 23 tcp telnet 0 Alerts amp Logging 80 tcp http 0 Port Log 443 tcp https 0 soe SMTP amp SMS cp rcp SNMP 5900 tcp vnc 0 TCP Administration upP Port i z level 0 Disabled Date amp Time Dial The TCP services available from this host gt Enter the IP Address or DNS Name and a Host Name up to 254
209. RJ 45 jack Adapter for console server with Opengear classic pinout to Rackable Systems console 318 Console Server amp RMM Gateway User Manual For console servers with Cisco pinouts 319014 DB9F to RJ45 straight Console server with Cisco pinout to IP Power and other serial device 319015 DB9F to RJ45 DCE Adapter Console server with Cisco pinout to to X86 and other crossover 319016 DB9M to RJ45 straight DTE Adapter Console server with Cisco pinout to Netscreen and Dell 319004 DB9M to RJ45 straight DTE Adapter Console server OoB modem connection TCP UDP Port Numbers Port numbers are divided into three ranges Well Known Ports Registered Ports and Dynamic and or Private Ports Well Known Ports are those from 0 through 1023 Registered Ports are those from 1024 through 49151 Dynamic and or Private Ports are those from 49152 through 65535 Well Known Ports are assigned by IANA and on most systems can only be used by system processes or by programs executed by privileged users Table below shows some of the well known port numbers For more details please visit the IANA website http www iana org assignments port numbers Fort Protocol TCP UDP Number FTP File Transfer Protocol TCP SSH Secure Shell TCP TOP SMTP Simple Mail Transfer Protocol TCP RLP Resource Location Protocol UDP DNS UDP UDP S e S T me Y SP TOP TOP o o P SOS TCP TOP NNTP Network News Transfer Protocol TCP UDP 443 TOP Serial
210. Run Custom Script as the Add Trigger Action. Enter a unique Action Name and set the Action Delay Time. Create a script file to execute when this action is triggered and enter the Script Executable file name, e.g. /etc/config/action.sh. Set the Script Timeout (i.e. the maximum run time for the script). Leave as 0 for unlimited. Enter any Arguments that are to be passed to the script and click Save New Action. Send SNMP Trap: Click on Send SNMP Trap as the Add Trigger Action. Enter a unique Action Name and set the Action Delay Time. The SNMP Trap actions are valid for Serial, Environmental, UPS and Cellular data triggers only. Send Nagios Event: Click on Send Nagios Event as the Add Trigger Action. Enter a unique Action Name and set the Action Delay Time. Edit the Nagios Event Message text to display on the Nagios status screen for the service. Specify the Nagios Event State (OK, Warning, Critical or Unknown) to return to Nagios for this service. Click Save New Action. To notify the central Nagios server of Alerts, NSCA must be enabled under System: Nagios and Nagios must be enabled for each applicable host or port. Chapter 7 Alerts and Logging 7.4 Resolve Actions. Actions can also be scheduled to be taken when a trigger condition has been resolved. > For a nominated Auto Response with a defined trigger Check Condition, click on Add Resolve Action (e.g. Send Email or Run Custom Script) to s
211. Section 10 2 2 Set up distributed Opengear servers i Run the SDT for Nagios Configuration Wizard on the central Nagios server Section 10 2 3 Set up SDT Nagios on central Nagios server and perform any additional configuration tasks Console Server amp RMM Gateway User Manual 207 Chapter 10 Nagios Integration iv Install SDT Connector on each client Section 10 2 4 Set up clients 10 2 1 Set up central Nagios server SDT for Nagios requires a central Nagios server running Nagios 2 x or 3 x Nagios 1 x is not supported The Nagios server software is available for most major distributions of Linux using the standard package management tools Your distribution will have documentation available on how to install Nagios This is usually the quickest and simplest way to get up and running Note that you will need the core Nagios server package and at least one of the NRPE or NSCA add ons NSCA is required to utilize the alerting features of the Opengear distributed hosts installing both NRPE and NSCA is recommended You will also require a web server such as Apache to display the Nagios web UI and this may be installed automatically as a dependency of the Nagios packages Alternatively you may wish to download the Nagios source code directly from the Nagios website and build and install the software from scratch The Nagios website http www nagios org has several Quick Start Guides that walk through this process Once you are a
212. Chapter 14 Command Line Configuration. Add power device host: To add a UPS/RPC network host with the following details: IP address/DNS name 192.168.2.5, Host name remoteUPS, Description UPSroom3, Type UPS, Allowed services ssh port 22 and https port 443, Log level for services 0. Issue the commands below: config s config sdt hosts host4 address 192.168.2.5 config s config sdt hosts host4 name remoteUPS config s config sdt hosts host4 description UPSroom3 config s config sdt hosts host4 device type ups config s config sdt hosts host4 tcpports tcpport1 22 config s config sdt hosts host4 tcpports tcpport1 loglevel 0 config s config sdt hosts host4 udpports udpport2 443 config s config sdt hosts host4 udpports udpport2 loglevel 0 The loglevel can have a value of 0 or 1. The default services that should be configured are: 22/tcp (ssh), 23/tcp (telnet), 80/tcp (http), 443/tcp (https), 1494/tcp (ica), 3389/tcp (rdp), 5900/tcp (vnc). Add other network host: To add any other type of network host with the following details: IP address/DNS name 192.168.3.10, Host name OfficePC, Description MyPC, Allowed services ssh port 22, https port 443, log level for services 1. Issue the commands below. If the Host is not a PDU or UPS power device or a server with IPMI power control, then leave the device type blank: config s config sdt hosts host4 address 192.168.3.10 config s c
213. Terminal Server Mode Enable a TTY login for a local terminal attached to this serial port Terminal Type vt220 v The terminal standard to use on this serial port The getty will then configure the port and wait for a connection to be made An active connection on a serial device is usually indicated by the Data Carrier Detect DCD pin on the serial device being raised When a connection is detected the getty program issues a login prompt and then invokes the login program to handle the actual system login Note Selecting Terminal Server mode will disable Port Manager for that serial port so data is no longer logged for alerts etc 4 1 6 Serial Bridging Mode With serial bridging the serial data on a nominated serial port on one console server is encapsulated into network packets and then transported over a network to a second console server where is then represented as serial data So the two console servers effectively act as a virtual serial cable over an IP network One console server is configured to be the Server The Server serial port to be bridged is set in Console Server mode with either RFC2217 or RAW enabled as described in Chapter 4 1 2 Console Server Mode For the Client console server the serial port to be bridged must be set in Bridging Mode Serial Bridge Settings Serial Bridging O Mode Create a network connection to a remote serial port via RFC 221L7 Server address The network address of an RPC 2217
214. The portmanager has the ability to execute external scripts on certain events. When a port is opened by the portmanager: When the portmanager opens a port, it attempts to execute /etc/config/scripts/portXX.init (where XX is the number of the port, e.g. 08). The script is run with STDIN and STDOUT both connected to the serial port. If the script cannot be executed, then portmanager will execute /etc/config/scripts/portXX.chat via the chat command on the serial port. When an alert occurs on a port: When an alert occurs on a port, the portmanager will attempt to execute /etc/config/scripts/portXX.alert (where XX is the port number, e.g. 08). The script is run with STDIN containing the data which triggered the alert, and STDOUT redirected to /dev/null, NOT to the serial port. If you wish to communicate with the port, use pmshell or pmchat from within the script. If the script cannot be executed, then the alert will be mailed to the address configured in the system administration section. When a user connects to any port: If a file called /etc/config/pmshell-start.sh exists, it is run when a user connects to a port. It is provided 2 arguments, the Port number and the Username. Here is a simple example: </etc/config/pmshell-start.sh> #!/bin/sh PORT="$1" USER="$2" echo "Welcome to port $PORT $USER" </etc/config/pmshell-start.sh> The return value from the script controls whether the user is accepted or not i
215. USING THE ACCOMPANYING SOFTWARE THE USE OF WHICH IS LICENSED FOR USE ONLY AS SET FORTH BELOW IF YOU DO NOT AGREE TO THE TERMS AND CONDITIONS OF THIS AGREEMENT DO NOT USE THE SOFTWARE IF YOU USE ANY PART OF THE SOFTWARE SUCH USE WILL INDICATE THAT YOU ACCEPT THESE TERMS You have acquired a product that includes Opengear Opengear proprietary software and or proprietary software licensed to Opengear This Opengear End User License Agreement EULA is a legal agreement between you either an individual or a single entity and Opengear for the installed software product of Opengear origin as well as associated media printed materials and online or electronic documentation Software By installing copying downloading accessing or otherwise using the Software you agree to be bound by the terms of this EULA If you do not agree to the terms of this EULA Opengear is not willing to license the Software to you In such event do not use or install the Software If you have purchased the Software promptly return the Software and all accompanying materials with proof of purchase for a refund Products with separate end user license agreements that may be provided along with the Software are licensed to you under the terms of those separate end user license agreements LICENSE GRANT Subject to the terms and conditions of this EULA Opengear grants you a nonexclusive right and license to install and use the Software on a single
216. User Interface and serial port access but limited console access gt Default groups available on the console server include admin for administrator access and users for general user access Console Server amp RMM Gateway User Manual 197 Chapter 9 Authentication TomFraser Cleartext Password FraTom70 Framed Filter ld group_name admin AmandaJones Cleartext Password JonAma8g3 FredWhite Cleartext Password WhiFre62 Framed Filter ld group_name testgroup1 users JanetLong Cleartext Password LonJan57 Framed Filter Id group_name admin gt Additional local groups such as testgroup1 can be added via Users amp Groups Serial amp Network Add a New group sata testgroup 1 A group with predefined privileges the user will belong to Description A brief description of the groups role Accessible Hast s ubuntu ntp ubuntu com baytech 192 169 254 245 Accessible Portis Salet Unselect all Ports Cl Port 1 F Port 2 F Port 3 Accessible RPC Outlet s baytech Salat Unselect all outlets Outlet 1 Outlet 2 Outlet 2 Outlet 4 Outlet 5 Outlet 6 Outlet 7 Outlet 3 Caeci 9 1 8 Remote groups with LDAP authentication Unlike RADIUS LDAP has built in support for group provisioning which makes setting up remote groups easier The console server will retrieve a list of all the remote groups that the user is a direct member of and compare their names with local g
217. _description Host Ping service_description NRPE Daemon execution_failure_criteria W U C SSH Port define command command_name_ check_conn_via_opengear command_line USER1 check_nrpe H 192 168 254 147 p 5666 c host_SHOSTNAME ARG1 _ ARG2 define service service_description SSH Port host_name server Console Server amp Router User Manual 219 use check_command define service service_description generic service check_conn_via_opengear tcp 22 host port tcp 22 server host port lt protocol gt lt port gt lt host gt host_name use check_command active_checks_enabled 0 passive_checks_enabled define servicedependency name host_name dependent_host_name dependent_service_description service_description execution_failure_criteria server generic service check_conn_via_opengear tcp 22 1 opengear_nrpe_daemon_dep opengear server SSH Port NRPE Daemon W U C Chapter 10 Nagios Integration j 10 4 2 Basic Nagios plug ins Plug ins are compiled executables or scripts that can be scheduled to be run on the console server to check the status of a connected host or service This status is then communicated to the upstream Nagios server which uses the results to monitor the current status of the distributed network Each console server is preconfigured with a selection of the checks that are part of the Nagios plug ins package check_tcp and check_udp are used to check ope
218. able for IM4200 G with an internal cellular modem The NMEA data stream presents on ports 9 17 33 49 for the IM4208 16 32 48 models However GPS support is not available for devices with an externally attached cellular modem 4 2 Add Edit Users The Administrator uses this menu selection to set up edit and delete users and to define the access permissions for each of these users System Name im4216 Model IM4216 Firmware 3 5 2u1 oOopPengear Uptime 0 days 23 hours 21 mins 57 secs Current User root ha Backup Log Out Serial amp Network Users amp Groups Serial amp Network Serial Port Users amp Groups Name Description Authentication Network Hosts admin Provides users with unlimited configuration and management privileges Trusted Networks IPsec VPN pptpd Group to allow access to the PPTP VPN server Users in this group will have OpenVPN their password stored in clear text PPTP VPN Call Home dialin Group to allow dialin access via modems Users in this group will have their Cascaded Ports password stored in clear text UPS Connections RPC Connections ftp Group to allow ftp access and file access to storage devices Environmental Managed Devices pmshell Group to set default shell to pmshell Alerts amp Logging users Provides users with basic management privileges pete _Add Group Auto Response Add Group SMTP amp SMS SNMP Users Username Group Descriptio
219. active 32 port Management LAN Ethernet 1 32 switch plus have Network 2 configured for OoB or Failover e The IM4004 5 and AM5504 5 G I similarly is normally be configured with an active Management LAN This can be a 4 port ETH1 4 Management LAN switch or a 3 port ETH2 4 switch with ETH 1 configured for OoB Failover INMl4216 34 or IM4004 5 NETWORK 1 Operations Eth 1 32 or 2 4 network Met LAN NETWORK 2 OoB or Failover Serially connected consoles The above Management LAN features are all disabled by default To configure the Management LAN gateway gt Select the Management LAN Interface page on the System IP menu and uncheck Disable gt Configure the IP Address and Subnet Mask for the Management LAN but leave the DNS fields blank gt Click Apply System Name img4004 5 Model IMG4004 5 Firmware 2 7 0p1 opengear Uptime 0 days 23 hours 18 mins 49 secs Current User admin System IP Serial Port Network Interface Management LAN Out of Band Failover General Settings Users amp Groups Interface Interface Authentication Network Hosts Disable F gt Deactivate this network interface UPS Connections RPC Connections Environmental IP Settings Management LAN Currently Disabled Managed Devices z 9 Configuration DHCP Method Static The mechanism to acquire IP settings IP Address A statically assigned IP address System Subnet Mask Administrati
220. address address range to match This may be left blank IP address ranges use the format ip netmask where netmask is in bits 1 32 Administration SSL Certificates Destination Configuration Backup Address Address Firmware Range The destination IP address address range to match This may be left blank IP IP address ranges use the format ip netmask where netmask is in bits 1 32 Date amp Time Dial Protocol TCP s ia The protocol of the data Configure Dashboard s i Direction Ingress Port Access Active Users Statistics Support Report Syslog LIDS Gotic The direction of the data that the rule applies to Action Block The action to undertake Note Prior to firmware V3 4 this tab was labeled Port Rules and fewer firewall rules could be configured gt Click New Firewall Rule gt Fill in the following fields Name Interface Port Range Source MAC address Source Address Range Destination Range Protocol Direction Action Name the rule This name should describe the policy the firewall rule is being used to implement e g block ftp Allow Tony Select the interface that the firewall rule will be applied to i e Any Dialout Cellular VPN Network Interface Dial in etc Specify the Port or range of Ports e g 1000 1500 that the rule will apply to This may be left blank for Any Specify the source MAC address to be matched This may be
221. address which will appear on the sent email Username If this server requires authentication specify the username Password If this server requires authentication specify the password Confirm Re enter the password Subject Line If this server requires a specific subject line specify it here Apply Settings In the SMTP Settings field in the Alerts amp Logging SMTP amp SMS menu select SMS Gateway An SMS via Email Gateway field will appear Enter the IP address of the outgoing mail Server SMS gateway Select a Secure Connection if applicable and specify the SMTP port to be used if other than the default port 25 You may also enter a Sender email address which will appear as the from address in all email notifications sent from this console server Some SMS gateway service providers only forward email to SMS when the email has been received from authorized senders So you may need to assign a specific authorized email address for the console server You may also enter a Username and Password as some SMS gateway service providers use SMTP servers which require authentication Console Server amp RMM Gateway User Manual 161 Chapter 7 Alerts and Logging gt Similarly you can specify the specific Subject Line that will be sent with the email Generally the email subject will contain a truncated version of the alert notification message which is contained in full in the body of the email However some SMS g
222. ails in the Description field The User Name can contain from 1 to 127 alphanumeric characters however you can also use the special characters _ and There are no restrictions on the characters that can be used in the user Password which can each contain up to 254 characters However only the first eight Password characters are used to make the password hash Specify which Group or Groups you wish the user to be a member of Check specific Accessible Hosts and or Accessible Ports to nominate the serial ports and network connected hosts you wish the user to have access privileges to Accessible Host s DHCP Server Nagios Services Port Access 192 168 0 100 LinuxT1 Ubuntu test server 192 168 0 54 PDU R3C Baytech PDU Rack3C 192 168 252 31 PDU R4A Baytech PDU Rack4A 192 168 0 34 Powerpack Main TrippLite UPS gt Note Active Users Statistics Support Report Syslog UPS Status RPC Status Environmental Status Explicitly allow connections to hosts Accessible Port s Manage Select Unselect all Ports Devices Port 1 Port 2 Port 3 Port 4 Port Logs Host Logs Power _ Accessible RPC Outlet s PDD R3A Select Unselect all outlets Outlet 1 Outlet 2 Outlet 3 Outlet 4 Outlet 5 Outlet 6 Outlet 7 Outlet 8 If there are configured RPCs you can check Accessible RPC Outlets to specify which outlets the user is able to control i e
223. al Monitoring EMD devices Serial Port Redirection using the PortShare windows and Linux clients Managed Devices presents a consolidated view of all the connections IPSec enabling VPN connection OpenVPN PPTP 4 1 Configure Serial Ports The first step in configuring a serial port is to set the Common Settings such as the protocols and the RS232 parameters that are to be used for the data connection to that port e g baud rate Then you select what mode the port is to operate in Each port can be set to support one of five operating modes 1 Console Server mode is the default and this enables general access to serial console port on the serially attached devices 2 Device mode sets the serial port up to communicate with an intelligent serial controlled PDU UPS or Environmental Monitor Devices EMD SDT mode enables graphical console access with RDP VNC HTTPS etc to hosts that are serially connected Terminal Server mode sets the serial port to await an incoming terminal login session 50 Console Server amp RMM Gateway User Manual User Manual 5 Serial Bridge mode enables the transparent interconnection of two serial port devices over a network System Name img4216 25 Model IMG4216 25 Firmware 3 2 1 Ra 0 Uptime 0 days 0 hours 17 mins 39 secs Current User root Backup Log Out opPengear Serial amp Network Serial Port Serial amp Network Serial Port Ports 1 8 Ports 9 16
224. ame as given to the RPC will be created The console server will then configure the RPC with the number of outlets specified in the selected RPC Type or will query the RPC itself for this information Opengear's console servers support the majority of the popular network and serial PDUs If your PDU is not on the default list then support can be added directly as covered in Chapter 14 Advanced Configurations or by having the PDU support added to either the Network UPS Tools or PowerMan open source projects IPMI service processors and BMCs can be configured so all authorized users can use the Management Console to remotely cycle power and reboot computers even when their operating system is unresponsive To set up IPMI power control the Administrator first enters the IP address domain name of the BMC or service processor e g a Dell DRAC in Serial & Network Network Hosts then in Serial & Network RPC Connections specifies the RPC Type to be IPMI 1.5 or 2.0 Console Server & RMM Gateway User Manual 171 Chapter 8 Power Environmental & Digital I O 8.1.2 RPC access privileges and alerts You can now set PDU and IPMI alerts using Alerts & Logging Alerts refer Chapter 7 You can also assign which user can access and control which particular outlet on each RPC using Serial & Network User & Groups refer Chapter 4 8.1.3 User power management The Power Manager enables both Users and Administrators to access a
225. amp Network Network Interface Management LAN Interface General Settings Route Settings Route Settings Administration Route Name New Route SSL Certificates Configuration Backup Meaningful name for the Route Firmware Destination gt I Network Host The destination network host that the route provides access to Destination netmask DHCP Server 24 Nagios The netmask of the destination network Configure Dashboard A number in the range 0 32 Route Gateway The IP address of a router that will route packets to the destination network Metric 0 The route metric which represents the cost of routing packets via this route Lower metric routes will be used in preference to higher metric routes Apply To add to the static route to the route table of the system gt gt 48 Select the Route Settings tab on the System IP General Settings menu Enter a meaningful Route Name for the route In the Destination Network Host field enter the IP address of the destination network host that the route provides access to Enter a value in the Destination netmask field that identifies the destination network or host Any number between 0 and 32 A subnet mask of 32 identifies a host route Console Server amp RMM Gateway User Manual User Manual gt Enter Route Gateway with the IP address of a router that will route packets to the destination network gt Enter a value in the Metric field that represents the metric of th
226. ands to build a specialized firewall. This firewall script will be run whenever the LAN interface is brought up (including initially) and will override any automated system firewall settings. Below is a simple example of a custom script which creates a firewall using the iptables command. Only incoming connections from computers on a C class network 192.168.10.0 will be accepted when this script is installed at /etc/config/filter-custom. Note that when this script is called any preexisting chains and rules have been flushed from iptables.

    #!/bin/sh
    # Set default policies to drop any incoming or routable traffic
    # and blindly accept anything from the 192.168.10.0 network.
    iptables --policy FORWARD DROP
    iptables --policy INPUT DROP
    iptables --policy OUTPUT ACCEPT
    # Allow responses to outbound connections back in.
    iptables --append INPUT --match state --state ESTABLISHED,RELATED --jump ACCEPT
    # Explicitly accept any connections from computers on 192.168.10.0/24
    iptables --append INPUT --source 192.168.10.0/24 --jump ACCEPT

There's good documentation about using the iptables command at the Linux netfilter website http://netfilter.org/documentation/index.html. There are also many high quality tutorials and HOWTOs available via the netfilter website; in particular peruse the tutorials listed on the netfilter HOWTO page. 15.5 SNMP Status Reporting All console servers contain an SNMP Service (snmpd) as well which can provide s
227. anual and Quick Start for details on installation and operation PortShare for Linux The PortShare driver for Linux maps the console server serial port to a host tty port Opengear has released the portshare serial client as an open source utility for Linux AIX HPUX SCO Solaris and UnixWare This utility can be freely downloaded from the ftp site This PortShare serial port redirector allows you to use a serial device connected to the remote console server as if it were connected to your local serial port The portshare serial client creates a pseudo tty port connects the serial application to the pseudo tty port receives data from the pseudo tty port transmits it to the console server through network and receives data from the console server through network and transmits it to the pseudo tty port 70 Console Server amp RMM Gateway User Manual User Manual The tar file can be freely downloaded from the ftp site Refer to the PortShare User Manual and Quick Start for details on installation and operation 4 8 Managed Devices Managed Devices presents a consolidated view of all the connections to a device that can be accessed and monitored through the console server To view the connections to the devices gt Select Serial amp Network Managed Devices System Name img4004 5 Model IMG4004 5 Firmware 2 7 0p1 opengedf Uptime 0 days 2 hours 0 mins 10 secs Current User root Serial amp Network Managed Devices Serial
228. any it with a written offer valid for at least three years to give any third party for a charge no more than your cost of physically performing source distribution a complete machine readable copy of the corresponding source code to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange or c Accompany it with the information you received as to the offer to distribute corresponding source code This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer in accord with Subsection b above The source code for a work means the preferred form of the work for making modifications to it For an executable work complete source code means all the source code for all modules it contains plus any associated interface definition files plus the scripts used to control compilation and installation of the executable However as a special exception the source code distributed need not include anything that is normally distributed in either source or binary form with the major components compiler kernel and so on of the operating system on which the executable runs unless that component itself accompanies the executable If distribution of executable or object code is made by offering access to copy from a designated place then offering equivalent access to copy the source code from the same place counts
229. apter 12 11.1 System Administration and Reset The Administrator can reboot or reset the gateway to default settings A soft reset is effected by > Selecting Reboot in the System Administration menu and clicking Apply FIPS Mode Devices Enable FIPS mode on boot changing requires safe reboot Port Logs Host Logs Reboot Power Safely reboot the device Terminal Apply The console server reboots with all settings e g the assigned network IP address preserved However this soft reset does disconnect all users and ends any SSH sessions that had been established A soft reset will also be effected when you switch OFF power from the console server and then switch the power back ON However if you cycle the power and the unit is writing to flash you could corrupt or lose data so the software reboot is the safer option A hard erase hard reset is effected by > Pushing the Erase button on the rear panel twice A ball point pen or bent paper clip is a suitable tool for performing this procedure Do not use a graphite pencil Depress the button gently twice within a couple of seconds while the unit is powered ON This will reset the console server back to its factory default settings and clear the console server's stored configuration information i e the IP address will be reset to 192.168.0.1 You will be prompted to log in and must enter the default administration username and administratio
230. as it is configured Features such as Syslog and NFS logging use the system time for time stamping log entries while certificate generation depends on a correct Timestamp to check the validity period of the certificate System Name acm5003 m Model ACM5003 M Firmware 3 3 2 E 3 Uptime 1 days 0 hours 11 mins 40 secs Current User root opengear Backup Log Out System Date amp Time Serial amp Network Current System time 00 56 10 Dec 15 2010 Serial Port Users amp Groups Jime zone Authentication Time Zone c a Saba tate Africa Abidjan x Trusted Networks Select your timezone IPsec VPN OpenVPN Set Timezone Call Home Cascaded Ports UPS Connections RPC Connections Environmental Managed Devices Date and Time Alerts amp Logging Hai 2000 Port Log Alerts Month January x SMTP amp SMS SNMP Day 01 i Hour 01 Administration z SSL Certificates Minute Configuration Backup 01 x Firmware IP Set Time Date amp Time Dial Firewall DHCP Server Nagios Configure Dashboard Network Time Protocol I O Ports Enable NTP F Enable Network Time Protocol Support Port Access Server Active Users akii Statistics Specify the address of the remote NTP Server Support Report Syslog UPS Status Apply Settings gt Select the System Date amp Time menu option gt Manually set the Year Month Da
231. ask A statically assigned gateway A statically assigned primary name server A statically assigned secondary name server Auto The Ethernet media type Disabled Configure a DHCP server for this interface Secondary address or comma separated list of addresses in CIDR notation e g 192 168 1 1 24 gt If you selected DHCP the console server will look for configuration details from a DHCP server This selection automatically disables any static address The console server MAC address can be found on a label on the base plate 34 Console Server amp RMM Gateway User Manual User Manual Note Note 3 3 1 In its factory default state with no Configuration Method selected the console server has its DHCP client enabled so it automatically accepts any network IP address assigned by a DHCP server on your network In this initial state the console server will then respond to both its Static address 192 168 0 1 and its newly assigned DHCP address You may also enter a secondary address or comma separated list of addresses in CIDR notation e g 192 168 1 1 24 as an IP Alias By default the console server LAN port auto detects the Ethernet connection speed However you can use the Media menu to lock the Ethernet to 10 Mb s or 100Mb s and to Full Duplex FD or Half Duplex HD If you have changed the console server IP address you may need to reconfigure your computer so it has an IP address that is in the same network rang
232. at work are not derived from the Program and can be reasonably considered independent and separate works in themselves then this License and its terms do not apply to those sections when you distribute them as separate works But when you distribute the same sections as part of a whole which is a work based on the Program the distribution of the whole must be on the terms of this License whose permissions for other licensees extend to the entire whole and thus to each and every part regardless of who wrote it Thus it is not the intent of this section to claim rights or contest your rights to work written entirely by you rather the intent is to exercise the right to control the distribution of derivative or collective works based on the Program In addition mere aggregation of another work not based on the Program with the Program or with a work based on the Program on a volume of a storage or distribution medium does not bring the other work under the scope of this License 3 You may copy and distribute the Program or a work based on it under Section 2 in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following a Accompany it with the complete corresponding machine readable source code which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange or b Accomp
233. ateway service providers require blank subjects or require specific authentication headers to be included in the subject line > Click Apply Settings to activate SMS SMTP connection SMS via Cellular Modem To use an attached or internal cellular modem for SMS the Administrator must enable SMS Note SMS Settings SMS Gateway Use an external SMS gateway Cellular Modem Use an attached or internal Cellular Modem SMS via Cellular Modem Receive Messages Allows you to trigger custom alerts via SMS commands SMS Message Centre This is the phone number of the SMS Message Centre SMSC Only set this if asked to by support Apply Settings Select Cellular Modem In the SMS Settings field Check Receive Messages to enable incoming SMS messages to be received A custom script will be called on receipt of incoming SMS messages You may need to enter the phone number of the carrier's SMS Message Centre only if advised by your carrier or Support Click Apply Settings to activate SMS SMTP connection The option to directly send SMS alerts via the cellular modem was included in the Management GUI in V3.4 Advanced console servers have had the gateway software SMS Server Tools 3 embedded since V3.1 however this could only be accessed from the command line to send SMS messages refer online FAQ 7.5.3 Send SNMP Trap alerts The Administrator can configure the Simple Network Management Protocol SNMP agent that resides on the
234. ather than use a browser and the Management Console this chapter describes using command line access and the config tool to manage the console server and configure the ports etc The config documentation in this chapter walks through command line configuration to deliver the functions provided otherwise using the Management Console GUI For advanced and custom configurations and for details using other tools and commands refer to the next chapter When displaying a command the convention used in the rest of this chapter is to use single quotes for user defined values e g descriptions and names Element values without single quotes must be typed exactly as shown After the initial section on accessing the config command the menu items in this document follow the same structure as the menu items in the web GUI 14.1 Accessing config from the command line The console server runs a standard Linux kernel and embeds a suite of open source applications So if you do not want to use a browser and the Management Console tools you are free to configure the console server and to manage connected devices from the command line using standard Linux and Busybox commands and applications such as ifconfig gettyd stty powerman nut etc However without care these configurations may not withstand a power cycle reset or reconfigure So Opengear provides a number of custom command line utilities and scripts to make it simple to configure the console serv
235. ation 15.2 Advanced Portmanager Opengear's portmanager program manages the console server serial ports It routes network connection to serial ports checks permissions and monitors and logs all the data flowing to from the ports 15.2.1 Portmanager commands pmshell The pmshell command acts similar to the standard tip or cu commands but all serial port access is directed via the portmanager Example To connect to port 8 via the portmanager pmshell -l port08 pmshell Commands Once connected the pmshell command supports a subset of the escape commands that tip cu support For SSH you must prefix the escape with an additional command i e use the escape send Break Typing the character sequence b will generate a BREAK on the serial port if you're doing this over ssh you'll need to type b History Typing the character sequence h will generate a history on the serial port Quit pmshell Typing the character sequence will exit from pmshell Set RTS to 1 run the command pmshell rts 1 Show all signals pmshell signals DSR 1 DTR 1 CTS 1 RTS 1 DCD 0 Read a line of text from the serial port pmshell getline Note V3.5.2 and later firmware includes pmshell chooser escape command so you can now hit m from connected serial port to drop back to pmshell pmchat The pmchat command acts similar to the standard chat command but all serial port access is directed via the portmanager
236. ational > Select the System Dial menu option and the port to be configured Serial DB9 Port or PC Card or Internal Modem Port > Select the Baud Rate and Flow Control that will communicate with the modem Note You can further configure the console modem port e g to include modem init strings by editing etc mgetty config files as described in the Chapter 13 Advanced > Check the Enable Dial Out Access box and enter the access details for the remote PPP server to be called Override DNS is available for PPP Devices such as modems Override DNS allows the use of alternate DNS servers from those provided by your ISP For example an alternative DNS may be required for OpenDNS used for content filtering > To enable Override DNS check the Override returned DNS Servers box Enter the IP of the DNS servers into the spaces provided 98 Console Server & RMM Gateway User Manual User Manual opengear System Name acm5002 Model ACM5002 Firmware 3 4 0u1 Ra O Uptime 0 days 0 hours 7 mins 15 secs Current User root Backup Log Out System Dial Serial Port Serial Console Port 1 Internal Cellular Modem Users & Groups Authentication Internal Cellular Modem Dial Settings Network Hosts Trusted Networks Disable Dial IPsec VPN Disable modem communication OpenVPN Call Home Enable Dial In Cascaded Ports Allow incoming modem communication UPS Connections RP
237. atus RPC Status Environmental Status Dashboard Devices Port Logs Host Logs Power Terminal System Name acm5004 2 Model ACM5004 2 Firmware 3 5 1b0 SNMP Service Details Manager Protocol Manager Address Manager Trap Port Version SNMP vi amp v2c Community SNMP v3 Engine ID Security Level Username Auth Protocol Auth Password Confirm Password Privacy Protocol Privacy Password Confirm Password a Backup Log Out Uptime 0 days 0 hours 25 mins 59 secs Current User root Alerts amp Logging SNMP Primary SNMP Manager Secondary SNMP Manager UDP The transport protocol to use to connect to the SNMP Manager The address of the SNMP Manager to receive traps 162 The TCP UDP port number to send SNMP traps to The SNMP protocol to use for traps The SNMP Community to use for traps The SNMPv3 Engine ID for the trap manager noAuthNoPriv authNoPriv authPriv The SNMPv3 Security Level authPriv i recommended for enforcing both authentication and encryption The SNMPv3 user to send traps as SHA The SNMPv3 authentication protocol The SNMPv3 users authentication password Confirm the SNMPv3 users authentication password DES The SNMPv3 encryption protocol The SNMPv3 encryption password Confirm the SNMPv3 encryption password Select the Manager Protocol SNMP is generally a UDP based protocol though
238. ault is log level 2 default is 0 Shell power command menu Enabled RFC2217 access Enabled Limit pot to 1 connection Enabled SSH access Enabled TCP access Enabled telnet access Disabled Unauthorized telnet access Disabled contig s contig ports port5 delay 100 config s config ports port5 escapechar contig s contig ports port5 loglevel 2 contig s contig ports port5 powermenu on config s config ports port5 rfc2217 on config s config ports port5 singleconn on config s config ports port5 ssh on config s conftig ports port5 tcp on config d config ports port5 telnet config d config ports port5 unauthtel Device Mode For a device mode port set the port type to either ups rpc or enviro contig s conftig ports port5 device type ups roc enviro For port 5 as a UPS port contig s contig ports port5 mode reserved For port 5 as an RPC port config s config ports ports mode powerman For port 5 as an Environmental port contig s conftig ports port5 mode reserved Console Server amp Router User Manual 241 Chapter 14 Command Line Configuration SDT mode To enable access over SSH to a host connected to serial port 5 config s config ports port5 mode sat contig s config ports port5 sdt ssh on To configure a username and password when accessing this port with Username user1 and Password secret config s contig ports port sdt username user 1 config s conftig ports port sd
239. ay User Manual LIMITATION OF LIABILITY No action regardless of form arising from this warranty may be brought by either party more than two 2 years after the cause of action has occurred Purchaser expressly agrees that Opengear s liability if any shall be limited solely to the replacement or repair of the product in accordance with the warranties specifically and expressly set forth herein The remedies of the Purchaser are the exclusive and sole remedies available and in the event of a breach or repudiation of any provision of this agreement by Opengear the Purchaser shall not be entitled to receive any incidental damages as that term is defined in Section 2 715 of the Uniform Commercial Code Opengear waives the benefit of any rule that disclaimer of warranty shall be construed against Opengear and agrees that such disclaimers herein shall be construed liberally in favor of Opengear THE FOREGOING WARRANTIES ARE THE SOLE AND EXCLUSIVE WARRANTIES GIVEN IN CONNECTION WITH THE PRODUCT AND THE HARDWARE OPENGEAR DISCLAIMS ALL OTHER WARRANTIES EXPRESS OR IMPLIED INCLUDING WITHOUT LIMITATION ANY WARRANTIES AS TO THE SUITABILITY OR MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS OPENGEAR DOES NOT PROMISE THAT THE PRODUCT IS ERROR FREE OR WILL OPERATE WITHOUT INTERRUPTION IN NO EVENT SHALL OPENGEAR BE LIABLE FOR ANY LOST OR ANTICIPATED PROFITS OR ANY INCIDENTAL EXEMPLARY SPECIAL OR CONSEQUENTIAL
240. be found at http://linux.die.net/man/5/powerman.dev The Network UPS Tools (NUT) project has recently moved on from its UPS management origins to also cover SNMP PDUs and embrace PowerMan. Opengear progressively includes the updated PowerMan and NUT build into the console server firmware releases. The second path is to directly add support for the new RPC devices, or to customize the existing RPC device support, on your particular console server. The Manage Power page uses information contained in /etc/powerstrips.xml to configure and control devices attached to a serial port. The configuration also looks for and loads /etc/config/powerstrips.xml if it exists. The user can add their own support for more devices by putting definitions for them into /etc/config/powerstrips.xml. This file can be created on a host system and copied to the Management Console device using scp. Alternatively, log in to the Management Console and use ftp or wget to transfer files. Here is a brief description of the elements of the XML entries in /etc/config/powerstrips.xml

    <powerstrip>
    <id>Name or ID of the device support</id>
    <outlet port="port-id-1">Display Port 1 in menu</outlet>
    <outlet port="port-id-2">Display Port 2 in menu</outlet>
    <on>script to turn power on</on>
    <off>script to power off</off>
    <cycle>scr
241. ble this internal sensor Cascaded Ports A descriptive name for the environmental monitor UPS Connections RPC Connections Connected Via internal Environmental i A Managed Devices Specify the serial port for the environmental monitor Description Alerts amp Logging on A brief description for the environmental monitor Port Log Alerts Temperature Offset SMTP amp SMS 0 SNMP Fine tuning adjustment for the Temperature Sensor Saran Alarm 1 Label alarm1 Administration A label for this environmental monitor alarm e g Door Open SSL Certificates Configuration Backup Alarm 2 Label alarm2 i e A label for this environmental monitor alarm e g Door Open a mri amp Time Alarm 3 Label dan Services A label for this environmental monitor alarm e g Door Open Nagios Configure Dashboard Alarm 4 Label alarm4 Console Server amp RMM Gateway User Manual 187 Chapter 8 Power Environmental amp Digital I O 8 3 4 Environmental alerts You can now set temperature humidity and probe status alerts using Alerts amp Logging Alerts refer Chapter 7 8 3 5 Environmental status You can monitor the current status of all any configured external EMDs and their sensors and any internal or directly attached sensors gt Select the Status Environmental Status menu and a table with the summary status of all connected EMD hardware will be displayed System Name img4004 5 Model IMG4004 5 Firm
242. ble to browse to your Nagios server and see its web UI and the local services it monitors by default, you are ready to continue. 10.2.2 Set up distributed Opengear console servers: Each distributed console server must be running firmware 2.4.1 or later. Refer to Chapter 11 for details on upgrading Opengear firmware. This section provides a brief walkthrough on configuring a single Opengear console server to monitor the status of one attached network host (a Windows IIS server running HTTP and HTTPS services) and one serially attached device (the console port of a network router), and to send alerts back to the Nagios server when an Administrator connects to the router or IIS server. This walkthrough provides an example; details of the configuration options are described in the next section. This walkthrough also assumes the network host and serial devices are already physically connected to the console server. The first step is to set up the Nagios features on the console server. Screenshot (System: Nagios): Enabled: switch on the Nagios service. Nagios Host Name: name of this system in Nagios, generated from System Name if unspecified. Nagios Host Address: address for Nagios to find this device at. Defaults to Network 1
243. box. Enter the IP of the DNS servers into the spaces provided. Screenshot (System: Dial, Serial DB9 Port): Dial Settings: Disable Dial (disable modem communication), Enable Dial-In (allow incoming modem communication), Enable Dial-Out (allow outgoing modem communication). Serial Settings: Baud Rate 115200 (the port speed in characters per second), Flow Control None (the method of flow control to use). Dial-Out Settings: Always On Out of Band, Phone Number (the phone number to call to establish the connection), the username for authentication, the secret to use when authenticating the user, Confirm
244. buted Nagios monitoring enabled then you will also be presented with Nagios Settings options to enable nominated services on the Host to be monitored (refer Chapter 10, Nagios Integration). 4.1.1 Common Settings: There are a number of common settings that can be set for each serial port. These are independent of the mode in which the port is being used. These serial port parameters must be set so they match the serial port parameters on the device you attach to that port. [Screenshot: Serial & Network: Serial Port, Common Settings for Port 4, with a label for the port, Baud Rate 9600, 8 data bits, parity, 1 stop bit and Flow Control None]
245. by the vendor. This generally runs on a remote Windows PC, and you could configure the console server serial port to operate with a serial COM port redirector in the PC (as detailed in Chapter 4). Similarly, network attached PDUs can be controlled with a browser (e.g. with SDT as detailed in Chapter 6.3), an SNMP management package, or the vendor supplied control software. Also, servers and network attached appliances with embedded IPMI service processors or BMCs are invariably supplied with their own management tools (like SoL) that will provide secure management when connected using SDT Connector. However, for simplicity, all these devices can now be controlled through the one window using the Management Console's RPC remote power control tools. 8.1.1 RPC connection: Serial and network connected RPCs must first be connected to, and configured to communicate with, the console server. > For serial RPCs, connect the PDU to the selected serial port on the console server and, from the Serial & Network: Serial Port menu, configure the Common Settings of that port with the RS232 properties etc. required by the PDU (refer Chapter 4.1.1, Common Settings). Then select RPC as the Device Type. > Similarly, for each network connected RPC, go to the Serial & Network: Network Hosts menu and configure the RPC as a connected Host by specifying it as Device Type RPC and clicking Apply (refer Chapter 4.4, Network Hosts).
246. c DNS list on the System: IP or System: Dial menu. [Screenshot: Dynamic DNS settings form with the Dynamic DNS provider list (None, DDNS disabled, by default), DDNS Hostname, DDNS Username, DDNS Password, Confirm DDNS Password, Maximum interval between updates and Minimum interval between checks] In DDNS Hostname, enter the fully qualified DNS hostname for your console server, e.g. yourhostname.dyndns.org. Enter the DDNS Username and DDNS Password for the DDNS service provider account. Specify the Maximum interval between updates, in days. A DDNS update will be sent even if the address has not changed. Specify the Minimum interval between checks for changed addresses, in seconds. Updates will still only be sent if the address has changed. Specify the Maximum attempts per update, i.e. the number of times to attempt an update b
247. cStatusName 6 STRING baytech qgHhpcStatusMaxTemp 46 INTEGER O STATUS MI qghpcStatusAlertCount 6 INTEGER OG STATUS MI qEmnd tatusName 6 STRING EMD_test OG STATUS MI qEmdStatusTemp 46 INTEGER amp OG STATUS HAI qgEmnd tatusHumidity 46 INTEGER amp OG STATUS MI qgEmnd tatusAlertCount 6 INTEGER amp 0G STATUS MI gsiqgnalAlertStatusPort 6 INTEGER 4 OG STATUS HAI qgsignalAlertStatusLabel W STRING porth4 OG STATUS MI qgsignalAlertStatusS ignalMName 6 STRING DSR OG STATUS HAI qgsignalAlertStatusState H6 INTEGER ont1 gt OG STATUS MI STRING EMND_test OG STATUS MI STRING EMD_test OG TATUS MI STRING a OG STATUS HAI qkEnvAlertStatusSensor 1 STRING temp OG STATUS TAI qEnvAalertStatusOut let INTEGER 8 qinvAlertStatusOut let 1 INTEGER 8 O STATUS MI qgEnvAlertStatusYalue 46 INTEGER i OG STATUS AI qEnvAlertStatusVYalue 1 INTEGER 21 OGO STATUS MI qEnvAlertStatusOldWalue 46 INTEGER OG STATUS AI qEnvAlertStatusOldWalue 1 INTEGER 3 OG STATUS MI OG STATUS MI qEinvAalertStatus Device A qEnvAalertStatusDevice 1 qEnvAalertStatusSensor qinvAlertStatusS tatus 6 INTEGER 1 qEnvAalert amp StatusStatus 1 INTEGER 5 snmpget Oa v1 M usr share snmp mibs c public im4004 OG STATUSMIB ogSerialPortStatusSpeed 2 OGO STATUS MIB ogSerialPort tatus peed 2 INTEGER 19268 noauth
248. [Screenshot: Nagios service status listing for the demo hosts, with Connect via SDT links and 17 Matching Service Entries Displayed] SDT Connector launches and starts up a Terminal Services session to the IIS Server, securely tunneled through the distributed Opengear server. > Likewise, locate the row for the router's serial console port and the service check beginning with check_serial, and click the link to Connect via SDT. Note that these actions will also trigger the alert_login alerts that you added. 10.3 Configuring Nagios distributed monitoring: To activate the console server Nagios distributed monitoring, Nagios integration must be enabled and a path established to the central upstream Nagios server. If the console server is to periodically report on Nagios monitored services, then the NSCA client embedded in the console server must be configured: the NSCA program enables scheduled check-ins with the remote Nagios server and is used to send passive check results across the network to the remote server. If the Nagios server is to actively request status updates from the console server, then the NRPE server embedded in the console server must be configu
249. clock --systohc
Alternatively, to change the hardware clock:
/bin/hwclock --set --date=092216452005.05
Format is MMDDhhmm[[CC]YY][.ss]. Then the following command will save this new hardware clock time as the system time:
/bin/hwclock --hctosys
To change the timezone:
config -s config.system.timezone=US/Eastern
The following command will synchronize the live system with the new configuration:
config -r time
14.1.19 Dial-in settings: To enable dial-in access on the DB9 serial port from the command line with the following attributes: Local IP Address 172.24.1.1; Remote IP Address 172.24.1.2; Authentication Type MSCHAPv2; Serial Port Baud Rate 115200; Serial Port Flow Control Hardware; Custom Modem Initialization ATQ0V1H0; Callback phone 0800223665; User to dial as user1; Password for user secret. Run the following commands:
config -s config.console.ppp.localip=172.24.1.1
config -s config.console.ppp.remoteip=172.24.1.2
config -s config.console.ppp.auth=MSCHAPv2
config -s config.console.speed=115200
config -s config.console.flow=Hardware
config -s config.console.initstring=ATQ0V1H0
config -s config.console.ppp.enabled=on
config -s config.console.ppp.callback.enabled=on
config -s config.console.ppp.callback.phone=0800223665
config -s config.console.ppp.username=user1
config -s config.console.ppp.password=secret
To make the dialed connection
250. config.alerts.alert2.sensor=temp
config -s config.alerts.alert2.signal=DSR
config -s config.alerts.alert2.type=pattern
UPS Power Status Alert: To trigger an alert when myUPS (on localhost) or thatUPS (on remote host 192.168.0.50) power status changes between on line, on battery and low battery:
config -s config.alerts.alert2.sensor=temp
config -s config.alerts.alert2.signal=DSR
config -s config.alerts.alert2.type=ups
config -s config.alerts.alert2.ups1=myUPS@localhost
config -s config.alerts.alert2.ups2=thatUPS@192.168.0.50
Environmental and Power Sensor Alert:
config -s config.alerts.alert2.enviro.high.critical=<critical value>
config -s config.alerts.alert2.enviro.high.warning=<warning value>
config -s config.alerts.alert2.enviro.hysteresis=<value>
config -s config.alerts.alert2.enviro.low.critical=<critical value>
config -s config.alerts.alert2.enviro.low.warning=<warning value>
config -s config.alerts.alert2.enviro1=<Enviro sensor name>
config -s config.alerts.alert2.outlet#=<RPCname>.outlet#
"alert2.outlet#" increments sequentially with each added outlet. The second "outlet#" refers to the specific RPC power outlets.
config -s config.alerts.alert2.rpc#=<RPC name>
config -s config.alerts.alert2.sensor=temp|humid|load|charge
config -s config.alerts.alert2.signal=DSR
config -s config.alerts.alert2.type=enviro
251. config.ports.port5.charsize=8
config -s config.ports.port5.stop=1
config -s config.ports.port5.label=myport
config -s config.ports.port5.loglevel=0
config -s config.ports.port5.protocol=RS232
config -s config.ports.port5.flowcontrol=None
The following command will synchronize the live system with the new configuration:
config -r serialconfig
Note: Supported serial port baud rates are 50, 75, 110, 134, 150, 200, 300, 600, 1200, 1800, 2400, 4800, 9600, 19200, 38400, 57600, 115200 and 230400. Supported parity values are None, Odd, Even, Mark and Space. Supported data bits values are 8, 7, 6 and 5. Supported stop bits values are 1, 1.5 and 2. Supported flow control values are Hardware, Software and None. Additionally, before any port can function properly, the mode of the port needs to be set. Any port can be set to run in one of the five possible modes (refer Chapter 4 for details): Console Server mode, Device mode, SDT mode, Terminal server mode, Serial bridge mode. All these modes are mutually exclusive. Console Server mode: The command to set the port in portmanager mode:
config -s config.ports.port5.mode=portmanager
To set the following optional config elements for this mode: Data accumulation period 100 ms, Escape character def
252. console server. A. On a Windows client PC: > Click Start, point to Programs, then to Accessories, then Communications, and click Remote Desktop Connection. [Screenshot: Remote Desktop Connection dialog showing Computer 192.168.2.19 and a Username field; you will be asked for credentials when you connect] > In Computer, enter the appropriate IP Address and Port Number. Where there is a direct local or enterprise VPN connection, enter the IP Address of the console server and the Port Number of the SDT Secure Tunnel for the console server serial port that is attached to the Windows computer to be controlled, e.g. if the Windows computer is connected to serial Port 3 on a console server located at 192.168.0.50 then you would enter 192.168.0.50:7303. Where there is an SSH tunnel (over a dial-up PPP connection, or over a public internet connection or private network connection), simply enter the localhost as the IP address, i.e. 127.0.0.1. For Port Number, enter the source port you created when setting SSH tunneling/port forwarding (in Section 6.1.6), e.g. 1234. > Click Option. In the Display section, specify an appropriate color depth (e.g. for a modem connection it is recommended you not use over 256 colors). In Local Resources, specify the peripherals on the remote Windows computer that are to be controlled (printer, serial port, etc.).
253. ctor [Screenshot: SDT Connector dialog with Local Address localhost, Local TCP Port 5900 and UDP Port fields] Note: SDT Connector can also tunnel UDP services. SDT Connector tunnels the UDP traffic through the TCP SSH redirection, so in effect it is a tunnel within a tunnel. Enter the UDP port on which the service is running on the host. This will also be the local UDP port that SDT Connector binds as the local endpoint of the tunnel. Note that for UDP services, you still need to specify a TCP port under General. This will be an arbitrary TCP port that is not in use on the gateway. An example of this is the SOL Proxy service. It redirects local UDP port 623 to remote UDP port 623 over the arbitrary TCP port 6667. 6.2.7 Adding a client program to be started for the new service: Clients are local applications that may be launched when a related service is clicked. To add to the pool of client programs: > Select Edit: Preferences and click the Client tab. Click Add. [Screenshot: SDT Connector Preferences, Add Client dialog with Client name, Path to client executable file and Command line format for client executable fields] > Enter a Name for the client. Enter the Path to the executabl
254. d pVv command arg compgen abcdefjkvu o option complete abcdefjkvu pr o o continue n declare afFrxi p name value dirs clpv N N disown h ar jobspec echo neE arg enable pnds a f filename local name value logout popd N N n printf format arguments pushd dir N N n pwd PL read ers t timeout p promp readonly anf name or read return n select NAME in WORDS do COMMANDS set abefhkmnptuvxBCHP o opti shift n shopt pqsu o long option opt source filename suspend f test expr time p PIPELINE eval arg times exec cl a name file redirec trap arg signal_spec exit n true export nf name or export false fc e ename nlr first last fg job spec for NAME in WORDS do COMMA type apt name name typeset afFrxi p name value ulimit SHacdflmnpstuv limit umask p S mode unalias a name Console Server amp RMM Gateway User Manual function NAME COMMANDS or unset f v name NA until COMMANDS do COMMANDS getopts optstring name arg done hash r p pathname name variables Some variable names an help s pattern wait n history c d offset n or hi while COMMANDS do COMMANDS if COMMANDS then COMMANDS done COMMANDS elif jobs
255. d 6. When he attempts to log in, a new user will be created for him, and he will be able to access ports 5 and 6. If the TACACS server is down he will have no access. Example 3: User Paul is defined on a RADIUS server only. He has access to all serial ports and network hosts. Example 4: User Don is locally defined on an appliance using RADIUS for AAA. Even if Don is also defined on the RADIUS server, he will only have access to those serial ports and network hosts he has been authorized to use on the appliance. If a "no local" AAA option is selected, then root will still be authenticated locally. Remote users may be added to the admin group via either RADIUS or TACACS. Users may have a set of authorizations set on the remote TACACS server. Users automatically added by RADIUS will have authorization for all resources, whereas those added locally will still need their authorizations specified. LDAP has not been modified and will still need locally defined users. Note: To interact with RADIUS, TACACS and LDAP with console server firmware pre-2.4.2, you must also set up the user accounts on the local console server. All resource authorizations must be added to the local appliance. With this release, if remote AAA is selected, it is used for password checking only. Root is always authenticated locally. Any changes to PAM configurations will be destroyed next time the authentication configurator is run. 9.1.6 Group support with remote authentication
256. d Managed UPS [Screenshot: Serial & Network: UPS Connections, listing a managed UPS named APC750_North_End (description APCNorth, address 192.168.1.55) with Edit and Delete controls, and an Add Remote UPS button] > Select the Serial & Network: UPS Connections menu. The Managed UPSes section will display all the UPS connections that have already been configured. > Click Add Managed UPS. Screenshot (Serial & Network: UPS Connections, Edit Managed UPS): Connected Via: USB. The UPS may be connected via USB, serial or network (HTTP, HTTPS or SNMP). UPS Name: APC750_East_End. The name of this UPS. Description: Upstairs Closet. An optional description. Username: allow slaves to connect using this username. Password: allow slaves to connect using this password. Confirm: re-enter the password. On Critical Power: Shut down this UPS only, Shut down all Managed UPSes, Run until failure. The action to take when bat
257. d by Livingston Enterprises as an access server authentication and accounting protocol. The RADIUS server can support a variety of methods to authenticate a user. When it is provided with the username and original password given by the user, it can support PPP, PAP or CHAP, UNIX login, and other authentication mechanisms. Further information on configuring remote RADIUS servers can be found at the following sites: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/DepKit/d4fe8248-eecd-49e4-88f6-9e304f97fefc.mspx http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a00800945cc.shtml http://www.freeradius.org/ 9.1.4 LDAP authentication: Perform the following procedure to configure the LDAP authentication method to be used whenever the console server or any of its serial ports or hosts is accessed: > Select Serial & Network: Authentication and check LDAP or LocalLDAP or LDAPLocal or LDAPDownLocal. Screenshot (LDAP settings): LDAP Server Address: comma separated list of remote servers. The shared secret allowing access to the authentication server. Confirm Password: re-enter the above password for confirmation. LDAP Base DN: the distinguished name of the search base, for example dc=my-company,dc=com. LDAP Bind DN: the distinguished name to bind to the server with. The default is to bind anonymously. LDAP Username Attribute: The LD
258. d information can be found online at http://www.opengear.com/cabling.html
For Local Console connection: These adapters connect the console server LOCAL Console port (via standard UTP Cat 5 cable) to modem devices (for out-of-band access).
319000: DB9F to RJ45 straight, console server LOCAL Console Port to Modem
319002: DB25M to RJ45 straight, console server LOCAL Console Port to Modem
For console server Serial Port connection: The Opengear connectors and adapters tabulated below are specified to work with standard UTP Cat 5 cable. For console servers with Opengear classic pinouts:
319000: DB9F to RJ45 straight, Console server with Opengear classic pinout to IP Power and other serial device
319001: DB9F to RJ45 crossover DCE Adapter, Console server with Opengear classic pinout to X86 and other
319002: DB25M to RJ45 straight DTE Adapter, for console server with Opengear classic pinout
319003: DB25M to RJ45 crossover DCE Adapter, Console server with Opengear classic pinout to Sun and other
319004: DB9M to RJ45 straight DTE Adapter, Console server with Opengear classic pinout to Netscreen and Dell, and OoB modem connection
319005: DB25F to RJ45 crossover DCE Adapter, Console server with Opengear classic pinout to Cisco 7200 AUX
440016: 5ft Cat5 RJ-45 to RJ-45 cables, Extension cables
449016: RJ-45 plug to RJ-45 jack, Adapter for console server with Opengear classic pinout to Cisco console (and to Netscreen with reversing cable)
449017: RJ-45 plug to
259. d password from the remote system. You will then be logged on to the console server. 3.6 Management Network Configuration: The IM4200, IM4004-5, ACM5500 and ACM5004-2 console servers have additional network ports that can be configured to provide management LAN access and/or failover or out-of-band access. 3.6.1 Enable the Management LAN: The IM4200 family, ACM5508-2-I/M and ACM5004-2 console servers can be configured so the second Ethernet port provides a management LAN gateway. The gateway has firewall, router and DHCP server features. However, you need to connect an external LAN switch to Network/LAN 2 to attach hosts to this management LAN. [Diagram: gateway to the Management LAN, showing the operations network, the management network, and serially and network connected consoles] Note: The second Ethernet port (Network/LAN2) on the IM4200, ACM5508-2-I/M and ACM5004-2 can be configured as either a Management LAN gateway port or as an OoB/Failover port. It cannot be both. So ensure you did not allocate Network/LAN 2 as the Failover Interface when you configured the principal Network connection on the System: IP menu. The ACM5504-5-G-I, IM4216-34 and IM4004-5 console server models have integrated four or thirty-two port management LAN switches with firewall, router, DHCP server and switch functions. The IM4216-34 is normally configured to have an
260. d signs and issues a SSL certificate to you. To create and install a SSL certificate for the console server: > Select System: SSL Certificate and fill out the fields as explained below. Common name: This is the network name of the console server once it is installed in the network (usually the fully qualified domain name). It is identical to the name that is used to access the console server with a web browser (without the http:// prefix). In case the name given here and the actual network name differ, the browser will pop up a security warning when the console server is accessed using HTTPS. Organizational Unit: This field is used for specifying to which department within an organization the console server belongs. Organization: The name of the organization to which the console server belongs. Locality/City: The city where the organization is located. State/Province: The state or province where the organization is located. Country: The country where the organization is located. This is the two-letter ISO code, e.g. DE for Germany, or US for the USA. (Note: the country code has to be entered in CAPITAL LETTERS.) Email: The email address of a contact person that is responsible for the console server and its security. Challenge Password: Some certification authorities require a challenge password to authorize later changes on the certificate (e.g. revocation of the
261. d specify the services you will be checking with Nagios (HTTP and HTTPS): > Select Network Hosts from the Serial & Network menu and click Add Host. > Enter the IP Address/DNS Name of the network server, e.g. 192.168.1.10, and enter a Description, e.g. Windows 2003 IIS Server. > Remove all Permitted Services. This server will be accessible using Terminal Services, so check TCP, Port 3389 and log level 1, and click Add. It is important to remove and re-add the service to enable logging. [Screenshot: Nagios Settings for the host, with Enable Nagios (switch Nagios on for this host), Host Name (name of host in Nagios, generated using host description if unspecified), and the list of checks: Check NRPE, Check Permitted TCP, Check Permitted UDP, Check TCP, Check UDP] > Scroll down to Nagios Settings and check Enable Nagios. > Click New Check and select Check Ping. Click check-host-alive. > Click New Check and select Check Permitted TCP. Select Port 3389. > Click New Check and select Check TCP. Select Port 80. > Click New Check and select Check TCP. Select Port 443. > Click Apply. Similarly, you now must configure the serial port to the router to be monitored by Nagios: > Select Serial Port from the Serial & Network menu. > Locate the serial port that has the router console port attached and click Edit. > Ensure the serial port settings under Common Settings are correct and match the attached
262. d to translate private network traffic onto public networks such as the Internet. This is generally required when using the interface as an Internet gateway. OGG that the static IP and subnet mask fields are set. Screenshot (System: IP, Network Interface, General Settings): Configuration Method: DHCP or Static. The mechanism to acquire IP settings. IP Address: 192.168.254.35. A statically assigned IP address. Subnet Mask: 255.255.255.0. A statically assigned network mask. Gateway: 192.168.254.254. A statically assigned gateway. Primary DNS: a statically assigned primary name server. Secondary DNS: a statically assigned secondary name server. Media: Auto. The Ethernet media type. DHCP Server: Disabl
263. daemon_dep
    host_name opengear
    dependent_host_name server
    dependent_service_description Serial Status
    service_description NRPE Daemon
    execution_failure_criteria w,u,c
}
Port Log
define command {
    command_name check_port_log
    command_line $USER1$/check_nrpe -H 192.168.254.147 -p 5666 -c port_log_$HOSTNAME$
}
define service {
    service_description Port Log
    host_name server
    use generic-service
    check_command check_port_log
}
define service {
    service_description port log server
    host_name server
    use generic-service
    check_command check_port_log
    active_checks_enabled 0
    passive_checks_enabled 1
}
define servicedependency {
    name opengear_nrpe_daemon_dep
    host_name opengear
    dependent_host_name server
    dependent_service_description Port Log
    service_description NRPE Daemon
    execution_failure_criteria w,u,c
}
Ping
define command {
    command_name check_ping_via_opengear
    command_line $USER1$/check_nrpe -H 192.168.254.147 -p 5666 -c host_ping_$HOSTNAME$
}
define service {
    service_description Host Ping
    host_name server
    use generic-service
    check_command check_ping_via_opengear
}
define service {
    service_description host ping server
    host_name server
    use generic-service
    check_command check_ping_via_opengear
    active_checks_enabled 0
    passive_checks_enabled 1
}
define servicedependency {
    name opengear_nrpe_daemon_dep
    host_name opengear
    dependent_host_name server
    dependent_service
264. dd new users with access privileges to the Slave serial ports (or to extend existing users' access privileges). Select the appropriate Serial & Network: Trusted Networks to specify network addresses that can access nominated Slave serial ports. Select the appropriate Alerts & Logging: Alerts to configure Slave port Connection State Change or Pattern Match alerts. The configuration changes made on the Master are propagated out to all the Slaves when you click Apply. Managing the slaves: The Master is in control of the Slave serial ports. So, for example, if you change a User's access privileges or edit any serial port setting on the Master, the updated configuration files will be sent out to each Slave in parallel. Each Slave will then automatically make changes to its local configuration, and only make those changes that relate to its particular serial ports. You can still use the local Slave Management Console to change the settings on any Slave serial port (such as altering the baud rates). However, these changes will be overwritten next time the Master sends out a configuration file update. Also, while the Master is in control of all Slave serial port related functions, it is not master over the Slave network host connections or over the Slave console server system itself. So Slave functions such as IP, SMTP & SNMP Settings, Date &
265. dded Linux operating system. So Administrator class users can configure the console server, and monitor and manage attached serial console and host devices, from the command line using Linux commands and the config utility, as described in Chapter 14. The Linux kernel in the console server also supports GNU bash shell script, enabling the Administrator to run custom scripts. This chapter presents a number of useful scripts and scripting tools, including: delete-node, which is a general script for deleting users, groups, hosts, UPSes etc.; ping-detect, which will run specified commands when a specific host stops responding to ping requests. This chapter then details how to perform advanced and custom management tasks using Opengear commands, Linux commands and the open source tools embedded in the console server: portmanager serial port management; raw data access to the ports and modems; iptables modifications and updating IP filtering rules; retrieving status information using SNMP and modifying SNMP with net-snmpd; public key authenticated SSH communications; SSL, configuring HTTPS and issuing certificates; using pmpower for NUT and PowerMan power device management; using IPMItools; CDK custom development kit; sms server tools; disable multicasting. 15.1 Custom Scripting: The console server supports GNU bash shell commands (refer Appendix A), enabling the Administrator to run custom scripts. 15.1.1 Custom script to run w
266. ddress where the first 24 bits are used as the network address. This is the same as 255.255.255.0. If the VPN access is only to the console server itself and to its attached serial console devices, then leave Left Subnet blank. If there is a VPN gateway at the remote end, enter the private subnet details in Right Subnet. Again, use the CIDR notation, and leave blank if there is only a remote host. Select Initiate Tunnel if the tunnel connection is to be initiated from the Left console server end. This can only be initiated from the VPN gateway (Left) if the remote end was configured with a static (or dyndns) IP address. Click Apply to save changes. It is essential that the configuration details set up on the advanced console server (referred to as the Left or Local host) exactly match the set up entered when configuring the Remote (Right) host/gateway or software client. Refer to http://www.opengear.com/faq.html for details on configuring these remote ends. OpenVPN: The ACM5500, ACM5000, IM4004-5 and IM4200 family of advanced console servers with Firmware V3.2 and later include OpenVPN, which is based on TLS (Transport Layer Security) and SSL (Secure Socket Layer). With OpenVPN it is easy to build cross-platform, point-to-point VPNs using X.509 PKI (Public Key Infrastructure) or custom configuration files. OpenVPN allows secure tunneling of data
267. device driver or a remote system, using IPMI v1.5 and IPMI v2.0. These functions include printing FRU information, LAN configuration, sensor readings, and remote chassis power control. IPMI management of a local system interface requires a compatible IPMI kernel driver to be installed and configured. On Linux this driver is called OpenIPMI and it is included in standard distributions. On Solaris this driver is called BMC and is included in Solaris 10. Management of a remote station requires the IPMI-over-LAN interface to be enabled and configured. Depending on the particular requirements of each system, it may be possible to enable the LAN interface using ipmitool over the system interface. OPTIONS:
-a: Prompt for the remote server password.
-A <authtype>: Specify an authentication type to use during IPMIv1.5 lan session activation. Supported types are NONE, PASSWORD, MD5 or OEM.
-c: Present output in CSV (comma separated variable) format. This is not available with all commands.
-C <ciphersuite>: The remote server authentication, integrity and encryption algorithms to use for IPMIv2 lanplus connections. See table 22-19 in the IPMIv2 specification. The default is 3, which specifies RAKP-HMAC-SHA1 authentication, HMAC-SHA1-96 integrity and AES-CBC-128 encryption algorithms.
-E: The remote server password is specified by the environment variable IPMI_PASSWORD.
-f <password_file>: Specifies a file containing the remote server password. If
268. dial up ppp connection is automatically established. These advanced console server models can also be accessed out-of-band using an alternate broadband link, and also offer transparent broadband failover. Models with an internal or external cellular modem can be configured for OoB cellular access or for cellular transparent failover, or can be configured as a cellular router. Dialup Modem Connection: To enable dial-in or dial-out you must first ensure there is a modem attached to the console server. 5.2 All IM4200 models, ACM5508-2-M and ACM5003-M come with an internal modem, which can provide for OoB dial-in access. These models will display an Internal Modem Port tab under System > Dial (as well as the Serial DB9 Port tab). The other ACM5500 and ACM5000 models and IM4004-5 also support external USB modems. We recommend the US Robotics 56K USB Modem USR5637 or Opengear Part OGUSR5637. The USB modem will be auto-detected and an External USB Modem Port tab will come up under System > Dial (in addition to the Serial DB9 Port tab). All console server models support an external modem (any brand) attached via a serial cable to the console/modem port for OoB dial-in access. The CM4000 and SD4000 console servers need to have an external modem attached via a serial cable to their DB9 port. This port is marked Local and is located on the back of the SD4002, CM4001 and CM4008 units, and on the front of the CM4116/4148 units. The serial ports on
269. ding on the console server Serial Port that is connected to the Windows computer COM port. Select the Serial & Network: Serial Port menu option and click Edit for the particular Serial Port that is connected to the Windows computer COM port. On the SDT Settings menu select SDT Mode (which will enable port forwarding and SSH tunneling) and enter a Username and User Password. [Screenshot: SDT Settings. SDT Mode: Enable access over SSH to a host connected to this serial port. Username: The login name for PPP. The default is port01. User Password: The login secret for PPP. The default is port01. Confirm Password: Re-type the password for confirmation.] Note: When you enable SDT, this will override all other Configuration protocols on that port. Note: If you leave the Username and User Password fields blank, they default to portXX and portXX, where XX is the serial port number. So the default username and password for Secure RDP over Port 2 is port02. Ensure the console server Common Settings (Baud Rate, Flow Control) are the same as were set up on the Windows computer COM port, and click Apply. RDP and VNC forwarding over serial ports is enabled on a Port basis. You can add Users who can have access to these ports (or reconfigure User profiles) by selecting the Serial & Network: User & Groups menu tag, as described earlier in Chapter
270. disk tftpboot. Ping: This allows the console server to respond to incoming ICMP echo requests. Ping is enabled by default; however, for security reasons this service should generally be disabled post initial configuration. Nagios: Access to the Nagios NRPE monitoring daemons. NUT: Access to the NUT UPS management daemons. And there are some serial port access parameters that can be configured on this menu. Base: The console server uses specific default ranges for the TCP/IP ports for the various access services that Users and Administrators can use to access devices attached to serial ports (as covered in Chapter 4, Configuring Serial Ports). The Administrator can also set alternate ranges for these services, and these secondary ports will then be used in addition to the defaults. The default TCP/IP base port address for telnet access is 2000, and the range for telnet is IP Address: Port (2000 + serial port #), i.e. 2001 to 2048. So if the Administrator were to set 8000 as a secondary base for telnet, then serial port #2 on the console server can be telnet accessed at IP Address:2002 and at IP Address:8002. The default base for SSH is 3000, for Raw TCP is 4000, and for RFC2217 it is 5000. RAW/Direct: You can also specify that serial port devices can be accessed from nominated network interfaces using Raw TCP, direct Telnet/SSH, unauthenticated Telnet services etc. Click Apply. As you apply your services selections, the screen will be updated w
271. dresses are not available it will bring up the cellular connection and connect back to the cellular carrier. [Screenshot: failover settings. Failover Interface: Internal Cellular Modem (cellmodem01). Primary Probe Address: The address of the first peer to probe for connectivity detection. Secondary Probe Address: The address of the second peer to probe for connectivity detection.] Navigate back to the Network Interface on the System: IP menu and specify Internal Cellular modem (cellmodem01) as the Failover Interface to be used when a fault has been detected. Specify the Probe Addresses of two sites (the Primary and Secondary) that the console server is to ping to determine if the principal network is still operational. In event of a failure of the principal network, the 3G network connection is activated as the access path to the console server (and its Managed Devices). Only HTTPS and SSH access is enabled on the failover connection (which should enable the administrator to connect and fix the problem). By default, the advanced console server supports automatic failure recovery back to the original state prior to failover (V3.1.0 firmware and later). The advanced console server continually pings probe addresses whilst in Original and failover state
272. ds after the Auto Response trigger event to wait before performing the action. So you can add follow-on actions to create a sequence of actions that will be taken in the event of the one trigger condition. To edit or delete an existing action, click the Modify or Delete icon in the Scheduled Trigger Action table. [Screenshot: Trigger Actions table and Add Trigger Action form. Action types: Send Email, Send SMS, Perform RPC Action, Run Custom Script, Send SNMP Trap, Send Nagios Event. Action Delay Time: Time after the Auto Response triggers to perform this action. Phone number: in international format. Message Text: The text of the SMS to send. Longer messages will be split up.] A message text can be sent with Email, SMS and Nagios actions. This configurable message can include selected values: AR_TRIGGER_VAL, the trigger value for the check (e.g. for UPS Status it could be onbatt or battlow); AR_VAL, the value returned by the check (e.g. for ups status it could be online/onbatt/battlow); AR_CHECK_DEV, the device name of the device being checked (e.g. for Alarm, the alarm name); TIMESTAMP, the current timestamp; HOSTNAME, the hostname of the console server. The default message text is STIM
273. e All passwords are saved in plaintext except the user passwords and the system passwords, which are encrypted. Note: The config command does not verify whether the nodes edited/added by the user are valid. This means that any node may be added to the tree. If a user were to run the following command: /bin/config -s config.fruit.apple=sweet the configurator will not complain, but this command is clearly useless. When the configurators are run (to turn the config.xml file into live config) they will simply ignore this <fruit> node. Administrators must make sure of the spelling when typing config commands. Incorrect spelling for a node will not be flagged. Most configurations made to the XML file will be immediately active. To make sure that all configuration changes are active, especially when editing user passwords, run all the configurators: /bin/config -a For information on backing up and restoring the configuration file, refer Chapter 15, Advanced Configuration. 14.1.1 Serial Port configuration: The first set of configurations that needs to be made to any serial port are the RS232 common settings. For example, to set up serial port 5 to use the following properties: Baud Rate: 9600; Parity: None; Data Bits: 8; Stop Bits: 1; label: Myport; log level: 0; protocol: RS232; flow control: None. To do this, use the following commands: config -s config.ports.port5.speed=9600 config -s config.ports.port5.parity=None config -s
274. e [Screenshot: network host settings, with TCP/UDP port and log level (0, Disabled) fields. The TCP services available from this host.] Add the new Users using the Serial & Network: Users & Groups menu (as detailed in Network Hosts, Chapter 4.4). Users can be authorized to access the console server ports and specified network-attached hosts. To simplify configuration, the Administrator can first set up Groups with group access permissions, then Users can be classified as members of particular Groups. 6.2 SDT Connector Client Configuration: The SDT Connector client works with all Opengear console servers. Each of these remote console servers has an embedded OpenSSH based server which can be configured to port forward connections from the SDT Connector client to hosts on their local network, as detailed in the previous chapter. The SDT Connector can also be pre-configured with the access tools and applications that will be available to be run when access to a particular host has been established. SDT Connector can connect to the console server using an alternate OoB access. It can also access the console server itself and access devices connected to serial ports on the console server. 6.2.1 SDT Connector client installation: The SDT Connector set up program (SDTConnector Setup-1.n.exe or sdtcon-1.n.tar.gz) is included on the CD supplied with your Opengear console
275. e DC power lines to a power plug that plugs into the 12VDC PWR jack. Similarly, the ACM5500 can be powered by connecting an external 9V AC to 24V AC power source to this jack. The industrial ACM5508-2 and ACM5504-5-G-I models can also be powered externally by connecting a 9 to 30V DC power source to the EXT 9-30V DC and GND connectors on the green screw terminal block on the side of the unit. [Figure: terminal block labels DIO1, GND, DIO2, GND, OUT1, GND, OUT2, EXT 9-30V DC] The ACM5504-2-P can be PoE powered using 802.3af compliant power sources. Note: An external DC-DC power converter can be ordered as an accessory with any ACM5500 RMM gateway. This converter has an integrated power cable/connector that plugs into the 12VDC PWR connector on the ACM5500. The input voltage for the DC-DC converter is plus or minus 36V DC to 72V DC. 2.2.7 IM4216-34-DDC, IM4208-2-DDC, IM4216-2-DDC, IM4232-2-DDC and IM4248-2-DDC power: The IM42xx and IM4216-34-DDC console servers all have dual DC power supplies with auto failover built in. To connect to the DC input supply: Strip the DC wire insulation to expose approximately 0.4 inch (10 mm) of conductor. Connect the safety ground wire to the E (safety ground) terminal on the terminal block first. The DDC is floating w.r.t. Earth; however, the safety terminal on the three-way screw terminal block connects to Earth or Chassis Grou
276. e SDT Connector to access the gateway itself by setting the Console server up as a host, and then configuring the appropriate services. Launch SDT Connector on your PC. Assuming you have already set up the console server as a Gateway in your SDT Connector client (with username/password etc.), select this newly added Gateway and click the Host icon to create a host. Alternatively, select File: New Host. Enter 127.0.0.1 as the Host Address and give some details in Descriptive Name/Notes. Click OK. [Screenshot: Edit SDT Host dialog, with Host Address 127.0.0.1, the list of Services, and Descriptive Name "Local Host"] Click the HTTP or HTTPS Services icon to access the gateway's Management Console, and/or click SSH or Telnet to access the gateway command line console. Note: To enable SDT access to the gateway console, you must configure the console server to allow port forwarded network access to itself. With V3.3 firmware and later, this can be done using the console server Management Console. Simply browse t
277. e as this new address (as detailed in an earlier note in this chapter). Click Apply. You will need to reconnect the browser on the computer that is connected to the console server by entering http://new IP address. IPv6 configuration: By default, the console server Ethernet interfaces support IPv4; however, they can also be configured for IPv6 operation. On the System: IP menu, select the General Settings page and check Enable IPv6. [Screenshot: System: IP, General Settings page. Enable Bridging: Bridge between all interfaces. Enable IPv6: Enable IPv6 for all interfaces.] You will then need to configure the IPv6 parameters on each interface page. 3.3.2 [Screenshot: IPv6 Settings, with Stateless only and Static options for the mechanism to acquire IP settings. IPv6 Address: A statically assigned IPv6 address. IPv6 Subnet Mask: A statically assigned IPv6 network mask.] Dynamic DNS (DDNS) configuration: With Dynamic DNS (DDNS)
278. e backup file remotely on your PC, and you can restore configurations from remote locations. Click Save Backup in the Remote Configuration Backup menu. The config backup file (System Name_date_config.opg) will be downloaded to your PC and saved in the location you nominate. To restore a remote backup: Click Browse in the Remote Configuration Backup menu and select the Backup File you wish to restore. Click Restore and click OK. This will overwrite all the current configuration settings in your console server. Alternately, with some console servers you can save the backup file locally onto the USB storage. To do this, your console server must support USB and you must have an internal or external USB flash drive installed. To backup and restore using USB: Ensure the USB flash is the only USB device attached to the console server. Select the Local Backup tab and click here to proceed. This will set a Volume Label on the USB storage device. This preparation step is only necessary the first time, and will not affect any other information you have saved onto the USB storage device. However, it is recommended that you back up any critical data from the USB storage device before using it with your console server. If there are multiple USB devices installed, you will be warned to remove them.
279. e external network being routed to does not have routing information about the internal network behind the console server. IP Masquerading performs Source Network Address Translation (SNAT) on outgoing packets, to make them appear like they've come from the console server (rather than devices on the internal network). When response packets come back from devices on the external network, the console server will translate the packet address back to the internal IP, so that it is routed correctly. This allows the console server to provide full outgoing connectivity for internal devices using a single IP Address on the external network. By default, IP Masquerading is disabled for all networks. To enable masquerading: Select the Forwarding & Masquerading panel on the System: Firewall menu. Check Enable IP Masquerading (SNAT) on the network interfaces where masquerading is to be enabled. Generally this masquerading would be applied to any interface that is connecting with a public network such as the Internet (e.g. for the ACM5004-G cellular router, the IP masquerading would be enabled on Dialout/Cellular). 5.8.2 Configuring client devices: Client d
280. e file for the client, or click Browse to locate the executable. Enter a Command Line associated with launching the client application. SDT Connector typically launches a client using command line arguments to point it at the local endpoint of the redirection. There are three special keywords for specifying the command line format. When launching the client, SDT Connector substitutes these keywords with the appropriate values: %path% is path to the executable file, i.e. the previous field; %host% is the local address to which the local endpoint of the redirection is bound, i.e. the Local Address field for the Service redirection Advanced options; %port% is the local port to which the local endpoint of the redirection is bound, i.e. the Local TCP Port field for the Service redirection Advanced options. If this port is unspecified (i.e. Any), the appropriate randomly selected port will be substituted. For example, SDT Connector is preconfigured for Windows installations with a HTTP service client that will connect with whichever local browser the local Windows user has configured as the default. Otherwise the default browser used is Firefox. [Screenshot: SDT Connector client settings. Client name: HTTP browser. Path to client executable file: rundll32 url.dll,FileProtocolHandler. Command line format for client executable: %path% http://%host%:%port%]
281. e.g. /etc/config/test.sh:
    #!/bin/sh
    # Log a marker line and the four arguments passed in by Auto Response
    logger "A test script"
    logger "Argument1 = $1"
    logger "Argument2 = $2"
    logger "Argument3 = $3"
    logger "Argument4 = $4"
    # Alternate the return code on each run, using a marker file
    if [ -f /etc/config/customscript.0 ]; then
        rm /etc/config/customscript.0
        exit 7
    fi
    touch /etc/config/customscript.0
    exit 1
Refer to the online FAQ for a sample web page html check and other script file templates. Enter the Script Executable file name (e.g. /etc/config/test.sh). Set the Check Frequency (i.e. the time in seconds between re-running the script) and the Script Timeout (i.e. the maximum run time for the script). Specify the Successful Return Code. An Auto Response is triggered if the return code from the script is not this value. Enter Arguments that are to be passed to the script (e.g. with a web page html check script, these Arguments might specify the web page address/DNS and user logins). Click Save Auto Response.
282. e powered from an external 9V DC to 30V DC power source by connecting the DC power lines to a power plug that plugs into the 12VDC PWR jack. Similarly, the ACM5000 can be powered by connecting an external 9V AC to 24V AC power source to this jack. The industrial ACM5004-2-I model can also be powered externally by connecting a 9 to 30V DC power source to the DC PWR and GND connectors on the green screw terminal block on the side of the unit. Note: All ACM5000 models can also be ordered with the SDC option. These units are supplied with an external DC-DC power converter. This converter has an integrated power cable/connector that plugs into the 12VDC PWR connector on the ACM5000. The input voltage for the DC-DC converter is plus or minus 36V DC to 72V DC. 2.2.6 ACM5508-2-M, ACM5508-2-I, ACM5504-5-G-I, ACM5504-5-GV-I and ACM5504-2-P power: All the ACM5500 models are supplied with an external AC-12VDC wall mount power supply. This comes with a selection of wall socket adapters for each geographic region (North American, Europe, UK, Japan or Australia). The 12V DC connector from the power supply unit plugs into the 12VDC (PWR) power jack on the side of the console server casing. Plug in the power supply AC power cable and the DC power cable. Turn on the AC power and confirm the console server Power LED (PWR) is lit. The ACM5500 models can also be powered from an external 9V DC to 30V DC power source by connecting th
283. e probe addresses during failover. The failover state will be removed once the original state has been re-established. 5.4 OoB Broadband Ethernet Access: The ACM5500, ACM5000, IM4004-5 and IM4200 family of advanced console servers have a second Ethernet port (LAN2 on the ACM5004-2, ACM5508-2-I/M and ACM5504 3 P; Network 2 on the IM4200-2; or ETH 1 on the IM4004-5, IM4216-34 and ACM5504-5-G-I) that can be configured for alternate and OoB (out-of-band) broadband access. With two active broadband access paths to these advanced console servers, in the event you are unable to access through the primary management network (LAN1, Network or Network1) you can still access it through the alternate broadband path. [Figure: IM42xx-2 at a high availability site, with an OoB broadband failover network and a management network] On the System: IP menu, select Network 2 (ACM5004-2 and IM42xx) or Out-of-Band/Failover (IM4004-5) and configure the IP Address, Subnet Mask, Gateway and DNS with the access settings that relate to the alternate link. Ensure when configuring the principal Network 1 Settings (eth0) connection, the Failover Interface is set to None. 5.5 Broadband Ethernet Failover: The second Ethernet port on the ACM5500, ACM5000, IM4004-5 and IM4200 family of advanced console servers can also be configured for failover to ensure transparent high
284. e random data used by PUTTYGEN to generate secure keys. Key generation will occur once PUTTYGEN has collected sufficient random data. [Screenshot: PuTTY Key Generator window, showing the "Public key for pasting into OpenSSH authorized_keys file" box, the Key fingerprint, Key comment, Key passphrase and Confirm passphrase fields, the actions Generate, Load, Save public key and Save private key, and the parameters Type of key to generate (SSH-1 RSA, SSH-2 RSA, SSH-2 DSA) and Number of bits in a generated key (1024)] Create a new file authorized_keys (with notepad) and copy your public key data from the "Public key for pasting into OpenSSH authorized_keys file" section of the PUTTY Key Generator, and paste the key data to the authorized_keys file. Make sure there is only one line of text in this file. Use WinSCP to copy this authorized_keys file into the user's home directory, e.g. /etc/config/users/testuser/.ssh/authorized_keys, of the Opengear gateway which will be the SSH server. You will need to make sure this file is in the correct f
285. e server itself, or to attached hosts. To change the default settings for this access, you will need to edit the iptables rules as described in the Chapter 14 Advanced. Click Apply. 4.6 Serial Port Cascading: Cascaded Ports enables you to cluster distributed console servers so a large number of serial ports (up to 1000) can be configured and accessed through one IP address and managed through the one Management Console. One console server, the Master, controls other console servers as Slave units, and all the serial ports on the Slave units appear as if they are part of the Master. Opengear's clustering connects each Slave to the Master with an SSH connection. This is done using public key authentication, so the Master can access each Slave using the SSH key pair (rather than using passwords). This ensures secure authenticated communications between Master and Slaves, enabling the Slave console server units to be distributed locally on a LAN or remotely around the world. [Figure: the Master and its distributed Slaves, with local or remote administration] 4.6.1 Automatically generate and upload SSH keys: To set up public key authentication you must first generate an RSA or DSA key pair and upload them into the Master and Slave console servers. This can all be done automatically from the Master.
286. e specify the Resolve Actions, i.e. actions performed when trigger conditions have been resolved (Section 7.4). All console server models can maintain log records of all access and communications with the console server and with the attached serial devices. A log of all system activity is also maintained, as is a history of the status of any attached environmental monitors. Some models also log access and communications with network attached hosts and maintain a history of the UPS and PDU power status. If port logs are to be maintained on a remote server, then the access path to this location needs to be configured. Then you need to activate and set the desired levels of logging for each serial and/or network port (Section 7.6) and/or power and environment UPS (refer Chapter 8). 7.1 Configure Auto Response: With the Auto Response facility, a sequence of Trigger Actions is initiated in the event of a specified trigger condition (Check Condition). Subsequent Resolve Actions can also be performed when the trigger condition has been resolved. To configure, first set the general parameters that will be applied to all Auto Responses: Check Log Events on Alerts & Logging: Auto Response to enable logging all Auto Response activities. Check Delay after Boot to set any general delay to be applied after console server system boot before processing events.
287. e uses ping to keep the OpenVPN session alive. "keepalive 10 120" pings every 10 seconds and assumes the remote peer is down if no ping has been received over a 120 second time period.
http-proxy <proxy server> <proxy port #>: If a proxy is required to access the server, enter the proxy server DNS name or IP and port number.
ca <file name>: Enter the CA certificate file name and location. The same CA certificate file can be used by the server and all clients. Note: Ensure each "\" in the directory path is replaced with "\\". For example, c:\openvpnkeys\ca.crt will become c:\\openvpnkeys\\ca.crt.
cert <file name>: Enter the client's or server's certificate file name and location. Each client should have its own certificate and key files. Note: Ensure each "\" in the directory path is replaced with "\\".
key <file name>: Enter the file name and location of the client's or server's key. Each client should have its own certificate and key files. Note: Ensure each "\" in the directory path is replaced with "\\".
dh <file name>: This is used by the server only. Enter the path to the key with the Diffie-Hellman parameters.
nobind: Nobind is used when clients do not need to bind to a local address or specific local port number. This is the case in most client configurations.
persist-key: This option prevents the reloading of keys across restarts.
persist-tun: This option prevents the close and reopen of TUN/TAP devices across re
288. e with no traffic detected. Fast Blink: Active service with traffic; blink rate is proportional to traffic detected. 2.6.3 IM42xx-2-DAC-X2-G and IM42xx-2-DAC-X0-G: The IM42xx-2-DAC-X2-G and IM42xx-2-DAC-X0-G models have an internal 3G GSM HSUPA/UMTS cellular modem, an internal 16GB flash memory and an additional USB port at the rear. They are also supplied with an external antenna with extension cable, and a USB adapter cable. Before powering on the console server: Your carrier will provide you with a SIM card. Insert the SIM card with contacts facing upward. It will lock into place. Screw the external antenna coax cable onto the MAIN screw mount SMA connector on the rear of the console server. The AUX connector can be used either for receive diversity (requires external antenna Part 569006 and cable Part 449041) or for GPS (requires external GPS passive antenna with cable Part 569008). 2.6.4 External USB cellular modems: All the IM42xx-X models support external USB GSM HSPA or CDMA EV-DO cellular modems from Sierra Wireless. The USB modem attaches to one of the rear USB 2.0 ports on the IM4200-DAC-X2 via the modem's USB adapter cable. Similarly, an external USB cellular modem can be attached to the USB ports on any ACM5000 or an IM4004-5. External modems have their own internal antennas; however, they generally benefit from an external antenna. 2.7 Di
289. eaches critical the console server signals and waits for slaves to shutdown, then powers off the UPS. Serial and network connected UPSes must first be connected to, and configured to communicate with, the console server. For serial UPSes, attach the UPS to the selected serial port on the console server. From the Serial & Network: Serial Port menu, configure the Common Settings of that port with the RS232 properties etc. required by the UPS (refer Chapter 4.1.1 Common Settings). Then select UPS as the Device Type. Similarly, for each network connected UPS go to the Serial & Network: Network Hosts menu and configure the UPS as a connected Host by specifying it as Device Type UPS and clicking Apply. No such configuration is required for USB connected UPS hardware.
290. ection is established. Again you can select any address for the Local IP Address, but it must be in the same network range as the Remote IP Address. The Default Route option enables the dialed PPP connection to become the default route for the console server. The Custom Modem Initialization option allows a custom AT string (modem initialization string) to be entered, e.g. AT&C1&D38&K3.
291. ectly to the UPS equipment and run on the same host as the NUT network server upsd. Drivers are provided for a wide assortment of equipment from most of the popular UPS vendors and understand the specific language of each UPS. They communicate to serial, USB and SNMP network connected UPS hardware and map the communications back to a compatibility layer. This means both an expensive smart protocol UPS and a simple power strip model can be handled transparently. The NUT network server program upsd is responsible for passing status data from the drivers to the client programs via the network. upsd can cache the status from multiple UPSes and then serve this status data to many clients. upsd also contains access control features to limit the abilities of the clients (e.g. so only authorized hosts may monitor or control the UPS hardware). There are a number of NUT clients that connect to upsd to check on the status of the UPS hardware and do things based on the status. These clients can run on the same host as the NUT server or they can communicate with the NUT server over the network, enabling them to monitor any UPS anywhere. The upsc client provides a quick way to poll the status of a UPS server. It can be used inside shell scripts and other programs that need UPS data but don't want to include the full interface. The upsmon client enables
292. Click on the Disabled link next to DHCP Server, which will bring up the System: DHCP Server page. Check Enable DHCP Server. To configure the DHCP server, tick the Use interface address as gateway check box. Set the DNS server address(es) to be the sa
293. ed e s 0 9 1 if LOSS eq 100 then COUNTER expr COUNTER 1 else COUNTER 0 sleep 30s fi if COUNTER eq 5 then COUNTER 0 sleep 2s fi done 15.1.7 Running custom scripts when a configurator is invoked. A configurator is responsible for reading the values in /etc/config/config.xml and making the appropriate changes live. Some changes made by the configurators are part of the Linux configuration itself, such as user passwords or ipconfig. Currently there are nineteen configurators, each one responsible for a specific group of config (e.g. the users configurator makes the user configurations in the config.xml file live). To see all the available configurators, type the following from a command line prompt: config. When a change is made using the Management Console web GUI, the appropriate configurator is automatically run. This can be problematic: if another user or administrator makes a change using the Management Console, the configurator could possibly overwrite any custom CLI or Linux configurations you may have set. The solution is to create a custom script that runs after each configurator has run. So after each configurator runs, it will check whether that appropriate custom script exists. You can then add any commands to the custom script and they will be invoked after the configurator runs. The custom script
294. Specify the Probe Addresses of two sites (the Primary and Secondary) that the IM console server is to ping to determine if Network/Network1 is still oper
295. ed correctly: /etc/scripts/backup-usb list. If this command does not display "config-20May" then there was an error saving the configuration. The set-default command takes an input file as an argument and renames it to default.opg. This default configuration remains stored on the USB disk. The next time you want to load the default config, it will be sourced from the new default.opg file. To set a config file as the default: /etc/scripts/backup-usb set-default config-20May. To load this default: /etc/scripts/backup-usb load-default. To load any other config file: /etc/scripts/backup-usb load filename. The /etc/scripts/backup-usb script can be executed directly with various COMMANDS or called from other custom scripts you may create. However it is recommended that you do not customize the /etc/scripts/backup-usb script itself at all. 15.1.9 Backing up the configuration off-box. If you do not have a USB on your console server you can back up the configuration to an off-box file. Before backing up you need to arrange a way to transfer the backup off-box. This could be via an NFS share, a Samba (Windows) share, to USB storage, or copied off-box via the network. If backing up directly to off-box storage, make sure it is mounted. /tmp is not a good location for the backup except as a temporary location before transferring it off-box. The /tmp directory will not survive a reboot. The /etc/config directory is not a good place either as it will
296. ed hosts that will be accessed through that console server, and for each host specify the services that will be used in communicating with the host. Select the newly added gateway and click the Host icon to create a host that will be accessible via this gateway. (Alternatively select File: New Host.) Enter the IP or DNS Host Address of the host (if this is a DNS address, it must be resolvable by the gateway). Select which Services are to be used in accessing the new host. A range of service options are pre-configured in the default SDT Connector client (RDP, VNC, HTTP, HTTPS, Dell RAC, VMware etc.). However if you wish to add new services to the range then proceed to the next section (Adding a new service) then return here. Optionally enter a Descriptive Name for the host to display instead of the IP or DNS address, and any Notes or a Description of this
297. efore giving up (defaults to 3). System Firewall Service Access. Service Access specifies which access protocols/services can be used to access the console server (and connected serial ports and managed devices). The Administrator can access and configure the console server (and connected devices) using a range of access protocols/services, and for each such access the particular service must be running with access through the firewall enabled. By default HTTP, HTTPS, Telnet and SSH services are running, and these services are enabled on all network interfaces. However, again by default, only HTTPS and SSH access to the console server is enabled, while HTTP and Telnet access is disabled. For other services, such as SNMP, Nagios NRPE, NUT, the service must first be started on the relevant network interface using Port Firewall Rules (refer Chapter 5). Then the Services Access can be set to allow or block access. To change the access settings: Select the Service Access tab on the System: Firewall page. This will display the services currently enabled for the console server's network interfaces. Depending on the particular console server model, the interfaces displayed may include: Network interface (for the principal Ethernet connection), Dial out (V90 and cellular modem), Dial in (internal or external V90 modem), Wi-Fi (802.11 wireless), OOoB Failo
298. Select the Authentication Method to be used, either RSA digital signatures or a Shared secret (PSK). If you select RSA you will be asked to click here to generate keys. This will generate an RSA public key for the console server (the Left Public Key). You will need to find out the key to be used on the remote gateway, then cut and paste it into the Right Public Key.
299. 8.3.3 Adding EMDs and configuring the sensors. Select the Serial & Network: Environmental menu. This will display any external EMDs or any internal EMD (i.e. sensors that may be directly attached to an ACM) that have already been configured.
300. elect the action type to be taken. Note: Resolve Actions are configured exactly the same as Trigger Actions, except the designated Resolve Actions are all executed on resolution of the trigger condition and there are no Action Delay Times set. 7.5 Configure SMTP, SMS, SNMP and/or Nagios service for alert notifications. The Auto-Response facility enables remote alerts to be sent as Trigger and Resolve Actions. Before such alert notifications can be sent, you must configure the nominated alert service. 7.5.1 Send Email alerts. The console server uses SMTP (Simple Mail Transfer Protocol) for sending the email alert notifications. To use SMTP, the Administrator must configure a valid SMTP server for sending the email. Select Alerts & Logging: SMTP & SMS.
301. [Screenshot: Nagios "Current Network Status" page, Service Status Details For All Hosts]
302. em Administration. Enter a new System Password then re-enter it in Confirm System Password. This is the new password for root, the main administrative user account, so it is important that you choose a complex password and keep it safe. At this stage you may also wish to enter a System Name and System Description for the console server to give it a unique ID and make it simple to identify. The System Name can contain from 1 to 64 alphanumeric characters, however you can also use the special characters _ and There are no restrictions on the characters that can be used in the System Description or the System Password (which each can contain up to 254 characters). However only the first eight Password characters are used to make the password hash. The MOTD Banner can be used to display a message of the day text to authenticating users when they access the console server via ssh, ftp or the web. Click Apply. As you have changed the password you will be prompted to log in again. This time use the new password. If you are not confident your console server has been supplied with the current release of firmware, you can upgrade. Refer Upgrade Firmware, Chapter 10. Set up new administrator. It is also recommended that you set up a new Administrator user as soon as convenient, and log in as this new user for all ongoing administration functions (rather than root). This Administrator can be configured in the admin group with full access privileg
303. email etc. Syslog Settings: Syslog Facility, Syslog Priority (syslog priority level to use on logging messages). For example, if the computer attached to serial port 3 should never send anything out on its serial console port, the Administrator can set the Facility for that port to local0 (local0 .. local7 are meant for site local values) and the Priority to critical. At this priority, if the console server syslog server does receive a message, it will automatically raise an alert. Refer to Chapter 7 Alerts & Logging. 4.1.8 NMEA Streaming. The ACM5004-G and ACM5504-5-G-I can provide GPS NMEA data streaming from the internal GPS cellular modem. This data stream presents as a serial data stream on port 5. Fix Frequency: the GPS fix rate, from 1 to 255 seconds. If changed, this field will not be applied until the device restarts or NMEA streaming is disabled and re-enabled. The Common Settings (baud rate etc.) are ignored for the NMEA virtual serial port. However you can specify the Fix Frequency (i.e. this GPS fix rate determines how often GPS fixes are obtained). You can also apply all the Console Server Mode, Syslog and Serial Bridging settings to this port. Note: The NMEA Streaming menu item should display on the Serial & Network: Serial Port menu. However for earlier revision ACM5004-G-I units you may need to update the setfset settings f
304. emote administrators to access the Opengear advanced console server and Managed Devices securely over the Internet. The administrator can establish encrypted authenticated VPN connections between advanced console servers distributed at remote sites and a VPN gateway (such as a Cisco router running IOS IPsec) on their central office network. Users and administrators at the central office can then securely access the remote console servers and connected serial console devices and machines on the Management LAN subnet at the remote location as though they were local. All these remote console servers can then be monitored with a CMS6000 on the central network. With serial bridging, serial data from a controller at the central office machine can be securely connected to the serially controlled devices at the remote sites (refer Chapter 4.1). The road warrior administrator can use a VPN IPsec software client such as TheGreenBow (www.thegreenbow.com/vpn_gateway.html) or Shrew Soft (www.shrew.net/support) to remotely access the advanced console server and every machine on the Management LAN subnet at the remote location. Configuration of IPsec is quite complex so Opengear provides a simple GUI interface for basic set up as described below. However
305. Before saving configuration locally you must prepare the USB storage device for use. Disconnect all USB storage devices except for the storage device you wish to prepare, then click here to proceed. After the USB storage device has been prepared you may reconnect other USB storage devices. To backup to the USB, enter a brief Description of the backup in the Local Backup menu and select Save Backup. The Local Backup menu will display all the configuration backup files you have stored onto the USB flash. To restore a backup from the USB, simply select Restore on the particular backup you wish to restore and click Apply. After saving a local configuration backup, you may choose to use it as the alternate default configuration. When the console server is reset to factory defaults, it will then load your alternate default configuration instead of its factory settings. To set an alternate default configuration, check Load On Erase and click Apply. Note: Before selecting Load On Erase please ensure you have tested your alternate default configuration by clicking Restore. If for some reason your alternate default c
306. Note: The SDT Connector client can be configured with unlimited number of Gateways. Each Gateway can be configured to port forward to an unlimited number of locally networked Hosts. Similarly there is no limit on the number of SDT Connector clients who can be configured to access the one Gateway. Nor are there limits on the number of Host connections that an SDT Connector client can concurrently have open through the one Gateway tunnel. However there is a limit on the number of SDT Connector SSH tunnels that can be open at the one time on a particular Gateway. SD4001/4002/4008 and CM4001/4008 devices support at least 10 simultaneous client tunnels. ACM5000, ACM5500, IM4216/4248 and CM4116/4148 each support at least 50 such concurrent connections. So for a site with a CM4116 gateway you can have at any time up to 50 users securely controlling an unlimited number of network attached computers and appliances (servers, routers etc.) at that site. 6.2.5 Manually adding hosts to the SDT Connector gateway. For each gateway you can manually specify the network connect
307. OTASP Activation: Before this can be achieved you need both a working account and an activated device, in that the Opengear's ESN (Electronic Serial Number) needs to be registered with an appropriate plan on your Carrier's account. Select the Internal Cellular Modem panel on the System: Dial menu. A particular phone number will need to be dialed to complete OTASP, e.g. Verizon uses 22899, Telus uses 22886. Click Activate to initiate the OTASP call. The process is successful if no errors are displayed and you no longer see the CDMA Modem Activation form. If OTASP is unsuccessful you can consult the System Logs for clues to what went wrong at Status: Syslog. When OTASP has completed successfully you can proceed to enabling the Internal Cellular Modem by entering the carrier's phone number (which defaults to 777) and clicking Apply. The Cellular statistics page on Status: Statistics will display the current state of the modem.
308. er 2.4.1. These alternate pinouts need to be specified in the part number at the time of order, e.g. to order an IM4248-2 dual power supply AC USA model, specify: IM4248-2-DAC-US-X0 for a unit equipped with standard Opengear Classic RJ pinouts; IM4248-2-DAC-US-X1 for a unit equipped with Cyclades RJ pinouts (rolled cable connection); IM4248-2-DAC-US-X2 for a unit equipped with Cisco RJ pinouts (straight through cable). Some console server models support RS-422 and RS-485 as well as RS-232. The four RJ45 serial ports on the ACM5004-2 and ACM5504-5-G-I are each RS-232/422/485 software selectable, as are the eight RJ45 serial ports on the ACM5508-2. The SD4002 has one DB9 RS-232 serial port (Port 1) and one DB9 connector block RS-232/422/485 software selectable serial port (Port 2). Similarly the SD4001 has one DB9 RS-232 serial port which can be hardware selected to be RS-232 or RS-422/485. Refer Appendix D (Connectivity and Serial I/O) for RS-422/485 pinout and connection details. So in summary: Serial Port Dedicated Console Pinout RS232 RS422 485 Modem port Connectors ACM500x 2 3 4 ACM5004 I 4 ACM550x 48 ACM550x 48 IM42xx 2 8 16 32 48 IM4216 34 IM4004 5 CM41xx CM4008 CM4001 D4001 D4002 X2 Cisco X2 Cisco X2 Cisco X2 Cisco XO Classic or X1 Avocent or X2 Cisco X2 Cisco X0 Classic X0 Classic X0 Classic DB9
309. Appendix D: Connectivity, TCP Ports & Serial I/O. Pin-out standards exist for both DB9 and DB25 connectors, however there are not pin-out standards for serial connectivity using RJ45 connectors. Most console servers and serially managed servers, router, switches and power devices have adopted their own unique pin-out, so custom connectors and cables may be required to interconnect your console server. Serial Port Pinout: Opengear's console servers come with one to forty eight serial connectors (notated SERIAL or SERIAL PORTS) for the RS232 serial ports. The SD4001 and SD4002, CM4001 models have DB9 serial port connectors. All other models have RJ45 serial port connectors. The RJ45 serial ports are located on the rear panel of the IM4004-5 and CM4008, on the front face of the ACM500x, and on the front panel of the rack mount CM41xx and IM42xx. The ACM5000 and ACM550 models and the IM4216-34 have Cisco serial pinouts on their RJ45 connectors. The other IM42xx console servers are available with a selection of alternate RJ45 pinouts (which must be specified in the part number at the time of order). The IM4208-2, IM4216-2, IM4232-2 and IM4248-2 console servers have three RJ45 pinout configurations available: Opengear Classic (default), Cisco or Cyclades. The CM4xxx and IM4004 models have Opengear Classic RJ45 pinout. Opengear Classic RJ45 pinout: This is the same RJ45 pinout as the Avocen
310. er and ensure the changes are stored in the console server's flash memory etc. In particular the config utility allows manipulation of the system configuration from the command line. With config a new configuration can be activated by running the relevant configurator, which performs the action necessary to make the configuration changes live. To access config from the command line: Power up the console server and connect the terminal device. If you are connecting using the serial line, plug a serial cable between the console server local DB-9 console port and terminal device. Configure the serial connection of the terminal device you are using to 115200bps, 8 data bits, no parity and one stop bit. If you are connecting over the LAN then you will need to interconnect the Ethernet ports and direct your terminal emulator program to the IP address of the console server (192.168.0.1 by default). Log onto the console server by pressing return a few times. The console server will request a username and password. Enter the username root and the password default. You should now see the command line prompt, which is a hash. This chapter is not intended to teach you Linux. We assume you already have a certain level of understanding before you execute Linux kernel level commands. The config tool. Syntax: config [-ahv] [-d id] [-g id] [-p path] [-r configurator] [-s id=value] [-P id]. Description
311. Select the Enable check box to enable the PPTP Server. Select the Minimum Authentication Required. Access is denied to remote users attempting to connect using an authentication scheme weaker than the selected scheme. The schemes are described below, from strongest to weakest. Encrypted Authentication (MS-CHAP v2): The strongest type of authentication to use; this is the recommended option. Weakly Encrypted Authentication (CHAP): This is the weakest type of encrypted password authentication to use. It is not recommended that clients connect using this as it provides very little password protection. Also note that clients connecting using CHAP are unable to encrypt traffic. Unencrypted Authentication (PAP): This is plain text password authentication. When using this type of authentication, the client password is transmitted unencrypted. None. Select the Required Encryption Level. Access is denied to remote users attempting to connect not using this encryption level. Strong 40 bit or 128 bit encryption is recommended. In Local Address enter the IP address to assign to the server's end of the VPN connection. In Remote Addresses enter the pool of IP addresses to assign to the incoming client's VPN con
312. In the SMTP Server field enter the IP address of the outgoing mail Server. If this mail server uses a Secure Connection, specify its type. You may also specify the IP port to use for SMTP. The default SMTP Port is 25. You may enter a Sender email address which will appear as the from address in all email notifications sent from
313. erial ports settings and enable supported protocols on the Serial & Network Serial Port page Environmental Configure users with access to serial ports on the Serial & Network Users page Managed Devices Welcome to the OpenGear Management Console To configure cellular router features Alerts & Logging Configure the cellular modem connection on the System Dial page Port Log Allow forwarding to the Dialout Cellular destination network on the System Firewall page Alerts Enable IP masquerading for Dialout Cellular on the System Firewall page SMTP & SMS If your system has a cellular modem you will also be given the steps to configure cellular router features > Configure the cellular modem connection System Dial page Refer Chapter 5 > Allow forwarding to the cellular destination network System Firewall page Refer Chapter 5 > Enable IP masquerading for cellular connection System Firewall page Refer Chapter 5 After completing each of the above steps you can return to the configuration list by clicking the Opengear logo in the top left corner of the screen Note If you are not able to connect to the Management Console at 192 168 0 1 or if the default Username Password were not accepted then reset your console server refer Chapter 10 3 2 Administrator Password For security reasons only the administration user named root can initially log into your console server So o
314. erred to as Users These Users when authorized can access serial or network connected devices and control these devices using the specified services e g Telnet HTTPS RDP IPMI Serial over LAN Power Control An authorized User also has a limited view of the Management Console and can only access authorized configured devices and review port logs In this manual when the term user lower case is used it is referring to both the above classes of users This document also uses the term remote users to describe users who are not on the same LAN segment as the console server These remote users may be Users who are on the road connecting to managed devices over the public Internet or it may be an Administrator in another office connecting to the console server itself over the enterprise VPN or the remote user may be in the same room or the same office but connected on a separate VLAN to the console server Management Console The Management Console runs in a browser and provides a view of the console server and all the connected devices Administrators can use the Management Console either locally or from a remote location to manage the console server users ports hosts power devices and associated logs and alerts System Name im4216 Model IM4216 Firmware 3 5 2u1 Ra O oNPengear Uptime 0 days 1 hours 6 mins 45 secs Current User root Backup Log Out System Administration Serial & Network Serial Port a im4216
315. erver amp RMM Gateway User Manual T Add OpenVPN Tunnel Tunnel Name Device Driver Protocol Tunnel Mode Configuration Method Compression Server Details Local Port IP Pool Network IP Pool Netmask Chapter 4 Serial Port Device and User Configuration A descriptive name for the OpenVPN tunnel Tun IP Select the tap or tun driver to use UDP Use a UDP or TCP protocol server Is this the Client or Server end of the tunnel PKI X 509 Certificates Authenticate using certificates or use a custom configuration Enable or disable compression sd The TCP IP port to listen on Defaults 1194 10 700 0 0 Network addresses to allocate Network mask for IF Pool gt Toenter authentication certificates and files Edit the OpenVPN tunnel gt Select the Manage OpenVPN Files tab Upload or browse to relevant authentication certificates and files Manage OpenVPN Files Configuration File Po Browse File is not NorthstoOutlet custom VPN cont Root CA 2ar Testing Certificates ca crt EE No file Certificate pai Certificate File ing Certificates acm clientc No file available Private Key File g Certificates acm clientkey No file available eae gt Apply to save changes Saved files will be displayed in red on the right hand side of the Upload button 18 Console Server amp RMM Gateway User Manual User Manual Manage OpenVPN Files Configuration File Po g
316. ervice Access Port Protocol Firewall Rules Forwarding amp Users amp Groups Forwarding Masquerading Authentication Network Hosts Create Modify Port Protocol Forward Trusted Networks My M pathy Name New Forward Rule PPTP VPN Name for the rule Call Home Cascaded Ports Interface Any x a anian The interface that the rule applies to Environmental Source Managed Devices Address Address Range The source IP address or IP address range of the data This may be left blank Alerts amp Logging IP address ranges use the format ip netmask where netmask is in bits 1 32 Port Log Ere Auto Response pere d a i _ Range The destination IP address address range to match This may be left blank IP address ranges use the format ip netmask where netmask is in bits 1 32 Input Port Range 0 Administration SSL Certificates A port or range of ports Configuration Backup Ranges use the format start finish Firmware Only valid for TCP and UDP protocols IP amp Time Protocol TCP a Dia The protocol of the data DHCP Server Nagios Output Address Configure Dashboard The IP address that the data should be redirected to Output Port 0 Range hon hiran A port or range of ports Statistics Ranges use the format start finish Support Report Only valid for TCP and UDP protocols Syslog UPS Status For example to forward port 8443 to an internal HTTPS server on 192 168 10 2 the
317. es Then Service Access Rules can be set for connecting to the console server router itself Configuring network forwarding and IP masquerading To use a console server as an Internet or external network gateway requires establishing an external network connection e g for the ACM5004 G setting up the 3G cellular link as detailed in Chapter 5 and then setting up forwarding and masquerading Console Server & RMM Gateway User Manual 111 Chapter 5 Firewall Failover and Out of Band Note Network forwarding allows the network packets on one network interface i e LAN1 eth0 to be forwarded to another network interface i e LAN2 eth1 or dial out cellular So locally networked devices can IP connect through the console server to devices on remote networks IP masquerading is used to allow all the devices on your local private network to hide behind and share the one public IP address when connecting to a public network This type of translation is only used for connections originating within the private network destined for the outside public network and each outbound connection is maintained by using a different source IP port number By default all console server models are configured so that they will not route traffic between networks To use the console server as an Internet or external network gateway forwarding must be enabled so that traffic can be routed from the internal network to the Internet external network > Navigate t
318. es level1 v DHCP Server level 0 Disabled Nagios level 1 User connects disconnects to the service UPS Connections level 2 Input Output logging on services level 1 > Specify the logging level that is to be maintained for that particular TCP UDP port service on that particular Host Level 0 Turns off logging for the selected TCP UDP port to the selected Host Level 1 Logs all connection events to the port Level 2 Logs all data transferred to and from the port > Click Add then click Apply 7 6 4 Auto Response event logging > Check Log Events on Alerts & Logging Auto Response to enable logging all Auto Response activities 166 Console Server & RMM Gateway User Manual User Manual System Name acm5004 2 i Model ACM5004 2 I Firmware 3 5 1b1 a O opPengear Uptime 0 days 1 hours 12 mins 56 secs Current User root Backup Log Out Alerts & Logging Auto Response Configured Auto Responses Serial Port Users & Groups Name Check Type Status Modify Delete Cancel Authentication Network Hosts asdasd serial_signal Disabled B x Trusted Networks New Auto Response UPS Connections Global Auto Response Settings RPC Connections Environmental HEL SoS v Managed Devices Log Events and actions related to Auto Responses Alerts & Logging Tn mE aiii 120 Port Log Delay after system boot before processing events Auto Response SMT
319. es ports hosts power and environment Includes port controls and reports that can be accessed by Users Command line installation and configuration using the config command More advanced command line configuration activities where you will need to use Linux commands The latest update of this manual can be found online at www opengear com download html 12 Console Server & RMM Gateway User Manual User Manual Types of users The console server supports two classes of users Firstly there are the administrative users who will be authorized to configure and control the console server and to access and control all the connected devices These administrative users will be set up as members of the admin user group and any user in this class is referred to generically in this manual as the Administrator An Administrator can access and control the console server using the config utility the Linux command line or the browser based Management Console By default the Administrator has access to all services and ports to control all the serial connected devices and network connected devices hosts The second class of users embraces those who have been set up by the Administrator with specific limits of their access and control authority These users are set up as members of the users user group or some other user groups the Administrator may have added They are only authorized to perform specified controls on specific connected devices are ref
320. es this should be left as Any Source Address Address Range This allows the user to restrict access to a port forward to a specific source IP address or IP address range of the data This may be left blank IP address ranges use the format ip netmask where netmask is in bits 1 32 Destination Address Address Range The destination IP address address range to match This may be left blank IP address ranges use the format ip netmask where netmask is in bits 1 32 Input Port Range The range of ports to forward to the destination IP These will be the port s specified when accessing the port forward These ports need not be the same as the output port range Protocol The protocol of the data being forwarded The options are TCP or UDP or TCP and UDP or ICMP or ESP or GRE or Any Console Server & RMM Gateway User Manual 115 Chapter 5 Firewall Failover and Out of Band Output Address The target of the port forward This is an address on the internal network where packets sent to the Input Interface on the input port range are sent Output Port Range The port or range of ports that the packets will be redirected to on the Output Address Ranges use the format start finish Only valid for TCP and UDP protocols System Name im4216 Model IM4216 Firmware 3 5 2u1 Ra 0 opengear Uptime 1 days 0 hours 55 mins 18 secs Current User root Backup Log Out System Firewall Serial & Network Serial Port S
321. es a myriad of secure tunneling capabilities as well as a variety of authentication methods OpenSSH is the port of OpenBSD s excellent OpenSSH 0 to Linux and other versions of Unix OpenSSH is based on the last free version of Tatu Ylonen s sample implementation with all patent encumbered algorithms removed to external libraries all known security bugs fixed new features reintroduced and many other clean ups http www openssh com The only changes in the Opengear SSH implementation are PAM support EGD 1 PRNGD 2 support and replacements for OpenBSD library functions that are absent from other versions of UNIX pale config files are now in etc config e g etc config sshd_config instead of etc sshd_config etc config ssh_config instead of etc ssh_config etc config users <username> ssh instead of home <username> ssh 15 6 2 Generating Public Keys Linux To generate new SSH key pairs use the Linux ssh keygen command This will produce an RSA or DSA public private key pair and you will be prompted for a path to store the two key files e g id_dsa pub the public key and id_dsa the private key For example ssh keygen t rsa dsa Generating public private rsa dsa key pair Enter file in which to save the key home user ssh id_ rsa dsa Enter passphrase empty for no passphrase Enter same passphrase again Your identification has been saved in home user ssh id_ rsa dsa Your public
322. es an administrator For RADIUS administrators are indicated via the Framed Filter ID See the example configuration files below for example > Authorization via TACACS for both serial ports and host access Permission to access resources may be granted via TACACS by indicating an Opengear Appliance and a port or networked host the user may access See the example configuration files below for example TACACS Example user tim service raccess priv lvl 11 port cm4001 port02 port2 192 168 254 145 port05 global cleartext mit RADIUS Example paul Cleartext Password luap Service Type Framed User Fall Through No Framed Filter Id group_name admin The list of groups may include any number of entries separated by a comma If the admin group is included the user will be made an Administrator If there is already a Framed Filter Id simply add the list of group_names after the existing entries including the separating colon 9 3 SSL Certificate The console server uses the Secure Socket Layer SSL protocol for encrypted network traffic between itself and a connected user During the connection establishment the console server has to expose its identity to the user s browser using a cryptographic certificate The default certificate that comes with the console server device upon delivery is for testing purpose only and should not be relied on for secured global access The System Administrator sho
323. es through the Serial amp Network Users amp Groups menu refer Chapter 4 for details Console Server amp RMM Gateway User Manual 33 opengear Serial amp Network Serial Port Users amp Groups Authentication Network Hosts Trusted Networks IPsec VPN OpenVPN Call Home Cascaded Ports UPS Connections Groups RPC Connections Environmental Managed Devices Add a New user Username Description Alerts amp Logging Port Log Alerts SMTP amp SMS SNMP Administration 3 3 Network IP Address Chapter 3 Initial System Configuration System Name acm5003 m Model ACM5003 M Firmware 3 3 2 Uptime 0 days 0 hours 21 mins 56 secs Current User root a Backup Log Out Serial amp Network Users amp Groups pem A unique name for the user Bruce J Central Services A brief description of the user s role V admin Provides users with unlimited configuration and management privileges users Provides users with basic management privileges A group with predefined privileges the user will belong to The users authentication secret Note A password may not be required if remote authentication is being used Re enter the users password for confirmation The next step is to enter an IP address for the principal Ethernet LAN Network Network1 port on the console server or enable its DHCP client so that it a
324. ese ports you can select the System I O Ports menu and a table with the summary status of the four digital I O ports will be displayed O Port1 DIO1 or SENSOR71 I O Port2 DIO2 or SENSOR2 I O Port3 SENSORS and I O Port4 SENSOR 4 System Name les1204a Model LES1204A Firmware 3 1 0u1 Aa O opPengear Uptime 1 days 6 hours 50 mins 24 secs Current User root Backup Log Out System I O Ports Serial amp Network vo Pati Serial Port 4 Users amp Groups 1 O Port 1 default Input Authentication direction Network Hosts Output Trusted Networks IPsec VPN The direction of the I O port at power on Cascaded Ports UPS Connections 1 0 Port 1 default Low RPC Connections ical state Environmental High Managed Devices If the port is configured as an output this is the electrical state of the port at power on Alerts amp Logging Port Log Alerts I O Port 2 1 0 Port 2 default Input direction Output Administration SSL Certificates The direction of the I O port at power on Configuration Backup Firmware 1 0 Port 2 default Low electrical state High Services If the port is configured as an output this is the electrical state of the port at power on DHCP Server Nagios Configure Dashboard 1O Ports 1 0 Port 3 Console Server amp RMM Gateway User Manual 185 Chapter 8 Power Environmental amp Digital I O gt Screw the bare wires on an
325. esolve actions will not be run Save Auto Response Before configuring serial port checks in Auto Response you first must configure the serial port in Console server mode Also most serial port checks are not resolvable so resolve actions will not be run 7 2 6 ICMP Ping To use a ping result as the Auto Response trigger event gt Click on ICMP Ping as the Check Condition gt Specify which Address to Ping i e IP address or DNS name to send ICMP Ping to and which Interface to send ICMP Ping from e g Management LAN or Wireless network gt Set the Check Frequency i e the time in seconds between checks and the Number of ICMP Ping packets to send gt Check Save Auto Response opengear Serial amp Network Serial Port Users amp Groups Authentication Network Hosts Trusted Networks IPsec VPN OpenVPN Call Home Cascaded Ports UPS Connections RPC Connections Environmental Managed Devices Alerts amp Logging Port Log Auto Response SMTP amp SMS Administration SSL Certificates Configuration Backup Firmware IP NHCP Server Console Server amp RMM Gateway User Manual System Name img4004 5 Model IMG4004 5 Firmware 3 5 1b1 Uptime 0 days 2 hours 37 mins 42 secs Current User root Auto Response Settings Name Reset Timeout Repeat Trigger Actions Check Conditions Environmental Alar
326. ess and control authorized devices View serial port logs and host logs for those devices Use SDT Connector or the Web Terminal to access serially attached consoles Control of power devices where authorized All other Management Console menu items are available to Administrators only 13 1 Device Management To display the Managed Devices and their associated serial network and power connections > Select Manage Devices The Administrator will be presented with a list of all configured Managed Devices whereas the User will only see the Managed Devices they or their Group has been given access privileges for System Name img4004 5 Model IMG4004 5 Firmware 2 7 0p1 opengear Uptime 0 days 0 hours 12 mins 34 secs Current User user 13 Manage Devices Manage Devices Managed Devices Network Serial Power Port Logs Host Logs Device Description Connections Power Terminal IBM X 324 Asterisk PBX Network Host 192 168 0 44 UPS MainUPS RPC PDU R7D outlet 3 PowerEdgeR9000 5 Dell mail Network Host 192 168 0 70 UPS MainUPS server MainUPS Computer UPS MainUPS room battery PDU R7D Baytech RPC PDU R7D PDU EMD PBX PBX cabinet EMD EMD PBX > Select Serial Network or Power for a view of the specific connections The user can then take a range of actions using these serial network or power connections by selecting the Action icon or the related Manage menu item 13 2 Port and Host Logs Administrators
327. ess the system with RDP click Add on the Remote Desktop Users dialog box Note If you need to set up new users for Remote Desktop access open User Accounts in the Control Panel and proceed through the steps to nominate the new user s name password and account type Administrator or Limited Note With Windows XP Professional and Vista you have only one Remote Desktop session and it connects directly to the Windows root console With Windows Server 2008 you can have multiple sessions and with Server 2003 you have three sessions the console session and two other general sessions So more than one user can have active sessions on a single computer Console Server & RMM Gateway User Manual 135 Chapter 6 Secure SSH Tunneling & SDT Connector When the remote user connects to the accessed computer on the console session Remote Desktop automatically locks that computer so no other user can access the applications and files When you come back to your computer at work you can unlock it by typing CTRL ALT DEL 6 8 2 Configure the Remote Desktop Connection client Now you have the Client PC securely connected to the console server either locally or remotely thru the enterprise VPN or a secure SSH internet tunnel or a dial in SSH tunnel you can establish the Remote Desktop connection from the Client To do this you simply enable the Remote Desktop Connection on the remote client PC then point it to the SDT Secure Tunnel port in the
328. et hostname or DNS domain name Listen for incoming HTTP requests Query and set hardware clock RTC Network super server daemon Network echo utility Process control initialization Show or manipulate routing devices policy routing and tunnels Linux IPMI manager Administration tool for IPv4 packet filtering and NAT Administration tool for IPv6 packet filtering Restore IP Tables Save IP Tables Send a signal to a process to end gracefully Make links between files Begin session on the system Opengear loopback diagnostic command Opengear loopback diagnostic command Opengear loopback diagnostic command Opengear loopback diagnostic command Opengear loopback diagnostic command Opengear loopback diagnostic command List directory contents Send and receive mail Make directories Create an MS DOS file system under Linux Make block or character special files File perusal filter for crt viewing Mount a file system SMTP mail client Move rename files TCP IP Swiss army knife Upgrade firmware on ucLinux platforms using the blkmem interface Print network connections routing tables interface statistics etc Network Time Protocol NTP daemon Display process es selected by regex pattern Find the process ID of a running program send ICMP ECHO_REQUEST packets to network hosts IPV6 ping Sends a signal to process es selected by regex pattern Opengear command similar to the standard chat command via portmanager Cons
329. ete node config users user2 The following command will synchronize the live system with the new configuration config r users 14 1 3 Adding and removing user Groups The console server is configured with a few default user groups even though only two of these groups are visible in the Management Console GUI To find out how many groups are already present config g config groups total Assume this value is six Make sure to number any new groups you create from seven onwards To add a custom group to the configuration with Group name Group 7 Group description MyGroup and Port access 1 5 you d issue the commands config s config groups group7 name Group7 config s config groups group7 description MyGroup config s config groups total 7 config s config groups group7 port1 on config s config groups group7 port5 on Assume we have an RPC device connected to port 1 on the console manager and the RPC is configured To give this group access to RPC outlet number 3 on the RPC device run the two commands below config s config ports port1 power outlet3 groups group1 Group7 config s config ports port1 power outlet3 groups total 1 total number of groups that have access to this outlet If more groups are given access to this power outlet then increment the config ports port1 power outlet3 groups total element accordingly To give this group access to network host 5 config s config sdt hosts host5 group
330. ettings Disable modem communication Allow incoming modem communication Allow outgoing modem communication The username for authentication The secret to use when authenticating the user Re enter the user s password for confirmation The IP address to assign a dial in client The IP address for the dial in server The dialed connection is to become a default route for the system An optional AT command sequence to initialize the modem D None D PAP CHAP D MSCHAPv2 The method to use when checking the dial in users credentials E Allow dial in from phone numbers matching the permitted calling number only A complete phone number or regular expression to match against the calling number None DDNS disabled Update a DNS server when IP address is changed The DDNS server to push updates to Opengear console servers and cellular routers with Version 3 3 firmware and beyond have basic routing NAT Network Address Translation packet filtering and port forwarding support on all network interfaces 110 Console Server amp RMM Gateway User Manual User Manual LAN 1 Network interface p Opengear Console Server Router OUTGOING IP ae ici TRAFFIC MASQUERADE _ FILTERING a a RULES Modem Dial in Dialout INCOMING NETWORK TRAFFIC Fi FORWARD 36 Cellular SERVICE s ACCESS DNS SD s u ac Sm CONTROL ll
331. etwork Port then Edit the Network Host to be monitored and select New Checks The additional check option will have been included in the updated Nagios Checks list and you can again customize the arguments Console Server & Router User Manual 221 Chapter 10 Nagios Integration Check by SSH gs Check CLAMD hange then edit and click update Click Apply to commit changes to configuration Check Dummy Check FTP Check HP JetDirect Check HTTP bwer device Power Device Username Power Device Password ower device Confirm Password confirmation Log Level this power device Nagios Settings Enable Nagios sfaults to host name if unset anne user Command 1 Check by SSH Use Default Args w a Default Args i SUSER H HOST C COMMAND Nagios Checks If you need other plug ins to be loaded into the IM42xx firmware If the plug in is a Perl script it must be rewritten as the console server does not support Perl at this point However if you do require Perl support please make a feature request to support opengear com Individual compiled programs may be generated using gcc for ARM Again contact support opengear com for details 10 4 4 Number of supported devices Ultimately the number of devices that can be supported by any particular console server is a function of the number of checks being made and how often they are performed Access method will also play a part The table below sh
332. evices on the local network must be configured with Gateway and DNS settings This can be done statically on each device or using DHCP on IM and ACM models Manual Configuration Manually set a static gateway address being the address of the console server and set the DNS server address to be the same as used on the external network i e if the console server is acting as an internet gateway or a cellular router Service Access Source Networks Network Interface Management LAN Dialout Cellular VPN Enable IP Masquerading SNAT Apply then use the ISP provided DNS server address DHCP Configuration IM ACM families only gt Navigate to the System IP page gt Click the tab of the interface connected to the internal network To use DHCP a static address must be set check System Name im4216 Model IM4216 Firmware 3 3 0p3 Aa 0 Uptime 0 days 3 hours 9 mins 47 secs Current User root Backup Log Out System Firewall Port Forwarding Port Rules Forwarding amp Masquerading Network Forwarding and Masquerading Allowed Destination Networks IG Ol E Management LAN E Dialout Cellular Dialin VPN Network Interface Dialout Cellular Dial in E VPN Network Interface Management LAN Dial in VPN 7 Network Interface Management LAN Dialout Cellular VPN Network Interface Management LAN Dialout Cellular 7 Dial in IP Masquerading is use
333. ew Host i l B Import Preferences A Export Preferences e Exit Enter the IP or DNS Address of the console server and the SSH port that will be used typically 22 If SDT Connector is connecting to a remote console server through the public Internet or routed network you will need to Determine the public IP address of the console server or of the router firewall that connects the console server to the Internet as assigned by the ISP One way to find the public IP address is to access http checkip dyndns org or http www whatismyip com from a computer on the same network as the console server and note the reported IP address Set port forwarding for TCP port 22 through any firewall NAT router that is located between SDT Connector and the console server so it points to the console server http www portforward com has port forwarding instructions for a range of routers Also you can use the Open Port Check tool from http www canyouseeme org to check if port forwarding through local firewall NAT router devices has been properly configured Enter the Username and Password of a user on the gateway that has been enabled to connect via SSH and or create SSH port redirections G New SDT Gateway Gateway Address Port 22 Gateway Username Gateway Password Descriptive Name Description Notes & OK 96 Cancel > Optionally enter a Descriptive Name to display instead of the IP
334. f 0 is returned or nothing is done on exit as in the above script the user is permitted otherwise the user is denied access Console Server & Router User Manual 215 Chapter 16 KCS Client Configuration Here is a more complex script which reads from configuration to display the port label if available and denies access to the root user <etc config pmshell start sh> bin sh PORT 1 USER 2 LABEL config g config ports port PORT label cut f2 d if USER root then echo Permission denied for Super User exit 1 fi if z LABEL then echo Welcome USER you are connected to Port PORT else echo Welcome USER you are connected to Port PORT LABEL fi <etc config pmshell start sh> 15 3 Raw Access to Serial Ports 15 3 1 Access to serial ports You can use tip and stty to completely bypass the portmanager and have raw access to the serial ports When you run tip on a portmanager controlled port portmanager closes that port and stops monitoring it until tip releases control of it With stty the changes made to the port only stick until that port is closed and opened again So it is doubtful that people will want to use stty for more than initial debugging of the serial connection If you want to use stty to configure the port you can put stty commands in etc config scripts portXx init which gets run whenever portmanager opens the port Otherwise any setup you do with
335. f other CLI commands related to other open source tools embedded in the console server including e PowerMan provides power management for many preconfigured remote power controller RPC devices For CLI details refer http linux die net man 1 powerman e Network UPS Tools NUT provides reliable monitoring of UPS and PDU hardware and ensure safe shutdowns of the systems which are connected with a goal to monitor every kind of UPS and PDU For CLI details refer http www networkupstools org e Nagios is a popular enterprise class management tool that provides central monitoring of the hosts and services in distributed networks For CLI details refer http www nagios org Many components of the console server software are licensed under the GNU General Public License version 2 which Opengear supports You may obtain a copy of the GNU General Public License at http www fsf org copyleft gpl html Opengear will provide source code for any of the components of the software licensed under the GNU General Public License upon request Console Server & Router User Manual 307 Linux Commands & Source Code Note The software included in each Opengear console server contains copyrighted software that is licensed under the GPL refer Appendix F for a copy of the GPL license You may obtain the latest snapshot source code package on a CD by sending a money order or check for 5 to Opengear Support 630 West 9560 South Suite A Sandy UT 8
336. f that system it is up to the author donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License 8 If the distribution and or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries so that distribution is permitted only in or among countries not thus excluded In such case this License incorporates the limitation as if written in the body of this License 9 The Free Software Foundation may publish revised and or new versions of the General Public License from time to time Such new versions will be similar in spirit to the present version but may differ in detail to address new problems or concerns Each version is given a distinguishing version number If the Program specifies a version number of this License which applies to it and any later version you have the option of following the terms and conditions either of that version or of any later version published by Console Server amp Router User Manual 329 License Agreement the Free Software Foundation If the Program does not specify a version number of this License you may choose any version ever publis
337. f the other end of the tunnel. If you select Shared secret, you will need to enter a Pre-shared secret (PSK). The PSK must match the PSK configured at the other end of the tunnel. In Authentication Protocol, select the authentication protocol to be used: either authenticate as part of ESP (Encapsulating Security Payload) encryption, or separately using the AH (Authentication Header) protocol. Enter a Left ID and Right ID. This is the identifier that the local host/gateway and remote host/gateway use for IPsec negotiation and authentication. Each ID must include an '@' and can include a fully qualified domain name preceded by '@' (e.g. left@example.com). Enter the public IP or DNS address of this Opengear VPN gateway (or, if not an ACM5004 G or ACM5504 5 G, enter the address of the gateway device connecting it to the Internet) as the Left Address. You can leave this blank to use the interface of the default route. In Right Address, enter the public IP or DNS address of the remote end of the tunnel (only if the remote end has a static or dyndns address). Otherwise leave this blank. If the Opengear VPN gateway is serving as a VPN gateway to a local subnet (e.g. the console server has a Management LAN configured), enter the private subnet details in Left Subnet. Use the CIDR notation (where the IP address number is followed by a slash and the number of one bits in the binary notation of the netmask). For example, 192.168.0.0/24 indicates an IP a
338. f you selected SNMP protocol you will need to enter the SNMP v1 or v2c Community for Read Write access by default this would be private RPC Type None a APC 24 Port APPv2 6 5 AOSv2 6 4 24 outlets APC 24 Port APPv3 3 3 AO0Sv3 4 4 24 outlets APC 7900 8 outlets APC 8 Port AP9210 8 outlets APC 8 Port APP v2 0 0 A0Sv2 5 4 8 outlets APC 8 Port APPv2 0 2 A0Sv2 5 3 8 outlets APC 8 Port APP v2 2 0 A0Sv3 0 3 8 outlets APC PDU 24 outlets Appro 48 outlets Baytech Serial Devices 8 outlets Cyclades PM10 10 outlets Cyclades PM20 20 outlets Cyclades PM8 8 outlets Dataprobe CP 815 8 outlets Digital Loggers 8 outlets HP 3488 1 outlets IBM Blade Center 15 outlets IBM H8 1 outlets ICS 8064 16 outlets IP Power 9258 via RS232 4 outlets Linux Networx ICE Box v2 x 10 outlets Linux Networx ICE Box v3 x v4 x 10 outlets del IMG4004 5 Firmware 2 7 0p1 9 mins 40 secs Current User root k RPC Connections MicroEnergetics WP Phantom v3 v4 1 outlets Rose UltraPower 12 outlets J Server Technology Sentry Switched CDU 8 outlets Sun Integrated Lights Out Management 1 outlets WTI NetPowerSeries 8 outlets M None X Specify the type of the connected power device ir device User Manual Note Edit RPC Name PDU R4A A descriptive name for the power device Description PDU Rack 4A A brief description for the power device Connec
339. firewalled, not routable, or otherwise unreachable from the CMS, the SSH connections are initiated by the Managed Console Server via an initial Call Home connection. This ensures secure, authenticated communications and enables Managed Console Server units to be distributed locally on a LAN, or remotely around the world. 4.12.1 Set up Call Home candidate. To set up the console server as a Call Home management candidate on the CMS: Select Call Home on the Serial & Network menu. If you have not already generated or uploaded an SSH key pair for this console server, you will need to do so before proceeding (refer to Chapter 3). Click Add.
340. following command will switch on the led: ioc p 4 d 0 v 1. OUT1 and OUT2 transistors can operate with a supply of >5V to <30V 100mA. This means to drive a relay circuit you must guarantee it doesn't provide more than 100mA when set to 1. Chapter 9 Authentication. AUTHENTICATION. The console server platform is a dedicated Linux computer, and it embodies a myriad of popular and proven Linux software modules for networking, secure access (OpenSSH) and communications (OpenSSL), and sophisticated user authentication (PAM, RADIUS, TACACS, Kerberos and LDAP). This chapter details how the Administrator can use the Management Console to establish remote AAA authentication for all connections to the console server and attached serial and network host devices. This chapter also covers establishing a secure link to the Management Console using HTTPS, and using OpenSSL and OpenSSH for establishing a secure Administration connection to the console server. More details on RSA SecurID and working with Windows IAS can be found on the online FAQs. 9.1 Authentication Configuration. Authentication can be performed locally, or remotely using an LDAP, Radius, Kerberos or TACACS authentication server. The default authentication method for the console server is Local.
341. following settings would be used: Input Interface: Any; Input Port Range: 8443; Protocol: TCP; Output Address: 192.168.10.2; Output Port Range: 443. 5.8.4 Firewall rules. Firewall rules can be used to block or allow traffic through an interface based on port number, the source and/or destination IP address (range), the direction (ingress or egress) and the protocol. This can be used to allow custom on-box services, or block traffic based on policy. To set up a firewall rule: Navigate to the System: Firewall page and click on the Firewall Rules tab. Create/Modify Firewall Rule fields: Name (New Firewall Rule): Name for the rule. Interface (Any): The interface that the rule applies to. Destination Port (Port Range): A port or range of ports. Ranges use the format start finish. Range The source IP
342. for more detailed information on configuring Openswan IPsec at the command line and interconnecting with other IPsec VPN gateways and road warrior IPsec software, refer to http://wiki.openswan.org and http://opengear.com/faq.html. 4.9.1 Enable the VPN gateway. Select IPsec VPN on the Serial & Networks menu. Click Add and complete the Add IPsec Tunnel screen. Enter any descriptive name you wish to identify the IPsec Tunnel you are adding, such as WestStOutlet VPN.
343. g Connections Properties ajx General Users Networking Users allowed to connect E E Administrator O We Guest E gi opengear OpenGear ppp connection E gi potgs O i fi SUPPORT _ 38694580 CN Microsott Corporation L A edre 2 Hew Delete Properties Mote that other factors such as a disabled user account may affect a user s ability to connect T Always allow directly connected devices such as palmtop computers to connect without providing a password x e You need to put a check in the box for Always allow directly connected devices such as palmtop Also the option for to Set up an advanced connection is not available in Windows 2003 if RRAS is configured If RRAS has been configured it is a simply task to enable the null modem connection for the dial in configuration C For earlier version Windows computers again follow the steps in Section B above however to get to the Make New Connection button 6 10 2 For Windows 2000 click Start and select Settings then at the Dial Up Networking Folder click Network and Dial up Connections and click Make New Connection Note you may need to first set up connection over the COM port using Connect directly to another computer before proceeding to Set up an advanced connection For Windows 98 you double click My Computer on the Desktop then open Dial Up Networking and double Set up SDT Serial Ports on console server To set up RDP and VNC forwar
344. get or the maximum number of Managed Devices to be displayed in the devices widget gt Click Apply System Name acm5003 m Model ACM5003 M Firmware 3 3 2 Ra O opengear Uptime 1 days 1 hours 33 mins 34 secs Current User root Backup Log Out System Configure Dashboard Serial Port Dashboard Layout Configure Widgets Users amp Groups Authentication Configuring Dashboard for User Radmin Network Hosts Sein Trusted Networks IPsec VPN OpenVPN Call Home Widget 1 Alerts Cascaded Ports Amount UPS Connections RPC Connections Maximum number of alerts to display in dashboard Environmental Managed Devices Alerts E Connection Alert Signal Alert Pattern Match Alert UPS power status alert J Environmental and Power Sensor Alert Alarm Sensor Alert Choose which alerts to display in the dashboard Administration SSL Certificates Configuration Backup Firmware Widget 2 Managed Devices IP Date amp Time Amount Dial Firewall Maximum number of managed devices to display in dashboard DHCP Server Note Dashboard configuration is stored in the etc config config xml file Each configured dashboard will increase the config file If this file gets too big you can run out of memory space on the console server 12 5 2 Creating custom widgets for the Dashboard T o run a custom script inside a dashboard
345. gital I O and Environmental Sensors Any ACM5000 or ACM5500 model with an I in the model number or any ACM5000 with the E option all ship with an external green connector block for attaching environmental sensors and digital I O devices Plug in this block and screw in any external devices On the ACM5508 2 I ACM5504 5 G l ACM5004 2 and ACM5004 G I models this block can also be used for connecting the external DC power source Refer Chapter 8 for further details Console Server amp RMM Gateway User Manual 29 Chapter 3 Initial System Configuration SYSTEM CONFIGURATION This chapter provides step by step instructions for the initial configuration of your console server and connecting it to the Management or Operational LAN This involves the Administrator Activating the Management Console Changing the Administrator password Setting the IP address console servers principal LAN port Selecting the network services to be supported This chapter also discusses the communications software tools that the Administrator may use in accessing the console server and the configuration of the additional LAN ports 3 1 Management Console Connection Your console server comes configured with a default IP Address 192 168 0 1 Subnet Mask 255 255 255 0 gt Directly connect a Computer to the console server Note For initial configuration it is recommended that the console server be connected directly to a single Computer However if you
346. gt gt gt gt gt gt Launch SDT Connector on your PC Select Edit Preferences and click the Services tab Click Add Enter Serial Port 2 in Service Name and click Add Select Telnet client as the Client Enter 2002 in TCP Port Click OK then Close and Close again 5 Opengear SDTConnector File Edit Help Era SDTConnector Preferences Clien Ee Add Service Service Name Serial Port 2 G Add Port Redirection General Advanced Client Telnet client TCP Port Mii amp OK 3 Cancel Assuming you have already set up the target console server as a gateway in your SDT Connector client with username password etc select this gateway and click the Host icon to create a host Alternatively select File New Host Enter 127 0 0 1 as the Host Address and select Serial Port 2 for Service In Descriptive Name enter something along the lines of Loopback ports or Local serial ports Click OK Click Serial Port 2 icon for Telnet access to the serial console on the device attached to serial port 2 on the gateway To enable SDT Connector to access to devices connected to the gateway s serial ports you must also configure the Console server itself to allow port forwarded network access to itself and enable access to the nominated serial port gt gt Browse to the Console server and select Serial Port from Serial amp Network Click Edit next to selected Port
347. hat enables effective management of large networks of clustered console servers and the connected devices Enter the full number of serial ports on the Slave unit in Number of Ports Click Apply This will establish the SSH tunnel between the Master and the new Slave ee Serial amp Network Cascaded Ports Serial amp Network San IP Address DNS Description Number Locally Users amp Groups Port Authentication Numbers Network Hosts Trusted Networks Cascaded Ports 201 234 24 3 Denver branch DBIMS 17 24 i Delete IM4208 201 234 35 2 Eng IMG7000 3G EngVM03 25 40 i Delete Alerts amp Logging 168 34 78 4 Eng hosting site RIM4216ED 41 i Delete Port Log Alerts SIP Add Slave The Serial amp Network Cascaded Ports menu displays all the Slaves and the port numbers that have been allocated on the Master If the Master console server has 16 ports of its own then ports 1 16 are pre allocated to the Master so the first Slave added will be assigned port number 17 onwards Once you have added all the Slave console servers the Slave serial ports and the connected devices are configurable and accessible from the Master s Management Console menu and accessible through the Master s IP address e g gt gt gt gt gt 4 6 4 Select the appropriate Serial amp Network Serial Port and Edit to configure the serial ports on the Slave Select the appropriate Serial amp Network Users amp Groups to a
348. he Active Server to gain access to the console server. Additionally, a user must be a member of the LDAP Administration Group DN in order to gain administrator access to the console server. For example, the user must be a member of AdminGroup on the Active Server to receive administration privileges on the console server. Click Apply. LDAP form fields: LDAP Server Address (192.168.254.18): Comma separated list of remote servers. Server Password: The shared secret allowing access to the authentication server. Confirm Password: Re-enter the above password for confirmation. LDAP Base DN (cn Users dc opengear dc c): The distinguished name of the search base. For example dc my company dc com. LDAP Bind DN (cn Administrator cn Users d): The distinguished name to bind to the server with. The default is to bind anonymously. LDAP Username Attribute (sAMAccountName): The LDAP attribute corresponding to the login name. On Active Directory servers the attribute is sAMAccountName. LDAP Group Membership Attribute (memberOf): The LDAP attribute that is used to indicate group memberships. On Active Directory servers the attribute is memberOf. LDAP Console Server Group DN (cn MyGroup cn Users dc o): The distinguished name of a group existing on the server which all users with access to the console server must belong to. LDAP Administration Group DN (cn AdminGroup cn Users dc): The distinguished name of a group exis
349. he console server will vary. One aspect may be to upload check results through NSCA. Another may be to provide an SSH tunnel to allow the Nagios server to run NRPE commands. Remote site with no network access: In this scenario the console server allows dial-in access for the Nagios server. Periodically, the Nagios server will establish a connection to the console server and execute any NRPE commands, before dropping the connection. Chapter 11 System Management. SYSTEM MANAGEMENT. This chapter describes how the Administrator can perform a range of general console server system administration and configuration tasks such as: Applying Soft and Hard Resets to the gateway; Re-flashing the Firmware; Configuring the Date, Time and NTP; Setting up Backup of the configuration files; Delayed configuration commits; Configuring the console server in FIPS mode. System administration and configuration tasks that are covered elsewhere include: Resetting System Password and entering new System Name/Description for the console server (Chapter 3.2); Setting the console server's System IP Address (Chapter 3.3); Setting the permitted Services by which to access the console server (Chapter 3.4); Setting up OoB Dial-in (Chapter 5); Configuring the Dashboard (Ch
350. he initial configuration of the console server you must connect a computer to the console servers principal network port This port is labeled NETWORK on IM4004 5 NETWORK7 on IM4200 LAN on ACM5500 CM4000 and SD4000 LAN USB1 on ACM5000 24 Console Server amp RMM Gateway User Manual User Manual 2 4 Serial Port Connection Console servers all come with one to forty eight serial ports marked SERIAL or SERIAL PORTS These ports connect to serially Managed Devices Each console server also has either a dedicated Local Console or modem port marked LOCAL or CONSOLE or one or its SERIAL ports can be software configured in Local Console mode This Local Console port can be used for local command line access or external serial modem out of band connection All console server models except the SD4001 ACM5000 and ACM5500 have a dedicated DB9 Local Console port This DB9 connector is located on the front of the CM4100 IM4004 5 and IM4200 models and on the rear of the CM4001 and CM4008 The ACM5002 and ACM5003 5004 model has two or three or four SERIAL PORTS presented as RJ45 ports 1 4 Similarly the ACM5504 and ACM5508 models have four or eight SERIAL PORTS presented as RJ45 ports 1 8 Port 1 on all these models by default is configured in Local Console mode The SD4002 has two DB9 serial ports Ports 1 2 By default Port 1 is configured in Local Console modem mode Similarly the SD4001 has one DB9 serial port and by default i
351. hed by the Free Software Foundation. 10. If you wish to incorporate parts of the Program into other free programs whose distribution conditions are different, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally. NO WARRANTY 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM
352. hen booting. The /etc/config/rc.local script runs whenever the system boots. By default this script file is empty. You can add any commands to this file if you want them to be run at boot time, e.g. if you wanted to display hello world:
    #!/bin/sh
    echo "Hello World"
If this script has been copied from a Windows machine you may need to run the following command on the script before bash can run it successfully:
    dos2unix /etc/config/rc.local
Another scenario would be to call another custom script from the /etc/config/rc.local file, ensuring that your custom script will run whenever the system is booted. 15.1.2 Running custom scripts when alerts are triggered. Whenever an alert gets triggered, specific scripts get called. These scripts all reside in /etc/scripts/. Below is a list of the default scripts that get run for each applicable alert: For a connection alert (when a user connects or disconnects from a port or network host): /etc/scripts/portmanager-user-alert (for port connections) or /etc/scripts/sdt-user-alert (for host connections). For a signal alert (when a signal on a port changes state): /etc/scripts/portmanager-signal-alert. For a pattern match alert (when a specific regular expression is found in the serial port's character stream): /etc/scripts/portmanager-pattern-alert. For a UPS status alert (when the UPS power status changes between on line, on battery and low batter
353. hen deleting a managed device. To delete the above managed device:
    config -d config.devices.device amp
The following command will synchronize the live system with the new configuration:
    config -a
14.1.12 Port Log. To configure serial/network port logging:
    config -s config.eventlog.server.address='remote server ip address'
    config -s config.eventlog.server.logfacility='facility'
'facility' can be: Daemon, Local 0-7, Authentication, Kernel, User, Syslog, Mail, News, UUCP.
    config -s config.eventlog.server.logpriority='priority'
'priority' can be: Info, Alert, Critical, Debug, Emergency, Error, Notice, Warning.
Assume the remote log server needs a username 'name1' and password 'secret':
    config -s config.eventlog.server.username='name1'
    config -s config.eventlog.server.password='secret'
To set the remote path as '/opengear/logs' to save logged data:
    config -s config.eventlog.server.path='/opengear/logs'
    config -s config.eventlog.server.type=[none | syslog | nfs | cifs | usb]
If the server type is set to usb, none of the other values need to be set. The mount point for storing on a remote USB device is /var/run/portmanager/logdir. The following command will synchronize the live system with the new configuration:
    config -a
14.1.13 Alerts. You can add an email, SNMP or NAGIOS alert by following the steps below. The general settings for all alerts
354. ial Out Settings Always On Out of Band The access point name The sequence to dial to establish the connection defaults to 99 1 Optional user name to authenticate the connection Optional secret to use when authenticating the user Re enter the user s password for confirmation An optional AT command sequence to initialize the modem Automatic Select the Radio Access Technology for this connection Use the following DNS servers instead of the PPP provided servers The primary DNS server The secondary DNS server None DDNS disabled Update a DNS server when IP address is changed Note Your 3G carrier may have provided you with details for configuring the connection including APN Access Point Name Pin Code optional PIN code which may be required to unlock the SIM card Phone Number the sequence 102 Console Server amp RMM Gateway User Manual User Manual to dial to establish the connection defaults to 99 1 Username Password optional and Dial string optional AT commands However you generally will only need to enter your provider s APN and leave the other fields blank gt Enter the carrier s APN e g for AT amp T USA simply enter i2gold for T Mobile USA enter eoc tmobile com for InterNode Aust enter internode and for Telstra Aust enter te stra internet If the SIM Card is configured with a PIN Code you will be required to unlock the Card by entering the PIN Code If the PIN Code is
355. ients O O O O OSXvnc http www redstonesoftware com vnc html is a robust full featured VNC server for Mac OS X that allows any VNC client to remotely view and or control the Mac OS X machine OSXvnc is supported by Redstone Software Console Server amp RMM Gateway User Manual 139 Chapter 6 Secure SSH Tunneling amp SDT Connector D Most other operating systems Solaris HPUX PalmOS etc either come with VNC bundled or have third party VNC software that you can download 6 9 2 Install configure and connect the VNC Viewer VNC is truly platform independent so a VNC Viewer on any operating system can connect to a VNC Server on any other operating system There are Viewers and Servers from a wide selection of sources e g UltraVNC TightVNC or RealVNC for most operating systems There are also a wealth of Java viewers available so that any desktop can be viewed with any Java capable browser http en wikipedia org wiki VNC lists many of the VNC Viewers sources gt Install the VNC Viewer software and set it up for the appropriate speed connection Note To make VNC faster when you set up the Viewer Set encoding to ZRLE if you have a fast enough CPU Decrease color level e g 64 bit Disable the background transmission on the Server or use a plain wallpaper Refer to http doc uvnc com for detailed configuration instructions gt To establish the VNC connection first configure the VNC Viewer entering the VNC Serve
356. ill default to the first network port's IP (Network 1 as entered in System: IP). In Nagios Server Address, enter the IP address or DNS name that the console server will use to reach the upstream Nagios monitoring server. Check the Disable SDT Nagios Extensions option if you wish to disable the SDT Connector integration with your Nagios server at the head end (this would only be checked if you want to run a vanilla Nagios monitoring). If not, enter the IP address or DNS name the SDT Nagios clients will use to reach the console server in SDT Gateway Address. When NRPE and NSCA are both enabled, NSCA is the preferred method for communicating with the upstream Nagios server; check Prefer NRPE to use NRPE whenever possible (i.e. for all communication except for alerts). 10.3.2 Enable NRPE monitoring. Enabling NRPE allows you to execute plug-ins (such as check_tcp and check_ping) on the remote console server to monitor serial or network attached remote servers. This will offload CPU load from the upstream Nagios monitoring machine, which is especially valuable if you are monitoring hundreds or thousands of hosts. To enable NRPE: NRPE Enabled: Switch on the NRPE service. NRPE Port: Port to listen on for NRPE. Defaults to 5666. User to run as. Defaults to nrpe
357. imary function of the wizard is to connect to each distributed Opengear console server and import configuration into the central Nagios server This effectively adds the hosts and service checks you set up on the distributed Opengear console servers into your central Nagios server The wizard is a Linux command line script and can be downloaded from http www opengear com download html Copy or download the wizard to the central Nagios server and open a command line terminal gt Download the wizard to a location on the central Nagios server gt Open a command line terminal and change directory to the location of the wizard gt Ensure the wizard script is executable by executing chmod x sdtnagios config gt Ensure you are running as a user with write permissions to Nagios configuration and web UI files and directories gt Execute the wizard script e g sdtnagios contig The wizard will prompt you for the location of some Nagios configuration files with the option to search and the IP addresses and login credentials of the distributed Opengear console servers After the distributed configuration has been imported the wizard will ask if you want to apply the Opengear SDT Nagios Ul theme This is not required and simply changes the look and feel of the Nagios UI to that pictured below 210 Console Server amp RMM Gateway User Manual Opengear Nagios Management Console Mozilla Firefox File Edit View History Bookmarks Yahoo Tools H
358. ing Service Access Services Network Management Dialout Cellular Dial in VPN Interface LAN HTTP Web F F al Management HTTPS Web 7 T T E T Management Telnet command E E E E E shell SSH command 7 W v W m shell Telnet direct to v7 FA E W W serial ports SSH direct to 7 v 7 iv iV serial ports RAW TCP access v E 7 m to serial ports RFC 2217 access 7 W F Vv v to serial ports Unauthenticated 7 T E W telnet access to serial ports Nagios NRPE F Vv F Fj FJ daemon NUT UPS 7 T E 7 7 monitoring daemon SNMP daemon F Fa F v iv FIP Server E a a a TFIP Server E E F ia NTP Server v m v v DNS E E E E E Server Relay Respond to 7 T m V W ICMP echos Enable Web Terminal E Allow web browser access to the system command line shell via Manage gt Terminal Alternate Telnet Base A secondary TCP port range for Telnet access to serial ports Thi amp in addition to the default port 2000 A secondary TCP port range for SSH access to serial ports This amp in addition to the default port 3000 A secondary TCP port range for Raw TCP access to serial ports Thi amp in addition to the default port 4000 A secondary TCP port range for RFC 2217 access to serial ports 7his amp in addition to the default port 5000 A secondary TCP port range for Unauthenticated Telnet access to serial ports This amp in addition to the default port 6000 You have configured access protocols for the Administrato
359. ing UPS checks in Auto-Response you first must configure the attached UPS. UPS Status. To use the alert state of any attached UPS as the Auto-Response trigger event: Click on UPS Status as the Check Condition. Select the reported UPS State to trigger the Auto-Response (either On Battery or Low Battery). The Auto-Response will resolve when the UPS state returns to the Online state. Select which connected UPS Device to monitor and check Save Auto-Response. Note: Before configuring UPS state checks in Auto-Response you first must configure the attached UPS. 7.2.5 Serial Login/Logout. To monitor serial ports and check for login/logout or pattern matches for Auto-Response trigger events: Click on Serial Login/Logout as the Check Condition. Then in the Serial Login/Logout Check menu select Trigger on Login (to trigger when any user logs into the serial port) or Trigger on Logout, and specify Serial Port to perform check on, and/or Click on Serial Signal as the Check Condition. Then in the Serial Signal Check menu select the Signal (CTS, DCD, DSR) to trigger on, the Trigger condition (either on serial signal change, or check level) and specify Serial Port to perform check on, and/or Click on Serial Pattern as the Check Condition. Then in the Serial Pattern Check menu select the PCRE pattern to trigger on and the serial line (TX or RX) and Serial Port to pattern check on. Check Save Auto-Response.
360. ion only. An authentication protocol (SHA or MD5) and password will be required. authPriv: Uses both authentication and encryption. This is the highest level of security and requires an encryption protocol (DES or AES) and password in addition to the authentication protocol and password. Complete the Username. This is the Security Name of the SNMPv3 user sending the message. This field is mandatory and must be completed when configuring the console server for SNMPv3. An Authentication Protocol (SHA or MD5) and Authentication Password must be given for a Security Level of either authNoPriv or authPriv. The password must contain at least 8 characters to be valid. A Privacy Protocol (DES or AES) must be specified for the authPriv level of security to be used as the encryption algorithm. AES is recommended for stronger security. A password of at least 8 characters must be provided for encryption to work. Click Apply. Note: Console servers with V3.0 firmware and later also embed the net-snmpd daemon, which can accept SNMP requests from remote SNMP management servers and provides information on serial port and device status (refer to Chapter 15.5 for more details). Console servers with firmware earlier than V3.3 could only configure a Primary SNMP server from the Management Console. Refer to Chapter 15.5 for details on configuring the snmptrap daemon to send traps/notifications to multiple remote SNMP servers. 7.5.4 Send Nagios Event alerts
361. ion to a manager RFC 2217 compliant serial port redirector OpenSSH SSH client remote login program Authentication key generation management and conversion OpenSSH SSH daemon Program that allows plain services to be accessed via SSL Change and print terminal line settings Universal SSL tunnel Flush file system buffers Configure kernel parameters at runtime System logging utility The tar archiving utility Show traffic control settings Dump traffic on a network Telnet protocol server Client to transfer a file from to tftp server Trivial file Transfer Protocol tftp server Simple terminal emulator cu program for connecting to modems and serial devices Provide a view of process activity in real time Change file timestamps Console Server amp RMM Gateway User Manual traceroute Print the route packets take to network host traceroute6 Traceroute for IPv6 true Returns an exit code of TRUE 0 umount Unmount file systems uname Print system information usleep Delay for a specified amount of time vconfig Create and remove virtual ethernet devices vi Busybox clone of the VI text editor Ww Show who is logged on and what they are doing zcat Identical to gunzip c Commands above which are appended with come from BusyBox the Swiss Army Knife of embedded Linux http www busybox net downloads BusyBox html Others are generic Linux commands and most commands the h or help argument to provide a ter
362. ipt to cycle power </cycle> <status> script to write power status to /var/run/power-status </status> <speed> baud rate </speed> <charsize> character size </charsize> <stop> stop bits </stop> <parity> parity setting </parity> </powerstrip> The id appears on the web page in the list of available device types to configure. The outlets describe targets that the scripts can control. For example, a power control board may control several different outlets. The port id is the native name for identifying the outlet. This value will be passed to the scripts in the environment variable outlet, allowing the script to address the correct outlet. There are four possible scripts: on, off, cycle and status. When a script is run, its standard input and output are redirected to the appropriate serial port. The script receives the outlet and port in the outlet and port environment variables respectively. The script can be anything that can be executed within the shell. All of the existing scripts in /etc/powerstrips.xml use the pmchat utility. pmchat works just like the standard unix chat program, only it ensures interoperation with the port manager. The final options (speed, charsize, stop and parity) define the recommended or default settings for the attached device. 15.10 IPMItool The console server includes the ipmitool utility for managing and configuring devices that support the Intelligent
363. is connection. This generally only has to be set if two or more routes conflict or have overlapping targets. Any number equal to or greater than 0. > Click Apply. Chapter 4 Serial Port, Device and User Configuration. SERIAL PORT, HOST, DEVICE & USER CONFIGURATION. The Opengear console server enables access and control of serially attached devices and network attached devices (hosts). The Administrator must configure access privileges for each of these devices, and specify the services that can be used to control the devices. The Administrator can also set up new users and specify each user's individual access and control privileges. [Figure: network connected (HTTP, HTTPS, IPMI, ALOM, SOL, VNC, RDP, SSH, X, Telnet) and serial connected devices] This chapter covers each of the steps in configuring network connected and serially attached devices: Serial Ports: setting up the protocols to be used in accessing serially connected devices. Users & Groups: setting up users and defining the access permissions for each of these users. Authentication: this is covered in more detail in Chapter 9. Network Hosts: configuring access to local network connected computers or appliances (hosts). Configuring Trusted Networks: nominate specific IP addresses that trusted users access from. Cascading and Redirection of Serial Console Ports. Connecting to Power (UPS, PDU and IPMI) and Environment
364. ister the Public Key as an Authorized Key on the Slave. In the simple case with only one Master with multiple Slaves, you need only upload the one RSA or DSA public key for each Slave. Note: The use of key pairs can be confusing, as in many cases one file (Public Key) fulfills two roles: Public Key and Authorized Key. For a more detailed explanation, refer to the Authorized Keys section of Chapter 15.6. Also refer to this chapter if you need to use more than one set of Authorized Keys in the Slave. > Select System Administration on the Slave's Management Console > Browse again to the stored RSA (or DSA) Public Key and upload it to the Slave's SSH Authorized Key > Click Apply. The next step is to Fingerprint each new Slave-Master connection. This once-off step will validate that you are establishing an SSH session to who you think you are. On the first connection the Slave will receive a fingerprint from the Master, which will be used on all future connections. > To establish the fingerprint, first log in to the Master server as root and establish an SSH connection to the Slave remote host: ssh remhost Once the SSH connection has been established, you will be asked to accept the key. Answer yes and the fingerprint will be added to the list of known hosts. For more details on Fingerprinting, refer to Chapter 15.6. > If you are asked to supply a password, then there has been a problem with uploading keys. The keys should remove any need to supply
365. it Note: The ACM5004 G I and ACM5504 5 G I has two cellular status LEDs. The WWAN LED on top of the unit is OFF when in reset mode or not powered. When powered it will go ON, and while searching for service it will flash off briefly every 5sec. Once a radio connection has been established with your cellular carrier (i.e. after an APN has been properly configured), the WWAN LED will blink at a rate proportional to traffic signal strength detected, i.e. OFF = Low (lower than -100 dBm), Blinking Slow = Low to Medium (-99 to -90 dBm), Blinking Fast = Medium to High (-89 to -70 dBm) and ON = High (-69 dBm or higher). 5.7 Cellular Operation. When set up as a console server, the 3G cellular modem can be set up to connect to the carrier in either: Failover mode. In this case a dial-out cellular connection is only established in event of a ping failure. OOB mode. In this mode the dial-out connection to the carrier cellular network is always on, awaiting any incoming access (from a remote site wanting to access the console server or attached serial consoles/network hosts). Cellular router mode. Again, in this case the dial-out connection to the carrier cellular network is always on, but IP traffic is routed between the cellular connected network and the console server's local network ports. Circuit Switched Data (CSD) mode. In this dial-in mode the cellular modem can receive incoming call
366. ith a confirmation message Message Changes to configuration succeeded Console Server amp RMM Gateway User Manual User Manual opengedr Serial Port Users amp Groups Authentication Network Hosts Trusted Networks IPsec VPN OpenVPN PPTP VPN Call Home Cascaded Ports UPS Connections RPC Connections Environmental Managed Devices Alerts amp Logging Port Log Auto Response SMTP amp SMS SNMP Administration SSL Certificates Configuration Backup Firmware IP Date amp Time Dial DHCP Server Nagios Configure Dashboard Port Access Active Users Statistics Support Report Syslog UPS Status RPC Status Environmental Status Power Supply Status Dashboard Manage Devices Port Logs Host Logs Power Terminal 3 5 Alternate SSH Base Alternate Raw TCP Base Alternate RFC 2217 Base Alternate Unauthenticated Telnet Base Communications Software System Name im4216 Model IM4216 Firmware 3 5 2u1 Uptime 0 days 1 hours 32 mins 35 secs Current User root a Backup Log Out System Firewall Service Access Port Protocol Forwarding Firewall Rules Forwarding amp Masquerad
367. iting for TUN TAP interface to come up TEST ROUTES 0 0 succeeded len 1 ret 0 a 0 u d down Route Waiting for TUN TAP interface to come up TEST ROUTES 1 1 succeeded len 1 ret 1 a 0 u d up gt Once established the OpenVPN icon will display a message notifying of the successful connection and assigned IP This information as well as the time the connection was established is available anytime by scrolling over the OpenVPN icon i 1M4216_client is now connected Assigned IP 10 100 10 6 Note An alternate OpenVPN Windows client can be downloaded from htto www openvpn net index php openvpn client downloads html Refer to http www openvpn net index php openvpn client howto openvpn client html for help Console Server amp RMM Gateway User Manual 83 Chapter 4 Serial Port Device and User Configuration M OpenVPN Client PENVPN Access Status Settings Server Address WU Connection Profiles 4 11 PPTP VPN The ACM5500 ACM5000 IM4004 5 and IM4200 family of IM42xx advanced console servers with Firmware V3 5 2 and later include a PPTP Point to Point Tunneling Protocol server PPTP is typically used for communications over a physical or virtual serial link The PPP endpoints define a virtual IP address to themselves Routes to networks can then be defined with these IP addresses as the gateway which results in traffic being sent across the tunnel PPTP establishes a tunnel between the
368. k Configuration Method DHCP SSL Certificates Static Configuration Backup The mechanism to acquire IP settings Firmware IP IP Address Date amp Time Dial A statically assigned IP address Subnet Mask Nagios Configure Dashboard A statically assigned network mask 3 6 5 Wireless LAN Some console server models support 802 11 wireless LAN connections The ACM5003 W has an internal 802 11g wireless client LAN adapter The other ACM5000 models and IM4004 5 models can be fitted externally with a Opengear WUBR 101 802 119 USB dongle gt To configure the wireless LAN connection LAN card you must first install the USB dongle in the console server The wireless device will then be auto detected on power up and you will be presented with a Wireless LAN Interface menu in the System IP menu gt The wireless LAN is deactivated by default so to activate it first uncheck Disable 46 Console Server amp RMM Gateway User Manual User Manual opengear System Name img4004 5 Model IMG4004 5 Firmware 2 8 0p0 Uptime 0 days 0 hours 5 mins 0 secs Current User root a Backup Log Out System IP Serial amp Network Serial Port Network Interface Wireless LAN Management LAN Out of Band Failover General Settings Users amp Groups Interface Interface Interface Authentication Network Hosts Disable F Trusted Networks O Pai Deactivate this network interface UPS Con
369. k Apply to run the systemsettings configurator. The Commit Config button will no longer be displayed in the top right-hand corner of the screen, and configurations will no longer be queued. 11.6 FIPS Mode. The ACM5500, ACM5000, IM4004 5 and IM4200 family of advanced console server families all use an embedded cryptographic module that has been validated to meet the FIPS 140-2 standards. Note: The US National Institute of Standards and Technology (NIST) publishes the FIPS (Federal Information Processing Standard) series of standards. FIPS 140-1 and FIPS 140-2 are both technical standards and worldwide de facto standards for the implementation of cryptographic modules. These standards and guidelines are issued by NIST for use government-wide. NIST develops FIPS when there are compelling Federal government requirements, such as for security and interoperability, and there are no acceptable industry standards or solutions. Opengear advanced console servers use an embedded OpenSSL cryptographic module that has been validated to meet the FIPS 140-2 standards and has received Certificate
370. k Next. On the Getting Ready screen select Set up my connection manually and click Next. On the Internet Connection screen select Connect using a dial-up modem and click Next. Enter a Connection Name (any name you choose) and the dial-up Phone number that will connect through to the console server modem. Enter the PPP User name and Password you have set up for the console server. Set up earlier Windows clients: For Windows 2000, the PPP client set up procedure is the same as above, except you get to the Dial-Up Networking Folder by clicking the Start button and selecting Settings. Then click Network and Dial-up Connections and click Make New Connection. Similarly for Windows 98, you double-click My Computer on the Desktop, then open Dial-Up Networking and double-click Make New Connection and proceed as above. Chapter 5 Firewall, Failover and Out of Band. 5.2.5 Set up Linux clients. The online tutorial http://www.yolinux.com/TUTORIALS/LinuxTutorialPPP.html presents a selection of methods for establishing a dial-up PPP connection: Command line PPP and manual configuration (which works with any Linux distribution). Using the Linuxconf configuration tool (for Red Hat compatible distributions). This configures the scripts ifup/ifdown to start and stop a PPP connection. Using the Gnome control panel configuration tool. WVDIAL and the Redhat Dialup configuration tool. GUI dial program X isp
371. k and serial connections. For each check it has two configurations, one each for NRPE and NSCA. In practice, these would be combined into a single check which used NSCA as a primary method, falling back to NRPE if a check was late. For details, see the Nagios documentation (http://www.nagios.org/docs) on Service and Host Freshness Checks. Host definitions. Opengear Console server: define host { use generic-host host_name opengear alias Console server address 192.168.254.147 } Managed Host: define host { use generic-host host_name server alias server address 192.168.254.227 } Chapter 10 Nagios Integration. NRPE daemon on gateway: define command { command_name check_nrpe_daemon command_line $USER1$/check_nrpe -H 192.168.254.147 -p 5666 } define service { service_description NRPE Daemon host_name opengear use generic-service check_command check_nrpe_daemon } Serial Status: define command { command_name check_serial_status command_line $USER1$/check_nrpe -H 192.168.254.147 -p 5666 -c check_serial_$HOSTNAME$ } define service { service_description Serial Status host_name server use generic-service check_command check_serial_status } define service { service_description serial signals server host_name server use generic-service check_command check_serial_status active_checks_enabled 0 passive_checks_enabled 1 } define servicedependency { name opengear_nrpe_
372. key has been saved in home user ssh id_ rsa dsa pub The key fingerprint is 28 4aa 29 38 ba 40 14 11 5e 3f d4 fa e5 36 14 d6 user server It is advisable to create a new directory to store your generated keys. It is also possible to name the files after the device they will be used for. For example: mkdir keys; ssh-keygen -t rsa Generating public/private rsa key pair. Enter file in which to save the key (/home/user/.ssh/id_rsa): /home/user/keys/control_room Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /home/user/keys/control_room Your public key has been saved in /home/user/keys/control_room.pub The key fingerprint is 28 4a 29 38 ba 40 14 11 5e 3f 04 fa e5 36 14 d6 user server You must ensure there is no password associated with the keys. If there is a password, then the Opengear devices will have no way to supply it at runtime. Full documentation for the ssh-keygen command can be found at http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keygen 15.6.3 Installing the SSH Public/Private Keys (Clustering). For Opengear console servers the keys can be simply uploaded through the web interface, on the System Administration page. This enables you to upload stored RSA or DSA Public Key pairs to the Master and apply the Authorized key to the slave, and is described in Chapter 4. Once complete you then proceed to
373. l ACM5003 M Firmware 3 3 2 0 Uptime 0 days 0 hours 1 mins 32 secs Current User unknown Log Out System Login gt You will be prompted to log in Enter the default administration username and administration password Username root Password default Note Console servers are factory configured with HTTPS access enabled and HTTP access disabled opengear Serial amp Network Serial Port Users amp Groups Authentication Network Hosts Trusted Networks IPsec VPN OpenVPN Call Home Cascaded Ports UPS Connections RPC Connections Environmental Managed Devices System Name acm5003 m Model ACM5003 M Firmware 3 3 2 O Uptime 0 days 0 hours 4 mins 32 secs Current User root ia Backup Log Out OpenGear Management Console Welcome Welcome to the OpenGear Management Console You will need to configure the following in order to have a usable unit After completing a step by following the appropriate link you can return to the updated configuration steps by clicking on the logo in the top left corner of the Management Console Change the default administration password on the System Administration page Configure the local network settings on the Syste P page To configure console server features Configure serial ports settings and enable supported protocols on the Sera amp Network Serl Port page e Configure users with access to serial ports on the
374. l COM port However such port forwarding requires a PPP link to be set up over this serial port SDT Settings SDT Mode O Enable access over SSH to a host connected to this serial port Username The login name for PPP The default is pornog User Password The login secret for PPP The default is porog Confirm Password Re type the password for confirmation For configuration details refer to Chapter 6 6 Using SDT Connector to Telnet or SSH connect to devices that are serially attached to the console server 4 1 4 Device RPC UPS EMD Mode This mode configures the selected serial port to communicate with a serial controlled Uninterruptable Power Supply UPS Remote Power Controller Power Distribution Units RPC or Environmental Monitoring Device EMD Device Settings Device Type RPC Specify the device type Apply this setting then use the APC Connections page to configure the attached power controller gt Select the desired Device Type UPS RPC or EMD gt Proceed to the appropriate device configuration page Serial amp Network UPS Connections RPC Connection or Environmental as detailed in Chapter 8 Power amp Environmental Management 56 Console Server amp RMM Gateway User Manual User Manual 4 1 5 Terminal Server Mode gt Select Terminal Server Mode and the Terminal Type vt220 vt102 vt100 Linux or ANSI to enable a getty on the selected serial port Terminal Server Settings
375. l Port Users amp Groups Authentication Network Hosts Trusted Networks IPsec VPN Name Reset Timeout System Name img4004 5 Model IMG4004 5 Firmware 3 5 1b1 Uptime 0 days 1 hours 32 mins 51 secs Current User root Auto Response Settings Chapter 7 Alerts and Logging a Backup Log Out Alerts amp Logging Auto Response Unique Name for this AutoResponse 0 OpenVPN Call Home Time in seconds after resolution to delay before this AutoResponse can be triggered again Cascaded Ports 3 i UPS Connections e E RPC Connections Environmental Managed Devices Check Conditions Repeat Trigger actions until the check is resolved UPS Power Check Alerts amp Logging l a an Input Frequency Port Log Environmental R2APC p perform check on Auto Response ini k Input Voltage SMTP amp SMS amarae Trigger value Battery Charge SNMP nputs for the check pu q UPS Power 2 ent must exceed or drop below to trigger the Supply Temperature Administration UPS Status Comparison Above Trigger Value A ae ig Below Tage Valie Login Logout Determines what condition will cause the auto response to trigger gt Date amp Time Serial Signal ra 0 gt Dia vi Firewall Serial Pattern Hysteresis factor applied to environmental measurements DHCP Server Nagios ICMP Ping Save Auto Response Cana Maclhkl d Before configur
376. l Scripts and Alerts Raw Access to Serial Ports Access to serial ports Accessing the console modem port IP Filtering SNMP Status Reporting Retrieving status information using SNMP Check firewall rules Enable SNMP Service etc config snmpd conf Adding multiple remote SNMP managers Secure Shell SSH Public Key Authentication SSH Overview Generating Public Keys Linux Installing the SSH Public Private Keys Clustering Installing SSH Public Key Authentication Linux Generating public private keys for SSH Windows Fingerprinting SSH tunneled serial bridging SDT Connector Public Key Authentication Secure Sockets Layer SSL Support HTTPS Generating an encryption key Generating a self signed certificate with OpenSSL Installing the key and certificate Launching the HTTPS Server Power Strip Control The PowerMan tool The pmpower tool Adding new RPC devices IPMItool 15 11 Custom Development Kit CDK 15 12 Scripts for Managing Slaves 15 13 SMS Server Tools 15 14 Multicast APPENDIX A Linux Commands amp Source Code APPENDIX B Hardware Specification APPENDIX C Safety amp Certifications Appendix D Connectivity TCP Ports amp Serial I O APPENDIXE TERMINOLOGY APPENDIX F END USER LICENSE AGREEMENTS APPENDIX G SERVICE amp STANDARD WARRANTY Console Server amp RMM Gateway User Manual 264 266 266 266 266 267 268 268 270 272 272 273 274 274 273 276 276 276 277 277 278 27
377. l amp Network Managed Devices and click Add Connection gt Select the connection type for the new connection Serial Network Host UPS or RPC and then select the specific connection from the presented list of configured unallocated hosts ports outlets Console Server amp RMM Gateway User Manual 11 opengear Chapter 4 Serial Port Device and User Configuration System Name img4004 5 Model IMG4004 5 Firmware 2 7 0p1 Uptime 0 days 20 hours 0 mins 14 secs Current User root Serial amp Network Serial Port Users amp Groups Authentication Network Hosts Trusted Networks Cascaded Ports UPS Connections RPC Connections Environmental Managed Devices Alerts amp Logging Port Log Alerts SMTP amp SMS SNMP Administration Firmware wa TH Edit an Existing Device Device Name Description Notes Connections Ada Comneston Ce To add a new network connected Managed Device Serial amp Network Managed Devices IBM X 324 A descriptive name for this device Asterisk PBX A brief description of the device 192 168 0 44 MainUPS PDU R7D Outlet3 Delete Delete Derete Delete Network Host UPS v RPC v Serial gt T he Administrator adds a new network connected Managed Device using Add Host on the Serial amp Network Network Host menu This automatically creates a corresponding new Managed Device as covered in Section
378. l scan a subnet looking for PCs which are listening on one of the ports which VNC uses. Tunneling VNC over a SSH connection ensures all traffic is strongly encrypted. Also, no VNC port is ever open to the internet, so anyone scanning for open VNC ports will not be able to find your computers. When tunneling VNC over a SSH connection, the only port which you're opening on your console server is the SDT port 22. So sometimes it may be prudent to tunnel VNC through SSH even when the Viewer PC and the console server are both on the same local network. Chapter 7 Alerts and Logging. ALERTS, AUTOMATED RESPONSE AND LOGGING. This chapter describes the automated response, alert generation and logging features of the console server. The new Auto-Response facility (in firmware V3.5.1 and later) extends on the basic Alert facility available in earlier firmware revisions. With the new facility, the console server monitors selected serial ports, logins, the power status and environmental monitors and probes for Check Condition triggers. The console server will then initiate a sequence of actions in response to the triggers. To configure, you: • set general parameters (Section 7.1), then • select and configure the Check Conditions, i.e. the conditions that will trigger the response (Section 7.2), then • specify the Trigger Actions, i.e. sequence of actions initiated in the event of the trigger condition (Section 7.3), then
379. le Server amp RMM Gateway User Manual User Manual Note opengear Serial amp Network Serial Port Users amp Groups Authentication Network Hosts Trusted Networks IPsec VPN OpenVPN Call Home Cascaded Ports UPS Connections RPC Connections Environmental Managed Devices Alerts amp Logging Port Log Auto Response SMTP amp SMS SNMP Administration SSL Certificates Configuration Backup Firmware DHCP Server Naning Name Reset Timeout Repeat Trigger Actions Check Conditions Environmental Alarms Digital Inputs UPS Power Supply UPS Status Serial Login Logout Serial Signal Serial Pattern ICMP Pina System Name img4004 5 Model IMG4004 5 Firmware 3 5 1b1 Uptime 0 days 2 hours 37 mins 42 secs Current User root Auto Response Settings a Backup Log Out Alerts amp Logging Auto Response Cisco console error Unique Name for this AutoResponse 0 Time in seconds after resolution to delay before this AutoResponse can be triggered again Repeat Trigger actions until the check is resolved Pattern Match on TX Match on RX Serial Port Serial Pattern Check PCRE regular expression to match on Match on transmitted characters Match on received characters Port 1 Serial Port to perform check on This check is not resolvable R
380. If this product requires service during the applicable warranty period, a Return Materials Authorization (RMA) number must first be obtained from Opengear. Product that is returned to Opengear for service or repair without an RMA number will be returned to the sender unexamined. Product should be returned, freight prepaid, in its original or equivalent packaging, to: Opengear Service Center, Suite A, 630 West 9560 South, Sandy, Utah 84070. Proof of purchase date must accompany the returned product and the Purchaser shall agree to insure the product or assume the risk of loss of damage in transit. Contact Opengear by emailing support@opengear.com for further information. TECHNICAL SUPPORT: Purchaser is entitled to thirty (30) days free telephone support and twelve (12) months free e-mail support (worldwide) from date of purchase, provided that the Purchaser first register their product(s) with Opengear by filling in the on-line form http://www.opengear.com/registration.html. Direct telephone, help-desk and e-mail support is available from 9:00 AM to 5:00 PM, Mountain Time. http://www.opengear.com/support.htm Opengear's standard warranty includes free access to Opengear's Knowledge Base as well as any application notes, white papers and other on-line resources that may become available from time to time. Opengear reserves the right to discontinue all support for products that are no longer covered by warranty. 332 Console Server & RMM Gatew
381. license as listed by the Open Source Initiative at http://opensource.org/licenses. The patent license shall not apply to any other combinations which include this software. No hardware per se is licensed hereunder. DISCLAIMER: THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH APPENDIX G: SERVICE & STANDARD WARRANTY. STANDARD WARRANTY: Opengear, Inc., its parent, affiliates and subsidiaries (collectively, "Opengear") warrant your Opengear product to be in good working order and to be free from defects in workmanship and material (except in those cases where the materials are supplied by the Purchaser) under normal and proper use and service
382. lied, devices on the internal network will be able to access resources on the external network. 5.8.3 Port Protocol forwarding. When using IP Masquerading, devices on the external network cannot initiate connections to devices on the internal network. To work around this, Port Forwards can be set up to allow external users to connect to a specific port, or range of ports, on the external interface of the console server/cellular router, and have the console server/cellular router redirect the data to a specified internal address and port range. To set up a port/protocol forward: > Navigate to the System Firewall page, and click on the Port Forwarding tab > Click Add New Port Forward > Fill in the following fields: Name: Name for the port forward. This should describe the target and the service that the port forward is used to access. Input Interface: This allows the user to only forward the port from a specific interface. In most cas
383. ll the SIM card provided by your cellular carrier and attach the external aerial Note The ACM5004 G l and ACM55044 5 G I each has two cellular status LEDs The SIM LED on top of the unit should go on solid when a SIM card has been inserted and detected gt Select Internal Cellular Modem panel on the System Dial menu gt Check Enable Dial Out Settings opengear Serial amp Network Alerts amp Logging Administration Disable Dial SSL Certificates Configuration Backup Firmware IP b e oe Enable Dial Out Firewall DHCP Server Nagios Configure Dashboard I O Ports Enable Dial In Status APN Port Access Active Users Statistics Phone Number Support Report Syslog UPS Status RPC Status Username Environmental Status Dashboard Password Manage Devices Port Logs Host Logs Confirm Power Terminal Custom Modem Initialization Radio Access Technology Override DNS Override returned DNS servers DNS Server 1 DNS Server 2 Dynamic DNS Dynamic DNS System Name acm5002 Model ACM5002 Firmware 3 4 0u1 Serial Console Port 1 a Backup Log Out Uptime 0 days 0 hours 11 mins 2 secs Current User root System Dial Internal Cellular Modem Internal Cellular Modem Dial Settings Disable modem communication Allow incoming modem communication Allow outgoing modem communication D
384. m5004 2 Model ACM5004 2 Firmware 3 5 1b0 re opengeafr Uptime 0 days 1 hours 8 mins 22 secs Current User root Backup Log Out Alerts amp Logging Port Log Serial amp Network Remote Log Storage Server Type None USB Flash Memory Trusted Networks 5 Remote Syslog IPsec VPN A NES OpenVPN i Ca Home 5 CIFS Windows Samba Cascaded Ports UPS Connections Server Address thir kano The remote Storage Server address Managed Devices Server Path Alerts amp Logging The directory where to store log in Port Log u Auto Response ame The login name required for remote server Password Admnetaion The secret required to access the remote server SSL Certificates Confirm Configuration Backup j en Re type the above secret for confirmation Date amp Time Syslog Facility Dial Daemon The facility field to include in syslog messages i Syslog Priority Info x copes Dashboard The priority field to include in syslog messages From the Manage Devices menu the Administrator will can view serial network and power device logs stored in the console reserve memory or flash USB The User will only see logs for the Managed Devices they or their Group have been given access privileges for Refer Chapter 13 Event logs on the USB can be viewed using the web terminal or by ssh telnet connecting to the console server System Name acm5004 2 Model ACM5004 2 Firmware 3 5 1b0
385. me as used on the external network i e if the console server is acting as an internet gateway or a cellular router then use the ISP provided DNS server address gt Enter the Default Lease time and Maximum Lease time in seconds The lease time is the time that a dynamically assigned IP address is valid before the client must request it again gt Click Apply The DHCP server will sequentially issue IP addresses from a specified address pool s gt Click Add in the Dynamic Address Allocation Pools field gt Enter the DHCP Pool Start Address and End Address and click Apply 114 Console Server amp RMM Gateway User Manual User Manual System Name acm5002 Model ACM5002 Firmware 3 3 0 re O opengear Uptime 0 days 4 hours 24 mins 55 secs Current User root Backup Log Out System DHCP Server Serial Port Network Interface Users amp Groups Authentication Network Hosts namically Allocated Pool Trusted Networks Dy DHCP Pool Start 100 Address The first address in the pool to use for DHCP Cascaded Ports see UPS Connections Pool En 150 RPC Connections Address Environmental The last address in the pool to use for DHCP Managed Devices Apply The DHCP server also supports pre assigning IP addresses to be allocated only to specific MAC addresses and reserving IP addresses to be used by connected hosts with fixed IP addresses To reserve an IP addresses for a particular host Once app
386. method RS232 The electrical signaling on this serial port Consult your manual to determine which protocols are supported for this port gt Select the appropriate Baud Rate Parity Data Bits Stop Bits and Flow Control for each port Console Server amp RMM Gateway User Manual 51 Note Note 4 1 2 Chapter 4 Serial Port Device and User Configuration The Signaling Protocol menu item only presents in ports with RS422 485 options i e Port 1 on SD4002 and SD4001 and all ports on ACM5004 2 1 ACM5508 2 I and ACM5504 5 G l The options available are RS232 RS422 RS485 and RS485 Echo mode Before proceeding with further serial port configuration you should connect the ports to the serial devices they will be controlling and ensure they have matching settings The serial ports are all set at the factory to RS 232 9600 baud no parity 8 data bits 1 stop bit and Console Server Mode The baud rate can be changed to 2400 230400 baud using the management console Lower baud rates 50 75 110 134 150 200 300 600 1200 1800 baud can be configured from the command line Refer Chapter 14 Basic Configuration Linux Commands Console Server Mode Select Console Server Mode to enable remote management access to the serial console that is attached to this serial port 7 VUITIQUIGUUI DOLU Firmware Console Server Settings IP Date amp Time Console Server Mode Dial Firewall DHCP
387. mhost The authenticity of host remhost 192 168 0 1 can t be established RSA key fingerprint is 8d 11 e0 7e 8a 6f ad f1 94 0f 93 fc 7c e6 ef 56 Are you sure you want to continue connecting yes no At this stage answer yes to accept the key You should get the following message Warning Permanently added remhost 192 168 0 1 RSA to the list of known hosts You may be prompted for a password but there is no need to log in you have received the fingerprint and can Ctrl C to cancel the connection If the host key changes you will receive the following warning and not be allowed to connect to the remote host WARNING REMOTE HOST IDENTIFICATION HAS CHANGED IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY Someone could be eavesdropping on you right now man in the middle attack It is also possible that the RSA host key has just been changed The fingerprint for the RSA key sent by the remote host is ab 7e 33 00 85 50 5a 43 0b e0 bd 43 3f 10 45 78 Please contact your system administrator Add correct host key in 7ssh known_hosts to get rid of this message Offending key in 7ssh known_hosts 1 RSA host key for remhost has changed and you have requested strict checking Host key verification failed If the host key has been legitimately changed it can be removed from the ssh known_hosts file and the
388. mmand line access by dial in or directly connecting to the console server s serial console modem port or by using ssh or Telnet to connect to the console server over the LAN or with PPTP IPsec or OpenVPN Manual Conventions This manual uses different fonts and typefaces to show specific actions Note Text presented like this indicates issues to take note of Text presented like this highlights important issues and it is essential you read and take heed of these warnings > Text presented with an arrow head indent indicates an action you should take as part of the procedure Bold text indicates text that you type or the name of a screen object e g a menu or button on the Management Console Italic text is also used to indicate a text command to be entered at the command line level Publishing history Date Revision Update details Jan 2010 3 8 4 SD4001 product Mar 2010 3 8 5 ACM5004 G fixed Failover details and added DDNS June 2010 3 9 V3 1 shadow password deg F SNMP SMS gateway and ACM5004 Aug 2010 3 9 1 V3 2 OpenVPN Zenoss config commit Call Home Dec 2010 4 0 V3 3 Firewall router Web Terminal SNMP updates June 2011 4 1 V3 4 GPS support SNMP traffic monitoring and IPv6 32 port models SMS over cellular Oct 2011 4 2 V3 5 Auto Response IM4004 5 Nov 2011 4 3 V3 5 2u2 PPTP GRE ext Groups FTP server multiple dial in pmshell update Add IM4216 34 Feb 2012 4 4 V3 5 2u3 Kerberos Cisco RJ in SD4000
389. mmands Single Connection Limit the port to a single concurrent connection Logging Level This specifies the level of information to be logged and monitored refer Chapter 7 Alerts and Logging Telnet When the Telnet service is enabled on the console server a Telnet client on a User s or Administrator s computer OZ can connect to a serial device attached to this serial port on the console server The Telnet communications are unencrypted so this protocol is generally recommended only for local or VPN tunneled connections With Win2000 XP NT you can run telnet from the command prompt cmd exe Windows 7 and Vista come with a Telnet client but it is not enabled by default You can install it by following the simple steps below o Click the Start button click Control Panel click Programs and then click Turn Windows features on or off If you are prompted for an administrator password or confirmation type the password or provide confirmation o Inthe Windows Features dialog box select the Telnet Client check box Console Server amp RMM Gateway User Manual User Manual Note o Click OK The installation might take several minutes CI Windows Features Turn Windows features on or off To turn a feature on select its check box To turn a feature off clear its check box A filled box means that only part of the feature is turned on SNMP feature Subsystem for UNIX based Applications V Tablet PC Op
390. mmunity v1
config -s config.ports.port2.power.log.enabled=on
config -s config.ports.port2.power.log.interval=600
config -s config.ports.port2.power.outlets=4
The following five commands are used by the Management Console to add the RPC to Managed Devices
config -s config.devices.device3.connections.connection1.name=myRPC
config -s "config.devices.device3.connections.connection1.type=RPC Unit"
config -s config.devices.device3.name=myRPC
config -s "config.devices.device3.description=RPC in room 5"
Console Server & Router User Manual 255 Chapter 14 Command Line Configuration
config -s config.devices.total=3
The following command will synchronize the live system with the new configuration
config -a
14.1.10 Environmental
To configure an environmental monitor with the following details Monitor name Envi4 Monitor Description Monitor in room 5 Temperature offset 2 Humidity offset 5 Enable alarm 1 yes Alarm 1 label door alarm Enable alarm 2 yes Alarm 2 label window alarm Logging enabled yes Log interval 120 seconds
config -s config.ports.port3.enviro.name=Envi4
config -s "config.ports.port3.enviro.description=Monitor in room 5"
config -s config.ports.port3.enviro.offsets.temp=2
config -s config.ports.port3.enviro.offsets.humid=5
config -s config.ports.port3.enviro.alarms.alarm1.alarmstate=on
config -s "config.ports.port3.enviro.alarms.alarm1.label=door alarm"
config -s c
391. mote RADIUS servers can be found at the following sites http www ldapman org articles intro_to_ldap html http www ldapman org servers html http www linuxplanet com linuxplanet tutorials 5050 1 http www linuxplanet com linuxplanet tutorials 5074 4 RADIUS TACACS user configuration Users may be added to the local console server appliance If they are not added and they log in via remote AAA a user will be added for them This user will not show up in the Opengear configurators unless they are specifically added at which point they are transformed into a completely local user The newly added user must authenticate off of the remote AAA server and will have no access if it is down Console Server amp RMM Gateway User Manual 195 Chapter 9 Authentication If a local user logs in they may be authenticated authorized from the remote AAA server depending on the chosen priority of the remote AAA A local user s authorization is the union of local and remote privileges Example 1 User Tim is locally added and has access to ports 1 and 2 He is also defined on a remote TACACS server which says he has access to ports 3 and 4 Tim may log in with either his local or TACACS password and will have access to ports 1 through 4 If TACACS is down he will need to use his local password and will only be able to access ports 1 and 2 Example 2 User Ben is only defined on the TACACS server which says he has access to ports 5 an
392. mp snmpalertd OG SMI MIB Enterprise structure of management information OGTRAP MIB SMlv1 traps from old MIBS as smilint will not let SMlv1 structures coexist with SMlv2 15 5 2 Check firewall rules gt Select System Firewall and ensure the SNMP daemon box has been checked for the interface required This will allow SNMP requests through the firewall for the specified interface 218 Console Server amp RMM Gateway User Manual System Firewall Service Access Port Forwarding Port Rules Forwarding amp Masquerading Service Access Services Network Interface Dialout Cellular Dial in VPN HTTP Web O go o O Management HTTPS Web Management Telnet command F F O O shell SSH command shell Telnet direct to go serial ports SSH direct to serial ports RAW TCP access to F serial ports RFC 2217 access to F serial ports Unauthenticated F telnet access to serial ports Nagios NRPE C daemon NUT UPS F monitoring daemon SNMP daemon 15 5 3 Enable SNMP Service The console server supports different versions of SNMP including SNMPv1 SNMPv2c and SNMPv3 SNMP although an industry standard brings with it a variety of security concerns For example SNMPv1 and SNMPv2c offer no inherent privacy while SNMPv3 is susceptible to man in the middle attacks Recent IETF developments suggests tunnelling SNMP over widely accepted technologies such as SSH Secure Shell or TLS Transport Layer Security rather tha
393. ms Digital Inputs UPS Power Supply UPS Status Serial Login Logout Serial Signal Serial Pattern a Backup Log Out Alerts amp Logging Auto Response Cisco console error Unique Name for this AutoResponse 0 Time in seconds after resolution to delay before this AutoResponse can be triggered again Repeat Trigger actions until the check is resolved ICMP Ping Check Address to Ping Interface Check Frequency Number of Packets Dial in Nurnpero Address to send ICMP Ping to Can be an IP or a DNS name Management LAN Default Route Network Interface Wireless Network Management LAN checks Out of Band Failover Dialout Cellular T ICMP Ping packets to send Save Auto Response 155 7 2 7 Chapter 7 Alerts and Logging Cellular Data This check monitors the aggregate data traffic inbound and outbound through the cellular modem as an Auto Response trigger event gt Note 7 2 8 Click on Cellular Data as the Check Condition Before configuring cellular data checks in Auto Response the internal or external USB cellular modem must be configured and detected by the console server Custom Check This check allows users to run a nominated custom script with nominated arguments whose return value is used as an Auto Response trigger event gt gt 156 Click on Custom Check as the Check Condition Create an executable trigger check script file
394. n Administration SSL Certificates No users currently configured Configuration Backup Firmware Users can be authorized to access specified services serial ports power devices and specified network attached hosts These users can also be given full Administrator status with full configuration and management and access privileges Console Server amp RMM Gateway User Manual 59 Chapter 4 Serial Port Device and User Configuration To simplify user set up they can be configured as members of Groups With firmware V3 5 2 and later there are five Groups set up by default where earlier versions only had admin and user by default admin Provides users with unlimited configuration and management privileges pptpd Group to allow access to the PPTP VPN server Users in this group will have their password stored in clear text dialin Group to allow dialin access via modems Users in this group will have their password stored in clear text ftp Group to allow ftp access and file access to storage devices pmshell Group to set default shell to pmshell users Provides users with basic management privileges Note 1 Membership of the admin group provides the user with full Administrator privileges The admin user Administrator can access the console server using any of the services which have been enabled in System Services e g if only HTTPS has been enabled then the Administrator can only access the console server using HTT
395. n assume this is 0
config -g config.portaccess.total
This command should display config.portaccess.total 1 Note that if you see config.portaccess.total this means you have 0 rules configured Your new rule will be the existing total plus 1 So if the previous command gave you 0 then you start with rule number 1 If you already have 1 rule your new rule will be number 2 etc If you want to restrict access to serial port 5 to computers from a single class C network 192.168.5.0 say you need to issue the following commands assuming you have a previous rule in place Add a trusted network
config -s config.portaccess.rule2.address=192.168.5.0
config -s "config.portaccess.rule2.description=foo bar"
config -s config.portaccess.rule2.netmask=255.255.255.0
config -s config.portaccess.rule2.port5=on
config -s config.portaccess.total=2
The following command will synchronize the live system with the new configuration
config -r serialconfig
14.1.7 Cascaded Ports
To add a new slave device with the following settings IP address DNS name 192.168.0.153 Description CM in office 42 Label cm4116-5 Number of ports 16 The following commands must be issued
config -s config.cascade.slaves.slave1.address=192.168.0.153
config -s "config.cascade.slaves.slave1.description=CM in office 42"
config -s config.cascade.slaves.slave1.label=cm4116-5
config -s config.cascade.slaves.slave1.ports=16
The total number of slave
396. n password Username root Password default 226 Console Server amp RMM Gateway User Manual System Name acm5003 m Model ACM5003 M Firmware 3 3 2 opPengear Uptime 0 days 0 hours 1 mins 32 secs Current User unknown Log Out System Login Username Password Passcode 11 2 Upgrade Firmware Before upgrading you should ascertain if you are already running the most current firmware in your gateway Your console server will not allow you to upgrade to the same or an earlier version gt The Firmware version is displayed in the header of each page gt Alternately selecting Status Support Report reports the Firmware Version System Name acm5003 m Model ACM50C M Firmware 3 3 2 pr opengedf Uptime 1 days 0 hours 1 mins 15 secs wus int ot Trt Backup Log Out Status Support Report Firmware Version Serial Port Users amp Groups OpenGear ACM500x Version 3 3 2 Tue Dec 14 00 33 01 EST 2010 Authentication Network Hosts gt To upgrade you first must download the latest firmware image from ftp ftp opengear com or htto opengear com firmware For ACM5000 family download acm500x flash For CM4116 4148 download cm41xx flash For CM4008 download cm4008 flash For CM4001 download cm4001 flash For IM4216 34 and IM4208 16 32 48 2 download im42xx flash For IM4004 5 download img4004 flash For SD4001 4002 download sd4002 flash gt Save this downloaded
397. n ports on network hosts check_ping is used to check network host availability check_nrpe is used to execute arbitrary plug ins in other devices Each console server is preconfigured with two checks that are specific to Opengear check_serial_signals is used to monitor the handshaking lines on the serial ports check_port_log is used to monitor the data logged for a serial port 10 4 3 Additional plug ins Additional Nagios plug ins listed below are available for all the IM4200 products check_apt check_by_ssh check_clamd check_dig check_dns check_dummy check_fping check_ftp check_game check_hpjd check_http check_imap check_jabber check_ldap check_load check_mrtg check_mrtgtraf check_nagios check_nntp check_nntps check_nt check_ntp check_nwstat check_overcr check_ping check_pop check_procs check_real check_simap check_smtp check_snmp check_spop check_ssh check_ssmtp check_swap check_tcp check_time check_udp check_ups check_users These plug ins from the Nagios plug ins package can be downloaded from ftp opengear com There also are bash scripts which can be downloaded and run primarily check_log sh > To configure additional checks the downloaded plug in program must be saved in the tftp addins directory on the USB flash and the downloaded text plug in file saved in etc config > To enable these new additional checks you select Serial & Network N
398. n relying on less mature security systems such as SNMPv3 s USM User based Security Model Additional information regarding SNMP security issues and SNMPv3 can be found at http://net-snmp.sourceforge.net/wiki/index.php/TUT:Security http://www.ietf.org/html.charters/snmpv3-charter.html > Select Alerts & Logging SNMP System Name acm5003 m Model ACM5003 M Firmware 3 3 2 Aa O opengear Uptime 1 days 2 hours 34 mins 51 secs Current User root Backup Log Out Alerts & Logging SNMP Serial & Network Serial Port SNMP Service Details Primary SNMP Manager Secondary SNMP Manager Users & Groups Authentication Enable A Network Hosts Enable the SNMP service Trusted Networks IPsec VPN TCP IP Protocol UDP x OpenVPN 7 Call Home The TCP IP protocol to serve Cascaded Ports z UPS Connections SEL RPC Connections System Location Environmental Managed Devices Contact Alerts & Logging System Contact pout Log SNMP v1 & v2c Alerts SMTP & SMS Read Only Community SNMP The read only community Read Write Community Administration SSL Certificates The read write community Console Server & Router User Manual 219 Chapter 16 KCS Client Configuration > The SNMP Service Details tab is shown by default The SNMP Service Details tab controls aspects of the SNMP Service including Security Level It manages request
399. nSSL This example shows how to use OpenSSL to create a self signed certificate OpenSSL is available for most Linux distributions via the default package management mechanism Windows users can check http://www.openssl.org/related/binaries.html To create a 1024 bit RSA key and a self signed certificate issue the following openssl command from the host you have openssl installed on
openssl req -x509 -nodes -days 1000 -newkey rsa:1024 -keyout ssl_key.pem -out ssl_cert.pem
You will be prompted to enter a lot of information Most of it doesn t matter but the Common Name should be the domain name of your computer e g test opengear com When you have entered everything the certificate will be created in a file called ssl_cert.pem
15.8.3 Installing the key and certificate
The recommended method for copying files securely to the console server unit is with an SCP Secure Copying Protocol client The scp utility is distributed with OpenSSH for most Unix distributions while Windows users can use something like the PSCP command line utility available with PuTTY The files created in the steps above can be installed remotely with the scp utility as follows
scp ssl_key.pem root@<address of unit>:/etc/config/
scp ssl_cert.pem root@<address of unit>:/etc/config/
or using PSCP
pscp -scp ssl_key.pem root@<address of unit>:/etc/config/
pscp -scp ssl_cert.pem root
400. nVPN Tunnel Tunnel Name NorthStOutletVPN A descriptive name for the OpenVPN tunnel Device Driver Tun IP Select the tap or tun driver to use Protocol UCP Use a UDP or TCP protocol Tunnel Mode Client Is this the Client or Server end of the tunnel Configuration Method PKI X 509 Certificates Authenticate using certificates or use a custom configuration Compression Enable or disable compression gt Select the Device Driver to be used either Tun P or Tap Ethernet The TUN network tunnel and TAP network tap drivers are virtual network drivers that support IP tunneling and Ethernet tunneling respectively TUN and TAP are part of the Linux kernel gt Select either UDP or TCP as the Protocol UDP is the default and preferred protocol for OpenVPN 76 Console Server amp RMM Gateway User Manual User Manual gt In Tunnel Mode nominate whether this is the Client or Server end of the tunnel When running as a server the advanced console server supports multiple clients connecting to the VPN server over the same port gt In Configuration Method select the authentication method to be used To authenticate using certificates select PKI X 509 Certificates or select Custom Configuration to upload custom configuration files Custom configurations must be stored in etc config Note If you select PKI public key infrastructure you will need to establish Separate certificate also Known as a public key This Certificate
401. nabled
config -d config.services.pingreply.enabled
config -s config.services.tftp.enabled=on
To set secondary port ranges for any service
config -s config.services.telnet.portbase=<port base number>    # Default 2000
config -s config.services.ssh.portbase=<port base number>    # Default 3000
config -s config.services.tcp.portbase=<port base number>    # Default 4000
config -s config.services.rfc2217.portbase=<port base number>    # Default 5000
config -s config.services.unauthtel.portbase=<port base number>    # Default 6000
The following command will synchronize the live system with the new configuration
config -a
14.1.22 NAGIOS
To configure NAGIOS with the following settings NAGIOS host name cm4116 Name of this system NAGIOS host address 192.168.0.1 IP to find this device at NAGIOS server address 192.168.0.10 upstream NAGIOS server Enable SDT for NAGIOS ext Enabled SDT gateway address 192.168.0.1 defaults to host address Prefer NRPE over NSCA Disabled defaults to Disabled
config -s config.system.nagios.enabled=on
config -s config.system.nagios.name=cm4116
config -s config.system.nagios.address=192.168.0.1
config -s config.system.nagios.server.address=192.168.0.10
config -s config.system.nagios.sdt.disabled=on    # disables SDT for nagios extensions
config -s config.system.nagios.sdt.address=192.168.0.1
config -s config.system.nagios.nrpe.prefer
To configure NRPE with following settings NRP
402. nd gt Connect the power wires to the appropriate terminals of the terminal block The Terminal on the four way screw terminal block should always be connect to the more positive voltage from OV to 48 V The terminal on the four way screw terminal block should connect to the more negative voltage from 48V to OV So the connections for 48 Volt DC input power are OV return 48 _ Safety ground f grou The connections for 48 Volt DC input power are 448 V ov a S fet p ty ground gt Tighten the terminal screw to a torque of 8 0 0 5 in Ib 0 93 0 05 N m gt Repeat the connection steps above for the second power supply gt Turn on the DC power The safety covers are an integral part of the DDC product Do not operate the unit without the safety cover installed electricity So ensure that no exposed portion of the DC input power source wire extends from the terminal block plug and safety cover Any exposed wire lead from a DC input power source can conduct harmful levels of 2 3 Network Connection The RJ45 LAN ports are located on the front panel of the rack mount CM41xx and IM42xx console servers The RJ45 LAN ports are located on the side of the smaller ACM5500 ACM5000 CM4001 8 and SD4001 2 units All physical connections are made using industry standard Cat5 cabling and connectors Ensure you only connect the LAN port to an Ethernet network that supports 10Base T 100Base T For t
403. nd control the configured serial and network attached PDU power strips and servers with embedded IPMI service processors or BMCs System Name img4004 5 Model IMG4004 5 Firmware 2 7 0p1 opengear Uptime 0 days 0 hours 30 mins 15 secs Current User root Manage Power Serial Port Users amp Groups Target 192 168 253 240 SNMP Controlled Baytech Outlet Outlet2 2 v Authentication Select a power device to manage Network Hosts F Trusted Networks ELLI Turn On Turn Off Cj Cycle E Status Cascaded Ports UPS Connections Perform an action on the power device RPC Connections Environmental Status pe Managed Devices gt Select the Manage Power and the particular Target power device to be controlled and the Outlet to be controlled if the RPC supports outlet level control gt The outlet status is displayed and you can initiate the desired Action to be taken by selecting the appropriate icon J O Turn ON Turn OFF J Cycle amp Status You will only be presented with icons for those operations that are supported by the Target you have selected System Name cm4148 Model CM4148 Firmware 2 5 0u2 opengear Uptime 0 days 18 hours 35 mins 5 secs Current User root Manage Power Serial Port Users amp Groups Target Port 1 Baytech RPC3ADE outlet 1 1 Authentication Select a power device to manage Ne
404. ndows 7 Professional operating system The steps may vary slightly depending on your network access or if you are using an alternate version of Windows More detailed instructions are available from the Microsoft web site 86 Login to your Windows client with administrator privileges From the Network amp Sharing Center on the Control Panel select Network Connections and create a new connection Console Server amp RMM Gateway User Manual User Manual Ks um Set Up a Connection or Network Choose a connection option Sb Connect to the Internet Set up a wireless broadband or dial up connection to the Internet i Set up a new network mg Configure a new router or access point La Manually connect to a wireless network mg Connect to a hidden network or create a new wireless profile Connect to a workplace Set up a dial up or VPN connection to your workplace gos Set up a dial up connection a Connect to the Internet using a dial up connection gt Select Use My Internet Connection VPN and enter the IP Address of the Opengear appliance Note To connect remote VPN clients to the local network you need to Know the user name and password for the PPTP account you added as well as the Internet IP address of the Opengear appliance If your ISP has not allocated you a Static IP address consider using a dynamic DNS service Otherwise you must modify the PPTP client configuration each time your Internet IP address changes
405. nections RPC Connections Environmental IP Settings Wireless LAN Currently Disabled Managed Devices gt 9 z Configuration DHCP Method l i Alerts amp Logging Static Port Log The mechanism to acquire IP settings Alerts SMTP amp SMS IP Address SNMP A statically assigned IP address Subnet Mask Administration A statically assigned network mask Configuration Backup Firmware Gateway IP 5 r A statically assigned gateway Date amp Time Dial Primary DNS Services A statically assigned primary name server DHCP Server Nagios Secondary DNS A statically assigned secondary name server Port Access Failover Interface None Active Users z z Statisti A device to fail to in case of outage Devices must be configured and enabled for failover to work Support Report Primary Probe Syslog Address l N UPS Status The address of the first peer to probe for connectivity detection RPC Status Secondary Probe Environmental Status Address The address of the second peer to probe for connectivity detection Devices w Past Loge IPv6 Settings Wireless LAN Currently Disabled Host Logs Power era Stateless only Terminal a Static The mechanism to acquire IP settings Wireless Client Settings SSID SSID of the wireless access point to connect to chins Network Infrastructure Ad hoc Select infrastructure to connect to an access point ad hoc to c
406. nections RPC Connections Environmental Managed Devices Alerts amp Logging Port Log Generate Keys D Shared secret PSK Authenticate using RSA digital signatures or a shared secret PSK RSA digital signatures cannot be used until IPsec RSA keys have been generated Click here to generate keys Authentication Alerts Srotenl FSP SMTP amp SMS F SNMP mis gt i Authenticate as part of ESP encryption or separately using the AH protocol Left ID Administration SSL Certificates The identifier for this end of the tunnel should include a fully qualified domain name Configuration Backup preceded by e g eft example com Firmware z P Right TD x ri aia The identifier for the other end of the tunnel should include a fully qualified domain la 2 i Giaa name preceded by e g zght example com DHCP Server Left Address Nagios Configure Dashboard The public IP ur DNS address of lhis end of Ue Lunnel leave blank Lo use Lie interface of the default route Port Access Right Address s Active llsers age a es The public IP or DNS address of the other end of the tunnel leave blank if it is Suppurl Repurl dynamic Syslog left Subnet UPS Status ss RPC Status The private subnet behind this end of the tunnel in CIDR notation e g Environmental Status 192 168 123 0 24 aave blank to allow connections to this host only Dashboard Right Subnet a Deutes The privale subnel b
407. nections e g 192 168 1 10 20 This must be a free IP address or a range of free IP addresses from the network typically the LAN that remote users are assigned while connected to the Opengear appliance gt Enter the desired value of the Maximum Transmission Unit MTU for the PPTP interfaces into the MTU field defaults to 1400 gt Inthe DNS Server field enter the IP address of the DNS server that assigns IP addresses to connecting PPTP clients gt Inthe WINS Server field enter the IP address of the WINS server that assigns IP addresses to connecting PPTP client gt Enable Verbose Logging to assist in debugging connection problems gt Click Apply Settings Console Server amp RMM Gateway User Manual 85 Chapter 4 Serial Port Device and User Configuration 4 11 2 4 11 3 Add a PPTP user Select Users amp Groups on the Serial amp Networks menu and complete the fields as covered in section 4 2 Ensure the pptpd Group has been checked to allow access to the PPTP VPN server Note users in this group will have their password stored in clear text Keep note of the username and password for when you need to connect to the VPN connection Click Apply System Name im4216 Model IM4216 Firmware 3 5 2u1 Aa O opPengear Uptime 0 days 3 hours 19 mins 42 secs Current User root Backup Log Out Serial amp Network Users amp Groups Serial Port Users amp Groups Authentication Network Hos
408. new fingerprint added If it has not changed this indicates a serious problem that should be investigated immediately 15 6 7 SSH tunneled serial bridging You have the option to apply SSH tunneling when two Black Box console servers are configured for serial bridging Local Ethernet LAN Serially connected device COM Port connected e g security appliance control PC amp gt As detailed in Chapter 4 the Server console server is setup in Console Server mode with either RAW or RFC2217 enabled and the Client console server is set up in Serial Bridging Mode with the Server Address and Server TCP Port 4000 port for RAW or 5000 port for RFC2217 specified gt Select SSH Tunnel when configuring the Serial Bridging Setting Console Server amp Router User Manual 291 Chapter 16 KCS Client Configuration Serial Bridge Settings Serial Bridging Mode Create a network connection to a remote serial port via RFC 2217 Server Address 250 258 2 16 The network address of an RFC 2217 serwer to connect to The TCP port the RFC 2217 server is serving on RFC 2217 Enable RFC 2217 access SSH Tunnel Redirect the serial bridge over an SSH tunnel to the server Next you will need to set up SSH keys for each end of the tunnel and upload these keys to the Server and Client console servers Client Keys The first step in setting up ssh tunnels is to generate keys Ideally you will use a separate secure machine
409. ng in standby power mode b beacon Query beacon status if implemented by RPC If no targets are specified query all targets t temp Query node temperature if implemented by RPC If no targets are specified query all targets Temperature information is not interpreted by powerman and is reported as received from the RPC on one line per target prefixed by target name h help Display option summary L license Show powerman license information d destination host port Connect to a powerman daemon on non default host and optionally port V version Display the powerman version number and exit D device Displays RPC status information If targets are specified only RPC s matching the target list are displayed T telemetry Causes RPC telemetry information to be displayed as commands are processed Useful for debugging device scripts x exprange Expand host ranges in query responses For more details refer http linux die net man 1 powerman Also refer powermand http linux die net man 1 powermand documentation and powerman conf http linux die net man 5 powerman conf Target Specification powerman target hostnames may be specified as comma separated or space separated hostnames or host ranges Host ranges are of the general form prefix n m l k where n < m and l < k etc This form should not be confused with regular expression character classes also denoted by For example foo 19
410. nger than 16 characters will be truncated For IPMI v2 0 the maximum password length is 20 characters longer passwords are truncated COMMANDS help This can be used to get command line help on ipmitool commands It may also be placed at the end of commands to get option usage help ipmitool help Commands raw Send a RAW IPMI request and print response lan Configure LAN Channels chassis Get chassis status and set power state event Send pre defined events to MC mc Management Controller status and global enables sdr Print Sensor Data Repository entries and readings sensor Print detailed sensor information fru Print built in FRU and scan SDR for FRU locators sel Print System Event Log SEL pef Configure Platform Event Filtering PEF sol Configure IPMIv2 0 Serial over LAN isol Configure IPMIv1 5 Serial over LAN user Configure Management Controller users channel Configure Management Controller channels session Print session information exec Run list of commands from file set Set runtime variable for shell and exec ipmitool chassis help Chassis Commands status power identify policy restart_cause poh bootdev ipmitool chassis power help chassis power Commands status on off cycle reset diag soft You will find more details on ipmitool at http ipmitool sourceforge net manpage html 300 Console Server & RMM Gateway User Manual 15 11 Custom Development Kit CDK As detailed in this man
411. nges to the configuration e g modify user accounts amend authentication method enable OpenVPN tunnel or modify system time > Click the Commit Config button This will generate the System Commit Configuration screen displaying all the configurators to be run Console Server & Router User Manual 231 Chapter 11 System Management System Commit Configuration The following configurators will be run on config commit alerts cascade console dialin firewall hosts ipconfig nagios power serialconfig services time ups poe > Click Apply to run all the configurators in the queue > Alternately click Cancel and this will discard all the delayed configuration changes Note All the queued configuration changes will be lost if Cancel is selected To disable the Delayed Configuration Commits mode > Uncheck the Delayed Config Commits button under System Administration and click Apply > Click the Commit Config button in top right hand corner of the screen to display the System Commit Configuration screen > Clic
412. nly those people who know the root password can access and reconfigure the console server itself The corollary is that anyone who correctly guesses the root password could gain access and the default root password is default So it is essential that you enter and confirm a new password before giving the console server any access to or control of your computers and network appliances 32 Console Server & RMM Gateway User Manual User Manual [Screenshot: System Administration page with fields for System Name, location, System Password, Confirm System Password, message of the day banner and Delayed Config Commits] Select Syst
413. not survive a restore Backup and restore should be done by the root user to ensure correct file permissions are set The config command is used to create a backup tarball config e <Output File> The tarball will be saved to the indicated location It will contain the contents of the etc config directory in an uncompressed and unencrypted form Example nfs storage mount t nfs 192 168 0 2 backups mnt config e mnt cm4008 config umount mnt Example transfer off box via scp config e tmp cm4008 config scp tmp cm4008 config 192 168 0 2 backups The config command is also used to restore a backup config i <Input File> This will extract the contents of the previously created backup to tmp and then synchronize the etc config directory with the copy in tmp One problem that can crop up here is that there is not enough room in tmp to extract files to The following command will temporarily increase the size of tmp mount t tmpfs o remount size 2048k tmpfs var If restoring to either a new unit or one that has been factory defaulted it is important to make sure that the process generating SSH keys is either stopped or completed before restoring configuration If this is not done then a mix of old and new keys may be put in place As SSH uses these keys to avoid man in the middle attacks logging in may be disrupted Console Server & Router User Manual 213 Chapter 16 KCS Client Configur
414. nse An incoming SMS command from a nominated caller can trigger an Auto Response gt Click on SMS Command as the Check Condition gt Specify which Phone Number in international format of the phone sending the SMS message gt Set the Incoming Message Pattern PCRE regular expression to match to create trigger event Check Conditions Environmental Alarms Digital Inputs UPS Power Supply UPS Status Serial Login Logout Serial Signal Incoming Message Pattern SMS Command Check Phone number 61400028801 Phone number in international format without the PCRE Regular expression to match within the incoming message This check is not resolvable Resolve actions will not be run Save Auto Response Note The SMS command trigger condition can only be set if there is an internal or external USB cellular modem detected Console Server amp RMM Gateway User Manual 157 7 3 Chapter 7 Alerts and Logging Trigger Actions To configure the sequence of actions that is to be taken in the event of the trigger condition gt Note 7 3 1 Note 7 3 2 Note 158 For a nominated Auto Response with a defined Check Condition click on Add Trigger Action e g Send Email or Run Custom Script to select the action type to be taken Then configure the selected action as detailed in the following sections Each action is configured with a nominated Action Delay Time which specifies how long in secon
415. nse and Logs 8 Power amp Environment 9 Authentication 10 Nagios Integration 11 System Management 12 Status Reports 13 Management 14 Basic Configuration 15 Advanced Config An overview of the features of the console server and information on this manual Physical installation of the console server and the interconnecting of managed devices Covers initial installation and configuration of the console server on the network and the services that will be supported Covers configuring serial ports and connected network hosts and setting up users Describes setting up the firewall router functions and the high availability access features of the console server Covers secure remote access using SSH and configuring for RDP VNC HTTP HTTPS etc access to network and serially connected devices Explains the setting up of local and remote event data logs and configuring auto response actions to trigger events Management of USB serial and network attached power strips and UPS supplies EMD environmental sensor configuration All access to the console server requires usernames and passwords which are locally or externally authenticated Setting Nagios central management with SDT extensions and configuring the console server as a distributed Nagios server Covers access to and configuration of services to be run on the console server View a dashboard summary and detailed status and logs of serial and network connected devic
416. [Dashboard screenshot: alerts, sensor temperature and Managed Devices widgets] 12 5 1 Configuring the Dashboard Only users who are members of the admin group and the root user can configure and access the dashboard To configure a custom dashboard > Select System Configure Dashboard and select the user or group you are configuring this custom dashboard layout for Note You can configure a custom dashboard for any admin user or for the admin group or you can reconfigure the default dashboard The Status Da
417. ny time by destroying the Software GOVERNING LAW AND ATTORNEY S FEES This EULA is governed by the laws of the State of Utah USA excluding its conflict of law rules You agree that the United Nations Convention on Contracts for the International Sale of Goods is hereby excluded in its entirety and does not apply to this EULA If you acquired this Software in a country outside of the United States that country s laws may apply In any action or suit to enforce any right or remedy under this EULA or to interpret any provision of this EULA the prevailing party will be entitled to recover its costs including reasonable attorneys fees ENTIRE AGREEMENT This EULA constitutes the entire agreement between you and Opengear with respect to the Software and supersedes all other agreements or representations whether written or oral The terms of this EULA can only be modified by express written consent of both parties If any part of this EULA is held to be unenforceable as written it will be enforced to the maximum extent allowed by applicable law and will not affect the enforceability of any other part Should you have any questions concerning this EULA or if you desire to contact Opengear for any reason please contact the Opengear representative serving your company 326 Console Server amp RMM Gateway User Manual THE FOLLOWING DISCLAIMER OF WARRANTY AND LIMITATION OF LIABILITY IS INCORPORATED INTO THIS EULA BY REFERENCE THE SOFTWARE IS N
418. o the System Firewall page and then click on the Forwarding & Masquerading tab > Find the Source Network to be routed and then tick the relevant Destination Network to enable Forwarding For example to configure a single Ethernet device such as an ACM5004 G as a cellular router > The Source Network would be the Network Interface and the Destination Network would be Dialout Cellular IP Masquerading is generally required if the console server will be routing to the Internet or if th
419. o the console server and select the Service Access tab on the System Firewall menu Ensure SSH Command Shell is enabled on the Network interface and any out of band interfaces With earlier firmware > Browse to the console server and select Network Hosts from Serial & Network click Add Host and in the IP Address DNS Name field enter 127 0 0 1 this is the Opengear s network loopback address and enter Loopback in Description > Remove all entries under Permitted Services except for those that will be used in accessing the Management Console 80 http or 443 https or the command line 22 ssh or 23 telnet then scroll to the bottom and click Apply > Administrators by default have gateway access privileges however for Users to access the gateway Management Console you will need to give those Users the required access privileges Select Users & Groups from Serial & Network Click Add User Enter a Username Description and Password Confirm Select 127 0 0 1 from Accessible Host s and click Apply Console Server & RMM Gateway User Manual User Manual 6 4 SDT Connector telnet or SSH connect to serially attached devices SDT Connector can also be used to access text consoles on devices that are attached to the console server serial ports For these connections you must configure the SDT Connector client software with a Service that will access the target gateway serial port and then set the gateway up as a host
420. o which the device belongs Managed Devices Locality City odgen The City where the organization is located Alerts amp Logging Patine State Province utah The State or Province where the organization is located Alerts SMTP amp SMS Country AM SNMP The country where the organization is located Email eng myco com The email address of a contact person for this device Administration SESE SESS SSL Certificates ie Configuration Backup An optional dependant on CA password Firmware Confirm Sreteree IP Password Confirmation of the challenge password Date amp Time Key Length 512 Dial bits Length of generated key in bits Services Nagios Download Cancel CSR Configure Dashboard ne File Port Access Certificate file issued by your CA Active Users Statisti Upload After completing these steps the console server has its own certificate that is used for identifying the console server to its users Note Information on issuing certificates and configuring HTTPS from the command line can be found in Chapter 15 Advanced 204 Console Server amp RMM Gateway User Manual Chapter 10 Nagios Integration NAGIOS INTEGRATION Nagios is a powerful highly extensible open source tool for monitoring network hosts and services The core Nagios software package will typically be installed on a server or virtual server the central Nagios server Console servers operate in conjunction
421. oad save or delete a stored session Click Open and you will be presented with the Data i p y p Proxy a console server login prompt You may also Telnet t j J z Rlogin ee ee receive a Security Alert that the host s key is ars not cached you will need to choose yes to Auth continue TTY Ta Using the Telnet protocol is similarly simple but Bugs you use the default port 23 40 Console Server amp RMM Gateway User Manual User Manual 3 5 3 SSHTerm Another common communications package that may be useful is SSH Term an open source package that can be downloaded from http sourceforge net projects sshtools To use SSHTerm for an SSH terminal session from a Windows Client you simply Select the File option and click on New Connection Connection Profile x A new dialog box will appear for your Connection Profile Host Protocol Pronar Commands Terminai where you can type in the host name or IP address for the fa Hostname console server unit and the TCP port that the SSH session ante will use port 22 Then type in your username and choose 200 password authentication and click connect Lier aip O E You may receive a message about the host key fingerprint z siian and you will need to select yes or always to continue password publiche y The next step is password authentication and you will be an rare prompted for your username an
422. of the controlled devices and to power as outlined below 2 1 4 CM4008 kit components EEE en KO O Part 440016 Part 319000 Ss amp and 319001 Part 450006 E b and 440001 bo Part 539000 CM4008 Console Manager 2 x Cable UTP Cat5 blue Connector DB9F RJ45S straight and DB9F RJ45S cross over Power Supply 5VDC 2 0A IEC Socket and AC power cable Quick Start Guide and CD ROM gt Unpack your CM4008 kit and verify you have all the parts shown above and that they all appear in good working order gt Proceed to connect your CM4008 to the network the serial ports of the controlled servers and AC power as shown below 2 1 5 CM4001 and SD4002 kit components Part 509003 Part 509005 Part 440016 Part 319017 and 319018 Part 4500XX Part 539000 CM4001 Console Manager SD4002 Device Server 2 x Cable UTP Cat5 blue Connector DB9F RUJ45S straight and DB9F RJ45S cross over Power Supply 12VDC 1 0A Wall mount Quick Start Guide and CD ROM gt Unpack your CM4001 or SD4002 and verify you have all the parts shown above and that they all appear in good working order gt Proceed to connect your CM4001 or SD4002 to the network to the serial port of the controlled device and to power as outlined below Console Server amp RMM Gateway User Manual 19 2 1 6 20 D4001 kit components Part 509068 Part 319018 Part 450026 Part 539000
423. oint in the future you chose to connect a modem for dial in out of band access the procedure can be reversed with the following commands bin config del config console debug bin config run console reboot 15 4 IP Filtering The console server uses the iptables utility to provide a stateful firewall of LAN traffic By default rules are automatically inserted to allow access to enabled services and serial port access via enabled protocols The commands which add these rules are contained in configuration files etc config ipfilter This is an executable shell script which is run whenever the LAN interface is brought up and whenever modifications are made to the iptables configuration as a result of CGI actions or the config command line tool The basic steps performed are as follows The current iptables configuration is erased If a customized IP Filter script exists it is executed and no other actions are performed Standard policies are inserted which will drop all traffic not explicitly allowed to and through the system Rules are added which explicitly allow network traffic to access enabled services e g HTTP SNMP etc Rules are added which explicitly allow network traffic access to serial ports over enabled protocols e g Telnet SSH and raw TCP If the standard system firewall configuration is not adequate for your needs it can be bypassed safely by creating a file at etc config filter custom containing comm
424. ole Server amp Router User Manual 305 pmloggerd pmshell pmusers portmanager portmap pppd ps pwd reboot rm rmdir routed routed routef routel rtacct rtmon scp sed setmac setserial sh showmac sleep smbmnt smbmount smbumount snmpd snmptrap sredird ssh ssh keygen sshd sslwrap sity stunnel sync sysctl syslogd tar tc tcpdump telnetd tftp tftpd tip top touch 306 Linux Commands amp Source Code Opengear command similar to the standard tip or cu but all serial port access is directed via the portmanager Opengear command to query portmanager for active user sessions Opengear command that handles all serial port access DARPA port to RPC program number mapper Point to Point protocol daemon Report a snapshot of the current processes Print name of current working directory Soft reboot Remove files or directories Remove empty directories Show or manipulate the IP routing table Show or manipulate the IP routing table IP Route tool to flush IPv4 routes IP Route tool to list routes Applet printing proc net rt_acct RTnetlink listener secure copy remote file copy program Text stream editor Sets the MAC address Sets and reports serial port configuration Shell Shows MAC address Delay for a specified amount of time Helper utility for mounting SMB file systems Mount an SMBEFS file system SMBFS umount for normal users SNMP daemon Sends an SNMP notificat
425. on A statically assigned network mask Firmware IP Primary DNS i ol amp Time A statically assigned primary name server Dial Services Secondary DNS DHCP Server Nagios A statically assigned secondary name server Media Auto v lt The Ethernet media type Active Users DHCP Server Disabled Statistics Configure a DHCP server for this interface Support Report Sysog Ine Cenk The management gateway function is now enabled with default firewall and router rules By default these rules are configured so the Management LAN can only be accessible by SSH port forwarding This ensures the remote and local 42 Console Server amp RMM Gateway User Manual User Manual connections to Managed Devices on the Management LAN are secure The LAN ports can also be configured in bridged or bonded mode as described later in this chapter or they can be manually configured from the command line 3 6 2 Configure the DHCP server The IM4200 family ACM5508 2 I M ACM5504 5 G l IM4004 5 and ACM5004 2 console servers also host a DHCP server which by default is disabled The DHCP server enables the automatic distribution of IP addresses to devices on the Management LAN that are running DHCP clients To enable the DHCP server gt On the System IP menu select the Management LAN page and click the Disabled label in the DHCP Server field or go to the System DHCP Server menu and check Enable DHCP Server Sy
426. on Alarms Digital Inputs as the Check Condition In the Alarms Digital Inputs Check menu select the specific Alarm Digital IO Pin that will trigger the Auto Response Select Trigger on Change to trigger when alarm signal changes or select to trigger when the alarm signal state changes to either a Trigger Value of Open 0 or Closed 1 Check Save Auto Response Before configuring Alarms Digital Inputs checks in Auto Response you first must configure the sensor DIO that is to be attached to your EMD or ACM5000 UPS Power Supply To use the properties of any attached UPS as the trigger event > Click on UPS Power Supply as the Check Condition Select UPS Power Device Property Input Voltage Battery Charge Load Input Frequency Hz or Temperature in C that will be checked for the trigger Specify the Trigger value that the check measurement must exceed or drop below to trigger the AutoResponse Select Comparison type as being Above Trigger Value or Below Trigger Value to trigger Specify any Hysteresis factor that is to be applied to environmental measurements e g if an Auto Response was set up with a trigger event of a battery charge below 20 with a Hysteresis of 5 then the trigger condition would not be seen as having been resolved till the battery charge was above 25 Check Save Auto Response Console Server & RMM Gateway User Manual 153 Note 7 2 4 opengear Serial & Network Seria
427. onfig s config ups remotes remote1 name oldUPS config s config ups remotes remote1 description UPS in room 2 config s config ups remotes remote1 address 192 168 50 50 config d config ups remotes remote1 log enabled config s config ups remotes remote1 log interval 240 config s config ups remotes remote1 script enabled on config s config ups remotes total 1 The following command will synchronize the live system with the new configuration config a 14 1 9 RPC Connections You can add an RPC connection from the command line but it is not recommended that you do so because of dependency issues However FYI before adding an RPC the Management Console GUI code makes sure that at least 1 port has been configured to run in device mode and that the device is set to rpc To add an RPC with the following values RPC type APC 7900 Connected via Port 2 UPS name MyRPC Description RPC in room 5 Login name for device rpclogin Login password for device secret SNMP community v1 or v2c Logging Enabled Log interval 600 second Number of power outlets 4 depends on the type model of the RPC config s config ports port2 power type APC 7900 config s config ports port2 power name MyRPC config s config ports port2 power description RPC in room 5 config s config ports port2 power username rpclogin config s config ports port2 power password secret config s config ports port2 power snmp co
428. onfig s config system bridge enabled on To enable IPv6 for all interfaces config s config system ipv6 enabled on To configure the management lan interface use the same commands as above but replace config interfaces wan with config interfaces lan Note Not all devices have a management LAN interface To configure a failover device in case of an outage config s config interfaces wan failover address1 ip address config s config interfaces wan failover address2 ip address config s config interfaces wan failover interface eth console modem The network interfaces can also be configured automatically config s config interfaces wan mode dhcp config s config interfaces lan mode dhcp The following command will synchronize the live system with the new configuration Console Server & Router User Manual 261 Chapter 14 Command Line Configuration bin config run ipconfig The following command will synchronize the live system with the new configuration config r ipconfig 14 1 18 Date & Time settings To enable NTP using a server at pool ntp org issue the following commands config s config ntp enabled on config s config ntp server pool ntp org Alternatively you can manually change the clock settings To change running system time date 092216452005 05 Format is MMDDhhmm CC YY ss Then the following command will save this new system time to the hardware clock bin hw
429. onfig ports port3 enviro alarms alarm2 alarmstate on config s config ports port3 enviro alarms alarm2 label window alarm config s config ports port3 enviro alarms total 2 config s config ports port3 enviro log enabled on config s config ports port3 enviro log interval 120 It is important to assign alarms total 2 even if they are off The following 5 commands will add the environmental monitor to Managed devices To get the total number of managed devices config g config devices total Make sure to use the total 1 for the new device below config s config devices device5 connections connection1 name Envi4 config s config devices device5 connections connection1 type EMD Unit config s config devices device5 name Envi4 config s config devices device5 description Monitor in room 5 config s config devices total 5 The following command will synchronize the live system with the new configuration config a 14 1 11 Managed Devices To add a managed device also see UPS RPC connections and Environmental config s config devices device8 name my device config s config devices device8 description The eighth device config s config devices device8 connections connection1 name my device 256 Console Server & RMM Gateway User Manual config s config devices device8 connections connection1 type serial Host UPS RPC config s config devices total 8 decrement this value w
430. onfig sdt hosts host4 description MyPC config s config sdt hosts host4 name OfficePC config s config sdt hosts host4 device type leave this value blank config s config sdt hosts host4 tcpports tcpport1 22 config s config sdt hosts host4 tcpports tcpport1 loglevel 1 config s config sdt hosts host4 udpports tcpport2 443 config s config sdt hosts host4 udpports tcpport2 loglevel 1 If you want to add the new host as a managed device make sure to use the current total number of managed devices 1 for the new device number To get the current number of managed devices config g config devices total Assuming we already have one managed device our new device will be device 2 Issue the following commands config s config devices device2 connections connection1 name 192 168 3 10 config s config devices device2 connections connection1 type Host config s config devices device2 name Office PC config s config devices device2 description MyPC 252 Console Server & RMM Gateway User Manual config s config devices total 2 The following command will synchronize the live system with the new configuration config hosts 14 1 6 Trusted Networks You can further restrict remote access to serial ports based on the source IP address To configure this via the command line you need to do the following Determine the total number of existing trusted network rules if you have no existing rules you ca
431. onfiguration causes the console server to become unbootable recover your unit to factory settings using the following steps > If the configuration is stored on an external USB storage device unplug the storage device and reset to factory defaults as per section 11 1 of the user manual > If the configuration is stored on an internal USB storage device reset to factory defaults using a specially prepared USB storage device o The USB storage device must be formatted with a Windows FAT32 VFAT file system on the first partition or the entire disk most USB thumb drives are already formatted this way o The file system must have the volume label OPG_DEFAULT o Insert this USB storage device into an external USB port on the console server and reset to factory defaults as per section 11 1 230 Console Server & RMM Gateway User Manual After recovering your console server ensure the problematic configuration is no longer selected for Load On Erase 11 5 Delayed Configuration Commit The Delayed Config Commit mode is available on all ACM5500 ACM5000 IM4004 5 and IM4200 family of advanced console servers with Firmware V3 2 and later This mode allows the grouping or queuing of configuration changes and the simultaneous application of these changes to a specific device For example changes to authentication methods or user accounts may be grouped and run once to minimize system downtime To enable > Check the Delayed Config Commits
432. onnect directly to a computer Wireless Security None wep CO WPA PSK C WPA2 PSK WPA None The security mode of the wireless network To configure the IP settings of the wireless LAN > Select DHCP or Static for the Configuration Method o If you selected Static then manually enter the new IP Address Subnet Mask Gateway and DNS server details This selection automatically disables the DHCP client o If you selected DHCP the console server will look for configuration details from a DHCP server on your management LAN This selection automatically disables any static address The console server MAC address can be found on a label on the base plate > The wireless LAN when enabled will operate as the main network connection to the console server so failover is available though it is not enabled by default Use Failover Interface to select the device to failover to in case of wireless outage and specify Probe Addresses of the peers to be probed for connectivity detection > Configure the Wireless Client to select the local wireless network which will serve as the main network connection to the console server o Enter the appropriate SSID Set Service Identifier of the wireless access point to connect to Console Server & RMM Gateway User Manual 47 Chapter 3 Initial System Configuration o Select the Wireless Network Type where Infrastructure is used to connect to an access point and Ad hoc to connect directly to a computer
433. ons
[Screenshot: Status menu, Failover & Out-of-Band (oobfo): Connection Status "Establishing connection", IP Address 0.0.0.0]
o The Operational Status will change as the cellular modem finds a channel and connects to the network.
o The Failover & Out-of-Band screen will display information relating to a configured Failover/OoB interface and the status of that connection. The IP Address of the Failover/OoB interface will be presented in the Failover & Out-of-Band screen once the Failover/OoB interface has been triggered.
5.7.3 Cellular routing
Once you have configured carrier connection, the cellular modem can be configured to route traffic through the console server. This requires setting up forwarding and masquerading, as detailed in Chapter 5.8.
5.7.4 Cellular CSD dial-in setup
Once you have configured carrier connection, the cellular modem can be configured to receive Circuit Switched Data (CSD) calls.
Note: CSD is a legacy form of data transmission developed for the TDMA based mobile phone systems like GSM. CSD uses a single radio time slot to deliver 9.6 kb/s data transmission to the GSM Network and Switching Subsystem, where it could be connected through the equivalent of a normal modem to the Public Switched Telephone Network (PSTN), allowing direct calls to any dial-up service. CSD is pr
434. ons Enable Dial Back
[Screenshot: Serial & Network: Users & Groups, add-user form on an IM4216 with Firmware 3.5.2u1. Help text shown on the form follows.]
A unique name for the user.
A brief description of the user's role.
Groups (a group with predefined privileges the user will belong to):
admin: Provides users with unlimited configuration and management privileges.
pptpd: Group to allow access to the PPTP VPN server. Users in this group will have their password stored in clear text.
dialin: Group to allow dialin access via modems. Users in this group will have their password stored in clear text.
ftp: Group to allow ftp access and file access to storage devices.
pmshell: Group to set default shell to pmshell.
users: Provides users with basic management privileges.
The user's authentication secret. Note: A password may not be required if remote authentication is being used.
Re-enter the user's password for confirmation.
Enable Dial-Back: Allow an out-going connection to be triggered by logging into this port.
Dial-Back Phone Number: The phone number to call back when user logs in.
> Click Add User to add a new user.
> Add a Username and a confirmed Password for each new user. You may also include information related to the user (e.g. contact det
435. onsole Server amp RMM Gateway User Manual User Manual Note For more information on enabling the SDT Connector so each user has secure tunneled remote RPD VNC Telnet HHTP HTTPS SoL access to the network connected hosts refer Chapter 6 4 3 Authentication Refer to Chapter 9 1 Remote Authentication Configuration for authentication configuration details 4 4 Network Hosts To monitor and remotely access a locally networked computer or device referred to as a Host you must identify the Host and specify the TCP or UDP ports services that will be used to control that Host System Name img4004 5 Model IMG4004 5 Firmware 2 7 0p1 opengedf Uptime 0 days 19 hours 46 mins 14 secs Current User root Serial amp Network Network Hosts Serial Port Users amp Groups IP Host Name Description Notes Permitted Services Device Authentication scala DNS Type me Network Hosts Trusted Networks 192 168 0 44 IBM X 324 Asterisk PBX 22 tcp ssh 0 Edit Delete Cascaded Ports 443 tcp https 0 UPS Connections RPC Connections 192 168 0 70 PowerEdgeR9000 5 Dell mail server 22 tcp ssh 0 Edit Delete Environmental 443 tcp https 0 Managed Devices 5900 tcp vnc 0 Alers amp Looano 192 168 0 46 MainUPS Computer room 80 tcp http 0 UPS Edit Delete atiati battery Port Log Alerts 192 168 253 240 PDU R7D Baytech PDU 23 tcp telnet 0 RPC Edit Delete SMTP amp SMS 80 tcp http 0 SNMP 192 168 0 39 PDU
436. or e g Door Open or Smoke Alarm Configure Dashboard Log Status Periodically log environmental status Port Access Active Users Log Rate 15 Statistics Minutes between sa 5 Support Report Syslog UPS Status Apply gt You may optionally calibrate the EMD with a Temperature Offset or C or Humidity Offset or percent Also if you check Temperature in Fahrenheit then the temperature will be reported in Fahrenheit Otherwise it will be reported in degrees Celsius gt Provide Labels for each of the alarm sensors you will used e g Door Open or Smoke Alarm gt Check Log Status and specify the Log Rate minutes between samples if you wish the status from this EMD to be logged These logs can be views from the Status Environmental Status screen v Click Apply This will also create a new Managed Device with the same name gt For the ACM5000 E select the Serial amp Network Environmental menu and check Enabled You will then need set any temperature offsets and label the sensors as described above System Name acm5003 w Model ACM5003 W Firmware 3 0 0 Ra opengedr Uptime 0 days 0 hours 40 mins 44 secs Current User root Backup Log Out Serial amp Network Environmental Serial Port Enabled Users amp Groups Authentication Network Hosts Edit Environmental Monitor Trusted Networks IPsec VPN Name Internal environmental sensor Enable or disa
437. or DNS address, and any Notes or a Description of this gateway (such as its firmware version, site location or anything special about its network configuration).
> Click OK and an icon for the new gateway will now appear in the SDT Connector home page.
Note: For an SDT Connector user to access a console server (and then access specific hosts or serial devices connected to that console server), that user must first be set up on the console server and must be authorized to access the specific ports/hosts (refer Chapter 5), and only these permitted services will be forwarded through by SSH to the Host. All other services (TCP/UDP ports) will be blocked.
6.2.3 Auto-configure SDT Connector client with the user's access privileges
Each user on the console server has an access profile which has been configured with those specific connected hosts and serial port devices the user has authority to access, and a specific set of the enabled services for each of these. This configuration can be auto-uploaded into the SDT Connector client.
[Screenshot: Opengear SDT Connector window, Gateway Actions: Retrieve Hosts]
> Click on the new gateway icon and select Retrieve Hosts. This will configure access to network connected Hosts that the user is authorized to acce
438. or Nagios software
[Figure: Central Nagios server, distributed console servers, clients]
Central Nagios server:
- A vanilla Nagios 2.x or 3.x installation (typically on a Linux server), generally running on a blade, PC, virtual machine, etc. at a central location
- Runs a web server that displays the Nagios GUI
- Imports configuration from distributed Opengear servers using the SDT for Nagios Configuration Wizard
Distributed Opengear console servers:
- Opengear console server running firmware 2.4.1 or later
- Serial and network hosts are attached to each console server
- Each runs Nagios plug-ins, NRPE and NSCA add-ons, but not a full Nagios server
Clients:
- Typically a client PC, laptop, etc. running Windows, Linux or Mac OS X
- Runs SDT Connector client software 1.5.0 or later
- Possibly remote to the central Nagios server or distributed console servers (i.e. a road warrior)
- May receive alert emails from the central Nagios server or distributed console servers
- Connects to the central Nagios server web UI to view status of monitored hosts and serial devices
- Uses SDT Connector to connect through the console servers, to manage monitored hosts and serial devices
Nagios setup involves the following steps:
- Install Nagios and the NSCA and NRPE add-ons on the central Nagios server (Section 10.2.1, Set up central Nagios server)
- Configure each Opengear distributed console server for Nagios monitoring, alerting, and SDT Nagios integration
439. or Public Key Authentication
SDT Connector can authenticate against an SSH gateway using your SSH key pair rather than requiring you to enter your password. This is known as public key authentication. To use public key authentication with SDT Connector, first you must add the public part of your SSH key pair to your SSH gateway:
> Ensure the SSH gateway allows public key authentication; this is typically the default behavior.
> If you do not already have a public/private key pair for your client PC (the one running SDT Connector), generate them now using ssh-keygen, PuTTYgen or a similar tool. You may use RSA or DSA; however, it is important that you leave the passphrase field blank.
PuTTYgen: http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
OpenSSH: http://www.openssh.org/
OpenSSH (Windows): http://sshwindows.sourceforge.net/download/
> Upload the public part of your SSH key pair (this file is typically named id_rsa.pub or id_dsa.pub) to the SSH gateway, or otherwise add it to .ssh/authorized_keys in your home directory on the SSH gateway.
> Next, add the private part of your SSH key pair (this file is typically named id_rsa or id_dsa) to SDT Connector. Click Edit: Preferences: Private Keys: Add, locate the private key file and click OK.
You do not have to add the public part of your SSH key pair; it is calculated using the private key. SDT Connector will now use public key authentication when connecting thro
440. or serial connected device, then executes the client application that will be used in communicating with the host.
This chapter details the basic SDT Connector operations:
- Configuring the console server for SSH tunneled access to network attached hosts and setting up permitted Services and user access (Section 6.1)
- Setting up the SDT Connector client with gateway, host, service and client application details, and making connections between the Client PC and hosts connected to the console server (Section 6.2)
- Using SDT Connector to browser access the Management Console (Section 6.3)
- Using SDT Connector to Telnet or SSH connect to devices that are serially attached to the console server (Section 6.4)
The chapter then covers more advanced SDT Connector and SSH tunneling topics:
- Using SDT Connector for out-of-band access (Section 6.5)
- Automatic importing and exporting of configurations (Section 6.6)
- Configuring Public Key Authentication (Section 6.7)
- Setting up a SDT Secure Tunnel for Remote Desktop (Section 6.8)
- Setting up a SDT Secure Tunnel for VNC (Section 6.9)
- Using SDT to IP connect to hosts that are serially attached to the console server (Section 6.10)
6.1 Configuring for SSH Tunneling to Hosts
To set up the console server for SSH tunneled access to a network attached host:
> Add the new host and the permitted se
441. or this device System Description The physical location of this device
[Screenshot: System: Administration form. Help text shown on the form follows.]
System Password: The secret used to gain administration access to this device. Re-enter the above password for confirmation.
SSH RSA Public Key: Upload a replacement RSA public key file.
SSH RSA Private Key: Upload a replacement RSA private key file.
SSH DSA Public Key: Upload a replacement DSA public key file.
SSH DSA Private Key: Upload a replacement DSA private key file.
SSH Authorized Keys: Upload a replacement authorized keys file.
Generate SSH keys automatically: Generate SSH keys locally.
> Select System: Administration on Master's Management Console.
> Check Generate SSH keys automatically and click Apply.
[Screenshot: System: SSH Keys on an IMG4004-5 with Firmware 2.6.0p6]
Generating each set of keys will require approximately two minutes. Any old keys of that type will be destroyed. Functions relying on SSH keys (e.g. Cascading) may stop functioning until they are updated with the new set of keys. If unsure, select only RSA. To generate keys, select RSA and/or DSA.
RSA Keys: Generate RSA Keys
DSA
442. ork UPS Tools (NUT)
8.3 Environmental Monitoring
8.3.1 Connecting the EMD and its sensors
8.3.2 Connecting sensors to ACM5000 and ACM5500s
8.3.3 Adding EMDs and configuring the sensors
8.3.4 Environmental alerts
8.3.5 Environmental status
8.4 Digital I/O Ports
8.4.1 Digital I/O Output Configuration
8.4.2 Digital I/O Input Configuration
8.4.3 High Voltage Outputs
AUTHENTICATION
9.1 Authentication Configuration
9.1.1 Local authentication
9.1.2 TACACS authentication
9.1.3 RADIUS authentication
9.1.4 LDAP authentication
9.1.5 RADIUS/TACACS user configuration
9.1.6 Group support with remote authentication
9.1.7 Remote groups with RADIUS authentication
9.1.8 Remote groups with LDAP authentication
9.1.9 Idle timeout
9.1.10 Kerberos authentication
9.1.11 Authentication testing
9.2 PAM (Pluggable Authentication Modules)
9.3 SSL Certificate
NAGIOS INTEGRATION
10.1 Nagios Overview
10.2 Central management and setting up SDT for Nagios
10.2.1 Set up central Nagios server
10.2.2 Set up distributed Opengear console servers
10.2.3 Set up SDT for Nagios on the central Nagios server
10.2.4 Set up the clients
10.3 Configuring Nagios distributed monitoring
10.3.1 Enable Nagios on the console server
443. ormat with the correct permissions with the following commands:
dos2unix /etc/config/users/testuser/.ssh/authorized_keys && chown testuser /etc/config/users/testuser/.ssh/authorized_keys
Using WinSCP, copy the attached sshd_config over /etc/config/sshd_config on the server (makes sure public key authentication is enabled).
Test the Public Key by logging in as testuser to the client Opengear device and typing (you should not need to enter anything):
ssh -o StrictHostKeyChecking=no <server-ip>
To automate connection of the SSH tunnel from the client on every power up, you need to make the client's /etc/config/rc.local look like the following:
#!/bin/sh
ssh -L9001:127.0.0.1:4001 -N -o StrictHostKeyChecking=no testuser@<server-ip> &
This will run the tunnel redirecting local port 9001 to the server port 4001.
15.6.6 Fingerprinting
Fingerprints are used to ensure you are establishing an SSH session to who you think you are. On the first connection to a remote server you will receive a fingerprint which you can use on future connections. This fingerprint is related to the host key of the remote server. Fingerprints are stored in ~/.ssh/known_hosts.
To receive the fingerprint from the remote server, log in to the client as the required user (usually root) and establish a connection to the remote host: ssh re
444. ote sites would enable the system manager to centrally monitor the status of the power supplies at all sites and centralize alarms, so he/she can be warned to initiate a call-out or take shut-down actions.
> Check Log Status and specify the Log Rate (minutes between samples) if you wish the status from this UPS to be logged. These logs can then be viewed from the Status: UPS Status screen.
> Check Enable Shutdown Script if this remote UPS is the UPS providing power to the console server itself. In the event the UPS reaches critical battery status, the custom script in /etc/config/scripts/ups-shutdown is run, enabling you to perform any "last gasp" actions.
> Click Apply.
Note: The Remote UPS feature is supported on all console servers with V2.8 firmware and later. Earlier versions supported a single remote Monitored UPS which could be set to trigger the console server shutdown script.
8.2.3 Controlling UPS powered computers
One of the advantages of having a Managed UPS is that you can configure computers that draw power through that UPS to be shut down gracefully in the event of UPS problems. For Linux computers this can be done by setting up upsmon on each computer and directing them to monitor the console server that is managing their UPS. This will set the specific conditions that will be used to initiate a power down of the computer. Non-critical servers may be powered down some seconds after the UPS starts running on battery, whereas more c
445. ou may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee.
2. You may modify your copy or copies of the Program or any portion of it, thus forming a work based on the Program, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions:
a) You must cause the modified files to carry prominent notices stating that you changed the files and the date of any change.
b) You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License.
c) If the modified program normally reads commands interactively when run, you must cause it, when started running for such interactive use in the most ordinary way, to print or display an announcement including an appropriate copyright notice and a notice that there is no warranty (or else, saying that you provide a warranty) and that users may redistribute the program under these conditions, and telling the user how to view a copy of this License. (Exception: if the Program itself is interactive but does not normally print such an announcement, your work based on the Program is not required to print an announcement.)
These requirements apply to the modified work as a whole. If identifiable sections of th
446. ou set up for that connection will be entered as the Name and Description for the power device. Alternately, if you select to Connect Via a Serial connection, then you will need to enter a Name and Description for the power device.
[Screenshot: Serial & Network: RPC Connections form on an IMG4004-5 with Firmware 2.7.0p1. Help text shown on the form follows.]
RPC Type: Specify the type of the connected power device.
Name: A descriptive name for the power device.
Description: A brief description for the power device.
Username: Specify the login name for the power device.
> Select the appropriate RPC Type for the PDU (or IPMI) being connected. If you are connecting to the RPC via the network, you will be presented with the IPMI protocol options and the SNMP RPC Types currently supported by the embedded Network UPS Tools.
447. oved e g config users user1 Usage delete node full node path if l 1 then echo Wrong number of arguments echo Usage delnode full delimited node path exit 2 fi test for spaces TEMP echo 1 sed s 7N if S TEMP N then 268 Console Server amp RMM Gateway User Manual echo Wrong input format echo Usage delnode full delimited node path exit 2 fi testing if node exists TEMP config g config grep 1 if z TEMP then echo Node 1 not found exit O fi LASTFIELD is the last field in the node path e g usert ROOTNODE is the upper level of the node e g config users NUMBER is the integer value extracted from LASTFIELD e g 1 TOTALNODE is the node name for the total e g config users total TOTAL is the value of the total number of items before deleting e g 3 NEWTOTAL is the modified total i e TOTAL 1 CHECKTOTAL checks if TOTAL is the actual total items in xml LASTFIELD 1 ROOTNODE 1 NUMBER echo LASTFIELD sed s fa zA Z g TOTALNODE echo 1 sed s A1 total TOTAL config g TOTALNODE sed s NEWTOTAL TOTAL 1 Make backup copy of config file cp etc contig config xml etc contig config bak echo backup of etc config config xml saved in etc config config bak if z NUMBER test whether a singular node is being deleted e g config sdt host
448. ovided selectively by carriers, and it is important you receive a Data Terminating number as part of the mobile service your carrier provides. This is the number which external modems will call to access the console server.
> Select the Cellular Modem panel on the System: Dial menu.
> Check Enable Dial-In and configure the Dial-In Settings.
[Screenshot: System: Dial, Internal Cellular Modem panel on an ACM5002 with Firmware 3.4.0u1, showing the Disable Dial / Enable Dial-In / Enable Dial-Out options and the Dial-In Settings fields: Username, Remote Address, Local Address, Default Route, Custom Modem Initialization, Authentication Type, Calling Number Filtering, Permitted Calling Number, Dynamic DNS]
449. owing procedure to configure the RADIUS authentication method to be used whenever the console server or any of its serial ports or hosts is accessed:
> Select Serial and Network: Authentication and check RADIUS or LocalRADIUS or RADIUSLocal or RADIUSDownLocal.
[Screenshot: RADIUS form. Help text shown on the form follows.]
Authentication and Authorisation Server Address: Comma separated list of remote authentication and authorisation servers.
Accounting Server Address: Comma separated list of remote accounting servers. If unset, Authentication and Authorisation Server Address will be used.
Server Password: The shared secret allowing access to the authentication server. Re-enter the above password for confirmation.
> Enter the Server Address (IP or host name) of the remote Authentication/Authorization server. Multiple remote servers may be specified in a comma separated list. Each server is tried in succession.
> In addition to multiple remote servers, you can also enter separate lists of Authentication/Authorization servers and Accounting servers. If no Accounting servers are specified, the Authentication/Authorization servers are used instead.
> Enter the Server Password.
> Click Apply. RADIUS remote authentication will now be used for all user access to console server and serially or network attached devices.
RADIUS: The Remote Authentication Dial-In User Service (RADIUS) protocol was develope
450. ows the performance of three of the console server models (1/2 port, 8 port, and 16/48 port), tabulating three connection types: no encryption; SSL; and no encryption, tunneled over existing SSH session.
NRPE time to service 1 check: 1/10 second (no encryption); 1/3 second (SSL); 1/8 second (tunneled over SSH).
NRPE time to service 10 simultaneous checks: 1 second (no encryption); 3 seconds (SSL); 1 second (tunneled over SSH).
Maximum number of simultaneous checks before timeouts: 30 (no encryption); 20 (1, 2 and 8 port) or 25 (16 and 48 port) (SSL); 25 (1, 2 and 8 port), 35 (16 and 48 port) (tunneled over SSH).
The results were from running tests 5 times in succession with no timeouts on any runs. However, there are a number of ways to increase the number of checks you can do.
Usually when using NRPE checks, an individual request will need to set up and tear down an SSL connection. This overhead can be avoided by setting up an SSH session to the console server and tunneling the NRPE port. This allows the NRPE daemon to be run securely without SSL encryption, as SSH will take care of the security.
When the console server submits NSCA results, it staggers them over a certain time period (e.g. 20 checks over 10 minutes will result in two check results every minute). Staggering the results like this means that in the event of a power failure or other incident that causes multiple problems, the individual freshness checks will be staggered too.
NSCA checks are also batched. So in the previous example, the two checks per minute will be sent through in a single tran
451. pengear Uptime 4 days 2 hours 15 mins 49 secs Current User root Log Out Status UPS Status Serial Port Users amp Groups Summary blazer tripplite sd4002 Authentication Network Hosts tripplite SmartOnline Status Graph Trusted Networks Cascaded Ports UPS Connections RPC Connections Environmental 28 Managed Devices EE eee Baal Sava E E A i stall Alerts amp Logging 82 308 62 48 62 58 tripplite SmartOnline Log Date Time Battery Input Load Status Temperature Frequency Charge Voltage Administration 20090518 212100 100 237 3 0 Off 49 9 aa 20090518 212200 100 237 3 0 off 49 9 Firmware IP 20090518 212300 100 235 8 0 Off 49 9 Date amp Time 8 2 6 Overview of Network UPS Tools NUT NUT is built on a networked model with a layered scheme of drivers server and clients NUT can be configured using the Management Console as described above or you can configure the tools and manage the UPSes directly from the command line This section provides an overview of NUT however you can find full documentation at http www networkupstools org doc nee Monitor log graph amp alert NUT upse client Local NUT upsd server NUT serial USE SNMP UPS drivers I NUT upsd server Multiple gii i ae Multiple on remote UPSes a NUT is built on a networked model with a layered scheme of drivers server and clients The driver programs talk dir
452. promised or if the holder of the certificate is to be denied the ability to establish a connection to the console server. (Glossary entry: Revocation List)
CHAP: Challenge-Handshake Authentication Protocol (CHAP) is used to verify a user's name and password for PPP Internet connections. It is more secure than PAP, the other main authentication protocol.
DHCP: Dynamic Host Configuration Protocol. A communications protocol that assigns IP addresses to computers when they are connected to the network.
DNS: Domain Name System that allocates Internet domain names and translates them into IP addresses. A domain name is a meaningful and easy to remember name for an IP address.
DUN: Dial Up Networking.
Encryption: The technique for converting a readable message (plaintext) into apparently random material (ciphertext) which cannot be read if intercepted. The proper decryption key is required to read the message.
Ethernet: A physical layer protocol based upon IEEE standards.
Firewall: A network gateway device that protects a private network from users on other networks. A firewall is usually installed to allow users on an intranet access to the public Internet without allowing public Internet users access to the intranet.
Gateway, Hub, Internet, Intranet, IPMI, Key lifetimes, LAN, LDAP, LED, MAC address, MSCHAP, NAT, Net mask, NFS, NTP, OUT OF BAND, PAP. A machine that provide
453. ps Authentication Network Hosts Trusted Networks Failover amp Interfaces Routes Serial Ports IP ICMP TCP UDP Out of Band Cellular Internal Cellular Modem gt OTASP success will result in a valid phone number being placed in the NAM Profile Account MDN field 104 UPS Connections RPC Connections Environmental Managed Devices Administration SSL Certificates Configuration Backup Firmware Service Availability Roaming Support Current Roaming Status Supported System Mode Current System Mode Network Acquisition Order Radio Access Technology Supported Service Domain Current Service Domain SIM Status Received Signal Strength Indication RSSI in dBm Bit Error Rate Operational Status Service available Supported Not roaming Auto select WCDMA mode WCDMA then GSM UMTS 3G Preferred Circuit and packet switched Circuit and packet switched service SIM available 83 Unknown Console Server amp RMM Gateway User Manual User Manual Manual Activation Some carriers may not support OTASP in which case it may be necessary to manually provision the modem gt Select Internal Cellular Modem panel on the System Dial menu 5 6 3 Serial Console Port 1 Internal Cellular Modem CDMA Modem Activation The CDMA Modem is not provisioned activated please contact your carrier and provide them with the ESN 1620743259 0x609A945B Some carriers require a second acti
454. ps
[Screenshot: remote UPS form. Help text shown on the form follows.]
UPS Name: The name of this UPS.
Description: An optional description.
Address: The address or DNS name of the host managing this UPS.
Log Status: Periodically log UPS status.
Log Rate (15): Minutes between samples.
Enable Shutdown Script: Run the shutdown script when power becomes critical for this UPS.
> Enter the Name of the particular remote UPS to be remotely monitored. This name must be the name that the remote UPS was configured with on the remote console server (as the remote console server may itself have multiple UPSes attached that it is managing locally with NUT). Optionally enter a Description.
> Enter the IP Address or DNS name of the remote console server that is managing the remote UPS. This may be another Opengear console server or it may be a generic Linux server running Network UPS Tools.
Note: An example where centrally monitoring remotely distributed UPSes is useful is a campus or large business site where there's a multitude of computer and other equipment sites spread afar, each with their own UPS supply, and many of these (particularly the smaller sites) will be USB or serially connected. Having a CM4001, ACM5000 or IM4004-5 at these rem
455. r example the ACM5004 W has one internal USB committed for the 802 11 adapter so there is only one external USB port free Similarly with ACM5004 F model an internal USB flash is fitted using up one of the two USB2 0 ports 2 6 Fitting Cellular SIM and Antennas The ACM5504 5 G ACM5004 G and ACM5004 G I each has an internal 3G cellular modem that requires at least one or more SIM cards to be installed and at least one external antenna to be attached The ACM5004 GV also has an internal cellular modem requiring external antenna connection however the Verizon network does not require a SIM card Console Server amp RMM Gateway User Manual 21 Chapter 2 Installation The IM42xx 2 DAC X2 G and IM42xx 2 DAC X0 G models have an internal 3G cellular modem that requires a SIM card and external antenna All the other IM4200 ACM5000 ACM5500 and IM4004 5 models support an external USB cellular modem Such modems have internal antennas however they may benefit from an external antenna 2 6 1 ACM5004 G G I and ACM5504 5 G I SIM The ACM5004 G G and ACM5004 5 G I models work with GSM carriers globally Your carrier will provide you with a SIM card for activating you data plan You must install the SIM card before powering on the device For the ACM5004 G G unscrew the cover plate on the side of the insert the SIM into the SIM garage then screw the cover plate back on The ACM5004 5 G can hold two SIM cards from alternate carriers howe
456. r IP address:
A. When the Viewer PC is connected to the console server thru a SSH tunnel (over the public Internet, or a dial-in connection, or private network connection), enter localhost (or 127.0.0.1) as the VNC Server IP address, and the source port you entered when setting SSH tunneling/port forwarding (in Section 6.2.6), e.g. 1234.
[Screenshot: UltraVNC Viewer connection dialog with Quick Options]
B. When the Viewer PC is connected directly to the console server (i.e. locally or remotely through a VPN or dial-in connection), and the VNC Host computer is serially connected to the console server, enter the IP address of the console server unit with the TCP port that the SDT tunnel will use. The TCP port will be 7900 plus the physical serial port number (i.e. 7901 to 7948), so all traffic directed to port 79xx on the console server is tunneled thru to port 5900 on the PPP connection on serial Port xx, e.g. for a Windows Viewer PC using UltraVNC connecting to a VNC Server which is attached to Port 1 on a console server located 192.168.0.1
457. r client to use when connecting to the console server. User clients, who you may set up later, will also use these protocols when accessing console server serial attached devices and network attached hosts. So you will need to have appropriate communications software tools set up on the Administrator and User client's computer. Opengear provides the SDT Connector as the recommended client software tool; however, other generic tools such as PuTTY and SSHTerm may be used, and these are all described below. 3.5.1 SDT Connector: Opengear recommends using the SDT Connector communications software tool for all communications with console servers, to ensure these communications are secure. Each console server is supplied with an unlimited number of SDT Connector licenses to use with that console server. [Figure: SDT Connector, RDP/VNC/Telnet/HTTP client, SSH encrypted tunnel, sessions forwarded to devices, computers and service processors on the LAN] SDT Connector is a lightweight tool that enables Users and Administrators to securely access the console server and the various computers, network devices and appliances that may be serially or network connected to the console server. SDT Connector is a Java client program that couples the trusted SSH tunneling protocol
458. r the PuTTY SSH client instead of typing username fred and ssh port 3002 the alternate is to type username fred port02 or username fred ttyS1 and ssh port 22 Or by typing username fred serial and ssh port 22 the User is presented with a port selection option Console Server amp RMM Gateway User Manual User Manual gp 192 168 254 152 PuTTY This syntax enables Users to set up SSH tunnels to all serial ports with only a single IP port 22 having to be opened in their firewall gateway Note In Console Server mode when you connect through to a serial port you connect via pmshell To will generate a BREAK on the serial port if you re connected over SSH you ll need to type the character sequence b TCP RAW TCP allows connections directly to a TCP socket However while communications programs like PuTTY also supports RAW TCP this protocol would usually be used by a custom application For RAW TCP the default port address is IP Address _ Port 4000 serial port i e 4001 4048 RAW TCP also enables the serial port to be tunneled to a remote console server so two serial port devices can be transparently interconnect over a network see Chapter 4 1 6 Serial Bridging RFC2217 Selecting RFC2217 enables serial port redirection on that port For RFC2217 the default port address is IP Address _ Port 5000 serial port i e 5001 5048 Special client software is available for Windows UNIX and Linux that
459. red the NRPE server is the Nagios daemon for executing plug-ins on remote hosts. Each of the Serial Ports and each of the Hosts connected to the console server which are to be monitored must have Nagios enabled and any specific Nagios checks configured. Lastly, the central upstream Nagios monitoring host must be configured. 10.3.1 Enable Nagios on the console server: > Select System: Nagios on the console server Management Console and tick the Nagios service Enabled. [Screenshot: System: Nagios form with fields Enabled, Nagios Host Name, Nagios Host Address, Nagios Server Address, Disable SDT Nagios Extensions, SDT Gateway Address, Prefer NRPE] > Enter the Nagios Host Name that the console server will be referred to in the Nagios central server (this will be generated from the local System Name entered in System: Administration if unspecified) > In Nagios Host Address enter the IP address or DNS name that the upstream Nagios server will use to reach the console server (if unspecified this w
460. replacing w x y z with the IP address or DNS name To set the Manager Trap Port field config set config system snmp trapport3 162 replacing 162 with the TCP UDP port number To set the SNMP Manager Protocol field config set config system snmp protocol83 UDP or config set config system snmp protocol3 TCP To set the SNMP Manager Version field config set config system snmp version3 3 To set the SNMP Manager v1 amp v2c community field config set config system snmp community3 public To set the SNMP Manager v3 Engine ID field config set config system snmp engineid3 0x8000000001020304 replacing 0x8000000001 020304 with the hex Engine ID To set the SNMP Manager v3 Security Level field config set config system snmp seclevel3 noAuthNoPriv or config set config system snmp seclevel3 authNoPriv or config set config system snmp seclevel3 authPriv To set the SNMP Manager v3 Username field config set config system snmp username3 username To set the SNMP Manager v3 Auth Protocol and password fields config set config system snmp authprotocol8 SHA or config set config system snmp authprotocol8 MD5 config set config system snmp authpassword3 password 1 To set the SNMP Manager v3 Privacy Protocol and password fields config set config system snmp privprotocol3 AES or config set config system snmp privprotocol3 DES config set config system snmp privpassword3 password
461. response to trigger IP Date amp Time Serial Signal Hysteresis 0 Dial i Firewall Serial Pattern Hysteresis factor applied to environmental measurements DHCP Server Nagios ICMP Ping Save Auto Response u Canfinuira Nachhoaard gt Inthe Environmental Check menu select the specific Environmental Sensor to be checked for the trigger gt Specify the Trigger value in C F for Temp and for Humidity that the check measurement must exceed or drop below to trigger the AutoResponse gt Select Comparison type as being Above Trigger Value or Below Trigger Value to trigger gt Specify any Hysteresis factor that is to be applied to environmental measurements e g if an Auto Response was set up with a trigger event of a temp reading above 49 C with a Hysteresis of 4 then the trigger condition would not be seen as having been resolved till the temp reading was below 45 C gt Check Save Auto Response 152 Console Server amp RMM Gateway User Manual User Manual Note 7 2 2 Before configuring Environmental Checks as the trigger in Auto Response you will need first to configure the Temp and or Humidity sensors on your ACM5000 or attached EMD a h 4 latrws A os Carwent thes as Serial amp Network Environmental Alarms and Digital Inputs To set the status of any attached Smoke or Water sensors or digital inputs as the trigger event gt gt gt gt Note 7 2 3 Click
462. ress of the gateway (e.g. the IP address it is accessible using when dialed in directly). You also may modify the gateway's SSH port if it's not using the default of 22. > Enter the command or path to a script to start the OoB connection in Start Command. To initiate a pre-configured dial-up connection under Windows, use the following Start Command: cmd /c start "Starting Out of Band Connection" /wait /min rasdial network_connection login password where network_connection is the name of the network connection as displayed in Control Panel > Network Connections, login is the dial-in username, and password is the dial-in password for the connection. To initiate a pre-configured dial-up connection under Linux, use the following Start Command: pon network_connection where network_connection is the name of the connection. > Enter the command or path to a script to stop the OoB connection in Stop Command. To stop a pre-configured dial-up connection under Windows, use the following Stop Command: cmd /c start "Stopping Out of Band Connection" /wait /min rasdial network_connection /disconnect where network_connection is the name of the network connection as displayed in Control Panel > Network Connections. To stop a pre-configured dial-up connection under Linux, use the following Stop Command: poff network_connection To make the OoB connection using SDT Connector
463. rfaces from the SysAdmin traffic from Tony from the Network Interface Interface Any Any Network Interface Port Range Any Any Any Source MAC Any Any Any Source IP IP address of SysAdmin IP address of Tony Any Destination IP Any Any Any Protocol TCP TCP TCP Direction Ingress Ingress Ingress Action Accept Accept Block System Name cm4001 Model CM4001 Firmware 3 4 0 re O opengear Uptime 4 days 6 hours 57 mins 28 secs Current User root Backup Commit Log Out Config System Firewall Serial amp Network Serial Port Service Access Port Forwarding Firewall Rules Forwarding amp Masquerading Users amp Groups Authentication Firewall Rules Network Hosts Trusted Networks Name Interface Protocol Destination Source Destination Direction Action Rule Modify Delete Call Home Port Port Address Address Address Address Order Cascaded Ports Range Range Range UPS Connections RPC Connections Allow Sys any tcp Any 192 168 0 0 16 Any ingress accept vy B B Environmental Admin Managed Devices Allow any tcp Any 10 0 0 0 8 Any ingress accept AY B B Tony Block wan tcp Any Any Any ingress block a Oo g Everyone Else New Firewall Rule However if the Rule Order above was to be changed so the Block Everyone Else rule was second on the list then the traffic coming in over the Network Interface from Tony would be blocked 118 Console Server amp RMM Gateway User Manual Chapter
464. ritical servers may not be shut down till a low battery warning is received. Refer to the online NUT documentation for details on how this is done: http://eu1.networkupstools.org/doc/2.2.0/INSTALL.html http://linux.die.net/man/5/upsmon.conf http://linux.die.net/man/8/upsmon An example upsmon.conf entry might look like: MONITOR managedups@192.168.0.1 1 username password slave where managedups is the UPS Name of the Managed UPS; 192.168.0.1 is the IP address of the Opengear console server; 1 indicates the server has a single power supply attached to this UPS; username is the Username of the Managed UPS; password is the Password of the Managed UPS. There are NUT monitoring clients available for Windows computers (WinNUT). If you have an RPC (PDU) it is also possible to shut down UPS powered computers and other equipment without them having a client running (e.g. communications and surveillance gear). Set up a UPS alert and use this to trigger a script which controls a PDU to shut off the power (refer Chapter 15). 8.2.4 UPS alerts: You can set UPS alerts using Alerts & Logging: Alerts (refer Chapter 7, Alerts & Logging). 8.2.5 UPS status: You can monitor the current status of your network, serially or USB connected Managed UPSes and any configured Remote UPSes. > Select the Status: UPS Status menu and a table with the summary status of all connected UPS hardware will
465. rmine what the computer can do without accessing programs from a disk. On PCs, the BIOS contains all the code required to control the keyboard, display screen, disk drives, serial communications and a number of miscellaneous functions. Bonding: Ethernet Bonding or Failover is the ability to detect communication failure transparently, and switch from one LAN connection to another. BOOTP: Bootstrap Protocol. A protocol that allows a network user to automatically receive an IP address and have an operating system boot without user interaction. BOOTP is the basis for the more advanced DHCP. Certificates: A digitally signed statement that contains information about an entity and the entity's public key, thus binding these two pieces of information together. A certificate is issued by a trusted organization (or entity) called a Certification Authority (CA) after the CA has verified that the entity is who it says it is. Certificate Authority: A Certificate Authority is a trusted third party which certifies public keys to truly belong to their claimed owners. It is a key part of any Public Key Infrastructure, since it allows users to trust that a given public key is the one they wish to use, either to send a private message to its owner or to verify the signature on a message sent by that owner. Certificate A list of certificates that have been revoked by the CA before they expired. This may be necessary if the private key certificate has been com
466. rn alert cd; mkdir /etc/config/scripts (if the directory does not already exist); cp /etc/scripts/portmanager-pattern-alert /etc/config/scripts/portmanager-pattern-alert The next step will be to edit the new script file. Firstly, open the file /etc/config/scripts/portmanager-pattern-alert using vi (or any other editor) and remove the lines that check for a custom script (the code from above); this will prevent the new custom script from repeatedly calling itself. After these lines have been removed, edit the file or add any additional scripting to the file. 15.1.3 Example script: Power cycling on pattern match. If, for example, we had an RPC (PDU) connected to port 1 on a console server and also have some telecommunications device connected to port 2 (and which is powered by the RPC outlet 3). Now assume the telecom device transmits a character stream EMERGENCY out on its serial console port every time that it encounters some specific error, and the only way to fix this error is to power cycle the telecom device. The first step is to set up a pattern match alert on port 2 to check for the pattern EMERGENCY. Next we need to create a custom script to deal with this alert: cd; mkdir /etc/config/scripts (if the directory does not already exist); cp /etc/scripts/portmanager-pattern-alert /etc/config/scripts/portmanager-pattern-alert Note: Make sure to remove the if statement (which checks for a custom script) from the new script in
467. rnal environmental sensors attached The industrial ACM5508 2 and ACM5504 5 G models are also supplied with a green connector block on the side by default The first two connectors on this block p1011 GND DIO2 GND ouT1 GND OUT EXT 9 30v DC marked DIO1 and DIO2 can be configured to have external environmental sensors attached EE 1 g Note The ACM5000 E Sensor inputs are four dry contact inputs which are normally open NO When open these are sensed as a TTL high or digital 1 When activated the external devices door close vibration water smoke present a short circuit and the contact closes to ground which is read as a TTL low or a digital 0 For custom applications a user can sense the state closed or open of non Opengear dry contact sensors through the Ul or command line It is also possible to control the sensor pins as outputs The user can set the pins as TTL high 1 or low 0 as required for their low voltage low current application The ACM5004 2 1 ACM5508 2 I and ACM5504 5 G models have specific dedicated I O DIO1 amp DIO2 and output only pins OUT1 amp OUT2 the later having inverting outputs with higher voltage current transistor By default on the ACM5000 and ACM500 each SENSOR and DIO port is configured as an nput so they are available to be used with external environmental sensors attached gt To confirm the direction and state configurations for th
468. rom htto openvpon se download html 80 Console Server amp RMM Gateway User Manual User Manual gt Once installed on the Windows machine an OpenVPN icon will have been created in the Notification Area located in the right side of the taskbar Right click on this icon to start and stop VPN connections and to edit configurations and view logs dient IM4004 cient IM4216 cient sample H H serwer Windows Client Proxy Settings About Exit OpenVPN GU Y When the OpenVPN software is started the C Program Files OpenVPN config folder will be scanned for opvn files This folder will be rechecked for new configuration files whenever the OpenVPN GUI icon is right clicked So once OpenVPN is installed a configuration file will need to be created gt Using a text editor create an xxxx ovpn file and save in C Program Files OpenVPN config For example C Program Files OpenVPN config client ovpn An example of an OpenVPN Windows client configuration file is shown below description IM4216_client client proto udp verb 3 dev tun remote 192 168 250 152 port 1194 ca c lopenvpnkeys ca crt cert c lopenvpnkeys client crt key c lopenvpnkeys client key nobind persist key persist tun comp lzo An example of an OpenVPN Windows Server configuration file is shown below server 10 100 10 0 255 255 255 0 port 1194 keepalive 10 120 proto udp mssfix 1400 persist key persist tun dev tun
469. rom the command line setfset r lists all of the current feature set variables You look for the factory_opts variable and then change add 3g gps to it For example factory_opts rs485 3g ind To update it to 3g gps you do the following setfset u factory_opts rs485 3g gps ind Then run setfset r again and make sure you can see the update 58 Console Server amp RMM Gateway User Manual User Manual You can use pmshell webshell SSH RFC2217 or RawTCP to get at the stream System Name acm5004 gi Model ACM5004 GI Firmware 3 4 0u2 Aa O opPengear Uptime 0 days 2 hours 56 mins 52 secs Current User root Backup Log Out Manage Devices Serial amp Network Serial Port Users amp Groups Authentication Network Hosts Trusted Networks Managed Devices Network Serial Power System Name acm5004 gi Model ACM5004 GI Firmware 3 4 0u2 0 Uptime 0 days 2 hours 55 mins 8 secs Current User root as Backup Log Out Manage Terminal Serial amp Network Serial Port ie SGPRMC V 553s sss s N 53 C perfomes SPESA Ads sc yiseho veces ete GPVTG T M N K 4E GPGSV 1 1 00 79 GPGGA 0 66 GPRMC sVevetvesses 32 Cascaded Ports SGPGSA Aik rsi cetaeseeeae Le UPS Connections GPVTG T M N K 4E endear GPGSV 1 1 00 79 Environmental r Managed Devices GPGGA yxx999 99999999 66 GPRMC V FevFPIFaF N 53 Note This GPS support is also avail
470. roups on the console server. Note: Any spaces in the group name will be converted to underscores. For example, in an existing Active Directory setup, a group of users may be part of the UPS Admin and Router Admin groups. On the console server, these users will be required to have access to a group Router_Admin, with access to port 1 (connected to the router), and another group UPS_Admin, with access to port 2 (connected to the UPS). Once LDAP is set up, users that are members of each group will have the appropriate permissions to access the router and UPS. Currently the only LDAP directory service that supports group provisioning is Microsoft Active Directory. Support is planned for OpenLDAP at a later time. To enable group information to be used with an LDAP server: > Complete the fields for standard LDAP authentication, including LDAP Server Address, Server Password, LDAP Base DN, LDAP Bind DN and LDAP User Name Attribute > Enter memberOf for LDAP Group Membership Attribute, as group membership is currently only supported on Active Directory servers > If required, enter the group information for LDAP Console Server Group DN and/or LDAP Administration Group DN. A user must be a member of the LDAP Console Server Group DN group in order to gain access to the console and user interface. For example, the user must be a member of MyGroup on t
471. router's console port. Click Console server Mode and select Logging Level 1. Check Telnet (SSH access is not required, as SDT Connector is used to secure the otherwise insecure Telnet connection). Scroll down to Nagios Settings and check Enable Nagios. Check Port Log and Serial Status. Click Apply. Now you can set the console server to send alerts to the Nagios server: > Select Alerts from the Alerts & Logging menu and click Add Alert > In Description enter: Administrator connection > Check Nagios (NSCA) > In Applicable Ports check the serial port that has the router console port attached. In Applicable Hosts check the IP address/DNS name of the IIS server > Click Connection Alert > Click Apply. Lastly, you need to add a User for the client running SDT Connector: > Select Users & Groups from the Serial & Network menu > Click Add User > In Username enter: sdtnagiosuser, then enter and confirm a Password > In Accessible Hosts click the IP address/DNS name of the IIS server, and in Accessible Ports click the serial port that has the router console port attached > Click Apply. 10.2.3 Set up SDT for Nagios on the central Nagios server: Once the Nagios service, network host and serial port have been configured on the console server, you are ready to run the SDT for Nagios Configuration Wizard on the central Nagios server. The pr
472. rver. It is advisable to create a new directory to store your generated keys. It is also possible to name the files after the device they will be used for. For example: mkdir keys; ssh-keygen -t rsa Generating public/private rsa key pair. Enter file in which to save the key (/home/user/.ssh/id_rsa): /home/user/keys/control_room Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /home/user/keys/control_room Your public key has been saved in /home/user/keys/control_room.pub The key fingerprint is: 28:4a:29:38:ba:40:74:11:5e:3f:04:fa:e5:36:14:d6 user@server You should ensure there is no password associated with the keys. If there is a password, then the console servers will have no way to supply it at runtime. Authorized Keys: If the console server selected to be the server will only have one client device, then the authorized_keys file is simply a copy of the public key for that device. If one or more devices will be clients of the server, then the authorized_keys file will contain a copy of all of the public keys. RSA and DSA keys may be freely mixed in the authorized_keys file. For example, assume we already have one server, called bridge_server, and two sets of keys, for the control_room and the plant_entrance: ls /home/user/keys control_room control_room.pub plant_entrance plant_entrance.pub cat /home/user/keys/control_room.pub /home/user/keys/plant_entrance
473. rver & RMM Gateway User Manual. The config tool is designed to perform multiple actions from one command if need be, so if necessary options can be chained together. The config tool allows manipulation and querying of the system configuration from the command line. Using config, the new configuration can be activated by running the relevant configurator, which performs the action necessary to make the configuration changes live. The custom user configuration is saved in the /etc/config/config.xml file. This file is transparently accessed and edited when configuring the device using the Management Console browser GUI. Only the user root can configure from the shell. By default, the config elements are separated by a '.' character. The root of the config tree is called <config>. To address a specific element, place a '.' between each node/branch, e.g. to access and display the description of user1 type: config -g config.users.user1.description The root node of the config tree is <config>. To display the entire config tree, type: config -g config To display the help text for the config command, type: config -h The config application resides in the /bin directory. The environmental variable called PATH contains a route to the /bin directory. This allows a user to simply type config at the command prompt instead of the full path /bin/config. Options: -a --run-all Run all registered configurators. This performs every configura
474. rvices using the Serial & Network: Network Hosts menu, as detailed in Network Hosts (Chapter 4.4). Only these permitted services will be forwarded through by SSH to the host. All other services (TCP/UDP ports) will be blocked. Note: Following are some of the TCP ports used by SDT in the console server: 22 SSH (all SDT tunneled connections); 23 Telnet on local LAN (forwarded inside tunnel); 80 HTTP on local LAN (forwarded inside tunnel); 3389 RDP on local LAN (forwarded inside tunnel); 5900 VNC on local LAN (forwarded inside tunnel); 73XX RDP over serial from local LAN, where XX is the serial port number (i.e. 7301 to 7348 on a 48 port console server); 79XX VNC over serial from local LAN, where XX is the serial port number. [Screenshot: Serial & Network: Network Hosts form with fields IP Address/DNS Name, Host Name, Description/Notes and Permitted Services (22/tcp ssh)]
475. ry can be centrally monitored through the one central console server window To add a Remote UPS System Name IMG4004 5 Model CHANGE_SYSTEM_NAME Firmware 2 8 0p0 Aa opengear Uptime 0 days 0 hours 45 mins 19 secs Current User root Backup Log Out Serial amp Network UPS Connections Serial amp Network Serial Port Managed UPSes Users amp Groups UPS Description Driver Username Shutdown Connected Authentication Name Order Via Network Hosts Trusted Networks APC Smart UPS apcsmart XX 0 Serial Port Edit Delete Cascaded Ports 4 Port 4 UPS Connections RPC Connections pipaa Add Managed UPS Managed Devices Remote UPSes Alerts amp Logging Port Log UPS Description Address Alerts Name SMTP amp SMS tripplte D4002 192 168 254 145 Edit Delete SNMP SUINT1000RTXL2U Sen er Adminictratinn gt Select the Serial amp Network UPS Connections menu The Remote UPSes section will display all the remote UPS devices being monitored gt Click Add Remote UPS Console Server amp RMM Gateway User Manual 177 Chapter 8 Power Environmental amp Digital I O System Name IMG4004 5 Model CHANGE_SYSTEM_NAME Firmware 2 8 0p0 Aa opengeaf Uptime 0 days 0 hours 52 mins 52 secs Current User root Backup Log Out Serial amp Network UPS Connections Serial amp Network Serial Port Add Remote UPS Users amp Grou
476. s URL (this is the default), the Web Terminal connects using HTTPS. 13.3.1.1 Web Terminal to Command Line: To enable the Web Terminal service for the console server: > Select System: Firewall > Check Enable Web Terminal and click Apply. Form fields shown: Enable Web Terminal (allow web browser access to the system command line shell via Manage > Terminal); Alternate Telnet Base (a secondary TCP port range for Telnet access to serial ports, in addition to the default port 2000); Alternate SSH Base (a secondary TCP port range for SSH access to serial ports, in addition to the default port 3000); Alternate Raw TCP Base (a secondary TCP port range for Raw TCP access to serial ports, in addition to the default port 4000); Alternate RFC 2217 Base (a secondary TCP port range for RFC 2217 access to serial ports, in addition to the default port 5000); Alternate Unauthenticated Telnet Base (a secondary TCP port range for Unauthenticated Telnet access to serial ports, in addition to the default port 6000). Administrators can now communicate directly with the console server command line from their browser: > Select Manage: Terminal to display the Web Terminal, from which you can log in to the console server command line.
477. s The original state will automatically be set as a priority and reestablished following three successful pings of the probe addresses during failover The failover state will be removed once the original state has been re established For earlier firmware that does not support automatic failure recovery to restore networking to a recovered state the following command then needs to be run rm f var run failed over amp amp config r ipconfig If required you can run a custom bash script when the device fails over It is possible to use this script to implement automatic failure recovery depending on your network setup The script to create is etc contig scripts interface failover alert You can check the connection status by selecting the Cellular panel on the Status Statistics menu System Name img4004 5 Model IMG4004 5 Firmware 3 1 0u2 Aa O opengear Uptime 5 days 2 hours 37 mins 13 secs Current User root Backup Log Out Status Statistics Serial amp Network Alerts amp Logging Interfaces Routes Serial Ports P ICMP TCP UDP esas ae Failover Port Access a Users Main Connection Network wan ISCICS Support Report Failover Connection Management LAN lan UPS Status Active Connection Main RPC Status Environmental Status Connection Status Connected Dashboard IP Address 192 168 250 106 Manage Warning This is a private IP address VPN is required to enable incoming connecti
478. s then echo deleting 1 contig d 1 echo Done exit O elif NUMBER TOTAL Test if only one item exists then echo only one item exists Deleting node echo Deleting 1 contig d 1 Modifying item total config s STOTALNODE 0 echo Done exit O Console Server amp Router User Manual 269 Chapter 16 KCS Client Configuration elif NUMBER It TOTAL more than one item exists then else fi Modify the users list so user numbers are sequential by shifting the users into the gap one at a time echo Deleting 1 LASTFIELDTEXT echo LASTFIELD sed s 0 9 g CHECKTOTAL contig g ROOTNODE LASTFIELDTEXT TOTAL if z SCHECKTOTAL then echo WARNING TOTALNODE greater than number of items fi COUNTER 1 while COUNTER TOTAL NUMBER 1 do contig g ROOTNODE LASTFIELDTEXT NUMBER COUNTER while read LINE do config s echo LINE sed e s LASTFIELDTEXT NUMBER COUNTER LASTFIELDTEXT NUMBER COUNTER 1 e S 7 done let COUNTER done deleting last user config d ROOTNODE LASTFIELDTEXT TOTAL Modifying item total config s TOTALNODE NEWTOTAL echo Done exit O echo error item being deleted has an index greater than total items Increase the total count variable exit 0 15 1 6 Power cycle any device upon a ping request failure The ping detect script is designed to run specified commands when
479. [Screenshot: Managed UPS form with fields Log Rate (minutes between samples), Enable Nagios, Nagios Host Name and Nagios UPS Status] > Check Enable Shutdown Script if this is the UPS providing power to the console server itself and, in the event of a critical power failure, you can perform any last gasp actions on the console server before power is lost. This is achieved by placing a custom script in /etc/config/scripts/ups-shutdown (you may use the provided /etc/scripts/ups-shutdown as a template). This script is only run when the UPS reaches critical battery status. > Click Apply. Note: You can also customize the upsmon, upsd and upsc settings for this UPS hardware directly from the command line. 8.2.2 Remote UPS management: A Remote UPS is a UPS that is connected as a Managed Device to some remote console server which is being monitored (but not managed) by your console server. The upsc and upslog clients in the Opengear console server can be configured to monitor remote servers that are running Network UPS Tools managing their locally connected UPSes. These remote servers might be other Opengear console servers or generic Linux servers running NUT. So all these distributed UPSes (which may be spread in a row in a data center, or around a campus property, or across the count
480. s a route or pathway to the outside world. A network device that allows more than one computer to be connected as a LAN, usually using UTP cabling. A worldwide system of computer networks: a public, cooperative and self-sustaining network of networks accessible to hundreds of millions of people worldwide. The Internet is technically distinguished because it uses the TCP/IP set of protocols. A private TCP/IP network within an enterprise. Intelligent Platform Management Interface (IPMI) is a set of common interfaces to a computer system which system administrators can use to monitor system health and manage the system. The IPMI standard defines the protocols for interfacing with a service processor embedded into a server platform. The length of time before keys are renegotiated. Local Area Network. The Lightweight Directory Access Protocol (LDAP) is based on the X.500 standard, but significantly simpler and more readily adapted to meet custom needs. The core LDAP specifications are all defined in RFCs. LDAP is a protocol used to access information stored in an LDAP server. Light Emitting Diode. Every piece of Ethernet hardware has a unique number assigned to it, called its MAC address. Ethernet is used locally to connect the console server to the Internet, and it may share the local network with many other appliances. The MAC address is used by the local Internet router in order to direct console server traffic to it rather than somebody else
481. s are the responsibility of the user 15 12 Scripts for Managing Slaves When the console servers are cascaded the Master is in control of the serial ports on the Slaves and the Master's Management Console provides a consolidated view of the settings for its own and all the Slave's serial ports However the Master does not provide a fully consolidated view e g Status Active Users only displays those users active on the Master's ports and you will need to write a custom bash script that parses the port logs if you want to find out who's logged in to cascaded serial ports from the master You will probably also want to enable remote or USB logging as local logs only buffer 8K of data and don't persist between reboots This script would e g parse each port log file line by line each time it sees LOGIN username it adds username to the list of connected users for that port each time it sees LOGOUT username it removes it from the list The list can then be nicely formatted and displayed It's also possible to run this as a CGI script on the remote log server To enable log storage and connection logging Select Alerts & Logging Port Log Configure log storage Select Serial & Network Serial Port Edit the serial port(s) Under Console server select Logging Level 1 and click Apply There's a useful tutorial on creating a bash script CGI at http www yolinux com TUTORIALS LinuxTutorialCgiShellScript htm
482. s from external agents for Opengear status information Check the Enable the SNMP Service box to start the SNMP Service The Service is disabled by default Select either UDP or TCP for the TCP IP Protocol UDP is the recommended protocol and is selected by default TCP should only be used in special cases such as when Port Forwarding SNMP requests responses to or from the Opengear device is required > Complete the Location and Contact fields The Location field should describe the physical location of the Opengear and will be used in response to requests for the SNMPv2 MIB sysLocation 0 of the device The Contact field refers to the person responsible for the Opengear such as the System Administrator and will be used in response to requests as follows SNMPv2 MIB sysContact 0 > Enter the Read Only Community and Read Write Community This is required for SNMP v1 & v2c only The Read Only Community field is used to specify the SNMPv1 or SNMPv2c community that will be allowed read only GET and GETNEXT access This must be specified in order for both versions to become enabled The Read Write Community field is used to specify the SNMPv1 or SNMPv2c community that will be allowed read write GET GETNEXT and SET access > Configure SNMP v3 if required SNMP v3 provides secure SNMP operations through the use of USM User based Security Model It offers various levels of security including user based authentication and basic encryp
483. s from remote modems who dial a special Data Terminating number 5 7 1 OoB access set up Out of band access is enabled by default and the cellular modem connection is always on However to be directly accessed the console server needs to have a Public IP address and it must not have SSH access firewalled Almost all carriers offer corporate mobile data service plans with a Public static or dynamic IP address These plans often have a service fee attached > If you have such a static Public IP address plan you can also now try accessing the console server using the Public IP Address provided by the carrier However by default only HTTPS and SSH access is enabled on the OoB connection So you can browse to the console server but you cannot ping it > If you have a dynamic Public IP address plan then a DDNS service will need to be configured to enable the remote administrator to initiate incoming access Once this is done you can then also try accessing the console server using the allocated domain name By default most providers offer a consumer grade service which provides dynamic Private IP address assignments to 3G devices This IP address is not visible across the Internet but generally it is adequate for home and general business use > With such a plan the Failover & Out of Band tab on the Status Statistics will identify that your carrier has allocated you a Private IP Address i e in the range 10 0 0 0 10 255 255 255
484. s group 1 Group7 config s config sdt hosts host5 groups total 1 total number of groups having access to host To give another group called Group8 access to the same host config s config sdt hosts host5 groups group2 Group8 config s config sdt hosts host5 groups total 2 total number of users having access to host To delete the group called Group 7 use the following command rmuser Group7 Attention The rmuser script is a generic script to remove any config element from config xml correctly However any dependencies or references to this group will not be affected Only the group details are deleted The administrator is responsible for going through config xml and removing group dependencies and references manually specifically if the group had access to a host or RPC device The following command will synchronize the live system with the new configuration config a 14 1 4 Authentication To change the type of authentication for the console server config s config auth type authtype authtype can be Local LocalTACACS TACACS TACACSLocal TACACSDownLocal LocalRADIUS RADIUS RADIUSLocal RADIUSDownLocal LocalLDAP LDAP LDAPLocal LDAPDownLocal To configure TACACS authentication config s config auth tacacs auth_server comma separated list list of remote authentication and authorization servers config s config auth tacacs acct_server comma
485. s in the script responsible for invoking the alert email script then add the following lines below the existing lines export TOADDR emailaddress domain com bin sh etc scripts alert email suffix & These two lines assign a new email address to TOADDR and invoke the alert email script in the background 15 1 5 Deleting configuration values from the CLI The delete node script is provided to help with deleting nodes from the command line The delete node script takes one argument the node name you want to delete e g config users user1 or config sdt hosts host1 So delete node is a general script for deleting any node you desire users groups hosts UPS's etc from the command line The script deletes the specified node and shuffles the remainder of the node values For example if we have five users configured and we use the script to delete user 3 then user 4 will become user 3 and user 5 will become user 4 This creates an obvious complication as this script does NOT check for any other dependencies that the node being deleted may have had So you are responsible for making sure that any references and dependencies connected to the deleted node are removed or corrected in the config xml file The script treats all nodes the same The syntax to run the script is delete node node name so to remove user 3 delete node config users user3 The delete node script bin bash User must provide the node to be rem
486. s must also be incremented If this is the first slave being added type config s config cascade slaves total 1 Increment this value when adding more slaves NOTE If a slave is added using the CLI then the master SSH public key will need to be manually copied to every slave device before cascaded ports will work refer Chapter 4 The following command will synchronize the live system with the new configuration config r cascade Console Server & Router User Manual 253 Chapter 14 Command Line Configuration 14 1 8 UPS Connections Managed UPSes Before adding a managed UPS make sure that at least 1 port has been configured to run in device mode and that the device is set to ups To add a managed UPS with the following values Connected via Port 1 UPS name My UPS Description UPS in room 5 Username to connect to UPS User2 Password to connect to UPS secret shutdown order 2 0 shuts down first Driver genericups Driver option option option Driver option argument argument Logging Enabled Log interval 2 minutes Run script when power is critical Enabled config s config ups monitors monitor1 port dev port0 1 If the port number is higher than 9 eg port 13 enter config s config ups monitors monitor1 port dev port13 config s config ups monitors monitor1 name My UPS config s config ups monitors monitor1 description UPS in room 5 config s config ups monitors monitor1 username User2
487. s must be in the correct location etc config scripts config post To create an alerts custom script cd etc config scripts touch config post alerts vi config post alerts This script could be used to recover a specific backup config or overwrite a config or make copies of config files etc 15 1 8 Backing up the configuration and restoring using a local USB stick The etc scripts backup usb script has been written to save and load custom configuration using a USB flash disk Before saving configuration locally you must prepare the USB storage device for use To do this disconnect all USB storage devices except for the storage device you wish to use Usage etc scripts backup usb COMMAND FILE COMMAND check magic check volume label set magic set volume label save FILE save configuration to USB delete FILE delete a configuration tarball from USB list list available config backups on USB load FILE load a specific config from USB load default load the default configuration set default FILE set which file becomes the default The first thing to do is to check if the USB disk has a label etc scripts backup usb check magic If this command returns Magic volume not found then run the following command etc scripts backup usb set magic To save the configuration etc scripts backup usb save config 20May To check if the backup was sav
488. saction 10 4 5 Distributed Monitoring Usage Scenarios Below are a number of distributed monitoring Nagios scenarios Local office In this scenario the console server is set up to monitor the console of each managed device It can be configured to make a number of checks either actively at the Nagios server s request or passively at preset intervals and submit the results to the Nagios server in a batch The console server may be augmented at the local office site by one or more Intelligent Power Distribution Units IPDUs to remotely control the power supply to the managed devices [Figure legend: Network checks over Ethernet, Serial checks over RS232, Power monitoring and manipulation] Remote site In this scenario the console server NRPE server or NSCA client can be configured to make active checks of configured services and upload to the Nagios server waiting passively It can also be configured to service NRPE commands to perform checks on demand In this situation the console server will perform checks based on both serial and network access [Figure legend: Network checks over Internet, Serial checks over RS232, Results updated to Nagios via Internet (NSCA), Firewall (outgoing connections only), Console Server] Remote site with restrictive firewall In this scenario the role of t
489. se runtime description of their behavior More details on the generic Linux commands can be found online at http en tldp org HOWTO HOWTO INDEX howtos html and http www faqs org docs Linux HOWTO Remote Serial Console HOWTO html An updated list of the commands in the latest console server build can be found at http www opengear com faq233 html However it may be worth using ls command to view all the commands actually available in the bin directory in your console server There were a number of Opengear tools listed above that make it simple to configure the console server and ensure the changes are stored in the console server's flash memory etc These commands are covered in the previous chapters and include • config which allows manipulation and querying of the system configuration from the command line With config a new configuration can be activated by running the relevant configurator which performs the action necessary to make the configuration changes live • portmanager which provides a buffered interface to each serial port It is supported by the pmchat and pmshell commands which ensure all serial port access is directed via the portmanager • pmpower is a configurable tool for manipulating remote power devices that are serially or network connected to the console server • SDT Connector is a java client applet that provides point and click SSH tunneled connections to the console server and Managed Devices There are also a number o
490. sented with Nagios Settings options to enable nominated services on the Host to be monitored refer Chapter 10 Nagios Integration > Click Apply This will create the new Host and also create a new Managed Device with the same name 4 5 Trusted Networks The Trusted Networks facility gives you an option to nominate specific IP addresses that users Administrators and Users must be located at to have access to console server serial ports > Select Serial & Network Trusted Networks > To add a new trusted network select Add Rule
491. separated list list of remote accounting servers If unset Authentication and Authorization Server Address will be used config s config auth tacacs password password To configure RADIUS authentication config s config auth radius auth_server comma separated list list of remote authentication and authorization servers config s config auth radius acct_server comma separated list list of remote accounting servers If unset Authentication and Authorization Server Address will be used config s config auth radius password password To configure LDAP authentication config s config auth ldap server comma separated list list of remote servers config s config auth ldap basedn name The distinguished name of the search base For example dc my company dc com config s config auth ldap binddn name The distinguished name to bind to the server with The default is to bind anonymously config s config auth radius password password The following command will synchronize the live system with the new configuration config r auth 14 1 5 Network Hosts To determine the total number of currently configured hosts config g config sdt hosts total Assume this value is equal to 3 If you add another host make sure to increment the total number of hosts from 3 to 4 config s config sdt hosts total 4 If the output is config sdt hosts total then assume 0 hosts are configured Console
492. serial port and host access permissions who are not a member of any Groups Similarly these users don't have any access to the Management Console menu nor do they have any command line access to the console server itself 6 For convenience the SDT Connector Retrieve Hosts function retrieves and auto configures checked serial ports and checked hosts only even for admin group users 4 2 1 Setup new Group To set up new Groups and new users and to classify users as members of particular Groups > Select Serial & Network Users & Groups to display the configured Groups and Users > Click Add Group to add a new Group > Click Apply Set up new Users
493. server session idle timeout in minutes The default setting is to never expire > Select Serial and Network Authentication > Web Management Session Timeout specifies the browser console session idle timeout in minutes The default setting is 20 minutes > CLI Management Session Timeout specifies the ssh console session idle timeout in minutes The default setting is to never expire > Console Server Session Timeout specifies the pmshell serial console server session idle timeout in minutes The default setting is to never expire 9 1 10 Kerberos authentication The Kerberos authentication can be used with UNIX and Windows Active Directory Kerberos servers This form of authentication does not provide group information so a local user with the same username must be created and permissions set Note Kerberos is very sensitive to time differences between the Key Distribution Center KDC authentication server and the client device Please make sure that NTP is enabled and the time zone is set correctly on the console server When authenticating against Active Directory the Kerberos Realm will be the domain name and the Master KDC will be the address of the primary domain controller Kerberos Realm The domain name of the realm users must authenticate against Master KDC address The address of the Master KDC to authenticate against Slave KDC Address
494. server to connect to Server TCP Port The TCP port the RFC 2217 server is serving on RFC 2217 Enable RFC 2217 access SSH Tunnel Redirect the serial bridge over an SSH tunnel to the server > Select Serial Bridging Mode and specify the IP address of the Server console server and the TCP port address of the remote serial port for RFC2217 bridging this will be 5001 5048 > By default the bridging client will use RAW TCP so you must select RFC2217 if this is the console Server mode you have specified on the server console server > You may secure the communications over the local Ethernet by enabling SSH however you will need to generate and upload keys refer Chapter 14 Advanced Configuration 4 1 7 Syslog In addition to inbuilt logging and monitoring which can be applied to serial attached and network attached management accesses as covered in Chapter 7 Alerts and Logging the console server can also be configured to support the remote syslog protocol on a per serial port basis > Select the Syslog Facility Priority fields to enable logging of traffic on the selected serial port to a syslog server and to appropriately sort and action those logged messages i e redirect them send alert
495. sh org portable html http www openbsd org cgi bin man cgi query ssh & sektion 1 http www openbsd org cgi bin man cgi query sshd 15 6 5 Generating public private keys for SSH Windows This section describes how to generate and configure SSH keys using Windows First create a new user from the Opengear Management the following example uses a user called testuser making sure it is a member of the users group If you do not already have a public private key pair you can generate them now using ssh keygen PuTTYgen or a similar tool PuTTYgen http www chiark greenend org uk sgtatham putty download html OpenSSH http www openssh org OpenSSH Windows http sshwindows sourceforge net download For example using PuTTYgen make sure you have a recent version of the puttygen exe available from http www chiark greenend org uk sgtatham putty download html Make sure you have a recent version of WinSCP available from http winscp net eng download php To generate a SSH key using PuTTY http sourceforge net docs F02 clients Execute the PUTTYGEN EXE program Select the desired key type SSH2 DSA you may use RSA or DSA within the Parameters section it is important that you leave the passphrase field blank Click on the Generate button Follow the instruction to move the mouse over the blank area of the program in order to creat
496. shboard screen is the first screen displayed when admin users other than root log into the console manager If you log in as John and John is member of the admin group and there is a dashboard layout configured for John then you will see the dashboard for John on log in and each time you click on the Status Dashboard menu item If there is no dashboard layout configured for John but there is an admin group dashboard configured then you will see the admin group dashboard instead If there is no user dashboard or admin group dashboard configured then you will see the default dashboard The root user does not have its own dashboard The above configuration options are intended to enable admin users to setup their own custom dashboards The Dashboard displays six widgets These widgets include each of the Status screens alerts devices ports ups rpc and environmental status and a custom script screen The admin user can configure which of these widgets is to be displayed where > Go to the Dashboard layout panel and select which widget is to be displayed in each of the six display locations widget1 6 > Click Apply
497. simply config d config users user2 port1 The port number can be anything from 1 to 48 depending on the available ports on the specific console server For example assume we have an RPC device connected to port 1 on the console server and the RPC is configured To give this user access to RPC outlet number 3 on the RPC device run the 2 commands below config s config ports port1 power outlet3 users user2 John config s config ports port1 power outlet3 users total 2 total number of users that have access to this outlet If more users are given access to this power outlet then increment the config ports port1 power outlet3 users total element accordingly To give this user access to network host 5 assuming the host is configured config s config sdt hosts host5 users user1 John config s config sdt hosts host5 users total 1 total number of users having access to host To give another user called Peter access to the same host config s config sdt hosts host5 users user2 Peter config s config sdt hosts host5 users total 2 total number of users having access to host To edit any of the user element values use the same approach as when adding user elements i e use the s parameter If any of the config elements do not exist they will automatically be created To delete the user called John use the delete node script del
498. sing the main LAN connection for accessing the console server an alternate access path is used By default the failover is not enabled To enable > Select the Network page on the System IP menu > Now select the Failover Interface to be used in the event of an outage on the main network This can be o an alternate broadband Ethernet connection which would be the Network LAN2 port on IM4200 family and ACM5004 2 or ETH 1 on the IM4004 5 or o the IM4200 family internal modem or o an external serial modem ISDN device connected to the IM42xx Console port for out dialing to an ISP or the remote management office Failover Interface A device to fail to in case of outage Devices must be configured and enabled for failover to work 192 168 254 254 The address of the first peer to probe for connectivity detection The address of the second peer to probe for connectivity detection > Click Apply You have selected the failover method however it is not active until you have specified the external sites to be probed to trigger failover and set up the failover ports themselves This is covered in Chapter 5
499. sity will get lost when the portmanager opens the port the reason that portmanager sets things back to its config rather than using whatever is on the port is so the port is in a known good state and will work no matter what things are done to the serial port outside of portmanager 15 3 2 Accessing the console modem port The console dial in is handled by mgetty with automatic PPP login extensions mgetty is a smart getty replacement designed to be used with Hayes compatible data and data fax modems mgetty knows about modem initialization manual modem answering so your modem doesn't answer if the machine isn't ready UUCP locking So you can use the same device for dial in and dial out mgetty provides very extensive logging facilities All standard mgetty options are supported Modem initialization strings To override the standard modem initialization string either use the Management Console refer Chapter 5 or the command line config tool refer Dial In Configuration Chapter 14 Enabling Boot Messages on the Console If you are not using a modem on the DB9 console port and instead wish to connect to it directly via a Null Modem cable you may want to enable verbose mode allowing you to see the standard linux start up messages This can be achieved with the following commands bin config set config console debug on bin config run console reboot If at some p
500. sole server candidate to the Managed Console Server list o Select it from the Remote Console Servers drop down list and click Add o Enter IP Address and SSH Port if these fields have not been auto completed and enter a Description and unique Name for the Managed Console Server you are adding o Enter the Remote Root Password i e System Password that has been set on this Managed Console Server This password is used by the CMS to propagate auto generated SSH keys and then forgotten It will not be stored o Click Apply The CMS will now set up secure SSH connections to and from the Managed
501. soles of critical server systems and their supporting power and networking infrastructure Opengear console servers are built on the 2 6 uCLinux kernel as developed by the uCLinux project except for SD4001 4002 and CM4008 which have less flash and use 2 4 uCLinux kernel This is GPL code and source can be found at http cvs uclinux org Some uCLinux commands have config files that can be altered e g portmanager inetd init ssh sshd scp sshkeygen ucd snmpd samba tnord sslwrap Other commands you can run and do neat stuff with e g loopback bash shell ftp hwclock iproute iptables netcat ifconfig mii tool netstat route ping portmap pppd routed setserial smtpclient stty stunnel tcpdump tftp tip traceroute Below are most of the standard uCLinux and BusyBox commands and some custom Opengear commands that are in the default build tree The Administrator can use these to configure the console server and monitor and manage attached serial console and host devices addgroup Add a group or add an user to a group adduser Add an user agetty alternative Linux getty arp Manipulate the system ARP cache arping send ARP requests replies bash GNU Bourne Again Shell busybox Swiss army knife of embedded Linux commands cat Concatenate FILE s and print them to stdout chat Useful for interacting with a modem connected to stdin stdout chgrp Change file access permissions chmod Change file access permissions chown
502. sors to automatically send alarms progressively from warning levels to critical [Figure: EMDs with attached sensors] 8 3 1 Connecting the EMD and its sensors The Environmental Monitor Device EMD connects to any serial port on the console server via a special EMD Adapter and standard CAT5 cable The sensors then screw into the EMD > The EMD is powered over the serial port connection and communicates using a custom handshake protocol It is not an RS232 device and should not be connected without the adapter > Plug the male RJ plug on the EMD Adapter into the EMD Then connect the Adapter to the console server serial port using the provided UTP cable If the 6 foot 2 meter UTP cable provided with the EMD is not long enough it can be replaced with a standard Cat5 UTP cable up to 33 feet 10 meters in length > Screw the bare wires on any smoke detector water detector vibration sensor open door sensor or general purpose open close status sensors into the terminals on the EMD Note You can attach two sensors onto the terminals on EMDs that are connected to console servers
503. special phone number and a manual process where the phone number and other parameters can be entered manually CDMA Modem Activation The CDMA Modem is not provisioned activated please contact your carrier and provide them with the ESN 1620743259 0x609A945B Some carriers require a second activation step before you can connect successfully to their service If your carrier requires OTASP enter the Phone number below and click Activate Activation Phone Number The phone number to dial for OTASP Over the Air Service Provisioning activation e g 22899 for Verizon In the case your carrier does not support OTASP activation enter your MSL MDN & MSID below to manually activate the modem MSL The MSL for unlocking the NAM profile Advanced MDN The Mobile Directory Number to use Advanced MSID The NAM profile MSID to use Advanced Dial Out Settings Always On Out of Band Enable Enable the cellular modem connection Phone Numb
504. ss and set up for each of these Hosts the services e g HTTPS IPMI2 0 and the related IP ports being redirected configure access to the console server itself this is shown as a Local Services host configure access with the enabled services for the serial port devices connected to the console server Note The Retrieve Hosts function will auto configure all classes of user i e they can be members of user or admin or some other group or no group however SDT Connector will not auto configure the root and it is recommended that this account is only used for initial config and for adding an initial admin account to the console server 6 2 4 Make an SDT connection through the gateway to a host > Simply point at the host to be accessed and click on the service to be used in accessing that host The SSH tunnel to the gateway is then automatically established the appropriate ports redirected through to the host and the appropriate local client application is launched pointing at the local endpoint of the redirection
505. starts cipher BF CBC Blowfis Select a cryptographic cipher The client and server must use the same default settings cipher AES 128 CBC AES cipher DES EDE3 CBC Triple DES comp zo Enable compression on the OpenVPN link This must be enabled on both the client and the server syslog By default logs are located in syslog or if running as a service on l Keepalive cert lt file name gt key lt file name gt F Z U O W 5 Window in Program Files OpenVPN To initiate the OpenVPN tunnel following the creation of the client server configuration files gt Right click on the OpenVPN icon in the Notification Area gt Select the newly created client or server configuration For example IM4216_ client gt Click Connect as shown below 82 Console Server amp RMM Gateway User Manual User Manual dient 1M4004_ cient BPA Svelisne Notepad File Edit Format View File Edit Format View Help OpenVPN 2 0 9 win32 MinGw Vee roms len Rae Sica a ase coe a a LZO built on oct 1 2006 WARNING NO server certificate verification method has been enabled See http openvpn net LZO compression initialized control Channel MTU parms L 1542 D 138 EF 38 EB 0 ET 0 EL 0 Data Channel MTU ay ge 1542 D 1450 EF 42 EB 135 ET 0 EL 0 AF 3 1 Local Options hash VER v4 41690919 Expected Remote Options hash VER v4 530fdded uDPv4 link local undef UDPv4 link remote 192 168 250 152 1194
506. stem Name acm5002 Model ACM5002 Firmware 3 3 0 rer O opengear Uptime 0 days 4 hours 8 mins 59 secs Current User root Backup Log Out System DHCP Server Serial amp Network Serial Port Network Interface Users amp Groups Authentication Network DHCP Server Settings Subnet 192 168 254 0 255 255 255 0 Network Hosts Trusted Networks DHCP Server F IPsec VPN OpenVPN Enable DHCP Server Call Home Gateway Cascaded Ports UPS Connections The Default Gateway to assign RPC Connections Environmental Use interface address T Managed Devices as gateway Use this interface as the DHCP Gateway Alerts amp Logging Primary DNS The primary DNS to assign SMTP amp SMS SNMP Secondary DNS The secondary DNS to assign Administration Ais SSL Certificates Configuration Backup Firmware Default Lease gt IP The Domain Name to assign The Default Lease Time Maximum Lease DHCP Server Nagios The Maximum Lease Time Configure Dashboard Apply Port Access Dynamic Address Allocation Pools Active Users Statistics Pool Start Pool End oa ag Report No address pools currently allocated RPC Status Environmental Status Dashboard Reserved Addresses IP Address Host Name HW Address Devices No addresses currently reserved Port Logs Host Logs Power Terminal gt Enter the Gateway address that is
507. t a 0 Backup Log Out Serial amp Network PPTP VPN Serial amp Network PPTP Server Serial Port Users amp Groups Enable E Authentication Network Hosts Enable the PPTP server Trusted Networks Minium Authentication None least secure IPsec VPN Required OpenVPN PAP PPTP VPN CHAP Call Home Cacadod Poris 5 MSCHAPv2 most secure UPS Connections The least secure method to use when checking the PPTP user s credentials RPC Connections E F Environmental Required Encryption Level Only no encryption also disables compression Managed Devices 40bit or 128bit encryption n Only 40bit encryption _ amp Logging Only 128bit encryption Port Log Auto Response 5 Any encryption including none SMTP amp SMS The encryption to require for the PPTP connection Local Address IP address to assign to the server s end of the VPN connection Administration SSL Certificates Remote Addresses Configuration Backup s Firmware Pool of IP addresses to assign to the incoming client s VPN connections e g 192 168 1 10 20 IP Date amp Time MTU Dial Maximum transmission unit of the PPTP interface Defaults to 1400 DHCP Server DNS Server ios Configure Dashboard Optional IP address of a DNS server to hand to incoming clients WINS Server Port Access Optional IP address of a WINS server to hand to incoming clients Active Users Verbose logging F Enable v
508. t Equinox brand console server
PIN  SIGNAL  DEFINITION           DIRECTION
1    RTS     Request To Send      Output
2    DSR     Data Set Ready       Input
3    DCD     Data Carrier Detect  Input
4    RXD     Receive Data         Input
5    TXD     Transmit Data        Output
6    GND     Signal Ground        NA
7    DTR     Data Terminal Ready  Output
8    CTS     Clear To Send        Input
Cyclades RJ45 pinout option 01: Easy to replace Avocent Cyclades products, for use with rolled RJ 45 cable
PIN  SIGNAL  DEFINITION           DIRECTION
1    RTS     Request To Send      Output
2    DTR     Data Terminal Ready  Output
3    TXD     Transmit Data        Output
4    GND     Signal Ground        NA
5    CTS     Clear To Send        Input
6    RXD     Receive Data         Input
7    DCD     Data Carrier Detect  Input
8    DSR     Data Set Ready       Input
Cisco RJ45 pinout option 02: Straight through RJ 45 cable to equipment such as Cisco, Juniper, SUN and more
PIN  SIGNAL  DEFINITION           DIRECTION
1    CTS     Clear To Send        Input
2    DSR     Data Set Ready       Input
3    RXD     Receive Data         Input
4    GND     Signal Ground        NA
5    GND     Signal Ground        NA
6    TXD     Transmit Data        Output
7    DTR     Data Terminal Ready  Output
8    RTS     Request To Send      Output
Local Console Port: Console servers with a dedicated LOCAL console modem port use a standard DB9 connector for this port. To connect to the LOCA
509. t is configured in Local Console modem mode. Conventional Cat5 cabling with RJ45 jacks is generally used for serial connections. Opengear supplies an extensive range of cables and adapters that may be required to connect to the more popular servers and network appliances. These are also overviewed in Appendix D Connectivity and Serial I O. More detailed information is available online at http www opengear com cabling html. Before connecting the console port of an external device to the console server serial port, confirm that the device does support the standard RS 232C EIA 232. The console servers come with one to forty eight serial connectors for the RS232 serial ports. The SD4001 and SD4002 CM4001 models have DB9 serial port connectors. All other models have RJ45 serial port connectors. The RJ45 serial ports are located on the rear panel of the IM4004 5 and CM4008, on the front face of the ACM5000 and ACM5500, and on the front panel of the rack mount IM4216 34, CM4100 and IM4200. The ACM5000, ACM5500 and IM4216 34 models have Cisco serial pinouts on the RJ45 connectors (refer 2 4 3 below). The CM4100, CM4000 and IM4004 5 models have Opengear Classic RJ45 pinout (refer 2 4 1). The IM4200 console servers are available with a selection of alternate RJ45 pinouts, e.g. the IM4208 2, IM4216 2 and IM4248 2 console servers have three RJ45 pinout configurations available: Opengear Classic, Cisco Straight or Cyclades Cisco Rolled ref
510. t password secret
Terminal server mode: Enable a TTY login for a local terminal attached to serial port 5:
config s config ports port5 mode terminal
config s config ports port5 terminal vt220 vt102 vt100 linux ansi
The default terminal is vt220.
Serial bridge mode: Create a network connection to a remote serial port via RFC 2217 on port 5:
config s config ports port5 mode bridge
Optional configurations for the network address of RFC 2217 server of 192 168 3 3 and TCP port used by the RFC 2217 service 2500:
config s config ports port5 bridge address 192 168 3 3
config s config ports port5 bridge port 2500
To enable RFC 2217 access:
config s config ports port5 bridge rfc2217 on
To redirect the serial bridge over an SSH tunnel to the server:
config s config ports port5 bridge ssh enabled on
Syslog settings: Additionally, the global system log settings can be set for any specific port in any mode:
config s config ports port syslog facility facility
facility can be: Default local 0 7 auth authpriv cron daemon ftp kern lpr mail news user uucp
config s config ports port syslog priority priority
priority can be: Default warning notice Info error emergency debug critical alert
14 1 2 Adding and removing Users: Firstly determine the total number of existing Users if you have no existing Users you can assume this
511. t the Required Encryption Level. Access is denied to remote users attempting to connect not using this encryption level. Strong 40 bit or 128 bit encryption is recommended. Firmware V3 5 2 and beyond support multiple dial in users who are set up with dialin Group membership. The User name and Password to be used for the dial in PPP link, and any dial back phone numbers, are configured when the User is set up. Earlier firmware only supported one PPP dial in account. Chapter 13 Advanced Configurations has examples of Linux commands that can be used to control the modem port operation at the command line level. Using SDT Connector client: Administrators can use their SDT Connector client to set up secure OoB dial in access to remote console servers. The SDT Connector Java client software provides point and click secure remote access. OoB access uses an alternate path for connecting to the console server to that used for regular data traffic. Starting an OoB connection in SDT Connector may be achieved by initiating a dial up connection or adding an alternate route to the console server. SDT Connector allows for maximum flexibility in this regard by allowing you to provide your own scripts or commands for starting and stopping the OoB connection. Refer Chapter 6 5. 5 2 3 5 2 4 Set up Windows XP 2003 Vista 7 client: Open Network Connections in Control Panel and click the New Connection Wizard. Select Connect to the Internet and clic
512. 15 5 4 etc config snmpd conf: The net snmpd is an extensible SNMP which includes built in support for a wide range of MIB information modules, and can be extended using dynamically loaded modules, external scripts and commands. snmpd, when enabled, should run with a default configuration. Its behavior can be customized via the options in etc config snmpd conf. Note that if the SNMP Service is enabled through the Web Based Management Console, this configuration file will be overridden and you will lose any customization. Changing standard system information
513. tatus information on demand. snmpd is an SNMP agent which binds to a port and awaits requests from SNMP management software. Upon receiving a request, it processes the request(s), collects the requested information and/or performs the requested operation(s), and returns the information to the sender. Console Server & Router User Manual 211 Chapter 16 KCS Client Configuration. Note: Initially only advanced console server models were equipped with an SNMP Service. With V3 0 and later firmware this support was extended to all console servers. Also the MIBS were extended and renamed for compliance with this firmware release. All console servers can also be configured to send SNMP traps messages to multiple remote SNMP Network Managers on defined trigger events. Refer Chapter 7 for configuration details. 15 5 1 Retrieving status information using SNMP: Console servers can provide serial and device status information through SNMP. This includes: Serial port status, Active users, Remote Power Control (RPC) and Power Distribution Unit (PDU) status, Environmental Monitoring Device (EMD) status, Signal alert status, Environmental alert status and UPS alert status. The MIBs in your console server are located in etc snmp mibs. You also can view the current MIBs online at http opengear com download snmp and they include: OG STATUS MIB: This new MIB contains serial and connected device status information for snmpstatusd a
514. te Click Next gt Onthe Incoming VPN Connection Options screen select Do not allow virtual private connections and click Next 142 Console Server amp RMM Gateway User Manual User Manual New Connection Wizard User Permissions You can specify the users who can connect to this computer Select the check box next to each user who should be allowed a connection to this computer Note that other factors such as a disabled user account may affect a user s ability to connect Users allowed to connect Dy Guest O g HelpAssistant Remote Desktop Help Assistant Account CE Remote Bob Remote Bab O ts SUPPORT_388545a0 CN Microsoft Corporation L Redmond S Washingt CJ Cg SUFFORT_ 151ab9 CN Dell Computer Comoration L Round Rock S Te__ lt ii gt Specify which Users will be allowed to use this connection This should be the same Users who were given Remote Desktop access privileges in the earlier step Click Next gt On the Network Connection screen select TCP IP and click Properties Incoming TCP IP Properties reali Allow callers to access my local area network TCP IP address assignment O Assign TCP IP addresses automatically using DHCP Specify TCP IP addresses Tota 2 w Allow calling computer to specify its own IP address gt Select Specify TCP IP addresses on the Incoming TCP IP Properties screen select TCP IP Nominate a From Note and a To TCP IP address and click Next Yo
515. ted Via Network 192 168 252 31 PDU R4A Specify the serial port or network host address for the power device RPC Type SNMP Controlled Baytech Specify the type of the connected power device Username Specify the login name for the power device Password Specify the login secret for the power device Confirm Confirm the login secret for the power device SNMP Community private SNMP v1 or v2c Community for Read Write access Log Status iv Periodically log RPC status Log Rate 1 Minutes between samples Check Log Status and specify the Log Rate minutes between samples if you wish the status from this RPC to be logged These logs can be views from the Status RPC Status screen Click Apply For SNMP PDUs the console server will now probe the configured RPC to confirm the RPC Type matches and will report the number of outlets it finds that can be controlled If unsuccessful it will report Unable to probe outlets and you ll need to check the RPC settings or network serial connection System Name img4004 5 Model IMG4004 5 Firmware 2 7 0p1 opengeafr Uptime 0 days 0 hours 16 mins 23 secs Current User root Serial amp Network RPC Connections Serial Port Probing RPC Users amp Groups Probed 8 outlets Authentication Network Hosts Return to RPC Connections Trusted Networks Cascaded Ports PING Cannarctianeg For serially connected RPC devices a new Managed Device with the same n
516. ter crashes it will no longer respond to ping requests. If this happens the two commands pmpower and date will run. The output from these commands is sent to the file tmp output log so that we have some kind of record. The ping detect is also run in the background using the &. Remember the rc local script is only run by default when the system boots. You can manually run the rc local script or the ping detect script if desired. The ping detect script: The above is just one example of using the ping detect script. The idea of the script is to run any number of commands when a specific host stops responding to ping requests. Here are details of the ping detect script itself: bin sh Usage ping detect HOST COMMANDS This script takes 2 types of arguments hostname IPaddress to ping and the commands to run if the ping fails 5 times in a row This script can only take one host IPaddress per instance Multiple independent commands can be sent to the script The commands will be run one after the other PINGREP is the entire reply from the ping command LOSS is the percentage loss from the ping command 1 must be the hostname IPaddress of device to ping 2 must be the commands to run when the pings fail COUNTER 0 TARGET 1 Shift loop indefinitely while true do ping the device 10 times PINGREP ping c 10 i 1 TARGET get the packet loss percentage LOSS echo PINGREP grep s
517. tery power becomes critical for this UPS Shutdown Order 0 The order in which this UPS is shut down when any Managed UPS is set to Shutdown al Managed UPSes Os are shut down first then 1s 2s etc and 1s are never shut down Defaults to 0O Configure Dashboard Driver usbhid ups The driver for this UPS model see the hardware compatibility list for details Driver Options Port Access Option Argument Active Users Statistics Support Report Syslog Log Status T UPS Status RPC Status Periodically log UPS status Environmental Status Dashboard n 1 Minutes between samples Devices Apply Console Server amp RMM Gateway User Manual 175 Note gt Note gt 176 Chapter 8 Power Environmental amp Digital I O Select if the UPS will be Connected Via USB or over pre configured serial port or via SNMP HTTP HTTPS over the preconfigured network Host connection When you select a network UPS connection then the corresponding Host Name Description that you set up for that connection will be entered as the Name and Description for the power device Alternately if you selected to Connect Via a USB or serial connection then you will need to enter a Name and Description for the power device and these details will also be used to create a new Managed Device entry for the serial USB connected UPS devices Enter the login details This Username and Password is used by slaves of this UPS i e
518. the Serial Setting be changed to 38400 baud with Hardware Flow Control System Name cm4001 Model CM4001 Firmware 3 4 0 4 O opPengear Uptime 5 days 6 hours 46 mins 58 secs Current User root Backup Log Out System Dial Serial amp Network Serial DB9 Port Dial Setti ria ia s Serial Port ng Users amp Groups Disable Dial Authentication Disable modem communication Network Hosts Trusted Networks Enable Dial In Ersen Allow incoming modem communication UPS Connections Enable Dial Out RPC Connections Allow outgoing modem communication Environmental Managed Devices Alerts amp Logging Serial Settings Baud Rate 115200 The port speed in characters per second Flow Control None o Aaii The method of flow control to use gt Configuration Backup You can further configure the console modem port e g to include modem init strings by editing etc mgetty config files as described in the Chapter 14 Advanced Check the Enable Dial In Access box In the Remote Address field enter the IP address to be assigned to the dial in client You can select any address for the Remote IP Address However it must be in the same network range as the Local IP Address e g 200 100 1 12 and 200 100 1 67 In the Local Address field enter the IP address for the Dial In PPP Server This is the IP address that will be used by the remote client to access console server once the modem conn
519. this console server. Many SMTP servers check the sender's email address with the host domain name to verify the address as authentic. So it may be useful to assign an email address for the console server such as consoleserver2 mydomian com. You may also enter a Username and Password if the SMTP server requires authentication. Similarly you can specify the specific Subject Line that will be sent with the email. Click Apply to activate SMTP. Send SMS alerts: With any model console server you can use email to SMS services to send SMS alert notifications to mobile devices. Almost all mobile phone carriers provide an SMS gateway service that forwards email to mobile phones on their networks. There's also a wide selection of SMS gateway aggregators who provide email to SMS forwarding to phones on any carriers. Alternately, if your console server has an embedded or externally attached cellular modem, you will be given the option to send the SMS directly over the carrier connection. SMS via Email Gateway: To use SMTP SMS the Administrator must configure a valid SMTP server for sending the email. SMS Settings: SMS Gateway: Use an external SMS gateway. Cellular Modem: Use an attached or internal Cellular Modem. SMS via Email Gateway: Server: The outgoing SMTP SMS server address. Secure Connection: None. If this server uses a secure connection, specify its type. SMTP port: Specify the SMTP port. Default is 25. Sender: The from
520. this option is absent or if password_file is empty the password will default to NULL
-h Get basic usage help from the command line.
-H <address> Remote server address, can be IP address or hostname. This option is required for lan and lanplus interfaces.
-I <interface> Selects IPMI interface to use. Supported interfaces that are compiled in are visible in the usage help output.
-L <privlvl> Force session privilege level. Can be CALLBACK, USER, OPERATOR, ADMIN. Default is ADMIN.
-m <local_address> Set the local IPMB address. The default is 0x20 and there should be no need to change it for normal operation.
-o <oemtype> Select OEM type to support. This usually involves minor hacks in place in the code to work around quirks in various BMCs from various manufacturers. Use -o list to see a list of current supported OEM types.
-p <port> Remote server UDP port to connect to. Default is 623.
-P <password> Remote server password is specified on the command line. If supported it will be obscured in the process list. Note: Specifying the password as a command line option is not recommended.
-t <target_address> Bridge IPMI requests to the remote target address.
-U <username> Remote server username, default is NULL user.
-v Increase verbose output level. This option may be specified multiple times to increase the level of debug output. If given three times you will get hexdumps of all incoming and outgoing
521. through a single TCP UDP port over an unsecured network, thus providing secure access to multiple sites and secure remote administration to a console server over the Internet. OpenVPN also allows the use of Dynamic IP addresses by both the server and client, thus providing client mobility. For example, an OpenVPN tunnel may be established between a roaming Windows client and an Opengear advanced console server within a data centre. Configuration of OpenVPN can be complex, so Opengear provides a simple GUI interface for basic set up as described below. However, for more detailed information on configuring OpenVPN Access server or client, refer to the HOW TO and FAQs at http www openvpn net. 4 10 1 Enable the OpenVPN > Select OpenVPN on the Serial & Networks menu > Click Add and complete the Add OpenVPN Tunnel screen > Enter any descriptive name you wish to identify the OpenVPN Tunnel you are adding, for example NorthStOutlet VPN
522. tig interfaces lan dhcpd dns1 192 168 2 3
config s config interfaces lan dhcpd dns2 192 168 2 4
config s config interfaces lan dhcpd domain company com
config s config interfaces lan dhcpd gateway 192 168 0 1
config s config interfaces lan dhcpd pools pool1 start 192 168 0 20
config s config interfaces lan dhcpd pools pool1 end 192 168 0 100
config s config interfaces lan dhcpd pools total 1
config s config interfaces lan dhcpd staticips staticip 1 ip 192 168 0 50
config s config interfaces lan dhcpd staticips staticip 1 mac 00 1e 67 82 72 d9
config s config interfaces lan dhcpd staticips staticip 1 host John PC
config s config interfaces lan dhcpd staticips total 1
The following command will synchronize the live system with the new configuration:
config a
14 1 21 Services: You can manually enable or disable network servers from the command line. For example, if you wanted to guarantee the following server configuration: HTTP Server Enabled, HTTPS Server Disabled, Telnet Server Disabled, SSH Server Enabled, SNMP Server Disabled, Ping Replies (Respond to ICMP echo requests) Disabled, TFTP server Enabled:
config s config services http enabled on
config d config services https enabled
config d config services telnet enabled
config s config services ssh enabled on
config d config services snmp e
523. ting on the server whose members will be given admin access gt Ensure the LDAP service is operational and group names are correct within the Active Directory Console Server amp RMM Gateway User Manual 199 Chapter 9 Authentication i o a Xe om ai eT a Active Directory Users and Com T Saved Queries Environment Sessions Remote control Terminal Services Profile COM oar JPeEngE Ar EUN General Address Account Profile Telephones Organization J Builtin Published Certificates Member Of Dian Object Security Computers F a Domain Controllers Member of _ ForeignSecurityPrincipal Aee E CH LostAndFound admiri opengear corLsers NTOS Quotas Domain Users opengear cam Users Program Data MyGroup opengear comLsers J System hd Users Add Remove Primary group Domain Users pray artes ay Fite There i no need to change Primary group unless Dere vou have Macintosh chenta or POSI compliant applications cancel Aly 9 1 9 Idle timeout You can specify amount of time in minutes the console server waits before it terminates an idle ssh pmshell or web connection Web Management Session Timeout Web Management Console session idle timeout in minutes The default setting is 20 minutes CLI Management Session Timeout CLI Management Console session idle timeout in minutes The default setting is to never expire Console Server Session Timeout Serial console
524. tion. The Engine ID is used to localize the SNMPv3 user. It will be automatically generated from a Network Interface eth0 hardware address if left blank, or must be entered as a hex value, e.g. 0x01020304.
o Specify the Security Level:
noauth: No authentication or encryption is required. This is the minimum level of security.
auth: Authentication will be required but encryption is not enforced. An authentication protocol (SHA or MD5) and password will be required.
priv: Enforces the use of encryption. This is the highest level of security and requires an encryption protocol (DES or AES) and password in addition to the authentication protocol and password.
o Complete the Read Only Username. Enter the read only security name. This field is mandatory and must be completed when configuring the console server for SNMPv3.
o For a Security Level of auth, select the Auth Protocol (SHA or MD5) and the Auth Password. A password of at least 8 characters is required.
o For a Security Level of priv, select the Privacy Protocol (DES or AES) and the Privacy Password. AES is recommended as it provides stronger privacy but requires more intense calculations. A password of at least 8 characters is required.
> Click Apply
525. tion 6 2 1 SDT Connector client installation 6 2 2 Configuring a new gateway in the SDT Connector client 6 2 3 Auto configure SDT Connector client with the user s access privileges 6 2 4 Make an SDT connection through the gateway to a host 6 2 5 Manually adding hosts to the SDT Connector gateway 6 2 6 Manually adding new services to the new hosts 6 2 7 Adding a client program to be started for the new service 6 2 8 Dial in configuration 6 3 SDT Connector to Management Console 6 4 SDT Connector telnet or SSH connect to serially attached devices 6 5 Using SDT Connector for out of band connection to the gateway 6 6 Importing and exporting preferences 6 7 SDT Connector Public Key Authentication 6 8 Setting up SDT for Remote Desktop access 6 8 1 Enable Remote Desktop on the target Windows computer to be accessed 6 8 2 Configure the Remote Desktop Connection client 6 9 SDT SSH Tunnel for VNC 6 9 1 Install and configure the VNC Server on the computer to be accessed 6 9 2 Install configure and connect the VNC Viewer 6 10 Using SDT to IP connect to hosts that are serially attached to the gateway 6 10 1 Establish a PPP connection between the host COM port and console server 6 10 2 Set up SDT Serial Ports on console server 6 10 3 Set up SDT Connector to ssh port forward over the console server Serial Port 6 11 SSH Tunneling using other SSH clients e g PUTTY ALERTS AUTOMATED RESPONSE AND LOGGING 7 1 Configure Auto Response 7 2 Check Conditions
526. tion synchronization action pushing all changes to the live system h help Display a brief usage message v verbose Log extra debug information d del id Remove the given configuration element specified by a separated identifier g get id Display the value of a configuration element p path file Specify an alternate configuration file to use The default file is located at etc config config xml r run configurator Run the specified registered configurator Registered configurators are listed below S set id value Change the value of configuration element specified by a separated identifier e export file Save active configuration to file i import file Load configuration from file t test import file Pretend to load configuration from file S separator char The pattern to separate fields with default is P password id Prompt user for a value Hash the value then save it in id The registered configurators are Console Server amp Router User Manual 245 Chapter 14 Command Line Configuration alerts ipconfig auth nagios cascade power console serialconfig dhcp services dialin slave eventlog systemsettings hosts time jpaccess ups users There are three ways to delete a config element value The simplest way is use the delete node script detailed later in Chapter 15 You can also assign the config element to or delete the entire config node using d bin contig d element nam
527. tional Components V Telnet Client Telnet Server EJ TFTP Client V Windows DFS Replication Service i Windows Fax and Scan M Windows Meeting Space z Windows Process Activation Service v Windows Ultimate Extras r Cancel If the remote communications are being tunneled with SDT Connector then Telnet can be used for securely accessing these attached devices refer Note below In Console Server mode Users and Administrators can use SDT Connector to set up secure Telnet connections that are SSH tunneled from their client computers to the serial port on the console server SDT Connector can be installed on Windows 7 2000 XP 2003 Vista PCs and on most Linux platforms and it enables secure Telnet connections to be selected with a simple point and click To use SDT Connector to access consoles on the console server serial ports you configure SDT Connector with the console server as a gateway then as a host and you enable Telnet service on Port 2000 serial port i e 2001 2048 Refer Chapter 6 for more details on using SDT Connector for Telnet and SSH access to devices that are attached to the console server serial ports You can also use standard communications packages like PuTTY to set a direct Telnet or SSH connection to the serial ports refer Note below Note PuTTY also supports Telnet and SSH and the procedure to set up a Telnet session is simple Enter the console server s IP address as
528. to 64, this limit is easily changeable. The program can run other external programs or scripts after events like reception of a new message, successful sending, and also when the program detects a problem. These programs can inspect the related text files and perform automatic actions. The SMS Server Tools software needs a GSM modem or mobile phone with SMS command set according to the European specifications GSM 07 05 (ETSI TS 300 585) and GSM 03 38 (ETSI TS 100 900). AT command set is supported. Devices can be connected with serial port, infrared or USB. For more information refer http smstools3 kekekasvi com or the online Opengear faq html. 15 14 Multicast: By default all Opengear console servers come with Multicasting enabled. Multicasting provides Opengear products with the ability to simultaneously transmit information from a single device to a select group of hosts. Multicasting can be disabled and re enabled from the command line (Firmware releases V3 1 and later). To disable multicasting type: ifconfig eth0 -multicast. To re enable multicasting from the command line type: ifconfig eth0 multicast. IPv6 may need to be restarted when toggling between multicast states. APPENDIX A Linux Commands & Source Code: The console server platform is a dedicated Linux computer optimized to provide monitoring and secure access to serial and network con
529. to the attached serial device. Note: The Web Terminal feature was introduced in firmware V3.3. Earlier releases had an open source jcterm Java terminal applet which could be downloaded into your browser to connect to the console server and attached serial port devices. However, jcterm had some JRE compatibility issues and is no longer supported. 13.3.2 SDT Connector access: Administrators and Users can communicate directly with the console server command line and with devices attached to the console server serial ports using SDT Connector and their local telnet client, or using a Web terminal and their browser. > Select Manage: Terminal > Click Connect to SDT Connector. This will activate the SDT Connector client on the computer you are browsing and load your local telnet client to connect to the command line or serial port using SSH.
530. to use for DHCP. The DHCP server also supports pre-assigning IP addresses to be allocated only to specific MAC addresses, and reserving IP addresses to be used by connected hosts with fixed IP addresses. To reserve an IP address for a particular host: > Click Add in the Reserved Addresses field > Enter the Hostname, the Hardware Address (MAC) and the Statically Reserved IP address for the DHCP client and click Apply. When DHCP has initially allocated hosts addresses, it is recommended to copy these into the pre-assigned list so the same IP address will be reallocated in the event of a reboot. 3.6.3 Select Failover or broadband OoB: The IM4200 family, ACM5508-2-I/M, ACM5504-5-G-I, IM4004-5 and ACM5004-2 console servers provide a failover option so in the event of a problem u
531. ts. IM4216-34: Two RJ-45 10/100Base-T Ethernet ports and 32x RJ-45 10/100Base-T management LAN switched ports. IM4004-5 & ACM5004-5-G-I: One RJ-45 10/100Base-T primary Ethernet port and 4x RJ-45 10/100Base-T management LAN switched ports. CM41xx: One RJ-45 10/100Base-T Ethernet ports. APPENDIX C: Safety & Certifications. Please take care to follow the safety precautions below when installing and operating the console server. Do not remove the metal covers. There are no operator serviceable components inside. Opening or removing the cover may expose you to dangerous voltage which may cause fire or electric shock. Refer all service to Opengear qualified personnel. To avoid electric shock the power cord protective grounding conductor must be connected through to ground. Always pull on the plug, not the cable, when disconnecting the power cord from the socket. Do not connect or disconnect the console server during an electrical storm. Also it is recommended you use a surge suppressor or UPS to protect the equipment from transients. FCC Warning Statement: This device complies with Part 15 of the FCC rules. Operation of this device is subject to the following conditions: (1) This device may not cause harmful interference, and (2) this device must accept any interference that may cause undesired operation.
532. ts A unique name for the user. A brief description of the user's role. admin: Provides users with unlimited configuration and management privileges. pptpd: Group to allow access to the PPTP VPN server. Users in this group will have their password stored in clear text. dialin: Group to allow dialin access via modems. Users in this group will have their password stored in clear text. ftp: Group to allow ftp access and file access to storage devices. pmshell: Group to set default shell to pmshell. users: Provides users with basic management privileges. A group with predefined privileges the user will belong to. The user's authentication secret. Note: A password may not be required if remote authentication is being used. Re-enter the user's password for confirmation. Set up a remote PPTP client: Ensure the remote VPN client PC has Internet connectivity. To create a VPN connection across the Internet, you must set up two networking connections. One connection is for the ISP, and the other connection is for the VPN tunnel to the Opengear appliance. Note: This procedure sets up a PPTP client in the Wi
533. 8.1.4 RPC status: You can monitor the current status of your network and serially connected PDUs and IPMI RPCs. > Select the Status: RPC Status menu and a table with the summary status of all connected RPC hardware will be displayed.
534. u can choose any TCP/IP addresses so long as they are addresses which are not used anywhere else on your network. The From address will be assigned to the Windows XP/2003 computer and the To address will be used by the console server. For simplicity use the IP address as shown in the illustration above: From: 169.134.13.1, To: 169.134.13.2. Alternately you can set the advanced connection and access on the Windows computer to use the console server defaults: Specify 10.233.111.254 as the From address. Select Allow calling computer to specify its own address. Also you could use the console server default username and password when you set up the new Remote Desktop User and gave this User permission to use the advanced connection to access the Windows computer. The console server default Username is portXX, where XX is the serial port number on the console server. The default Password is portXX. So to use the defaults for a RDP connection to the serial port 2 on the console server, you would have set up a Windows user named port02. > When the PPP connection has been set up, a network icon will appear in the Windows task bar. Note: The above notes describe setting up an incoming connection for Windows XP. The steps are similar for Vista, 7 and Windows Server 2003/2008, however the set up screens present slightly differently.
535. ual customers can copy scripts, binaries and configuration files directly to the console server. Opengear also freely provides a development kit which allows changes to be made to the software in the console server firmware image. The customer can use the CDK to: generate a firmware image without certain programs, such as telnet, which may be banned by company policy; generate an image with new programs, such as custom Nagios plug-in binaries or company specific binary utilities; generate an image with custom defaults, e.g. it may be required that the console server be configured to have a specific default serial port profile which is reverted to even in event of a factory reset; place configuration files into the firmware image, which cannot then be modified, e.g. /bin/config --set= tools update the configuration files in /etc/config, which are read/write, whereas the files in /etc are read-only and cannot be modified. The CDK essentially provides a snapshot of the Opengear build process (taken after the programs have been compiled and copied to a temporary directory, romfs) just before the compressed file systems are generated. You can obtain a copy of the Opengear CDK for the particular appliance you are working with from ftp://ftp.opengear.com/cdk/ and find further information online at http://www.opengear.com/faq284.html. Note: The CDK is free, however Opengear does not provide free technical support for systems modified using the CDK and any change
536. ugh the SSH gateway (console server). You may have to restart SDT Connector to shut down any existing tunnels that were established using password authentication. Also, if you have a host behind the console server that you connect to by clicking the SSH button in SDT Connector, you may also wish to configure access to it for public key authentication as well. This configuration is entirely independent of SDT Connector and the SSH gateway. You must configure the SSH client that SDT Connector launches (e.g. PuTTY, OpenSSH) and the host's SSH server for public key authentication. Essentially what you are using is SSH over SSH, and the two SSH connections are entirely separate. 6.8 Setting up SDT for Remote Desktop access: Microsoft's Remote Desktop Protocol (RDP) enables the system manager to securely access and manage remote Windows computers: to reconfigure applications and user profiles, upgrade the server's operating system, reboot the machine etc. Opengear's Secure Tunneling uses SSH tunneling, so this RDP traffic is securely transferred through an authenticated and encrypted tunnel. SDT with RDP also allows remote Users to connect to Windows XP, Vista, Server 2003 and Server 2008 computers and to Windows 2000 Terminal Servers, and to have access to all of the applications, files and network resources (with full graphical interface just as though they were in front of the computer screen at work). To set up a secure Remote Desktop connection you must
537. uld not rely on the default certificate as the secured global access mechanism for use through Internet. > Activate your preferred browser and enter https://IP address. Your browser may respond with a message that verifies the security certificate is valid but notes that it is not necessarily verified by a certifying authority. To proceed you need to click yes if you are using Internet Explorer, or select accept this certificate permanently (or temporarily) if you are using Mozilla Firefox. > You will then be prompted for the Administrator account and password as normal. However, it is recommended you generate and install a new base64 X.509 certificate that is unique for a particular console server.
538. umentation. OpenSSL is based on the excellent SSLeay library developed by Eric A. Young and Tim J. Hudson. The OpenSSL toolkit is licensed under an Apache-style licence, which basically means that you are free to get and use it for commercial and non-commercial purposes subject to some simple license conditions. In the console server, OpenSSL is used primarily in conjunction with http in order to have secure browser access to the GUI management console across insecure networks. More documentation on OpenSSL is available from: http://www.openssl.org/docs/apps/openssl.html and http://www.openssl.org/docs/HOWTO/certificates.txt. 15.8 HTTPS: The Management Console can be served using HTTPS by running the webserver via stunnel. The server can be launched on request using inetd. The HTTP server is a lighttpd server (early versions used fnord-httpd). The SSL implementation is provided by stunnel (early versions used sslwrap) compiled with OpenSSL support. If your default network address is changed, or the unit is to be accessed via a known Domain Name, you can use the following steps to replace the default SSL Certificate and Private Key with ones tailored for your new address. 15.8.1 Generating an encryption key: To create a 1024 bit RSA key with a password, issue the following command on the command line of a Linux host with the openssl utility installed: openssl genrsa -des3 -out ssl_key.pem 1024. 15.8.2 Generating a self-signed certificate with Ope
539. Add a Group name and Description for each new Group, then nominate the Accessible Hosts, Accessible Ports and Accessible RPC Outlet(s) that you wish any users in this new Group to be able to access. To set up new users and to classify users as members of particular Groups: > Select Serial & Network: Users & Groups to display the configured Groups and Users.
540. To configure a new Auto Response: Select New Auto Response in the Configured Auto Response field. You will be presented with a new Auto Response Settings menu. Enter a unique Name for the new Auto Response. Specify the Reset Timeout for the time in seconds after resolution to delay before this Auto Response can be triggered again. Check Repeat Trigger Actions to continue to repeat trigger action sequences until the check is resolved. Enter any required delay time before repeating trigger actions in Repeat Trigger Action Delay. This delay starts after the last action is queued.
541. utlet on the power target to apply to. -r: The remote host address for the power target. -u: Override the configured username. -p: Override the configured password. on: This action switches the specified device or outlet(s) on. off: This action switches the specified device or outlet(s) off. cycle: This action switches the specified device or outlet(s) off and on again. status: This action retrieves the current status of the device or outlet. Examples: To turn outlet 4 of the power device connected to serial port 2 on: pmpower -l port02 -o 4 on. To turn an IPMI device off, located at IP address 192.168.1.100 (where username is 'root' and password is 'calvin'): pmpower -r 192.168.1.100 -u root -p calvin off. Default system Power Device actions are specified in /etc/powerstrips.xml. Custom Power Devices can be added in /etc/config/powerstrips.xml. If an action is attempted which has not been configured for a specific Power Device, pmpower will exit with an error. 15.9.3 Adding new RPC devices: There are a number of simple paths to adding support for new RPC devices. The first is to have scripts to support the particular RPC included in either the open source PowerMan project (http://sourceforge.net/projects/powerman) or the open source NUT UPS Tools project. The PowerMan device specifications are rather weird and it is suggested that you leave the actual writing of these scripts to the PowerMan authors. However documentation on how they work can
542. utomatically obtains an IP address from a DHCP server on the network it is to be connected to. > On the System: IP menu select the Network Interface page, then check DHCP or Static for the Configuration Method > If you selected Static you must manually enter the new IP Address, Subnet Mask, Gateway and DNS server details. This selection automatically disables the DHCP client.
543. vation step before you can connect successfully to their service. If your carrier requires OTASP, enter the Phone number below and click Activate. Activation Phone Number: The phone number to dial for OTASP (Over the Air Service Provisioning) activation, e.g. 22899 for Verizon. In the case your carrier does not support OTASP activation, enter your MSL, MDN & MSID below to manually activate the modem. MSL: The MSL for unlocking the NAM profile (Advanced). MDN: The Mobile Directory Number to use (Advanced). MSID: The NAM profile MSID to use (Advanced). Enter the MSL, MDN and MSID values. These values are specific to your carrier, and for manual activation you will have to investigate what values your carrier uses in each field. For example, Verizon have been known to use an MSL of 000000 and the phone number assigned to the Opengear device as both the MDN and MSID with no spaces or hyphens, e.g. 5551231234 for 555-123-1234. Click Activate. If no errors occur you will see the new values entered into the NAM Profile at the Cellular page on Status: Statistics. NAM Profile Account: MDN 0000003259, MIN 0000003259, SID 0, NID 0. Navigate to the Internal Cellular Modem tab on System: Dial. To connect to your carrier's 3G network, enter the appropriate phone number (usually 777) and a Username and Password if directed to by your account/plan documentation. Select Enable and then click Apply to initiate the Always On Out-of-Band connection.
544. ver second Ethernet connections; VPN (IPsec or Open VPN connection over any network interface). > Check/uncheck for each network which service access is to be enabled/disabled. In the example shown below, local administrators on local Network Interface LAN have HTTP and Telnet access to the console server (and attached serial consoles), while remote administrators using Dial In only can access the Nagios NUT SNMP status. [Screenshot: System: Firewall, Service Access tab. Columns: Network Interface, Dialout/Cellular, Dial-in, VPN. Rows: HTTP Web Management, HTTPS Web Management, Telnet command shell, SSH command shell, Telnet direct to serial ports, SSH direct to serial ports, RAW TCP access to serial ports, RFC 2217 access to serial ports, Unauthenticated telnet access to serial ports, Nagios NRPE]
545. ver only requires one SIM to operate. Unscrew the SIM card access panel and insert the first carrier SIM card in the top SIM slot, with contacts facing downward and the notch to RHS. A second carrier SIM can then be installed in the slot underneath the first. Screw the cover plate back on. 2.6.2 ACM5004 G G I GV and ACM5504-5-G-I antenna: Screw the provided antenna on to the MAIN SMA antenna connector on the rear of the ACM5004 G GI. Then place the unit and/or aerial in a location that will ensure the best signal. The ACM5504-5-G-I, ACM5004-G-I and current revisions of the ACM5004 G GV all come with dual SMA antenna connectors. The AUX connector can be used for receive diversity. This requires an external antenna accessory (Part 569006) and cable (Part 449041). With the ACM5504-5-G-I and ACM5004-G-I models the AUX connector can also be used for GPS. An external GPS passive antenna with magnetic base, SMA connector and 2 meter cable is available (Part 569008). Note: The ACM5004 G G I GV has two cellular status LEDs. The SIM LED on top of unit should go on solid when the ACM5004 G G I has been powered and a SIM card has been inserted and detected. The WWAN LED on top of unit should go on at a fast blink once a radio connection has been established with your cellular carrier (i.e. after an APN has been properly configured). WWAN LED Status: Off: In reset mode or not powered. Slow blink: Searching for service. Solid Green: Active servic
546. verride the automatically generated SNMPv3 Engine ID (Optional). noauth / auth / priv: The SNMPv3 Security Level (priv recommended for enforcing both authentication and encryption). The SNMPv3 read only security name (Mandatory for SNMP V3). SHA: The SNMPv3 authentication protocol. The SNMPv3 user's authentication password. Confirm the SNMPv3 user's authentication password. DES: The SNMPv3 privacy protocol. The SNMPv3 encryption password. Confirm the SNMPv3 encryption password. > Setup serial ports and devices as per operational requirements, such as UPS, RPC/PDU and EMD > Copy the mibs from /etc/snmp/mibs on the Opengear product to a local directory using scp or Winscp. For example: scp root@im4004:/etc/snmp/mibs/* . > Using the snmpwalk and snmpget commands, the status information can be retrieved from any console server. For example: snmpwalk -Oa -v1 -M /usr/share/snmp/mibs -c public im4004 OG-STATUS-MIB::ogStatus
547. > Click on View Log or select the Environmental Logs menu and you will be presented with a table and graphical plot of the log history of the selected EMD.
548. way to that used for regular data traffic. OoB access is useful for when the primary link into the gateway is unavailable or unreliable. Typically a gateway's primary link is a broadband Internet connection or Internet connection via a LAN or VPN, and the secondary out-of-band connectivity is provided by a dial-up or wireless modem directly attached to the gateway. So out-of-band access enables you to access the hosts and serial devices on the network, diagnose any connectivity issues, and restore the gateway's primary link. In SDT Connector, OoB access is configured by providing the secondary IP address of the gateway, and telling SDT Connector how to start and stop the OoB connection. Starting an OoB connection may be achieved by initiating a dial-up connection, or adding an alternate route to the gateway. SDT Connector allows for maximum flexibility in this regard, by allowing you to provide your own scripts or commands for starting and stopping the OoB connection. To configure SDT Connector for OoB access: > When adding a new gateway or editing an existing gateway select the Out Of Band tab > Enter the secondary OoB IP add
549. widget. Create a file called "widget-<name>.sh" in the folder /etc/config/scripts/ where <name> can be anything. You can have as many custom dashboard files as you want. Inside this file you can put any code you wish. When configuring the dashboard, choose "widget-<name>.sh" in the dropdown list. The dashboard will run the script and display the output of the script commands directly on the screen, inside the specific widget. The best way to format the output would be to send HTML commands back to the browser by adding echo commands in the script: echo '<table>'. You can of course run any command and its output will be displayed in the widget window directly. Below is an example script which writes the current date to a file, and then echoes HTML code back to the browser. The HTML code gets an image from a specific URL and displays it in the widget.
    #!/bin/sh
    # Append the current date to a scratch file
    date >> /tmp/test
    # Emit the HTML that the dashboard renders inside the widget
    echo '<table>'
    echo '<tr><td> This is my custom script running </td></tr>'
    echo '<tr><td>'
    echo '<img src="http://www.vinras.com/images/linux-online-inc.jpg">'
    echo '</td></tr>'
    echo '</table>'
    exit 0
Chapter 13: Management. The console server has a small number of Manage reports and tools that are available to both Administrators and Users. Acc
550. y /etc/scripts/ups-status-alert. For an environmental, power and alarm sensor alerts (temperature, humidity, power load and battery charge alerts): /etc/scripts/environmental-alert. For an interface failover alert: /etc/scripts/interface-failover-alert. All of these scripts do a check to see whether you have created a custom script to run instead. The code that does this check is shown below (an extract from the file /etc/scripts/portmanager-pattern-alert):
    # If there's a user-configured script, run it instead
    scripts[0]="/etc/config/scripts/pattern-alert.${ALERT_PORTNAME}"
    scripts[1]="/etc/config/scripts/portmanager-pattern-alert"
    for (( i=0 ; i < ${#scripts[@]} ; i++ )); do
        if [ -f "${scripts[$i]}" ]; then
            exec /bin/sh "${scripts[$i]}"
        fi
    done
This code shows that there are two alternative scripts that can be run instead of the default one. This code first checks whether a file "/etc/config/scripts/pattern-alert.${ALERT_PORTNAME}" exists. The variable ${ALERT_PORTNAME} must be replaced with "port01" or "port13" or whichever port the alert should run for. If this file cannot be found, the script checks whether the file "/etc/config/scripts/portmanager-pattern-alert" exists. If either of these files exists, the script calls the exec command on the first file that it finds and runs that custom file/script instead. As an example, you can copy the /etc/scripts/portmanager-pattern-alert script file to /etc/config/scripts/portmanager-patte
551. y, Hour and Minute using the Date and Time selection boxes, then click Set Time. The gateway can synchronize its system time with a remote time server using the Network Time Protocol (NTP). Configuring the NTP time server ensures that the console server clock will be accurate soon after the Internet connection is established. Also, if NTP is not used, the system clock will be reset randomly every time the console server is powered up. To set the system time using NTP: > Select the Enable NTP checkbox on the Network Time Protocol page > Enter the IP address of the remote NTP Server and click Apply Settings. You must now also specify your local time zone so the system clock can show local time (and not UTC): > Set your appropriate region/locality in the Time Zone selection box and click Set Timezone. With Version 3.2.0 firmware the Time Zone can also be set to UCT (Coordinated Universal Time), which replaced Greenwich Mean Time as the World standard for time in 1986.
552. y correctly. Log in to the SDT for Nagios web UI on the central Nagios server and select Service Detail from the Monitoring menu to see the imported hosts and service checks. Note: The wizard keeps a backup copy of each file it modifies, and it displays the name of each of these backup files as it runs. If you wish to roll back the changes made by the wizard, simply move these files to their original names. Otherwise, once you are satisfied with the new configuration, you may remove the backup files. 10.2.4 Setup the clients: The final step is to set up SDT Connector on each of the client PCs. The client PCs use a web browser to view the Nagios web UI running on the central Nagios server. This web UI links to SDT Connector to enable point and click access through the distributed Opengear console servers to attached hosts and serial ports, and the Opengear unit itself. Detailed setup and configuration instructions for SDT Connector are contained elsewhere in this manual, but here are the basic steps you need to follow: > Download SDT Connector 1.5.0 or later from http://www.opengear.com/download.htm > Follow the usual SDT Connector setup procedure for your operating system, i.e. for Windows clients run the setup executable, for other clients decompress the distribution archive > Close any running web browsers > Launch SDT Connector > SDT Connector will prompt you to Enable sdt:// links. Click Yes > Select File, then New Gateway
553. y smoke detector, water detector, vibration sensor, open-door sensor or general purpose open/close status sensors into the SENSOR or DIO terminals on the green connector block.
- When configured as Inputs, the SENSOR and DIO ports are notionally attached to the internal EMD. So go to the Serial & Network: Environmental page and enable the Internal EMD. Then configure the attached sensors as alarms, as covered in the next section.

[Screenshot: Serial & Network: Environmental page, Edit Environmental Monitor form with the fields Enabled, Name, Connected Via, Description, Temperature Offset, Temperature in °F and Alarm 1 Label]
554. ynamic DNS (DDNS) configuration System Firewall Service Access Communications Software SDT Connector PuTTY SSHTerm Management Network Configuration Enable the Management LAN Configure the DHCP server Select Failover or broadband OoB Aggregating the network ports Wireless LAN Static routes

SERIAL PORT, HOST, DEVICE & USER CONFIGURATION
4.1 Configure Serial Ports
4.1.1 Common Settings
4.1.2 Console Server Mode
4.1.3 SDT Mode
4.1.4 Device (RPC, UPS, EMD) Mode
4.1.5 Terminal Server Mode
4.1.6 Serial Bridging Mode
4.1.7 Syslog
4.1.8 NMEA Streaming
4.2 Add/Edit Users
4.2.1 Setup new Group
4.2.1 Set up new Users
4.3 Authentication
4.4 Network Hosts
4.5 Trusted Networks
4.6 Serial Port Cascading
4.6.1 Automatically generate and upload SSH keys
4.6.2 Manually generate and upload SSH keys
4.6.3 Configure the slaves and their serial ports
4.6.4 Managing the slaves
4.7 Serial Port Redirection (PortShare)
4.8 Managed Devices
4.9 IPsec VPN
4.9.1 Enable the VPN gateway
4.10 OpenVPN
4.10.1 Enable the OpenVPN
4.10.2 Configure as Server or Client
4.10.3 Windows OpenVPN Client and Server set up
4.11 PPTP VPN
4.11.1 Enable the PPTP VPN server
4.11.2 Add a PPTP