Tripp Lite B092-016 KVM switch
Contents
1. To configure a COM port you have created simply click on the desired COM x label in the left hand menu tree In the Properties window you can edit the IP address or TCP Port to be used to connect to that COM port You can then configure the COM port in the Connection and Advanced windows 54 a VirtualPort Configuration 192 168 252 133 Properties Connection Advanced COM9 a S 192 176 233 8 COM11 COM13 V Connect at system startup Time between connection retries 1000 E Send keep alive packets Keep alive interval Keep Alive Timeout Disable Nagle Algorithm Connect at system startuop When enabled VirtualPort will try to connect to the Console Server when the VirtualPort service starts as opposed to waiting for the application to open the serial port before initiating the connection to the Console Server The Time between connection retries specifies the number of seconds between TCP connection retries after a client initiated connection failure Valid values are 1 255 The default is 1 second and VirtualPort will continue attempting to reconnect forever to the Console Server at this interval The Send keep alive packets option tests if the TCP connection is still up when no data has been sent for awhile This is done by sending keep alive messages Select this option and specify a period of time in milliseconds after which VirtualPort sends a command to the2. i __ TRIPP LITE Firmware Rev 3 0 1 Current User root Backup Log Out Up time 0 days 1 5 24 mins 35 secs POWER PROTECTION System Configure Dashboard Serial amp Network Serial Port Dashboard Configurations Users amp Groups Authentication Select group user group admin X Network Hosts Select which group user to configure the dashboard for Trusted Networks Cascaded Ports UPS Connections Note You can configure a custom dashboard for any admin user or for the admin group or you can reconfigure the default dashboard The Status Dashboard screen is the first screen displayed when admin users other than root log into the Console Server If you log in as John and John is a member of the admin group and there is a dashboard layout configured for John then you will see the dashboard for John on log in and each time you click on the Status Dashboard menu item If there is no dashboard layout configured for John but there is an admin group dashboard configured then you will see the admin group dashboard instead If there is no user dashboard or admin group dashboard configured then you will see the default dashboard The root user does not have its own dashboard The above configuration options are intended to enable admin users to setup their own custom dashboards 159 The Dashboard displays six widgets These widgets include each of the Status screens alerts devices ports U
3. Out of band enabled for Remote When you connect to a service on a host behind the gateway or to the Console Server gateway itself SDT Connector will initiate the OoB connection using the provided Start Command The OoB connection isn t stopped using the provided Stop Command until Out Of Band under Gateway Actions is clicked off at which point the status bar will return to its normal color 86 6 6 Importing and exporting Preferences To enable the distribution of pre configured client config files SDT Connector has an Export Import facility cE Tripp Lite SDTConnector File Edit Help Cea New Gateway Import Preferences Export Preferences gt D Ext gt To save a configuration xml file for backup or for importing into other SDT Connector clients select File gt Export Preferences and select the location to save the configuration file gt To import a configuration select File gt Import Preferences and select the xml configuration file to be installed 6 7 SDT Connector Public Key Authentication SDT Connector can authenticate against an SSH gateway using your SSH key pair rather than requiring your to enter your password This is Known as public key authentication To use public key authentication with SDT Connector you must first add the public part of your SSH key pair to your SSH gateway gt gt Ensure the SSH gateway allows public key authentication Th
4. Software and None 175 14 5 2 Supported Protocol Configuration To ensure remote access to serial port 5 is configured as follows Telnet Access LAN Disabled SSH Access LAN Enabled Raw TCP via LAN Disabled You would need to issue the following commands from the command line to set system configuration bin config set config ports port5 ssh on bin config del config ports port5 Telnet bin config del config ports port5 tcp The following command will synchronize the live system with the new configuration bin config run serialcontig Note bin config commands can be combined into one command for convenience 14 5 3 Users You can add a User to the system from the command line by performing the following instructions Determine the total number of existing Users If you have no existing Users you can assume this is 0 bin config get config users total This command should display contig users total 1 Note that if you see contig users total This means you have 0 Users configured So your new User will be the existing total plus 1 so if the previous command gave you 0 then you start with user number 1 If you already have 1 user your new user will be number 2 etc 176 If you want a user named user1 with a password of secret who will have access to serial port 5 from the network you need to issue the these commands assuming you have a previous user in pl
5. To Initiate a pre configured dial up connection under Windows use the following Start Command 85 cmd c start Starting Out of Band Connection wait min rasdial network_connection login password The network connection in the above is the name of the network connection as displayed in Control Panel gt Network Connections Login is the dial in username and password is the dial in password for the connection To initiate a pre configured dial up connection under Linux use the following Start Command pon network_connection The network_connection in the above is the name of the connection gt Enter the command or path to a script to stop the OoB connection in Stop Command To stop a pre configured dial up connection under Windows use the following Stop Command cmd c start Stopping Out of Band Connection wait min rasdial network_connection disconnect The network_connection in the above is the name of the network connection as displayed in Control Panel gt Network Connections To stop a pre configured dial up connection under Linux use the following Stop Command poff network_connection To make the OoB connection using SDT Connector gt Select the gateway and click Out Of Band The status bar will change color to indicate this gateway Is now being access using the OoB link rather than the primary link R Tripp Lite SDTConnector File Edit Help 22a 8 eS 208 64 91 182 _ Ea Remote
6. 192 168 1 21 Select Connect PowerAlert on the control panel The PowerAlert software will be launched Selecting System Terminal on the control panel logs you in at the command line to the B092 016 Linux kernel As detailed in Chapters 14 and 15 this enables you to configure and customize your B092 016 using the config and portmanager commands or general Linux commands 226 Disconnect Options Clipboard Send Ctr Alt Del Refresh g Conngure E Connect Lous S status system Shutdown Reboot Logout m umask p 8 mode unalias a name sll unset f v name until COMMANDS do COMMANDS done variables Some variable names an wait n while COMMANDS do COMMANDS done COMMANDS etc lost found sbin Wer share var 16 2 2 System Shutdown Reboot Clicking System Shutdown on the control panel will shut down the B092 016 system You will need to cycle the power to reactivate the B092 016 with a soft reset Similarly by clicking System Reboot you will initiate a soft reset With a soft reset the B092 016 reboots with all settings such as the assigned network IP address preserved However a soft reset disconnects all Users and ends any SSH sessions that had been established A soft reset will also occur when you switch OFF power from the B092 016 and then switch the power back ON However if you cycle the power while the unit is writing to flash you could corrupt
7. 80 lt PuTTY Configuration 11 forwarding _ Enable X11 forwarding Xas eyloeton OOO Remote X11 authentication protocol Window MIT Magic Cookie 1 XDM Authorization 1 o i Appearance Behaviour Port forwarding _ Local ports accept connections from other hosts _ Remote ports do the same SSH v2 only Forwarded ports a Add new forwarded port Souce pat 124 Desinsion poro Local gt Select Local and click the Add button gt Click Open to SSH connect the Client computer to the Console Server You will now be prompted for the Username Password for the Console Server User you SDT enabled Note You can also secure the SDT communications from local and enterprise VPN connected Client computers using SSH as above This will protect against the risk of the man in the middle attacks to which RDP has a vulnerability http www securiteam com windowsntfocus 5EP010KGO0G html To set up the secure SSH tunnel from the Client Viewer computer to the Console Server for VNC follow the steps above However when configuring the VNC port redirection specify port 5900 rather than port 3389 as was used for RDP e g if using PuTTY 81 ES Rutty Configuration Options controling 5SH tunnelling 11 forwarding Enable X11 forwarding Xaser OO Remote X11 authentication protocol MIT Magic Cookie 1 C XDM Authorization 1 Port forwarding Local ports accept connections from
8. Enable NTP E So Enable Network Time Protocol Support gt Select the System Date amp Time menu option gt Manually set the Year Month Day Hour and Minute using the Date and Time selection boxes then click Apply 151 The Console Server can synchronize its system time with a remote time server using the Network Time Protocol NTP Configuring with the NTP time server ensures that the Console Server clock will be accurate soon after the Internet connection is established Also if NTP is not used the system clock will be reset randomly every time the Console Server is powered up To set the system time using NTP gt Select the Enable NTP checkbox on the Network Time Protocol page gt Enter the IP address of the remote NTP Server and click Apply Specify your local time zone so the system clock can show local time and not UTP gt Set your appropriate region locality in the Time Zone selection box and click Apply 11 4 Configuration Backup B095 004 003 only It is recommended that you back up the Console Server configuration whenever you make significant changes such as adding new Users or M anaged Devices or before performing a firmware upgrade Note The configuration files can be backed up from the command line refer Chapter 14 A new Back Up menu feature was introduced with Revision 3 0 1 firmware so is only currently available on BO95 004 1E BO95 003 1E M Console Servers TRIPP LITE ma D o P
9. Port Log saysi Alerts a wear To restore a remote backup gt gt Click Browse in the Remote Configuration Backup menu and select the Backup File you wish to restore Click Restore and click OK This will overwrite all the current configuration settings in your Console Server Alternately you can save the backup file locally onto the Console Server USB storage To do this your Console Server must support USB and you must have an internal or external USB flash drive installed System Name 995 003 1le Model Number B095 003 1E M Ra 1 TRIPP LITE Firmware Rev 3 0 1 Current User oot Backup Log Out Up time 0 days 1 nours 14 mins 38 secs POWER PROTECTION SE A System Configuration Backup Serial amp Network Serial Port Remote Backup Local Backup Users amp Groups Authentication Network Hosts Local Backup Trusted Networks r Cod Pois Before saving configuration locally you must prepare the USB storage device for use UPS Connections RPC Connections Disconnect all USB storage devices except for the storage device you wish to prepare then click here to proceed Environmental After the USB storage device has been prepared you may reconnect other USB storage devices Managed Devices To backup and restore using USB gt Ensure the USB flash Is the only USB device attached to the Console Server and click Prepare Storage in the Local Configuration Backup menu T
10. gt Select the desired Device Type UPS RPC or EM D gt Proceed to the appropriate device configuration page Serial amp Network UPS Connections RPC Connection or Environmental as detailed in Chapter 8 Power amp Environmental M anagement gt The B092 016 Console Server also allows you to configure ports as UPS devices that PowerAlert will manage PowerAlert will discover the attached UPS device and auto configure See www tripplite com EN support PowerAlert Downloads cfm for a complete PowerAlert manual Device Settings Device Type None UPS NUT laar Aia a diecnuar the attarhad dauire UPS PowerAlert PowerAlert to discover the attached device RPC Environmental 4 1 5 Terminal Server Mode gt Select Terminal Server Mode and the Terminal Type vt220 vtl02 vt100 Linux or ANSI to enable a getty on the selected serial port 40 Terminal Server Settings Terminal Server O Mode Enable a TTY login for a local terminal attached to this serial port Terminal Type vt220 R The terminal standard to use bn this serial port The getty will then configure the port and wait for a connection to be made An active connection on a serial device is usually indicated by the Data Carrier Detect DCD pin on the serial device being raised When a connection Is detected the getty program issues a login prompt and then invokes the login program to handle the actual system login Note Selecting Terminal Server mode will disable Port Man
11. 36 Telnet Check to enable Telnet access to the serial port When enabled a Telnet client on a User or Note Administrator s computer can connect to a serial device attached to this serial port on the Console Server The default port address is IP Address _ Port 2000 serial port i e 2001 2048 Telnet communications are unencrypted so this protocol is generally recommended for local connections only However if the remote communications are being tunneled with SDT Connector then Telnet can be used to securely access these attached devices see Note below With Win2000 XP NT you can run Telnet from the command prompt cmd exe Vista comes with a Telnet client and server but they are not enabled by default To enable Telnet simply Login as Admin and go to Start Control Panel Programs and Features Select Turn Windows Features On or Off check the Telnet Client and click OK a Windows Features Turn Windows features on or off To turn a feature on select its check box To turn a feature off clear its check box A filled box means that only part of the feature is turned on D me SNMP feature FIE Subsystem for UNIX based Applications W Tablet PC Optional Components Telnet Client Fli Telnet Server E TFTP Client WI Windows DFS Replication Service W Windows Fax and Scan WIA Windows Meeting Space amp Windows Process Activation Service Wi Windows Ultimate Extras In Console
12. Mozilla Firefox Browser File Edit View History Bookmarks Tools Help Cisco 5904 3 b E gt Acc Dell DRAC4 ai Cisco eee wiki vt tet iy 5 cisco gt Test IMG4216 25 gt als httpwww cisco com en D gt IIG Google Ea Add Delete Edit Solutions Products amp Services Ordering Support Training amp Event Support Support Wiki NetPro Community em A forum for peer and expert wisdom to get the A dynamic know answers you need Ask questions and resolve B collaborate crea issues that concern you now i technical conten Join the Discussion problems in real Discover the Wi overview or View Informatio Type S Troubleshoot Application Networking aeoe Select a Task Download Safire 0 hee Firefo Java Firefox 1335 2007 Contributors All Rights Reserved LICENSEE Firefox and the Firefox logos are trademarks of the Mozilla Foundation All rights reserved some trademark rights used under license from The Java and all Java based trademarks and Charlton Company logos are trademarks or registered Mozilla S 0 x11 U Linux i586 en US trademarks of Sun Microsystems Inc in rve1 8 1 11 Gecko 20080730 Firefox2 0 0 11 the U S and other countries 16 1 3 Connect VNC gt Select Connect VNC on the control panel and click on the VNC server Host to be accessed
13. SSH Tunneled Serial Bridging 170 170 171 172 T2 173 174 175 Z3 176 176 177 178 178 178 179 179 180 181 184 185 187 189 190 192 193 194 194 195 196 196 198 200 201 15 6 8 SDT Connector Public Key Authentication 15 7 Secure Sockets Layer SSL Support 15 8 HTTPS 15 9 Power Strip Control 15 9 1 PowerM an 15 9 2 pmpower 15 9 3 Adding New RPC Devices 15 10 IPM Itool 15 11 Scripts for Managing Slaves 16 THIN CLIENT B092 016 16 1 Local Client Service Connections 16 1 1 Connect Serial Terminal 16 1 2 Connect Browser 16 1 3 Connect VNC 16 1 4 Connect SSH 16 1 5 Connect IPM 16 1 6 Connect Remote Desktop RDP 16 1 7 Connect Citrix ICA 16 1 8 Connect PowerAlert 16 2 Advanced Control Panel 16 2 1 System Terminal 16 2 2 System Shutdown Reboot 16 2 3 System Logout 16 2 4 Custom 16 2 5 Status 16 2 6 Logs 16 3 Remote Control Appendix A 229 Appendix B 230 Appendix C 232 Appendix D 239 204 205 206 208 208 210 210 212 216 218 218 220 220 221 222 229 224 229 226 226 226 227 227 227 DaF 22I 228 Hardware Specification Serial Port Connectivity End User Licence Agreement Service and Warranty 1 INTRODUCTION This M anual This User M anual is provided to help you get the most from your B096 016 B096 048 Console Server Management Switch BO92 016 Console Server with PowerAlert or BO95 004 1E B095 003 1E M Console Server product These products are refe
14. Serial Port Users amp Groups Authentication Network Hosts Trusted Networks Cascaded Ports UPS Connections RPC Connections Environmental Alerts amp Logging Port Log Alerts SMTP amp SMS SNMP Administration Firmware IP Date amp Time Dial Services DHCP Server Nagios TRIPP LITE POWER PROTECTION Model Number Firmware Rev 2 6 1u1 Current User pot System Name Up time 1 days Serial amp Network Environmental Add Environmental Monitor Name A descriptive name for the environmental monitor Connected Via Serial Pot2 Specify the serial port for the environmental monitor Description A brief description for the environmental monitor Alarm 1 Label A label for the first environmental monitor alarm e g Door Open Alarm 2 Label A label for the second environmental monitor alarm e g Smoke Abrm Log Status Periodically log environmental status Log Rate 15 Minutes between samples gt Enter a Name and Description for the EM D and select pre configured serial port that the EM D will be Connected Via gt Provide Labels for each of the two alarms gt Check Log Status and specify the Log Rate minutes between samples if you wish the status from this EM D to be logged These logs can be views from the Status Environmental Status screen gt Click Apply 8 3 2 Environmental Alerts You can now set
15. Signals Sending a SIGHUP signal to the portmanager will cause it to reread its configuration file 15 2 External Scripts and Alerts The portmanager has the ability to execute external scripts on certain events These events are When a port is opened by the portmanager When the portmanager opens a port it attempts to execute etc config scripts portxXx init where XX is the number of the port e g 08 The script is run with STDIN and STDOUT both connected to the serial port If the script cannot be executed then portmanager will execute etc config scripts portXX chat via the chat command on the serial port II When an alert occurs on a port 187 When an alert occurs on a port the portmanager will attempt to execute etc config scripts portXx alert where XX is the port number e g 08 The script is run with STDIN containing the data which triggered the alert and STDOUT redirected to dev null NOT to the serial port If you wish to communicate with the port use pmshell or pmchat from within the script If the script cannot be executed then the alert will be mailed to the address configured in the system administration section When a user connects to any port If a file called etc contig pmshell start sh exists it is run when a user connects to a port It is provided with 2 arguments the Port number and the Username Here is a simple example lt etc contig pmshell start sh gt 1 bin sh POR
16. The B092 016 Console Server has an internal VNC server When enabled it allows remote users to connect to the Console Server and run the PowerAlert software and any other embedded thin client programs as if they were plugged in locally to the KVM connectors on the B092 016 refer to Chapter 16 for more details Users connect using port 5900 and need to run a VNC client applet Secure VNC This enables a secure encrypted remote connection using VNC over SSL on port 5800 to the B092 016 Console Server refer to Chapter 16 PowerAlert This configuration option will automatically start the PowerAlert application on the B092 016 and display the console as soon as you log into the local display or VNC session refer to Chapter 16 The complete PowerAlert manual can be downloaded at www tripplite com EN support PowerAlert Downloads cfm Zi Syslog UPS Status RPC Status Environmental Statu Alternate Unauthenticated Telnet a Base A secondary TCP port range for Unauthenticated Telnet access to serial ports 7his amp in addition to the default port 6000 VNC Server 7 Enable the standard VNC server for remote access to the local display VNC on port 5900 Devices Port Logs Secure VNC Server Host Logs Enable the Secure encrypted VNC server for remote access to the local display VNC over SSL on port 5800 Power Terminal KVM Console Server Automatically start PowerAlert console after logging in
17. 137 gt Click Apply Now set the Console Server to send alerts to the Nagios server Select Alerts from the Alerts amp Logging menu and click Add Alert In Description enter Administrator connection Check Nagios NSCA In Applicable Ports check the serial port that has the router console port attached In Applicable Hosts check the IP address DNS name of the IIS server gt Click Connection Alert gt Click Apply Y VV WV Lastly add a User for the client running SDT Connector gt Select Users amp Groups from the Serial amp Network menu gt Click Add User gt In Username enter sdtnagiosuser then enter and confirm a Password gt In Accessible Hosts click the IP address DNS name of the IIS server In Accessible Ports click the serial port that has the router console port attached gt Click Apply 10 3 Configuring Nagios Distributed Monitoring To activate the Console Server s Nagios distributed monitoring Nagios integration must be enabled and a path established to the central upstream Nagios server If the Console Server is to periodically report on Nagios monitored services then the NSCA client embedded in the Console Server must be configured the NSCA program enables scheduled check ins with the remote Nagios server and is used to send passive check results across the network to the remote server If the Nagios server is to actively request status updates from the Console Server then th
18. 40 40 40 41 42 42 45 45 47 48 48 49 51 52 52 52 53 56 56 57 60 60 61 62 62 63 64 64 64 66 68 69 6 2 6 2 1 6 2 2 6 2 3 6 2 4 6 2 5 6 2 6 6 2 7 6 2 8 6 2 9 6 3 6 4 6 5 6 6 6 7 6 8 6 8 1 6 8 2 6 9 6 9 1 6 9 2 6 10 6 10 1 6 10 2 6 10 3 7 1 7 1 1 7 1 2 7 1 3 7 1 4 7 2 7 2 1 7 2 2 7 2 3 SDT Connector Configuration SDT Connector Client Installation Configuring a New Gateway in the SDT Connector Client Auto Configure SDT Connector Client with the User s Access Privileges M ake an SDT Connection Through the Gateway to a Host M anually Adding Hosts to the SDT Connector Gateway M anually Adding New Services to the New Hosts Adding a Client Program to be Started for the New Service Dial In Configuration Choosing an Alternate SSH Client e g PUTTY SDT Connector to Management Console SDT Connector Telnet or SSH Connect to Serially Attached Devices Using SDT Connector for Out of Band Connection to the Gateway Importing and exporting Preferences SDT Connector Public Key Authentication Setting up SDT for Remote Desktop Access Enable Remote Desktop on the Target Windows Computer to be Accessed Configure the Remote Desktop Connection Client SDT SHH Tunnel for VNC Install and Configure the VNC Server on the Computer to be Accessed Install Configure and Connect the VNC Viewer Using SDT to IP Connect to Hosts that are Serially Attached to the Gateway Establish a PPP Connect
19. Advanced System Restore Automatic Updates Remote lt 5j Select the ways that this computer can be used from another location Remote Assistance C Allow Remote Assistance invitations to be sent from this computer What is Remote Assistance Remote Desktop Allow users to connect remotely to this computer Full computer name Bigbob What is Remote Desktop Select Remote Users For users to connect remotely to this computer the user account must have a password Windows Firewall will be configured to allow Remote Desktop connections to this computer gt Check Allow users to connect remotely to this computer gt Click Select Remote Users 88 Remote Desktop Users The users listed below can connect to this computer and any members of the Administrators group can connect even if they are not listed Remote Bob gt To set the user s who can remotely access the system with RDP click Add on the Remote Desktop Users dialog box Note Ifyou need to set up new users for Remote Desktop access open User Accounts in the Control Panel and proceed through the steps to nominate the new user s name password and account type Administrator or Limited Note With Windows XP Professional and Vista you have only one Remote Desktop session and it connects directly to the Windows root console With Windows Server 2008 you can have multiple sessions and with Server 2003 you have
20. Configuration DHCP Method O l O Static The mechanism to acquire IP settings IP Address A statically assigned IP address Subnet Mask A statically assigned network mask i A statically assigned gateway Primary DNS A statically assigned primary name server Note The second Ethernet port on the BO96 048 016 can be configured as either a Management LAN gateway port or it can be configured as an OoB Failover port but not both So be sure that you did not allocate Management LAN as the Failover Interface when you configured the principal Network connection on the System IP menu The B096 048 016 Console Server Management Switches also host a DHCP server which by default is set at disabled The DHCP server enables the automatic distribution of IP addresses to hosts running DHCP clients on the Management LAN To enable the DHCP server gt On the System IP menu select the Management LAN page and click the Disabled label in the DHCP Server field or go to the System DHCP Server menu and check Enable DHCP Server 31 Management LAN DHCP Server Settings Subnet Unavailable DHCP Server C Enable DHCP Server Gateway The Default Gateway to assign Primary DNS The primary DNS to assign Secondary DNS The secondary DNS to assign Domain Name The Domain Name to assign Default Lease The Default Lease Time Maximum Lease The Maximum Lease Time A
21. Enable Nagios Nagios Checks 1 Check by SSH Ml hange then edit and click update Click Apply to commit changes to configuration pwer device ower device confirmation his power device befaults to host name if unset User Comma sepata VS Default Args I USER H HOST C COMMAND 148 11 SYSTEM MANAGEMENT Introduction This chapter describes how the Administrator can perform a range of general system administration and configuration tasks on the Console Server such as Applying Soft and Hard Resets to the gateway Re flashing the firmware Configuring the Date Time and NTP Setting up Backup of the configuration files B095 004 003 only Configuring the console server in FIPS mode B095 004 003 only System administration and configuration tasks covered elsewhere Include Resetting the System Password and entering a new System Name and Description for the Console Server Chapter 3 2 Setting the Console Server s System IP Address Chapter 3 3 Setting the permitted Services used to access the Console Server Chapter 3 4 Setting up OoB Dial in Chapter 5 Configuring the Dashboard B095 004 003 only Chapter 12 11 1 System Administration and Reset The Administrator can reboot or reset the Console Server to default settings A soft reset is performed by gt Selecting Reboot in the System Administration menu and clicking Apply Reboot F Safe
22. Select Enable Nagios specify the name of the device as it will appear on the upstream Nagios server gt Click New Check to add a specific check which will be run on this host gt Select Check Permitted TCP UDP to monitor a service that you have previously added as a Permitted Service gt Select Check TCP UDP to specify a service port that you wish to monitor but do not wish to allow external SDT Connector access gt Select Check TCP to monitor 142 Nagios Settings Enable Nagios Switch Nagios on for this host Host Name Name of host in Nagios Generated using host description if unspecified Nagios Use Defaut args W Commana heck host ai ane Use Default args we omman check host aive Check NRPE Oe O Check Ping Check Permitted TCP Default dregs H ROSTOS o COMMANDOS Check Permitted UDP New Check TCP Check UDP Apply gt The Nagios Check nominated as the check host alive check is used to determine whether the network host itself is up or down gt Typically this will be Check Ping although in some cases the host will be configured not to respond to pings If no check host alive check is selected the host will always be assumed to be up You may deselect check host alive by clicking Clear check host alive If required customize the selected Nagios Checks to use custom arguments Y Y V WV Click Apply Nagios Settings Enable L Magios Switch Nagios an for this
23. THE ENTIRE RISK AS TO SATISFACTORY QUALITY PERFORMANCE ACCURACY AND EFFORT IS WITH YOU ALSO THERE IS NO WARRANTY AGAINST INTERFERENCE WITH YOUR ENJOYMENT OF THE SOFTWARE OR AGAINST INFRINGEMENT IF YOU HAVE RECEIVED ANY WARRANTIES 233 REGARDING THE DEVICE OR THE SOFTWARE THOSE WARRANTIES DO NOT ORIGINATE FROM AND ARE NOT BINDING ON TRIPP LITE NO LIABILITY FOR CERTAIN DAMAGES EXCEPT AS PROHIBITED BY LAW TRIPP LITE SHALL HAVE NO LIABILITY FOR COSTS LOSS DAMAGES OR LOST OPPORTUNITY OF ANY TYPE WHATSOEVER INCLUDING BUT NOT LIMITED TO LOST OR ANTICIPATED PROFITS LOSS OF USE LOSS OF DATA OR ANY INCIDENTAL EXEMPLARY SPECIAL OR CONSEQUENTIAL DAMAGES WHETHER UNDER CONTRACT TORT WARRANTY OR OTHERWISE ARISING FROM OR IN CONNECTION WITH THIS EULA OR THE USE OR PERFORMANCE OF THE SOFTWARE IN NO EVENT SHALL TRIPPLITE BE LIABLE FOR ANY AMOUNT IN EXCESS OF THE LICENSE FEE PAID TO TRIPPLITE UNDER THIS EULA SOME STATES AND COUNTRIES DO NOT ALLOW THE LIMITATION OR EXCLUSION OF LIABILITY FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES SO THIS LIMITATION MAY NOT APPLY TO YOU JSch License SDT Connector includes code from JSch a pure Java implementation of SSH2 JSch is licensed under BSD style license and it Is Copyright c 2002 2003 2004 Atsuhiko Yamanaka JCraft Inc All rights reserved Redistribution and use in source and binary forms with or without modification are permitted provided that the following conditions are met 1 R
24. Use DSMPlugin No Plugin detected Contig Frosp Repeater a Save connection settings as default Delete saved settings B When the Viewer computer is connected directly to the Console Server either locally or remotely through a VPN or dial in connection and the VNC Host computer Is serially connected to the Console Server then enter the IP address of the Console Server unit with the TCP port that the SDT tunnel will use The TCP port will be 7900 plus the physical serial port number i e 7901 to 7948 so all traffic directed to port 79xx on the Console Server is tunneled through to port 5900 on the PPP connection on serial Port xx For example for a Windows Viewer computer using UltraVNC connecting to a VNC Server which is attached to Port 1 on a Console Server enter 192 168 0 1 Litra ye Win22 Viewer 1 0 7 Release VNC Server 192 168 0 1 7901 kii host display or host port Quick Options AUTO Auto select best settings Connect O ULTRA gt 2M bit s Experimental C LAN gt TMbit s Max Colors Cancel CO MEDIUM 128 256K bit s 256 Colors MODEM 19 128Kbit s 64 Colors C SLOW lt TIkKbits amp Colors View Only Auto Scaling Options plions C Use OSMPlugin No Plugin detected Contig Frosp Repeater R Save connection settings as default Delete saved settings gt You can then establish the VNC connection b
25. band connection to the Console Server refer to Section 6 2 9 6 2 2 Configuring a New Gateway in the SDT Connector Client To create a secure SSH tunnel to a new Console Server gt Click the New Gateway icon or select the File New Gateway menu option cE Tripp Lite SDTConnector Fie Edit Help New Gateway is New Host Import Preferences Z Export Preferences Exit gt Enter the IP or DNS Address of the Console Server and the SSH port that will be used typically 22 Note If SDT Connector is connecting to a remote Console Server through the public Internet or routed network you will need to Determine the public IP address of the Console Server or of the router firewall that connects the Console Server to the Internet as assigned by the ISP One way to find the public IP address is to access http checkip dyndns org or hittp Wwww whatismyip com from a computer on the same network as the Console Server and note the reported IP address Set port forwarding for TCP port 22 through any firewall NAT router that is located between SDT Connector and the Console Server so that it points to the Console Server http Awww portforward com has port forwarding instructions for a range of routers Also you can use the Open Port Check tool from http Wwww canyouseeme org to check if port forwarding through local firewall NAT router devices has been properly configured gt Enter the Username and Password of a
26. but not a full Nagios server Clients Typically a client PC laptop etc running Windows Linux or M ac OS X Runs Tripp Lite SDT Connector client software 1 5 0 or later Connect to the central Nagios server web UI to view status of monitored hosts and serial devices Then use SDT Connector to connect through the distributed Console Servers to manage monitored hosts and serial devices 10 2 1 Set Up Central Nagios Server The Nagios server software Is available for most major distributors of Linux using the standard package management tools Your distributor will have documentation available on how to install Nagios This is usually the quickest and simplest way to get up and running Note that you will need the core Nagios server package and at least one of the NRPE or NSCA add ons NSCA Is required to utilize the alerting features of the distributed hosts installing both NRPE and NSCA is recommended 135 You will also require a web server such as Apache to display the Nagios web UI and this may be installed automatically as a dependency of the Nagios packages Alternatively you may wish to download the Nagios source code directly from the Nagios website and build and install the software from scratch The Nagios website http www nagios org has several Quick Start Guides that walk through this process Once you are able to browse to your Nagios server and see its web UI and the local services it monitors by defaul
27. gt Select System Administration on M aster s Management Console gt Browse to the location you have stored RSA or DSA Public Key and upload it to SSH RSA DSA Public Key gt Browse to the stored RSA or DSA Private Key and upload it to SSH RSA DSA Private Key gt Click Apply 49 POWER PROTECTION System Administration Serial amp Network Serial Port System Name TLG Users amp Groups Authentication Network Hosts System Description Rack3F Trusted Networks Cascaded Ports UPS Connections System Password eccccece RPC Connections Environmental An ID for this device The physical location of this device The secret used to gain administration access to this device Confirm System caine Alerts amp Logging Password Re enter the above password for confirmation Apply SSH RSA Public Key Upload a replacement RSA public key file SSH RSA Private Key Browse Upload a replacement RSA private key file SSH DSA Public Key i o EE Upload a replacement DSA public key file SSH DSA Private ok Browse _ Upload a replacement DSA private key file Port Access i dec Users ee Browse _ Statistics Upload a replacement authorized keys file Sy f ro 9 automatically Generate SSH keys locally UPS Status RPC Status es oe Apply Environmental Status Next you must register the Public Key as
28. set up a Network Host designate it as RPC or UPS then go to RPC Connections or UPS Connections to configure the relevant connection Again the corresponding new M anaged Device with the same Name Description as the RPC UPS Host is not created until this connection step is completed refer Chapters Power and Environment The outlet names on this newly created PDU will by default be Outlet 1 Outlet 2 When you connect a particular Managed Device that draws power from the outlet the outlet will then take up the name of the powered Managed Device To add a new serially connected M anaged Device gt VV v Y Y Note Configure the serial port using the Serial amp Network Serial Port menu refer Section 4 1 Configure Serial Port Select Serial amp Network Managed Devices and click Add Device Enter a Device Name and Description for the M anaged Device Click Add Connection and select Serial and the Port that connects to the M anaged Device To add a UPS RPC power connection or network connection or another serial connection click Add Connection Click Apply To set up a new Serially connected RPC UPS or EMD device configure the serial port designate itas a Device then enter a Name and Description for that device in the Serial amp Network RPC Connections or UPS Connections or Environmental When applied this will automatically create a corresponding new Managed Device with the same Name Descripti
29. specifications are all defined in RFCs LDAP is a protocol used to access information stored in an LDAP server Further information on configuring remote RADIUS servers can be found at the following sites http www ldapman org articles intro_to_ldap html http www ldapman org servers html http www linuxplanet com linuxplanet tutorials 5050 1 http www linuxplanet com linuxplanet tutorials 5074 4 9 1 5 RADIUS TACACS User Configuration Users may be added to the local Console Server appliance If they are not added and they log in via remote AAA a user will be added for them This user will not show up in the configurators unless they are specifically added at which point they are transformed into a completely local user The newly added user must authenticate via the remote AAA server and will not have any access if it is down If a local user logs in they may be authenticated authorized from the remote AAA server depending on the chosen priority of the remote AAA A local user s authorization Is the union of local and remote privileges Example 1 User A is locally added and has access to ports 1 and 2 He is also defined on a remote TACACS server which says he has access to ports 3 and 4 The user may log in with either his local or TACACS password and will have access to ports 1 through 4 If TACACS is down he will need to use his local password and will only be able to access ports 1 and 2 Example 2 User B is
30. 01 TRIPP LITE Firmware Rev 2 6 1u1 Current User admir Up time 0 days 19 hours 31 mins 17 secs POWER PROTECTION Serial amp Network Users amp Groups Serial amp Network Serial Port Add a New user Users amp Groups Username Authentication Network Hosts A unique name for the user Trusted Networks Description Cascaded Ports UPS Connections A brief description of the users role RPC Connections Environmental Groups C admin Provides users with unlimited configuration and management privileges C users Provides users with basic management privileges Alerts amp Logging Port Log A group with predefined privileges the user will belong to Alerts SMTP amp SMS SNMP The users authentication secret Vote A password may not be required if remote authentication amp being used Password Administration Ah Firmware Re enter the users password for confirmation IP z Date amp Time ee No hosts currently configured Dal s Explicitly allow connections to hosts Services Accessible ee Port s C Select Unselect all Ports Nagios C Port CO Port C Port C Port C Port C Port C Port C Port 1 2 3 4 5 6 7 8 Port Access Active Users C Port Port C Port Cl Port C Port C Port Cl Port Cl Port Statistics 9 10 11 12 13 14 15 16 Support Report Syslog UPS Status 4
31. Authentication and Accounting Server Address network host devices The Console Server can be configured to the default Local or an alternate authentication method TACACS RADIUS or LDAP with the option of a selected order in which local and remote authentication is to be used Authorisation Server Serial amp Network Authentication Local LocalTACACS TACACS TACACSLocal TACACSDownLocal LocalRADIUS O RADIUS RADIUSLocal RADIUSDownLocal LocalLDAP LDAP LDAPLocal LDAPDownLocal Comma separated list of remote authentiction and authorization servers Comma separated list of remote accounting servers If unset Authentication and Authorization Server Address will be used 126 Local TACACS RADIUS LDAP Tries local authentication first falling back to remote if local fails TACACS RADIUS LDAP Local Tries remote authentication first falling back to local if remote fails TACACS RADIUS LDAP Down Local Tries remote authentication first falling back to local if the remote authentication returns an error condition e g the remote authentication server is down or inaccessible 9 1 1 Local Authentication gt Select Serial and Network Authentication and check Local gt Click Apply 9 1 2 TACACS Authentication Perform the following procedure to configure the TACACS authentication method to be used whenever the Console Server or any of its serial ports or hos
32. Change Clock Settings and Network Time Protocol Time Zone Network Configuration Static and DHCP IP Configuration Dial in Configuration and Services Configuration Serial Port Configuration Serial Port Settings Supported Protocol Configuration Users and Trusted Networks Event Logging Configuration Remote Serial Port Log Storage and Alert Configuration The config documentation in this chapter walks through the basic configuration similar to what can be done with the Management Console For advanced and custom configurations using other standard commands refer to the next chapter Advanced Configuration Since the Console Server runs a standard Linux kernel it is also possible to configure it using other standard Linux and Busybox commands and applications as described in the last section of this chapter However doing this will not always guarantee these changes are permanent a certain level of understanding before you execute Linux kernel level i This chapter is not intended to teach you Linux We assume you already have commands 167 14 1 The Linux Command Line gt Power up the Console Server and connect the terminal device o If you are connecting using the serial line plug a serial cable between the Console Server local DB 9 port and terminal device Configure the serial connection of the terminal device program you are using to 115200bps 8 data bits no parity and one stop bit If you are usi
33. Console Server is less than 30W Two IEC AC power sockets are located at the rear of the metal case and these IEC power inlets use conventional IEC AC power cords A North American power cord is provided by default Power cords for other regions are available separately from Tripp Lite 2 2 2 Power Console Server with PowerAlert The standard B092 016 Console Server has a built in universal auto switching AC power supply This power supply accepts AC input voltage between 100 and 240 VAC with a frequency of 50 or 60 Hz and the power consumption Is less than 40W AC Serial console ports USB VGA USB power Modem Keyboard 10 00 port Mouse Ethernet 16 The AC power socket is located at the rear of the B092 016 This power inlet uses a conventional AC power cord A North American power cord is provided by default Power cords for other regions are available separately from Tripp Lite 2 2 3 Power Console Server Management Switch The B095 004 003 Console Server has an external wall mount power supply This power supply accepts AC input voltage between 100 and 240 VAC with a frequency of 50 or 60 Hz and the total power consumption per console server is less than 20W The DC power sockets on the B095 004 003 Console Server are located on the side of the metal case marked PXR 2 3 Network Connection The RJ45 10 100 LAN port is located on the rear of the B092 016 Console Server on the front of the B096 048 016 Console Server M anagement S
34. Keys Linux To generate new SSH key pairs use the Linux ssh keygen command This will produce an RSA or DSA public private key pair and you will be prompted for a path to store the two key files e g id_dsa pub the public key and id_dsa the private key For example ssh keygen t rsa dsa Generating public private rsa dsa key pair Enter file in which to save the key home user ssh id_ rsa dsa Enter passphrase empty for no passphrase Enter same passphrase again Your identification has been saved in home user ssh id_ rsa dsa Your public key has been saved in home user ssh id_ rsa dsa pub The key fingerprint is 28 aa 29 38 ba 40 f4 11 5e 3f d4 fa e5 36 14 d6 user server It is advisable to create a new directory to store your generated keys It is also possible to name the files after the device they will be used for For example mkdir keys ssh keygen t rsa Generating public private rsa key pair 195 Enter file in which to save the key home user ssh id_ rsa home user keys control_ room Enter passphrase empty for no passphrase Enter same passphrase again Your identification has been saved in home user keys control_ room Your public key has been saved in home user keys control_room pub The key fingerprint is 28 aa 29 38 ba 40 f4 11 5e 3f d4 fa e5 36 14 d6 user server You must ensure there is no password associated with the keys If there is a password then the dev
35. Management Console at 192 168 0 1 or if the default Username Password were not accepted then reset your Console Server refer to Chapter 10 21 3 1 3 Initial BO92 016 Connection For the initial configuration of the B092 016 Console Server you will need to connect a console keyboard mouse and display or a KVM switch directly to its mouse keyboard and VGA ports When you Initially power on the B092 016 you will be prompted on your directly connected video console to log in gt Enter the default administration username and password Username root Password default The B092 016 control panel will be displayed gt Click the Configure button on the control panel This will load the Firefox browser and open the B092 016 Management Console ck ay hs rs Configure ay a oy stern Movilla Firefox File Edit View History Bookmarks Tools Help Omi o o Ge Ss Authentication Required 9 Enter username and password for 127 0 0 1 5161 at http 127 0 0 1 6161 User Mame penne Password ss CI Use Password Manager to remember this password Cancel OK Weiting or 127 0 00 0 ES gt AttheManagement Console menu select System Administration 3 2 Administrator Password For security reasons only the administration user named root can initially log into your Console Server Only those people who know the root password can access and reconfigure the Console Server itself However anyone who correctly gue
36. Management Switch 17 2 5 USB Port Connection The B096 048 016 Console Server Management Switch has one USB port on the front panel External USB devices can be plugged into this USB port The B096 048 016 Console Server M anagement Switch ships with a USB memory stick so that it will be installed in this port for extended log file storage There are four USB 2 0 ports on the rear panel of the B092 016 Console Server and one USB 2 0 port located under the RJ45 10 100 LAN connector on the B095 004 003 Console Server These ports are used to connect to USB consoles of managed UPS hardware and to other external devices such as a USB memory stick or keyboard External USB devices including USB hubs can be plugged into any Console Server USB port 2 6 Rackmount Console KVM Connection B092 016 only B092 016 Console Server with PowerAlert can be connected directly to a rackmount console such as B021 000 17 or BO21 019 by Tripp Lite to provide direct local management right at the rack Connect the rackmount console s PS 2 Keyboard Mouse and VGA connectors directly to the PS 2 and VGA connectors on the B092 016 The default video resolution is 1024 x768 The B092 016 Console Server also supports the use of a USB keyboard mouse Alternately the BO92 016 Console Server can also be connected locally to a KVM or KVM olP switch at the rack The BO92 016 Console Server with PowerAlert will enable you then to use this KVM infrastructure t
37. Power Management Administrator and Users can access and manage the connected power devices gt Select Manage Power i e o ahem Hane i hicie M Eai UPP LN a Manage Power Target Port 1 Switched COU Suter Outlet 4 Select p power dence W menje Action O Tandon Dl tenon CP cyte HB Stans Perio in action on the power deve Outlets He existing statue fhe Last actien may aot be completed 13 4 Serial Port Terminal Connection Administrator and Users can communicate directly with the Console Server command line and with devices attached to the Console Server serial ports using SDT Connector and their local Telnet client or using a java terminal in their browser gt Select Manage Terminal 163 System Name T Model Number TRIPP LITE ene he B POWER PROTECTION Up time Manage Terminal Serial amp Network Serial Port SDTConnector dearie Note To access the TrippLite unit s command line shell or serial ports via SDTConnector SDTConnector 1 5 0 or later must be ie installed on the computer you are browsing from with this unit added as a gateway as per the Quick Install Guide Network Hosts Trusted Networks Cascaded Ports UPS Connections RPC Connections Environmental Connect via SDT Connector Java Terminal edi al Select File gt Open SHELL Session from the menu below to access the TrippLite unit s command line using SSH
38. Select Serial amp Network Users amp Groups to display the configured Groups and Users gt Click Add Group to add a new Group System Name 6 Model Number P S gt B096 016 TRIPP LITE Firmware Rev 6 1u1 Current User admir Up time 0 days 19 hours 29 mins 29 secs POWER PROTECTION Serial amp Network Users amp Groups Serial amp Network Serial Port Add a New group Users amp Groups Groups Authentication Network Hosts A group with predefined privileges the user will belong to Trusted Networks Description Cascaded Ports KPE Giai A brief description of the groups role RPC Connections A ible No hosts currently configured Environmental Host s Explicitly allow connections to hosts Alerts amp Logging Accessible Port Log Port s C Select Unselect all Ports Alerts SMTP amp SMS Cl Port C Port C Port C Port C Port SNMP 1 2 3 4 5 C Port C Port C Port C Port C Port Administration 9 10 11 12 13 14 g 16 Firmware IP Date amp Time Apply gt Add a Group name and Description for each new Group then nominate Accessible Hosts and Accessible Ports to specify the serial ports and hosts you wish any users in this new Group to be able to access gt Click Apply gt Select Serial amp Network Users to display the configured users gt Click Add User to add a new user System Name Model Number MT C L6 3096
39. Server mode Users and Administrators can use SDT Connector to set up secure Telnet connections that are SSH tunneled from their client computers to the serial port on the Console Server with a simple point and click To use SDT Connector to access consoles on the Console Server serial ports configure the SDT Connector with the Console Server as a gateway then as a host Now enable Telnet service on Port 2000 serial port i e 2001 2048 Refer to Chapter 6 for more details on using SDT Connector for Telnet and SSH access to devices attached to the Console Server serial ports You can also use standard communications packages like PuTTY to set a direct Telnet or SSH connection to the serial ports refer to the Note below Note PuTTY also supports Telnet and SSH The procedure to set up a Telnet session is simple Enter the Console Servers IP address as the Host Name or IP address Select Telnet as the protocol and set the TCP port to 2000 plus the physical serial port number e 2001 to 2048 Click the Open button You may then receive a Security Alert that the host s key is not cached Choose yes to continue You will then be presented with the login prompt of the remote system connected to the serial port chosen on the Console Server You can login as normal and use the host serial console screen 37 SSH 3X PuTTY Configuration Session Logging H Terminal Keyboard Bell Fe
40. Slave Management Console to change the settings on any Slave serial port such as to alter the baud rates However these changes will be overwritten next time the M aster sends out a configuration file update Also while the Master is in control of all Slave serial port related functions it is not master over the Slave network host connections or over the Slave Console Server system itself So Slave functions such as IP SMTP amp SNMP Settings Date amp Time DHCP server must be managed by accessing each Slave directly and these functions are not overwritten when configuration changes are propagated from the Master Similarly the Slave s Network Host and IPM I settings have to be configured at each Slave Also the M aster s Management Console provides a consolidated view of the settings for its own and all the Slave s serial ports However the M aster does not provide a fully consolidated view For example if you want to find out who Is logged in to cascaded serial ports from the M aster you ll see that Status Active Users only displays those users active on the Master s ports so you may need to write custom scripts to provide this view This is covered in Chapter 11 4 7 Serial Port Redirection Tripp Lite s VirtualPort software delivers the virtual serial port technology your Windows applications need to open remote serial ports and read the data from serial devices that are connected to your Console Server Virt
41. Statically Reserved IP address for the DHCP client and click Apply 32 Once DHCP has initially allocated hosts addresses it is recommended to copy these into the pre assigned list so the same IP address will be reallocated in the event of a reboot 3 6 2 Configure Management Switch for Failover or Broadband OoB The Management Switch in the B096 048 016 Console Server can be configured to provide a failover option In the event of a problem using the main LAN connection for accessing the Console Server an alternate access path Is used NETWORK i Serially connected consoles Marag eart network gt By default the failover is not enabled To enable select the Network page on the System IP menu gt Now select the Failover Interface to be used in the event of an outage on the main network This can be o an alternate broadband Ethernet connection or o the B096 048 016 internal modem or o an external serial modem ISDN device connected to the B096 048 016 console port for out dialing to an ISP or the remote management office Management LAN lan 4 A device to fail to in case of outage Devices must be configured and enabled for failover to work Primary Probe 192 168 254 254 Address The address of the first peer to probe for connectivity detection Secondary Probe Address The address of the second peer to probe for connectivity detection gt Click Apply You h
42. Syslog O UPS Status The dialed connection is to become a default route for the system Default Route RPC Status Custom Modem Environmental Status Initialization An optional AT command sequence to initialize non standard modems apere Authentication Type None Port Logs O PAP Host Logs O CHAP Power MSCHAPv2 Terminal The method to use when checking the dial in users credentials Enable Dial Back O Allow an out going connection to be triggered by logging into this port Dial Back Phone Number The Phone Number to call back when user logs in Select the System Dial menu option and the port to be configured Serial DB9 Port or Internal Modem Port The Console Server s console modem serial port is set by default to 115200 baud No parity 8 data bits and 1 stop bit with software Xon Xoff flow control enabled You can modify the baud rate and flow control using the Management Console You can further configure the console modem port settings by editing etc mgetty config files as described in Chapter 14 Select the Baud Rate and Flow Control that will communicate with the modem Check the Enable Dial In Access box Enter the User name and Password to be used for the dial in PPP link In the Remote Address field enter the IP address to be assigned to the dial in client You can select any address for the Remote IP Address However it and the Local IP Address must both be in the sa
43. TACACS allows for a single access control server the TACACS daemon to provide authentication authorization and accounting services independently Each service can be tied into its own database to take advantage of other services available on that server or on the network depending on the capabilities of the daemon There is a draft RFC detailing this protocol Further information on configuring remote TACACS servers can be found at the following sites http www cisco com en US tech tk59 technologies tech note09186a0080094e99 shtml http www cisco com en US products sw secursw ps4911 products user guide chapter09186a0 O800eb6d6 html htto cio cisco com univercd cc td doc product software ios113ed 113ed cr secur c scport2 sctplu s htm 9 1 3 RADIUS Authentication Perform the following procedure to configure the RADIUS authentication method to be used whenever the Console Server or any of its serial ports or hosts is accessed gt Select Serial and Network Authentication and check RADIUS or LocalRADIUS or RADIUSLocal or RADIUSDownLocal RADIUS Authentication and Authorisation Server Address Comma seperated list of remote authentiction and authorisation servers Accounting server Address Comma seperated list of remote accounting servers If unset Authentication and Authorisation Server Address will be used Server Password The shared secret allowing access to the authentication server Confirm Password R
44. and delete users and to define the access permissions for each of these users 42 TRIPP LITE a POWER PROTECTION Serial amp Network Users amp Groups Serial amp Network Serial Port Groups Users amp Groups Name Description Authentication Network Hosts admin Provides users with unlimited configuration and management Trusted Networks privileges Cascaded Ports paga ag users Provides users with basic management privileges UPS Connections RPC Connections Add Group Environmental Alerts amp Logging Users Port Log ea Alerts Username Group Description SA SMS w ek pinata admin admin Master sysadmin user Edit Delete SNMP Add User System Users can be authorized to access specified Console Server serial ports and specified network attached hosts These users can also be given full Administrator status with full configuration and management and access privileges To simplify user setup they can be configured as members of Groups There are two Groups set up by default admin and user L Note Membership of the admin group provides the user with full Administrator privileges The admin user referred to in this manual as Administrator can access the Console Server using any of the services which have been enabled in System Services e g if only HTTPS has been enabled then the Administrator can only access the Console Server using HTTPS However once logged in t
45. at my workplace Connect to a business network using dial up or VPN so you can work from home afield office or another location O Set up a home or small office network Connect to an existing home or small office network or set up a new one Set up an advanced connection Connect directly to another computer using your seral parallel or infrared port or set up this computer so that other computers can connect to it gt Select Set up an advanced connection and click Next gt On the Advanced Connection Options screen select Accept Incoming Connections and click Next gt Select the Connection Device i e the serial COM port on the Windows computer that you cabled through to the Console Server By default select COM1 The COM port on the Windows computer should be configured to its maximum baud rate Click Next gt On the Incoming VPN Connection Options screen select Do not allow virtual private connections and click Next 97 New Connection Wizard You can specify the users who can connect to this computer Select the check box next to each user who should be allowed a connection to this computer Note that other factors such as a disabled user account may affect a user s ability to connect Users allowed to connect O E i Guest O Wj HelpAssistant Remote Desktop Help Assistant Account L Remote Bob Remote Bob We SUPPORT _388545a0 CN Microsoft Comoration L Redmond S Washingt O E gi SUPPORT _3
46. available devices types to configure The outlets describe targets that the scripts can control For example a power control board may control several different outlets The port id is the native name for identifying the outlet 211 This value will be passed to the scripts in the environment variable outlet allowing the script to address the correct outlet There are four possible scripts on off cycle and status When a script is run its standard input and output is redirected to the appropriate serial port The script receives the outlet and port in the outlet and port environment variables respectively The script can be anything that can be executed within the shell All of the existing scripts in etc powerstrips xml use the pmchat utility omchat works just like the standard unix chat program only it ensures interoperation with the port manager The final options speed charsize stop and parity define the recommended or default settings for the attached device 15 10 IPM Itool The Console Server includes the ipmitool utility for managing and configuring devices that support the Intelligent Platform M anagement Interface IPM I version 1 5 and version 2 0 specifications IPM I is an open standard for monitoring logging recovery inventory and control of hardware that is implemented independent of the main CPU BIOS and OS The service processor or Baseboard M anagement Controller BM C is the brain behind pla
47. be used at the request of customer support gt Click Apply and the Console Server appliance will undertake a soft reboot and commence upgrading the firmware This process will take several minutes gt After the firmware upgrade has completed click here to return to the Management Console Your Console Server will have retained all its pre upgrade configuration information 11 3 Configure Date and Time It is recommended that you set the local Date and Time in the Console Server as soon as it is configured Features like Syslog and NFS logging use the system time for time stamping log entries while certificate generation depends on a correct Timestamp to check the validity period of the certificate System Name TLE Model Number _ gt _ gt a PP LITE Firmware Rev 2 6 1u1 Current User M Up time 1 days 5 Go back to the main page System Date amp Time Serial amp Network Serial Port System Time 10 23 12 Feb 12 2009 Users amp Groups e Authentication Network Hosts Trusted Networks Time Zone Cascaded Ports UPS Connections Time Zone USA Eastern v RPC Connections Select your timezone Environmental Apply Alerts amp Logging pey Port Log Alerts Manual Settings SMTP amp SMS Time v v SNMP a Hour Minute Date v 2005 01 01 Month Da Year j Date amp Time Dial Apply Services DHCP Server Network Time Protocol Nagios
48. bin config set config portaccess rule2 port5 on 177 bin config set config portaccess total 2 Please note that this rule becomes live straight away 14 6 Event Logging Configuration 14 6 1 Remote Serial Port Log Storage To setup remote storage of serial port 5 log to a remote Windows share with the following properties IP Address 192 168 0 254 Directory C tripplite logs Username cifs_ user Password secret Logging level 2 input output logging as well as user connections amp disconnections The following commands must be issued bin contig set config eventlog server type cifs bin config set config eventlog server address 192 168 0 254 bin config set config eventlog server path tripplite logs bin config set config eventlog server username cifs_ user bin config set config eventlog server password secret bin config set config ports port5 loglevel 2 The following command will synchronize the live system with the new configuration bin config run eventlog Note that supported remote storage server types are None cifs nfs and syslog Supported port logging levels are 0 1 and 2 14 6 2 Alert Configuration You can add an email alert to the system from the command line by following these instructions Determine the total number of existing alerts if you have no existing alerts you can assume this is 0 178 bin config get config alerts total This
49. character used for sending escape characters The default is Single Connection This setting limits the port to a single connection so if multiple users have access privileges for a particular port only one user at a time can be accessing that port i e port snooping is not permitted 39 4 1 3 SDTMode This setting allows port forwarding of LAN protocols such as RDP VNC HTPP HTTPS SSH and Telnet through to computers which are connected locally to the Console Server by their serial COM port However such port forwarding requires a PPP link to be set up over this serial port SDT Settings SDT Mode O Enable access over SSH to a host connected to this serial port Username The login name for PPP The default is portol User Password The login secret for PPP The default i portdl Confirm Password Re type the password for confirmation Refer to Chapter 6 6 Using SDT Connector to Telnet or SSH connect to devices that are serially attached to the Console Server for configuration details 4 1 4 Device RPC UPS EMD Mode This mode configures the selected serial port to communicate with a serial controlled Uninterruptible Power Supply UPS serial Remote Power Controller Power Distribution Unit RPC or Environmental Monitoring Device EM D Device Settings Device Type RPC ae iv Specify the device type Apply this setting then use the APC Connections page to configure the attached power controller
50. command should display output similar to config alerts total 1 Note that if you see config alerts total This means you have 0 alerts configured Your new alert will be the existing total plus 1 So if the previous command gave you 0 then you start with user number 1 If you already have 1 alert your new alert will be number 2 etc To configure an email alert to be sent to alertl1 domain org when the regular expression Cou 0 0 id matches logging on serial port 5 you would need to issue the following commands Assuming you have 1 previous alert in place bin config set config alerts alert2 email alert1 domain com bin config set config alerts alert2 pattern 0 0 id bin config set config alerts alert2 port5 on bin config del config alerts total 2 The following command will synchronize the live system with the new configuration bin config run alerts 14 7 SDT Host Configuration 14 7 1 SDT Host TCP Ports To setup the list of TCP ports for a host you use the config command config s config sdt hosts host3 tcpports tcportl 23 config s config sdt hosts host3 tcpports tcport2 5900 config s config sdt hosts host3 tcpports tcport3 3389 The above assumes the config below vi etc config contfig xml lt users gt 179 lt host1 gt lt total gt 3 lt total gt lt host2 gt lt address gt accounts intranet myco com lt address gt lt description gt Accounts server 4 d
51. custom If the standard system firewall configuration is not adequate for your needs it can be bypassed safely by creating a file at etc config filter custom containing commands to build a specialized firewall This firewall script will be run whenever the LAN interface is brought up including initially and will override any automated system firewall settings Below is a simple example of a custom script which creates a firewall using the iptables command Only incoming connections from computers on a C class network 192 168 10 0 will be accepted when this script is installed at etc config filter custom Note that when this script is called any preexisting chains and rules have been flushed from iptables bin sh Set default policies to drop any incoming or routable traffic and blindly accept anything from the 192 168 10 0 network iptables policy FORWARD DROP iptables policy INPUT DROP iptables policy OUTPUT ACCEPT Allow responses to outbound connections back in iptables append INPUT match state state ESTABLISHED RELATED jump ACCEPT Explicitly accept any connections from computers on 192 168 10 0 24 iptables append INPUT source 192 168 10 0 24 jump ACCEPT Good documentation about using the iptables command can be found at the linux netfilter website http netfilter org documentation index html 191 Resources There are many high quality tutorials and HOWTOs available via the netfilter webs
52. customers should contact Tripp Lite support at intlservice tripplite com THIS WARRANTY DOES NOT APPLY TO NORMAL WEAR OR TO DAMAGE RESULTING FROM ACCIDENT MISUSE ABUSE OR NEGLECT SELLER M AKES NO EXPRESS WARRANTIES OTHER THAN THE WARRANTY EXPRESSLY SET FORTH HEREIN EXCEPT TO THE EXTENT PROHIBITED BY APPLICABLE LAW ALL IM PLIED WARRANTIES INCLUDING ALL WARRANTIES OF MERCHANTABILITY OR FITNESS ARE LIMITED IN DURATION TO THE WARRANTY PERIOD SET FORTH ABOVE AND THIS WARRANTY EXPRESSLY EXCLUDES ALL INCIDENTAL AND CONSEQUENTIAL DAM AGES 239 Some states do not allow limitations on how long an implied warranty lasts and some states do not allow the exclusion or limitation of incidental or consequential damages so the above limitations or exclusions may not apply to you This Warranty gives you specific legal rights and you may have other rights which vary from jurisdiction to jurisdiction Tripp Lite 1111 W 35th Street Chicago IL 60609 USA WARNING The individual user should take care to determine prior to use whether this device is suitable adequate or safe for the use intended Since A N individual applications are subject to great variation the manufacturer makes no representation or warranty as to the suitability or fitness of these devices for any specific application Warranty Registration Visit www tripplite com warranty today to register the warranty for your new Tripp Lite product You ll be automatically entered into
53. descriptive name for this host A brief description of the host Permitted Services 22 tcp ssh 0 23 tcp telnet 0 80 tcp http 0 443 tcp https 0 1494 tcp ica 0 3389 tcp rdp 0 5900 tcp vnc 0 Alerts amp Logging Tcp Oupp pot level 0 Disabled M The TCP services available from this host Device Settings Device Type None Specify the device type Support Report Syslog gt Enter the IP Address or DNS Name of the new network connected Host and optionally enter a Description gt Add or edit the Permitted Services or TCP UDP port numbers that are authorized to be used in controlling this host Only these permitted services will be port forwarded through to the Host All other services TCP UDP ports will be blocked gt Ifthe Console Server has been configured with distributed Nagios monitoring enabled then you will also be presented with Nagios Settings options to enable nominated services on the Host to be monitored refer to Chapter 10 Nagios Integration gt The Logging Level specifies the level of information to be logged and monitored for each Host access refer to Chapter 7 Alerts and Logging gt If the Host is a networked server with IPMI power control then the Administrator can enable users Users and Administrators to remotely cycle power and reboot refer to Chapter 8 2 Configuring IPM I Power Management gt Click Apply 46 4
54. gt Select Alerts amp Logging Alerts which will display all the alerts currently configured Click Add Alert 7 2 1 Add a New Alert The first step is to specify the alert service that will be used to send notification for this event who to notify and what port host device is to be monitored TRIPP LITE POWER PROTECTION System Name TL6 Model Number B096 016 Firmware Rev 2 6 1u1 Current User Up time 0 days 4 hours 49 Alerts amp Logging Alerts Serial amp Network Serial Port Users amp Groups Authentication Network Hosts Trusted Networks Cascaded Ports UPS Connections RPC Connections Environmental Alerts amp Logging Port Log Alerts SMTP amp SMS SNMP Administration Firmware IP Date amp Time Dial Services DHCP Server Nagios Port Access Active Users Statistics Support Report Syslog UPS Status RPC Status Environmental Stat Manage Devices Port Logs Host Logs Power Terminal Add a New Alert Description Email Recipient SMTP SMS Email Recipient SNMP Nagios NSCA Applicable Port s Applicable Host s Applicable UPS es Applicable RPC s Applicable Environmental Sensor s Applicable Alarm Sensor s A brief description of this alert s purpose The email address to send this alert to 1 The SMTP SMS email address to sen
55. gt The VNC Viewer client in your B092 016 will be started and a VNC connection window to the selected server will be opened 221 Ps Configure Es Connect teas Logs fa a Status Ez 3 Custom Custom I System Serial Browser Web Server SSH Ace NT412 IPMI gt Account Mgt 32R RDP Add Delete Edit YNC Viewer Connection Details VNC server About Options OK _ cancel I gt Ifthe HostName was left blank when the VNC server connection was configured then the VNC Viewer will start with a request for the VNC server gt Selecting Options at this stage enables you to configure the VNC Viewer gt Alternately you can select Options by right clicking Y YNC Viewer Connection Options on the VNC Viewer task Bar icon SIE OIG anaie algur Cereal l Auto select C Full fall available colours i RLE C Medium 256 colours C Hestile i Low 64 colours Restore C Raw C Very low 8 colours Inputs View only ignore mouse amp keyboard O Maximize IY Accept clipboard from server lv Send clipboard to server x Close Alt F4 IY Send primary selection amp cut buffer as clipboard Full screen Misc Ctrl Alt Shared don t disconnect other viewers Send Ctrl alt Del Full screen mode Refresh Screen iY Render cursor locally Mew Connection IY Show dot when no cursor Mptions Connection Info About OE Cancel You can find more details on conf
56. host Host Mame Mame of host in Nagios Generated using host description if unspecified Nadi z agios 1 Check NRPE a le check host aive oes Doo Override Default Args Add to default args o ROOM NO os Hew Check Clear check host alive 10 3 6 Configure the Upstream Nagios Monitoring Host Refer to the Nagios documentation http www nagios org docs for configuring the upstream server gt The section entitled Distributed Monitoring steps through what is needed to configure NSCA on the upstream server under Central Server Configuration gt NRPE Documentation which has been recently added steps through configuring NRPE on the upstream server http nagios sourceforge net docs nrpe NRPE pdf At this stage Nagios at the upstream monitoring server is configured and individual serial port and network host connections on the Console Server are configured for Nagios monitoring If NSCA is enabled each selected check will be executed once over the period of the check interval If NRPE is enabled then the upstream server will be able to request status updates under its own scheduling 143 10 4 Advanced Distributed Monitoring Configuration 10 4 1 Sample Nagios Configuration An example configuration for Nagios Is listed below It shows how to set up a remote Console Server to monitor a single host with both network and serial connections Each check has two configurations one for NRPE and one for NSCA In practice these w
57. identifier 8 he number of data bits to use None amp The serial ports parity i The number of stop bits to use None The flow control method RS232 The electrical signaling on this serial port Consult your manual to determine which protocol are supported for this port Select Console Server Mode to enable remote management access to the serial console that is attached to the serial port Console Server Settings Port Access rn Server Active Users Enable remote network access to the console at this serial port Statistics E L Level _ ly Support Report ae level 0 Disabled Syslog Specify the detail of data to log one Tenet D tatu Environmental Status Enable Telnet access SSH O anage Dainis Enable SSH access Port Logs Raw TCP C Host Logs Enable raw TCP access Power Terminal RFC 2217 C Enable RFC 2217 access Unauthenticated O Telnet Enable Telnet access without requiring the user to provide credentials Accumulation OO Period Collect serial data for a period of time in milliseconds then transmit any data received during that time over the network at once Escape Character Customize the character used for sending out of band shell commands The default i Single F Connection Logging Level Alerts and Logging Limit the port to a single concurrent connection This specifies the level of information to be logged and monitored refer to Chapter 7
58. line as described in Chapter 15 Advanced Configuration The Console Servers set up default TFTP server on the USB flash card This server can be used to store config files maintain access and transaction logs etc Allows the Console Server to respond to incoming ICMP echo requests Ping is enabled by default however for security reasons this service should generally be disabled post initial configuration gt And there are some serial port access parameters that can be configured on this menu Base The Console Server uses specific default ranges for the TCP IP ports for the various access services that Users and Administrators can use to access devices attached to serial ports as covered in Chapter 4 Configuring Serial Ports The Administrator can also set alternate ranges for these services and these secondary ports will then be used in addition to the defaults The default TCP IP base port address for Telnet access is 2000 and the range for Telnet is IP Address Port 2000 serial port i e 2001 2048 So if the Administrator were to set 8000 as a secondary base for Telnet then serial port 2 on the Console Server can be Telnet accessed at IP Address 2002 and at IP Address 8002 The default base for SSH is 3000 for Raw TCP is 4000 for RFC2217 it is 5000 and for Unauthenticated Telnet it is 6000 gt The B092 016 Console Server with PowerAlert also presents some additional service and configuration options VNC
59. lt address of unit gt etc config or using PSCP pscp scp ss _key pem root lt address of unit gt etc config pscp scp ssI_cert pem root lt address of unit gt etc config PuTTY and the PSCP utility can be downloaded from http www chiark greenend org uk sgtatham putty download html M ore detailed documentation on the PSCP can be found http the earth li sgtatham putty 0 58 htmidoc Chapter5 html pscp 4 Launching the HTTPS Server Note that the easiest way to enable the HTTPS server is from the Management Console Simply click the appropriate checkbox in Network gt Services gt HTTPS Server and the HTTPS server will be activated assuming the ssl_key pem amp ssl_cert pem files exist in the etc config directory Alternatively inetd can be configured to launch the secure fnord server from the command line of the unit as follows Edit the inetd configuration file From the unit command line vi etc config inetd conf Append a line 207 443 stream tcp nowait root sslwrap cert etc config ssl_cert pem key etc config ssl_ key pem exec bin httpd home httpd Save the file and signal inetd of the configuration change kill HUP cat var run inetd pid The HTTPS server should be accessible from a web client at a URL similar to this https lt common name of unit gt M ore detailed documentation about the openssl utility can be found at the website http www openssl org 15 9 Power St
60. networks like the Internet can have catastrophic consequences It leaves the door open for eavesdropping connection hijacking and other network level attacks Secure Shell SSH is a program to log into another computer over a network to execute commands in a remote machine and to move files from one machine to another It provides strong authentication and secure communications over unsecure channels 194 OpenSSH the de facto open source SSH application encrypts all traffic including passwords to effectively eliminate these risks Additionally OpenSSH provides a myriad of secure tunneling capabilities as well as a variety of authentication methods OpenSSH is the port of OpenBSD s excellent OpenSSH 0 to Linux and other versions of Unix OpenSSH is based on the last free version of Tatu Ylonen s sample implementation with all patent encumbered algorithms removed to external libraries all Known security bugs fixed new features reintroduced and many other clean ups htto www openssh com The only changes in the SSH implementation are PAM support EGD 1 PRNGD 2 support and replacements for OpenBSD library functions that are absent from other versions of UNIX The config files are now in etc config e g o etc config sshd_config instead of etc sshd_config o etc config ssh_config instead of etc ssh_ config o etc config users lt username gt ssh instead of home lt username gt ssh 15 6 2 Generating Public
61. other hosts Remote ports do the same SSH v2 only Forwarded ports OOO Add new forwarded port Sowcepot 234 Desinston por045500 Local Remote Dynamic Note How secure is VNC VNC access generally allows access to your whole computer so security is very important VNC uses a random challenge response system to provide the basic authentication that allows you to connect to a VNC server This is reasonably secure and the password is not sent over the network However once connected all subsequent VNC traffic is unencrypted So a malicious user could snoop your VNC session Also there are VNC scanning programs available which will scan a subnet looking for computers which are listening on one of the ports which VNC uses Tunneling VNC over a SSH connection ensures all traffic is strongly encrypted Also no VNC port is ever open to the internet so anyone scanning for open VNC ports will not be able to find your computers When tunneling VNC over a SSH connection the only port which you re opening on your Console Server is the SDT port 22 So sometimes it may be prudent to tunnel VNC through SSH even when the Viewer computer and the Console Server are both on the same local network To set up the secure SSH tunnel for an HTTP browser connection from the client computer follow the steps above However when configuring the port redirection specify port 80 rather than port 3389 as was used for RDP e g if using
62. owned by fred so login to the Management Console as root and type chown fred etc config users fred ssh authorized_keys Master Slave Slave authorized_key authorized_key ssh rsa AAAABSNzaC 1yc2Efg4 t GHIAAA name client1 ssh rsa AAAAB3NzaC 1yc2Efg4 t GHIAAA name client1 BEGIN RSA PRIVATE KEY MIIEogIBAAKCAQEA ylIPGsNf5 a0LnPUMc nujXXPGiQGyD3b79 KZg3UZ4MjZI525sCy opv4 TJTvTK6e8QlyYt GYTByUdl id_rsa pub ssh rsa AAAAB3NzaC 1yc2Efg4 tGHIAAA name client1 If the Console Server device selected to be the server will only have one client device then the authorized_keys file is simply a copy of the public key for that device If one or more devices will be clients of the server then the authorized_keys file will contain a copy of all of the public keys RSA and DSA keys may be freely mixed in the authorized_keys file For example assume we already have one server called bridge_server and two sets of keys for the control room and the plant_ entrance Is home user keys control room control _room pub plant_entrance plant_entrance pub cat home user keys control_room pub home user kKeys plant_entrance pub gt home user keys authorized_keys bridge server 197 Master Goose e Master a authorized_keys ssh rsa AAAAB3NzaC1yc2Efg4 tGHl AAA name client1 ssh dss AAAAB3NzaZr OV01C8gdgz BEGIN DSA XDg name client2 PRIVATE KEY MIlIBugIBAAKBgQC
63. parses the port logs if you want to find out who s logged In to cascaded serial ports from the master You will probably also want to enable remote or USB logging as local logs only buffer 8K of data and don t persist between reboots This script would parse each port log file line by line Each time it sees LOGIN username it adds the username to the list of connected users for that port each time it sees LOGOUT username it removes it from the list The list can then be nicely formatted and displayed It is also possible to run this as a CGI script on the B092 016 In this case the remote USB logged port logs files are in var run portmanager logdir or they are in var log Otherwise you can run the script on the remote log server To enable log storage and connection logging Select Alerts amp Logging Port Log Configure log storage Select Serial amp Network Serial Port Edit the serial port s Under Console Server select Logging Level 1 and click Apply To run the CGI script on the Console Server Login to the B092 016 Run mount o remount rw dev hdal Copy the script to home httpd cgi bin Run mount o remount ro dev hdal Browse to http 192 168 0 1 cgi bin yourscript cgi where 192 168 0 1 is the IP address of the Console Server and yourscript cgi is the name of the script There is a useful tutorial on creating a bash script CGI at http www yolinux com TUTORIALS LinuxTutori
64. programs login ftpd etc to be rewritten to support it PAM provides a way to develop programs that are independent of authentication schemes These programs need authentication modules to be attached to them at run time in order to work Which authentication module is to be attached is dependent upon the local system setup and is at the discretion of the local Administrator The Console Server family supports PAM to which we have added the following modules for remote authentication RADIUS pam_radius auth http www freeradius org pam_radius_ auth TACACS pam_tacplus http echelon pl pubs pam_tacplus html LDAP pam_Idap http www padli com OSS pam_Idap html Further modules can be added as required Changes may be made to files in etc config pam d which will persist even if the authentication configurator is run gt Users added on demand When a user attempts to login but does not already have an account on the Console Server a new user account will be created This account will not have any rights and no password set They will not appear in the configuration tools Automatically added accounts will not be able to log in if the remote servers are unavailable RADIUS users are currently assumed to have access to all resources so will only be authorized to log in to the Console Server RADIUS users will be authorized each time they access a new resource gt Admin rights granted over AAA Users may be gran
65. scripts portxxX init which gets run whenever portmanager opens the port Otherwise any setup you do with stty will get lost when the portmanager opens the port The reason that portmanager sets things back to its config rather than using whatever is on the port is so the port is in a Known good state and will work no matter what things are done to the serial port outside of portmanager Accessing the Console Port The console dial in is handled by mgetty with automatic PPP login extensions mgetty is a smart getty replacement designed to be used with hayes compatible data and data fax modems mgetty knows about modem initialization manual modem answering so your modem doesn t answer if the machine isn t ready UUCP locking so you can use the same device for dial in and dial out mgetty provides very extensive logging facilities All standard mgetty options are supported Modem initialization strings 189 To override the standard modem initialization string either use the Management Console refer to Chapter 5 or the command line config tool refer to Dial In Configuration Chapter 14 Enabling Boot M essages on the Console If you are not using a modem on the DB9 console port and instead wish to connect to it directly via a Null Modem cable you may want to enable verbose mode allowing you to see the standard linux start up messages This can be achieved with the following commands bin config set config conso
66. security and interoperability and there are no acceptable industry standards or solutions Console Servers with Revision 3 0 1 firmware or later use an embedded OpenSSL cryptographic module that has been validated to meet the FIPS 140 2 standards and has received Certificate 1051 This firmware is only currently available on BO95 004 1E BO95 003 1E M Console Servers When configured in FIPS mode all SSH HTTPS and SDTConnector access to all services on the Console Servers will use the embedded FIPS compliant cryptographic module To connect you must also be using cryptographic algorithms that are FIPs approved in your browser or client or the connection will fail 154 gt Select the System Administration menu option gt Check FIPS Mode to enable FIPS mode on boot and check Reboot to safely reboot the console server Devices FIPS Mode F Port Logs Enable FIPS mode on boot changing requires safe reboot Host Logs Power Reboot F Terminal Safely reboot the device gt Click Apply and the Console Server will now reboot It will take several minutes to reconnect as secure communications with your browser are validated When reconnected it will display FIPs mode Enabled in the banner Note To enable FIPS mode from the command line login and run these commands config s config system fips on touch etc contig FIPS chmod 444 etc contig FIPS flatfsd b The final command saves
67. serially attached consoles and control power to connected devices The Console Server runs an embedded Linux operating system Experienced Linux and UNIX users may prefer to undertake configuration at the command line As an Administrator you can get command line access by connecting through a terminal emulator or communications program to the console serial port or by SSH or Telnet connecting to the Console Server over the LAN or by connecting to the Console Server through an SSH tunnel using the SDTConnector The B092 016 Console Server also has PowerAlert software and a selection of thin clients embedded RDP Firefox etc You will be able to use these consoles as well as the standard Management Console for access and control B PANMS Console 12 04 Ax Management nx Exes ADE e S Configure Logs Help TRI Fee 3 Devices Status IP Address MAC Address Hostname Model Name Location Type Ver Ref a poma isc ioa NUULIESL2O1D IIL s DMAK EDUKU PSUPS jid j inisel ines Y Normal 192 268 1 28 0011 43 23 b 192 168 1 28 UPS paups 12 _ n 1 4 of Normal 192 168 137 00 16 46 02 4 192 168 1 37 SMARTISOORM2U paus CEAR Serial amp Net B le i in rs of Moema 167 173 5945 67 173 59 TRIPP LITE SMA term 12 a Users amp G EDI i i 7 i Normal 192 168 1 125 00 06 67 20d 192 168 1 TRIPP L
68. smtp sender og mydomain com The following command will synchronize the live system with the new configuration bin config run systemsettings The Console Server does not store user passwords in plain text so when manually setting the passwords using config set you need to hash the secret and enter the hashed password Secret One easy way to generate a hashed password Is to run perl e print crypt ona Perl enabled box 14 2 2 Authentication Configuration You can configure the system remote authentication with the following settings Remote Authentication M ethod LDAP Server IP Address 192 168 0 32 Server Password Secret LDAP Base Node Some base node By issuing the following commands bin config set config auth type _DAP 170 bin config set config auth server 192 168 0 32 bin config set config auth password Secret bin config set config auth dap basenode some base node The following command will synchronize the live system with the new configuration bin config run auth 14 3 Date and Time Configuration Manually Change Clock Settings To change the running system time you need to issue the following commands date 092216452005 05 Format is MM DDhhmm CCIYY I ss Then the following command will save this new system time to the hardware clock bin hwclock systohc Alternately to change the hardware clock time you need to issue the following commands bin
69. software are licensed under the GNU General Public License version 2 You may obtain a copy of the GNU General Public License at http www fsf org copyleft gpl Atm and source code will provided for any of the components of the Software licensed under the GNU General Public License upon request The Console Servers are built on the 2 4 uClinux kernel as developed by the uClinux project This is where GPL code and source can be found http cvs uclinux org Supported commands that have config files that can be altered include portmanager inetd init ssh sshd scp sshkeygen ucd snmpd http www ece ucdavis edu ucd snmp samba fnord web server sslwrap Commands you can run from the command line on the Console Server include loopback bash shell busybox http www busybox net downloads BusyBox html has lots of unix shell commands and tools chat dhcpcd ftp hd hwclock iproute iptables netcat ifconfig mii tool netstat route openntpd ping portmap pppd routed setserial 182 smtpclient stty stunel tcodump tftp tip traceroute M ore details on the above Linux commands can found online at http en tldp org HOW TO HOW TO INDEX howtos html http www fags org docs Linux HOWTO Remote Serial Console HOWTO html http www stokely com unix serial port resources serial switch html 183 15 ADVANCED CONFIGURATION Introduction This chapter documents the embedded portmanager application which manage
70. support for more devices This is covered in Chapter 14 Advanced Configurations IPMI service processors and BMCs can be configured so all authorized users can use the Management Console to remotely cycle power and reboot computers even when their operating 113 system is unresponsive To set up IPMI power control the Administrator first enters the IP address domain name of the BMC or service processor e g a Dell DRAC in Serial amp Network Network Hosts Then in Serial amp Network RPC Connections the Administrator specifies the RPC Type to be IPMI1 5 or 2 0 8 1 2 RPC Alerts You can now set PDU and IPM alerts using Alerts amp Logging Alerts refer to Chapter 7 8 1 3 RPC Status You can monitor the current status of your network and serially connected PDU s and IPM I RPC s gt Select the Status RPC Status menu A table with the summary status of all connected RPC hardware will be displayed T System tame 7O U LN TRIPP LITE ae sg eg o Up time 1 dz T POWER PROTECTION Status RPC Status Serial amp Network Serial Port Users amp Groups RPC Status RPC Logs Authentication Network Hosts RPC Status Trusted Networks F Name Description RPC Type Connected Via Outlet Status Cascaded Ports UPS Connections TrippLite PDU Switched CDU Serial Port 1 Unknown Manage RPC Connections Environmental gt Click on View Log or select the RPC Logs menu You
71. temperature and one humidity sensor and one general purpose status sensor which can be connected to a smoke detector water detector vibration or open door sensor The B095 004 003 Console Server models have an internal temperature sensor Using the Management Console Administrators can view the ambient temperature and humidity and set the EM D to automatically send alarms progressively from warning levels to critical alerts Wibretion olism Aitina Sensor Seaba i 122 8 3 1 Connecting the EMD The Environmental M onitoring Sensor EM D connects to any serial port on the Console Server via a special EM D Adapter and standard CAT5 cable The EM D is powered over this serial connection and communicates using a custom handshake protocol It is not an RS232 device and should not be connected without the adapter gt Plug the RJ plug on the EMD Adapter model B090 EM D ADP into RJ45 Port on the EMD model B090 EM D Then connect the Console Server serial port to the RJ45 port of the EMD Adapter using the provided UTP cable If the 6 foot 2 meter UTP cable provided with the EMD is not long enough it can be replaced with a standard Cat5 UTP cable up to 33 feet 10meters in length Tripp Lite N002 series cables KN gt Screw the bare wires on any smoke detector water detector vibration sensor open door sensor or general purpose open close status sensors into the terminals on P
72. the UPS should be setup to monitor the UPS status as a Slave This is done by installing the NUT package on each server and setting up upsmon to connect to the Console Server Refer to the NUT documentation for details on how this is done specifically sections 13 5 to 13 10 http eul networkupstools org doc 2 2 0 INSTALL Atml An example upsmon conf entry might look like MONITOR managedups 192 168 0 1 1 username password Slave managedups is the UPS Name of the M anaged UPS 192 168 0 1 is the IP address of the Console Server 1 indicates the server has a single power supply attached to this UPS username is the Username of the Managed UPS 119 password is the Password of the M anager UPS 8 2 4 UPS Alerts You can now set UPS alerts using Alerts amp Logging Alerts refer to Chapter 7 8 2 5 UPS Status You can monitor the current status of all your M anaged or M onitored UPSs whether they are on the network or connected serially or via USB gt Select the Status UPS Status menu and a table with the summary status of all connected UPS hardware will be displayed gt Click on any particular UPS system name in the table and you will be presented with a more detailed graphical information on the select UPS system Dev UPS UPS 500VA on devups locallhost Sun Jul 02 18 15 14 EDT 2000 Battery Input Output Load UPS UPS Model SOOVA Status ONLINE Battery 13 7 V Input 244 Vv 50 1 Hz Output 244 v gt Cl
73. the principal network connection in System IP specify Internal Modem or the Dial Serial DB9 if using an external modem on the Console port as the Failover Interface to be used when a fault has been detected with Network1 eth0 gt Specify the Probe Addresses of two sites the Primary and Secondary that the Console Server is to ping to determine If Network1 is still operational gt Select the System Dial menu option and the port to be configured Serial DB9 Port or Internal Modem Port gt Select the Baud Rate and Flow Control that will communicate with the modem Note You can further configure the console modem port e g to include modem init strings by editing etc mgetty contig files as described in Chapter 13 gt Check the Enable Dial Out Access box and enter the access details for the remote PPP server to be called 66 TRIPP LITE POWER PROTECTION Serial amp Network Serial Port Users amp Groups Authentication Network Hosts Trusted Networks Cascaded Ports UPS Connections RPC Connections Environmental Alerts amp Logging Port Log Alerts SMTP amp SMS SNMP Administration Firmware IP Date amp Time Dial Services DHCP Server Nagios Port Access Active Users Statistics Support Report Syslog UPS Status RPC Status Environmental Stetus Manage Devices Port Logs Host Log
74. to another computer before proceeding to Set up an advanced connection For Windows 98 you double click My Computer on the Desktop then open Dial Up Networking and double click 6 10 2 Set Up SDT Serial Ports on Console Server To set up RDP and VNC forwarding on the Console Server s Serial Port that is connected to the Windows computer COM port gt gt Note Note Select the Serial amp Network Serial Port menu option and click Edit for the particular Serial Port that is connected to the Windows computer COM port On the SDT Settings menu select SDT Mode which will enable port forwarding and SSH tunneling and enter a Username and User Password SDT Settings SDT Mode Enable access over SSH to a host connected to this serial port Username 4 om login name for PPP The default amp port0s User Password The login secret for PPP The default i port04 Confirm Password Re type the password for confirmation When you enable SDT this will override all other Configuration protocols on that port If you leave the Username and User Password fields blank they default to portXxX and portxx where XX is the serial port number So the default username and password for Secure RDP over Port 2 is port02 Ensure the Console Server Common Settings Baud Rate Flow Control are the same as were set up on the Windows computer COM port and click Apply RDP and VNC forwarding over serial ports is enabled on
75. user on the gateway that has been enabled to connect via SSH and or create SSH port redirections 71 Gateway Address Gateway Username Gateway Password Descriptive Name Description Notes ep ok LSe Cance gt Optionally you can enter a Descriptive Name to display instead of the IP or DNS address and any Notes or a Description of this gateway such as its firmware version site location or anything special about its network configuration gt Click OK and an icon for the new gateway will now appear in the SDT Connector home page Note Foran SDT Connector user to access a Console Server and then access specific hosts or serial devices connected to that Console Server that user must first be set up on the Console Server and must be authorized to access the specific ports hosts refer to Chapter 5 Only these permitted services will be forwarded through by SDT to the Host All other services TCP UDP ports will be blocked 6 2 3 Auto Configure SDT Connector Client with the User s Access Privileges Each user on the Console Server has an access profile This has been configured with the specific connected hosts and serial port devices the user has authority to access and a specific set of the enabled services for each of them This configuration can be auto uploaded into the SDT Connector client E Tripp Lite SDTConnector File Edt Help wa zS Gateway A
76. 4 gt gt Add a Username and a confirmed Password for each new User You may also include information related to the user e g contact details in the Description field Nominate Accessible Hosts and Accessible Ports to specify which serial ports and which LAN connected hosts you wish the user to have access to Specify which Group or Groups you wish the user to be a member of Click Apply Your new user will now be able to access the nominated network devices and the devices attached to the nominated serial ports Note There are no specific limits on the number of users you can set up nor on the number of users per serial port or host Multiple users Users and Administrators can control monitor one port or host Similarly there are no specific limits on the number of Groups and each user can be a member of a number of Groups in which case they take on the cumulative access privileges of each of those Groups A user does not have to be a member of any Groups but if the User is not even a member of the default user group then they will not be able to use the Management Console to manage ports Note that while there are no specific limits the time to re configure does increase as the number and complexity increases so we recommend the aggregate number if users and groups be kept under 250 or 1000 for BO92 016 The Administrator can also edit the access settings for any existing users gt 4 3 Select Serial amp
77. 426E 96C2 O8AA2ZBD23A498displaylang en and click the Download button This software package will install the client portion of Remote Desktop on Windows 95 Windows 98 and 98 Second Edition Windows Me Windows NT 4 0 Windows 2000 and Windows 2003 When run this software allows these older Windows platforms to remotely connect to a computer running Windows XP Professional or Windows 2003 Server B Ona Linux or UNIX client computer gt Launch the open source rdesktop client rdesktop u windows user id p windows password g 1200x950 ms windows terminal server host name option description a Color depth 8 16 24 Device redirection i e Redirect sound on remote machine to local device i e 0 r sound MS Windows 2003 9 Geometry widthxheight or 70 screen percentage P Use p to receive password prompt gt You can use GUI front end tools like the GNOME Terminal Services Client tsclient to configure and launch the rdesktop client Using tsclient also enables you to store multiple configurations of rdesktop for connection to many servers 91 Terminal Server Client Terminal Server Client Logon Settings Type the name of the computer or choose a computer from the drop down list Computer Protocol User Name Password Domain Client Hostname Protocol File Note The rdesktop client is supplied with Red Hat 9 0 rpm ivh rdesktop 1 2 0 1 1386 rom For Red
78. 5 Trusted Networks The Trusted Networks facility gives you the option to nominate specific IP addresses that users Administrators and Users must be located at in order to have access to Console Server serial ports odel Up time 0 days 19 hours 58 POWER PROTECTION Serial amp Network Trusted Networks Serial amp Network Serial Port Network Address Network Mask Description Users amp Groups Authentication Network Hosts Trusted Networks Cascaded Ports No rules currently configured gt Select Serial amp Network Trusted Networks gt To add a new trusted network select Add Rule System Name TLE Model Number Firmware Rev 2 6 1u1 Current User e ia POWER PROTECTION Up time Serial amp Network Trusted Networks Serial amp Network Serial Port Add a New Rule Users amp Groups Accessible Authentication Port s Cselect unselect all Ports Network Hosts Trusted Networks COPort Port CI Port Cl Port Cl Port Cl Port CI Port Cl Port Cascaded Ports 1 2 3 4 5 6 7 8 UPS Connections RPC Connections C Port C Port C Port C Port C Port C Port C Port CO Port Environmental 9 10 11 12 13 14 15 16 Alerts amp Logging acai Port Log Address i j Alerts The IP Address of the subnet to permit SMTP amp SMS Network SNMP Mask The subnet mask for the permitted IP range Administration deai Firmware A brief exp
79. 6 Console Servers can be configured to provide a management LAN gateway With this configuration the B096 048 016 provides firewall router and DHCP server features and you can connect managed hosts to this management LAN NETWORK 1 Operations r neiwork Serially connected consoles NETWORK 2 Management network These features are all disabled by default To configure the Management LAN gateway gt Select the Management LAN page on the System IP menu and uncheck Disable gt Configure the IP Address and Subnet M ask for the Management LAN leaving the Gateway and DNS fields blank then click Apply gt The management LAN gateway function is now enabled with default firewall and router rules These rules can be reconfigured at the command line 30 TRIPP LITE POWER PROTECTION System Name 5 Model Number Firmware Rev 2 6 1u1 Current User Up time 0 days 2 hours 13 mins 32 secs Serial amp Network Serial Port Users amp Groups Authentication Network Hosts Trusted Networks Cascaded Ports UPS Connections RPC Connections Environmental Alerts amp Logging Port Log Alerts SMTP amp SMS Administration Firmware IP Date amp Time Dial Services DHCP Server Nagios Network Interface Management LAN Interface General Settings Disable Fl Deactivate this network interface IP Settings Management LAN
80. AM INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES END OF TERMS AND CONDITIONS SUN Java License B092 016 Console Server with PowerAlert product only 1 Java Technology Restrictions Licensee shall not create modify change the behavior of or authorize licensees of Licensee to create modify or change the behavior of classes interfaces or subpackages that are in any way identified as java javax sun or similar convention as specified by Sun in any naming convention designation In the event that Licensee creates an additional API s which a extends the functionality of a Java Environment and b is exposed to third party software developers for the purpose of developing additional software which invokes such additional API Licensee must promptly publish broadly an accurate specification for such API for free use by all developers 2 Trademarks and Logos This License does not authorize an end user licensee to use any Sun Microsystems Inc name trademark service mark logo or icon The end user licensee acknowledges that Sun owns the Java trademark and all Java related trademarks logos and icons including the Coffee Cup and Duke Java Marks and agrees to a comply with the Java Trademark Guidelines a
81. Configure Management Switch for Failover or Broadband OoB SERIAL PORT AND NETWORK HOST Configuring Serial Ports 14 14 14 15 15 16 16 16 17 17 17 18 18 19 19 19 20 22 22 23 24 25 28 28 28 29 30 30 33 34 34 4 1 1 4 1 2 4 1 3 4 1 4 4 1 5 4 1 6 4 1 7 4 2 4 3 4 4 4 5 4 6 4 6 1 4 6 2 4 6 3 4 6 4 4 7 4 7 1 4 7 2 4 7 3 4 7 4 4 8 5 1 5 1 1 5 1 2 5 1 3 5 1 4 5 1 5 5 2 5 3 5 4 6 1 Common Settings Console Server M ode SDT M ode Device RPC UPS EM D M ode Terminal Server M ode Serial Bridging M ode Syslog Add Edit Users Authentication Network Hosts Trusted Networks Serial Port Cascading Automatically Generate and Upload SSH Keys M anually Generate and Upload SSH Keys Configure the Slaves and their Serial Ports M anaging the Slaves Serial Port Redirection Install VirtualPort Client Configure the VirtualPort Client Remove a Configured Port Configure the Remote Serial Device Connection M anaged Devices B095 004 003 only FAILOVER AND OUT OF BAND ACCESS OoB Dial In Access Configure Dial In PPP Using SDT Connector Client for Dial In Set Up Windows XP 2003 Vista 7 Client for Dial In Set Up Earlier Windows Clients for Dial In Set Up Linux Clients for Dial In OoB Broadband Access B096 048 016 only Broadband Ethernet Failover B096 048 016 only Dial Out Failover SECURE TUNNELING AND SDT CONNECTOR Configuring for SDT Tunneling to Hosts 35 36
82. Connector on your computer Select Edit gt Preferences and click the Services tab Click Add gt Enter Serial Port 2 in Service Name and click Add gt Select Telnet client as the Client Enter 2002 in TCP Port Click OK then Close and Close again gt gt C Tripp Lite SDTConnector Client Telnet client TCP Port 7 OK 3 Cancel Assuming you have already set up the target Console Server as a gateway in your SDT Connector client with username password etc select this gateway and click the Host icon to create a host Alternatively select File gt New Host Enter 127 0 0 1 as the Host Address and select Serial Port 2 for Service In Descriptive Name enter something along the lines of Loopback ports or Local serial ports Click OK Click Serial Port 2 icon for Telnet access to the serial console on the device attached to serial port 2 on the gateway To enable SDT Connector to access to devices connected to the gateway s serial ports you must also configure the Console Server itself to allow port forwarded network access to itself and enable access to the nominated serial port gt gt Browse to the Console Server and select Serial Port from Serial amp Network Click Edit to selected Port e g Port 2 if the target device is attached to the second serial port Ensure the port s serial configuration is appropriate for the attached device S
83. Console Server is a dedicated Linux computer and it embodies popular and proven Linux software modules for secure network access OpenSSH and communications OpenSSL and sophisticated user authentication PAM RADIUS TACACS and LDAP 9 1 Authentication can be performed locally or remotely using an LDAP Radius or TACACS authentication This chapter details how the Administrator can use the Management Console to establish remote AAA authentication for all connections to the Console Server and attached serial and network host devices This chapter also covers establishing a secure link to the M anagement Console using HTTPS and using OpenSSL and OpenSSH to establish a secure Administration connection to the Console Server Authentication Configuration server The default authentication method for the Console Server is Local Any authentication method that is configured will be used for authentication of any user attempting to log in through Telnet SSH or the Web M anager to the Console Server and any connected serial port or TRIPP LITE POWER PROTECTION Serial amp Network Serial Port Authentication Users amp Groups Method Authentication Network Hosts Trusted Networks Cascaded Ports UPS Connections RPC Connections Environmental Alerts amp Logging Administration Firmware TACACS IP Date amp Time Dial Address Services DHCP Server Nagios
84. Console via HTTP Trusted Networks Allow access to the Management Console via HTTPS Cascaded Ports gt Activate your preferred browser and enter https IP address For example if the Console Server has been set up with an IP address of 200 122 0 12 you need to type https 200 122 0 12 in your address bar gt Your browser may respond with a message that verifies the security certificate is valid but notes that it is not necessarily verified by a certifying authority To proceed you need to click yes if you are using Internet Explorer or select accept this certificate permanently or temporarily if you are using M ozilla Firefox gt You will then be prompted for the Administrator account and password as normal When you have a secure HTTPS connection in place the SSL secured icon will appear at the bottom of the browser screen You can verify the level of encryption in place by clicking on this icon 132 When you first enable and connect via HTTPS it is normal that you may receive a certificate warning The default SSL certificate in your Console Server is embedded during testing and is not signed by a recognized third party certificate authority Rather it is signed by our own signing authority These warnings do not affect the encryption protection you have against eavesdroppers Note More detailed information on issuing certificates and configuring HTTPS can be found in Chapter 13 Advanced 133 10 NAGIOS INT
85. ECTOR Introduction Each Console Server has an embedded SSH server and uses SSH tunneling This enables one Console Server to securely manage all the systems and network devices in the data center using text based console tools such as SSH Telnet SoL or graphical desktop tools VNC RDP HTTPS HTTP X11 VM ware DRAC iLO etc To set up Secure Tunnel access the computer being accessed can be located on the same local network as the Console Server or attached to the Console Server via its serial COM port The remote User Administrator then connects to the Console Server through an SSH tunnel via dial up wireless or ISDN modem a broadband Internet connection an enterprise VPN network or a local network Secure Remote Management Secure Local i Management Secure OoB Dial In or Broradband T j oe do m oe Network Serial connected connected To set up the secure SSH tunnel from the Client computer to the Console Server you must install and launch SSH client software on the User Administrator s computer It is recommended that you use the SDT Connector client software supplied with the Console Server to do this SDT Connector is simple to install and it auto configures It provides all your users with point and click access to all the systems and devices in the secure network With one click SDT Connector sets up a secure SSH tunnel from the client to the selected Console Server and then establishes a port forwar
86. EGRATION Introduction Nagios is a powerful highly extensible open source tool for monitoring network hosts and services The core Nagios software package will typically be installed on a server or virtual server the central Nagios server Tripp Lite Console Servers can operate in conjunction with a central upstream Nagios server to provide distributing monitoring of attached network hosts and serial devices The Console Servers can embed the NSCA Nagios Service Checks Acceptor and NRPE Nagios Remote Plug in Executor add ons This allows them to communicate with the central Nagios server eliminating the need for a dedicated Slave Nagios server at remote sites The Console Servers embed a basic set of distributed monitoring add ons and can be uploaded with additional customizable distributed monitoring Note Ifyou have an existing Nagios deployment you may wish to use the Console Server in a distributed monitoring server capacity only In this case and if you are already familiar with Nagios skip ahead to section 10 3 10 1 Nagios Overview Nagios provides central monitoring of the hosts and services in your distributed network Nagios is freely downloadable open source software This section offers a quick background of Nagios and Its capabilities A complete overview FAQ and comprehensive documentation are available at http www nagios org Nagios forms the core of many leading commercial system management solutions such as Gro
87. Hat 8 0 or other distributions of Linux download source untar configure make make then install rdesktop currently runs on most UNIX based platforms with the X Window System and can be downloaded from http Awww rdesktop org C Ona Macintosh client gt Download Microsoft s free Remote Desktop Connection client for Mac OS X http www microsoft com mac otherproducts otherproducts aspx pid remotedesktopclient 92 6 9 SDT SHH Tunnel for VNC Alternately with SDT and Virtual Network Computing VNC Users and Administrators can securely access and control Windows 98 NT 2000 XP 2003 Linux Macintosh Solaris and UNIX computers There s a range of popular VNC software available UltraVNC RealVNC TightVNC freely and commercially To set up a secure VNC connection Install and configure the VNC Server software on the computer to be accessed Then install and configure the VNC Viewer software on the Viewer computer 6 9 1 Install and Configure the VNC Server on the Computer to be Accessed Virtual Network Computing VNC software enables users to remotely access computers running Linux Macintosh Solaris UNIX all versions of Windows and most other operating systems A For Microsoft Windows servers and clients Windows does not include VNC software so you will need to download install and activate a third party VNC Server software package REAL RealVNC http www realvnc com is fully cross platform so a desktop running o
88. IP Address 192 168 1 100 Network M ask 255 255 255 0 Default Gateway 192 168 1 1 172 IP Address 192 168 1 100 Primary DNS 192 168 1 254 Secondary DNS 10 1 0 254 You would need to issue the following commands from the command line bin config set config interfaces wan mode static bin config set config interfaces wan address 192 168 1 100 bin config set config interfaces wan netmask 255 255 255 0 bin config set config interfaces wan gateway 192 168 1 1 bin config set config interfaces wan dns1 192 168 1 254 bin config set config interfaces wan dns2 10 1 0 254 The following command will synchronize the live system with the new configuration bin config runspcontig 14 4 2 Dial In Configuration To enable dial in access on the DB9 serial port from the command line with the following attributes Local IP Address 172 24 1 1 Remote IP Address 172 24 1 2 Authentication Type M SCHAPv2 Serial Port Baud Rate 115200 Serial Port Flow Control Hardware Custom M odem Initialization ATQOV1HO You would need to issue the following commands from the command line to set system configuration bin config set config console ppp localip 172 24 1 1 bin config set config console ppp remoteip 172 24 1 2 bin config set config console ppp auth v SCHAPv2 bin config set config console ppp enabled on bin config set config console soeed 115200 173 bin config set config console flow Hardwa
89. ITE SMA ver BZeses i Authentic Li Pleat DOELORAATS ROORGT A DURS FRPP LIES Pans Fre RE I Network Alarms 192 168 1 21 Trusted RR AAS OU E y E Cascaded ia Darran Fuse 2 Vane Mid M anual Conventions This manual uses different fonts and typefaces to show specific actions Note Text presented like this indicates issues which need to be noted 12 Text presented like this highlights important issues and it is essential you read and take heed of these warnings gt Text presented with an arrowhead indent indicates an action you should take as part of the procedure Bold text indicates text that you type or the name of a screen object e g a menu or button on the Management Console Italic text is also used to indicate a text command to be entered at the command line level Publishing History Date Revision Update details January 2009 0 9 Initial draft February 2009 0 91 Pre release January 2010 1 01 Add B095 004 003 Console Server and Firmware 3 0 1 features 13 2 INSTALLATION Introduction This chapter describes the physical installation of the Console Server hardware and connection to controlled devices 2 1 Models There are anumber of Console Server models each with a different number of network USB and serial ports and power supplies Serial Network Console USB Modem Power Ports Ports Port Port B096 048 48 2 1 1 Internal Dual AC Univers
90. Is home user keys control room control room pub plant_ entrance plant_entrance pub cat home user keys control_room pub home user keys plant_entrance pub gt home user keys authorized_keys bridge server Uploading Keys The keys for the server can be uploaded through the web interface on the System Administration page as detailed earlier If only one client will be connecting then simply upload the appropriate public key as the authorized keys file Otherwise upload the authorized keys file constructed in the previous step Each client will then need its own set of keys uploaded through the same page Take care to ensure that the correct type of keys DSA or RSA go in the correct spots and that the public and private keys are in the correct spot 15 6 8 SDT Connector Public Key Authentication SDT Connector can authenticate against a Console Server using your SSH key pair rather than requiring your to enter your password i e public key authentication 204 gt To use public key authentication with SDT Connector first you must first create an RSA or DSA key pair using ssh keygen PuTTYgen or a similar tool and add the public part of your SSH Key pair to the Console Server as described in the earlier section gt Next add the private part of your SSH key pair this file is typically named id_rsa or id_dsa to SDT Connector client Click Edit gt Preferences gt Private Keys gt Add locate the private key file
91. M I and it is included in standard distributions On Solaris this driver is called BM C and is included in Solaris 10 Management of a remote station requires the IPM l over LAN interface to be enabled and configured Depending on the particular requirements of each system it may be possible to enable the LAN interface using ipmitool over the system interface Options a Prompt for the remote server password A lt authtype gt Specify an authentication type to use during IPM Iv1 5 lan session activation Supported types are NONE PASSWORD M D5 or OEM C Present output in CSV comma separated variable format This is not available with all commands C lt ciphersuite gt The remote server authentication integrity and encryption algorithms to use for IPM Iv2 lanplus connections See table 22 19 in the IPM Iv2 specification The default is 3 which specifies RAKP HM AC SHA1 authentication HM AC SHA1 96 integrity and AES CBC 128 encryption algorithms The remote server password is specified by the environment variable IPM I PASSWORD 213 f lt password file gt Specifies a file containing the remote server password If this option is absent or if password file is empty the password will default to NULL h Get basic usage help from the command line H lt address gt Remote server address can be an IP address or hostname This option is required for lan and lanplus interfaces lt interface gt Selects IPM I inter
92. MITATION OF LIABILITY IS INCORPORATED INTO THIS EULA BY REFERENCE THE SOFTWARE IS NOT FAULT TOLERANT YOU HAVE INDEPENDENTLY DETERMINED HOW TO USE THE SOFTWARE IN THE DEVICE AND TRIPPLITE HAS RELIED UPON YOU TO CONDUCT SUFFICIENT TESTING TO DETERMINE THAT THE SOFTWARE IS SUITABLE FOR SUCH USE LIMITED WARRANTY Tripp Lite warrants the media containing the Software for a period of ninety 90 days from the date of original purchase from Tripp Lite or its authorized retailer Proof of date of purchase will be required Any updates to the Software provided by Tripp Lite which may be provided by Tripp Lite at its sole discretion shall be governed by the terms of this EULA In the event the product fails to perform as warranted Tripp Lite s sole obligation shall be at Tripp Lite s discretion to refund the purchase price paid by you for the Software on the defective media or to replace the Software on new media Tripp Lite makes no warranty or representation that its Software will meet your requirements will work in combination with any hardware or application software products provided by third parties that the operation of the software products will be uninterrupted or error free or that all defects in the Software will be corrected TRIPP LITE DISCLAIMS ANY AND ALL OTHER WARRANTIES WHETHER EXPRESS OR IMPLIED INCLUDING WITHOUT LIMITATION ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OTHER THAN AS STATED HEREIN
93. N the EM D Q LA o B090 WLS Console Server Water Leak Sensor gma j o B090 DCS Console Server Door Contact Sensor lt oe DONS o B090 VS Console Server Vibration Sensor o B090 SD 110 Console Server Smoke Detector 110V o B090 SD 220 Console Server Smoke Detector 220V The EMD can be used only with a Console Server and cannot be connected to standard RS232 serial ports on other appliances gt Select Environmental as the Device Type in the Serial amp Network Serial Port menu for the port to which the EMD is to be attached No particular Common Settings are required gt Click Apply Device Settings Device Type Environmental Specify the device type Apply this setting then use the lt nvurenmenta page to configure the attached environmental monitor gt Select the Serial amp Network Environmental menu This will display all the EM D connections that have already been configured 123 TRIPP LITE POWER PROTECTION System Name Model Number Firmware Rev lul Current User Up time 1 days 4 hours 19 m Serial amp Network Environmental Serial amp Network Serial Port Users amp Groups Authentication Network Hosts Trusted Networks Cascaded Ports UPS Connections gt Click Add Environmental Monitors Name Description Alarm 1 Alarm 2 Connected Via Log Label Label Status No environmental monitors have been configured Add Serial amp Network
94. NSCA must be enabled under System Nagios and Nagios must be enabled for each applicable host or port under Serial amp Network Network Hosts or Serial amp Network Serial Ports refer to Chapter 10 7 2 Activate Alert Events and Notifications The Alert facility monitors the status of the Console Server and connected devices When an alert event is triggered a notification is emailed to a nominated email address or SM S gateway or the configured SNMP or Nagios server is notified A wide selection of events can be used as the trigger for an alert These events include gt gt A user establishing a remote Telnet connecting to a serial port or Host Reaching a nominated low battery level on a particular UPS or current load levels on a PDU power outlet Exceeding a specified temperature or humidity level on an environmental sensor Sensing a particular data pattern on a serial port e g the data stream on a particular serial console may be monitored for nominated messages coming from the device such as warning or IO error and send out an alarm when they occur 105 TRIPP LITE POWER PROTECTION Serial amp Network Serial Port Users amp Groups Authentication Network Hosts Trusted Networks Description Model Number Current User Up time 0 days 4 hours System Name Firmware Rev Alerts amp Logging Alerts Email SNMP Nagios Type Data No alerts are currently configured
95. Network Users amp Groups and click Edit for the User to be modified Authentication Refer to Chapter 9 1 Remote Authentication Configuration for authentication configuration details 4 4 Network Hosts To access a locally networked computer or appliances referred to as a Host you must identify the network connected Host and then specify the TCP or UDP ports services that are permitted to be used for communicating to that Host POWER PROTECTION Serial amp Network Network Hosts Serial amp Network Serial Port Users amp Groups Authentication Network Hosts Trusted Networks No hosts currently configured Cascaded Ports UPS Connections RPC Connections Environmental IP Host Description Notes Permitted Services Device Address DNS Name Type ame 45 gt Selecting Serial amp Network Network Hosts presents all the network connected Hosts that have been enabled for access and the related access TCP ports services gt Click Add Host to enable access to a new Host or select Edit to update the settings for existing Host B POWER PROTECTION Serial amp Network Network Hosts Serial amp Network Serial Port IP Address DNS Users amp Groups Name Authentication Network Hosts Host Name Trusted Networks 03 UPS Connections Description Notes RPC Connections Environmental The host s IP Address or DNS name A
96. OWER PROTECTION System Configuration Backup Serial amp Network Serial Port Remote Backup Local Backup Users amp Groups Remote Backup Last Remote Never up RPC Connections Environmental Save Backup Managed Devices Backup Fie Saved configuration backup file To activate the Back Up feature EJ gt Select the System Configuration Backup menu option or click the icon You can save the backup file remotely on your PC and you can restore configurations from remote locations gt Click Save Backup in the Remote Configuration Backup menu gt The config backup file System Name_date_config opg will be downloaded to your PC and saved in the location you nominate 152 System Name b095 003 1e Model Number 8095 003 hd Q A TRIPP LITE ruaro aE ias l Aet POWER PROTECTION Opening b095 003 1e m_20000117_config o esa w z You have chosen to open _ b095 003 1e m_20000117_config opg which is a OPG file from https 192 168 254 23 Serial amp Network Serial Port Rema Users amp Groups Authentication E Network Hosts Remote Backup Trusted Networks Last Remote Ney Cascaded Ports Backup Ee ht DN Aomen anann aeoe UPS Connections RPC Connections _ A Environmental Save Backup Managed Devices What should Firefox do with this file Alerts amp Logging Backup File
97. Owner s Manual Console Server Management Switch Models B096 016 B096 048 Console Server with PowerAlert Model B092 016 Console Server Models B095 004 1E B095 003 1E M COMPLIANT TRIPPLITE Tripp Lite World Headquarters 1111 W 35th Street Chicago IL 60609 USA www tripplite com support Copyright 2010 Tripp Lite All rights reserved All trademarks are the property of their respective owners 2 1 2 1 1 2 1 2 2 1 3 2 2 2 2 1 2 2 2 2 2 3 2 3 2 4 2 5 2 6 3 1 ola 3 1 2 3 1 3 3 2 3 3 3 3 1 3 4 3 5 35 1 3 5 2 3 003 3 6 3 6 1 3 6 2 4 1 INDEX INTRODUCTION INSTALLATION Models Kit Components B096 048 and B096 016 Console Server Management Switch Kit Components B092 016 Console Server with PowerAlert Kit Components B095 004 1E and B095 003 1E M Console Server Power Connection Power Console Server Management Switch Power Console Server with PowerAlert Power Console Server Management Switch Network Connection Serial Port Connection USB Port Connection Rackmount Console KVM Connection B092 016 only INITIAL SYSTEM CONFIGURATION Management Console Connection Connected Computer Set Up Browser Connection Initial BO92 016 Connection Administrator Password Network IP Address IPv6 Configuration System Services Communications Software SDT Connector PuTTY SSHTerm Management Network Configuration B096 048 016 only Configure Management Switch as a Management LAN Gateway
98. P version 1 and 2c only config set config system snmp community2 yourcommunityname replacing yourcommunityname with the community name 193 To set the Engine ID field SNMP version 3 only config set config system snmp engineid2 800000020109840301 replacing 800000020109840301 with the engine ID To set the Username field SNMP version 3 only config set config system snmp username2 yourusername replacing yourusername with the username config system snmp usernamez2 3 only To set the Engine ID field SNMP version 3 only config set config system snmp password2 yourpassword replacing yourpassword with the password Once the fields are set apply the configuration with the following command config run snmp You can add a third or more SNMP servers by incrementing the 2 in the above commands e g config system snmp protocol3 config system snmp address3 etc 15 6 Secure Shell SSH Public Key Authentication This section covers the generation of public and private keys in a Linux and Windows environment and configuring SSH for public key authentication The steps to use in a Clustering environment are Generate a new public and private key pair Upload the keys to the M aster and to each Slave Console Server Fingerprint each connection to validate 15 6 1 SSH Overview Popular TCP IP applications such as Telnet rlogin ftp and others transmit their passwords unencrypted Doing this across public
99. PANYING SOFTWARE YOU SHOULD CAREFULLY READ THE FOLLOWING TERMS AND CONDITIONS BEFORE USING THE ACCOMPANYING SOFTWARE THE USE OF WHICH IS LICENSED FOR USE ONLY AS SET FORTH BELOW IF YOU DO NOT AGREE TO THE TERMS AND CONDITIONS OF THIS AGREEMENT DO NOT USE THE SOFTWARE IF YOU USE ANY PART OF THE SOFTWARE SUCH USE WILL INDICATE THAT YOU ACCEPT THESE TERMS You have acquired a product that includes Tripp Lite Tripp Lite proprietary software and or proprietary software licensed to Tripp Lite This Tripp Lite End User License Agreement EULA is a legal agreement between you either an individual or a single entity and Tripp Lite for the installed software product of Tripp Lite origin as well as associated media printed materials and online or electronic documentation Software By installing copying downloading accessing or otherwise using the Software you agree to be bound by the terms of this EULA If you do not agree to the terms of this EULA Tripp Lite is not willing to license the Software to you In such event do not use or install the Software If you have purchased the Software promptly return the Software and all accompanying materials with proof of purchase for a refund Products with separate end user license agreements that may be provided along with the Software are licensed to you under the terms of those separate end user license agreements LICENSE GRANT Subject to the terms and conditions of thi
100. PS RPC and environmental status and a custom script screen The admin user can configure which of these widget is to be displayed where Go to the Dashboard layout panel and select which widget is to be displayed in each of the six display locations widget 6 Click Apply a ___ System Name b Model Numbet LE M hal Oo TRIPP LITE PE E LANTER USET Backup Log Out POWER PROTECTION Up Ume 59 se System Configure Dashboard Serial amp Network Serial Port Dashboard Layout Configure Widgets Users amp Groups Authentication Network Hosts Configuring Dashboard for group admin Trusted Networks Select Alerts X Select Managed Devices v Cascaded Ports Widget 1 Widget 2 UPS Connections Select which widget to display in this Select which widget to display in this RPC Connections position position Environmental Managed Devices Active Users UPS v Select which widget to display in this Widget 4 Select which widget to display in this Alerts amp Logging position position Port Log Alerts al m RPC sr 2 Environmental A amp SMS Select which widget to display in this Select which widget to display in this position position Administration Refresh Timer SSL Certificates Minutes between each dashboard page refresh Default is 5 Configuration Backup Firmware IP Date amp Time Dial Services l Note The Alerts widget is a new screen
101. Port 3389 and log level 1 and click Add It is important to remove and re add the service to enable logging Nagios Settings Enable L Nagios Switch Nagios on for this host Host Mame Magias Checks Mame of host in Nagios Generated using host description if unspecitied Use Default 4rgs Ww Command check host aive Check NRPE Check Ping Check Permitted TCP Check Permitted UDP New Check TCP Check UDP Default Aros H AROS TA C COMMAND 5 gt gt gt gt gt V Scroll down to Nagios Settings and check Enable Nagios Click New Check and select Check Ping Click check host alive Click New Check and select Check Permitted TCP Select Port 3389 Click New Check and select Check TCP Select Port 80 Click New Check and select Check TCP Select Port 443 Click Apply Similarly configure the serial port to the router to be monitored by Nagios gt gt gt gt M Yv WV Select Serial Port from the Serial amp Network menu Locate the serial port that has the router console port attached and click Edit Ensure the serial port settings under Common Settings are correct and match the attached router s console port Click Console Server Mode and select Logging Level 1 Check Telnet SSH access is not required as SDT Connector Is used to secure the otherwise unsecured Telnet connection Scroll down to Nagios Settings and check Enable Nagios Check Port Log and Serial Status
102. PuTTY 82 6 3 SDT Connector to Management Console SDT Connector can also be configured for browser access to the gateway s Management Console and for Telnet or SSH access to the gateway command line For these connections to the gateway Itself you must configure SDT Connector to access the gateway itself by setting the Console Server up as a host and then configuring the appropriate services gt Launch SDT Connector on your computer Assuming you have already set up the Console Server as a Gateway in your SDT Connector client with username password etc select this newly added Gateway and click the Host icon to create a host Alternatively select File gt New Host gt Enter 127 0 0 1 as the Host Address and give some details in Descriptive Name Notes Click OK R Edit SDT Host Host Address 127 0 0 1 Services 7 HTTP z Telnet lt d A A Dell RAC C Dell Server Administrator E Dell IT Assistant E SOL IBM RSA JI IBM Director IBM AMM HP iLO 2 VMWare Server TCP Port 1494 Serial 2 SSH Serial 2 Telnet Serial 3 SSH Serial 3 Telnet Serial 4 SSH Serial 4 Telnet TCP Port 903 O o 0 0 000o oO Descriptive Name Local Host Description Notes Manual entry connections Ito the console server itself 2 ok 6 Cance gt Click the HTTP or HTTPS Services icon to access the gateway s Manage
103. R kixjJOSKuiIREXTM xOPFp9HqBvEg7Ww9 oynY4QNiXj1YU7T 87ITLQiAhn38yp7ZWy 7Z5C3sLF8046Go nujXXPGiQGyD3b79 KZg3UZ4MjZI525sCy opv4 TJTvTK6e8QlYt GYTByUdl ssh dss ssh rsa AAAAB3NzaZr OV01 C8gdgz AAAAB3NzaC1 yc2Efg4 tG XDg name client2 HIAAA name client1 id_dsa pub id_rsa pub M ore documentation on OpenSSH can be found at http openssh org portable html http www openbsd org cgi bin man cgi query ssh amp sektion 1 http www openbsd org cgi bin man cgi query sshd 15 6 5 Generating Public Private Keys for SSH Windows This section describes how to generate and configure SSH keys using Windows First create a new user from the Management Console on the Console Server the following example users a user called testuser making sure it is a member of the users group If you do not already have a public private key pair you can generate them now using ssh keygen PulTYgen or a similar tool PulTYgen http www chiark greenend org uk sgtatham putty download html 198 OpenSSH http www openssh org OpenSSH Windows http sshwindows sourceforge net download For example using PulTYgen make sure you have a recent version of the puttygen exe available from http www chiark greenend org uk sgtatham putty download html M ake sure you have a recent version of WinSCP available from http winscp net eng download php To generate a SSH key using PuTTY http s
104. S TACACS User Configuration PAM Pluggable Authentication M odules Secure Management Console Access NAGIOS INTEGRATION Nagios Overview Central Management Set Up Central Nagios Server Set Up Distributed Console Servers 109 110 111 112 112 112 114 114 114 115 115 118 119 120 120 120 122 123 124 124 126 126 127 127 128 129 130 131 132 134 134 135 135 136 10 3 10 3 1 10 3 2 10 3 3 10 3 4 10 3 5 10 3 6 10 4 10 4 1 10 4 2 10 4 3 11 11 1 11 2 11 3 11 4 11 5 12 12 1 12 2 12 3 12 4 12 5 12 5 1 12 5 2 13 13 1 13 2 13 3 13 4 13 5 14 14 1 14 2 Configuring Nagios Distributed M onitoring Enable Nagios on the Console Server Enable NRPE M onitoring Enable NSCA M onitoring Configure Selected Serial Ports for Nagios M onitoring Configure Selected Network Hosts for Nagios M onitoring Configure the Upstream Nagios M onitoring Host Advanced Distributed M onitoring Configuration Sample Nagios Configuration Basic Nagios Plug Ins Additional Plug Ins SYSTEM M ANAGEM ENT System Administration and Reset Upgrade Firmware Configure Date and Time Configuration Backup B095 004 003 only FIPS M ode B095 004 003 only STATUS REPORTS Port Access and Active Users Statistics Support Reports Syslog Dashboard Configuring the Dashboard Creating Custom Widgets for the Dashboard MANAGEM ENT Device M anagement Port amp Host M anagement Power Management Serial Port Termi
105. T 1 USER 2 echo Welcome to port PORT USER lt etc config pmshell start sh gt The return value from the script controls whether the user is accepted or not If 0 is returned or nothing is done on exit as in the above script then the user is permitted otherwise the user Is denied access Here is a more complex script which reads from configuration to display the port label if available and denies access to the root user lt etc config pmshell start sh gt bin sh PORT 1 USER 2 LABEL config g config ports port PORT label cut f2 d if S USER root then echo Permission denied for Super User exit 1 188 fi if z LABEL then echo Welcome USER you are connected to Port PORT else echo Welcome USER you are connected to Port PORT LABEL fi lt etc config pmshell start sh gt 15 3 Raw Access to Serial Ports Access to Serial Ports You can tip and stty to completely bypass the portmanager and have raw access to the serial ports When you run tip on a portmanager controlled port portmanager closes that port and stops monitoring it until tip releases control of it With stty the changes made to the port only stick until that port is closed and opened again so it is doubtful that people will want to use stty for more than initial debugging of the serial connection If you want to use stty to configure the port you can put stty commands in etc contig
106. To access the i pore 0g TrippLite unit s serial ports append sera to the username e g root seral 192 168 0 1 L SMTP amp SMS Administration Firmware S IP Date amp Time File Proxy PortForwarding Etc Help DHCP Server Nagios Click Connect to SDT Connector to access the Console Server command line shell or the serial ports via SDT Connector This will activate the SDT Connector client on the computer you are browsing and load your local Telnet client to connect to the command line or serial port using SSH TRIPPLITE 1PPLITE ee Sei AETA Up time POWER PROTECTION Manage Terminal Serial amp Network Serial Port SDTConnector Users amp Groups Note To access the TrippLite unit s command line shell or serial ports via SDTConnector SDTConnector 1 5 0 or later must be Authentication installed on the computer you are browsing from with this unit added as a gateway as per the Quick Install Guide Network Hosts Trusted Networks Cascaded Ports UPS Connections RPC Connections Environmental Connect via SDT Connector Era Tripp Lite SDTConnector File Edit Help Java Terminal Alerts amp Logging Select File gt Open TrippLite unit s serial SS ee a TRIPP LITE POWER PROTECTION ee Note Tripp Lite SDT Connector must be installed on the computer from which you are browsing and the Console Serve
107. Y can be also used to connect to the Console Server command line and to connect to serially attached devices as covered in Chapter 4 PuTTY is a freeware implementation of Telnet and SSH for Win32 and UNIX platforms It runs as an executable application without needing to be installed onto your system PuTTY the Telnet and SSH client itself can be downloaded at http www tucows com preview 195286 html 28 Pull Configuration Cah cay E Semon Ligaen Temra Fepboad Bel Feahnas E da e amnia Behara riihi Salato Pano opio hw wou Pul Tieso Sgach pou cannae bp host naa ot E addes Hasi Home bores Pol 2b oh ob Th oe Protocat O Ren Cilene C Rlbgn SSH Load seve dete g coed secon Taraj Sect scone Colo Tinie a E 7 E bere eral prie Lozi ETJ Deia Abe Hevea a Dnk on clear esl Come Cera 3 5 3 SSHTerm To use PuTTY for an SSH terminal session from a Windows client enter the Console Server s IP address as the Host Name or IP address To access the Console Server command line select SSH as the protocol and use the default IP Port 22 Click Open and the Console Server login prompt will appear You may also receive a Security Alert that the host s key is not cached Choose yes to continue Using the Telnet protocol is similarly simple but you need to use the default port 23 Another common communications package that may be useful is SSHT
108. a Port basis You can add Users who can have access to these ports or reconfigure User profiles by selecting Serial amp Network User amp Groups menu tag as described earlier in Chapter 4 Configuring Serial Ports 6 10 3 Set Up SDT Connector to SSH Port Forward Over the Console Server Serial Port In the SDT Connector software running on your remote computer specify the gateway IP address of your Console Server and a username password for a user you have setup on the Console Server that has access to the desired port 100 Next add a New SDT Host In the Host address you need to put portxx where xx the port to which you are connecting Example for port 3 you would have a Host Address of port03 and then select the RDP Service check box 101 7 ALERTS AND LOGGING Introduction This chapter describes the alert generation and logging features of the Console Server The alert facility monitors the serial ports all logins the power status and environmental monitors and probes It sends emails SMS Nagios or SNMP alerts when specified trigger events occurs First enable and configure the service that will be used to carry the alert Section 7 1 Then specify the alert trigger condition and the actual destination to which that particular alert is to be sent Section 7 2 The Console Servers can also be configured selectively to maintain log records of all access and communications with the Console Server and with the at
109. a W U C Port Log define command command name check_port_log command line USER1 check_nrpe H 192 168 254 147 p 5666 c port_log_ HOSTNAM E define service service_description host_name use check_command define service service_description host_name use check_command Port Log server generic service check_port_log port log server server generic service check_port_log active checks enabled 0 passive checks enabled define servicedependency name 1 tripplite_nrpe daemon dep 145 host_name tripplite dependent_host_ name server dependent_service description Port Log service_description NRPE Daemon execution failure criteria W U C Ping define command command name check_ping_via_tripplite command line USER1 check_nrpe H 192 168 254 147 p 5666 c host_ping_ HOSTNAM E define service service_description Host Ping host_name server use generic service check_command check_ping_via_tripplite define service service_description host ping server host_name server use generic service check_command check_ping_via_tripplite active checks enabled 0 passive checks enabled 1 define servicedependency name tripplite_nrpe daemon dep host_name tripplite dependent_host name server dependent_service description Host Ping service_description NRPE Daemon execution failure criteria W U C SSH Port define command command name check_conn_via _tripplite command line USER1 c
110. a drawing for a chance to win a FREE Tripp Lite product No purchase necessary Void where prohibited Some restrictions apply See website for details WARNING Use of this equipment in life support applications where failure of this equipment can reasonably be expected to cause the failure of the life support equipment or to significantly affect its safety or effectiveness is not recommended Do not use this equipment in the presence of a flammable anesthetic mixture with air oxygen or nitrous oxide Regulatory Compliance Identification Numbers For the purpose of regulatory compliance certifications and identification your Tripp Lite product has been assigned a unique series number The series number can be found on the product nameplate label along with all required approval markings and information When requesting compliance information for this product always refer to the series number The series number should not be confused with the marking name or model number of the product WEEE Compliance Information for Tripp Lite Customers and Recyclers European Union Under the Waste Electrical and Electronic Equipment WEEE Directive and implementing regulations when customers buy new electrical and electronic equipment from Tripp Lite they are entitled to 240 e Send old equipment for recycling on a one for one like for like basis this varies depending on the country e Send the new equipment back for recycling when this ultim
111. ace bin config set config users user2 username userl bin contig set config users user2 password secret bin contig set config users user2 description lhe Second User bin config set config users user2 port5 on bin config set config users total 2 The following command will synchronize the live system with the new configuration bin config run users 14 5 4 Trusted Networks You can further restrict remote access to serial ports based on the source IP address To configure this via the command line you need to do the following Determine the total number of existing trusted network rules If you have no existing rules you can assume this is 0 bin config get config portaccess total This command should display contig portaccess total 1 Note that if you see contig portaccess total This means you have 0 rules configured Your new rule will be the existing total plus 1 So if the previous command gave you 0 then you start with rule number 1 If you already have 1 rule your new rule will be number 2 etc If you want to restrict access to serial port 5 to computers from a single C class network 192 168 5 0 you need to issue the following commands assuming you have a previous rule in place bin config set config portaccess rule2 address 192 168 5 0 bin config set config portaccess rule2 netmask 255 255 255 0 bin config set config portaccess rule2 description foo bar
112. advance connection to access the Windows computer The Console Server default Username is portXX where XX is the serial port number on the Console Server The default Password is portXx So to use the defaults for an RDP connection to the serial port 2 on the Console Server you would have set up a Windows user named port02 gt When the PPP connection has been set up a network Icon will appear in the Windows task bar Note The above notes describe setting up an incoming connection for Windows XP The steps are the same for Windows 2003 except that the setup screens present slightly differently ep Incoming Connections Properties 4 Fiske that ethos aE such as a disabled user account may affect a user s abiy to connect e se a cra palate Put a check in the box for Always allow directly connected devices such as palmtop Also the option to Set up an advanced connection is not available in Windows 2003 if RRAS is configured If RRAS has been configured it is a simple task to enable the null modem connection for the dial in configuration 99 C For earlier version Windows computers follow the steps in Section B above To get to the Make New Connection button For Windows 2000 click Start and select Settings At the Dial Up Networking Folder click Network and Dial up Connections and click Make New Connection Note you first may need to set up a connection over the COM port using Connect directly
113. ager for that serial port so data is no longer logged for alerts etc 4 1 6 Serial Bridging Mode With serial bridging the serial data on a nominated serial port on one Console Server is encapsulated into network packets and then transported over a network to a second Console Server where it is then represented as serial data So the two Console Servers effectively act as a virtual serial cable over an IP network One Console Server is configured to be the Server The Server serial port to be bridged is set in Console Server mode with either RFC2217 or RAW enabled as described in Chapter 4 1 2 Console Server M ode For the Client Console Server the serial port to be bridged must be set in Bridging M ode Serial Bridge Settings Serial Bridging O Mode Create a network connection to a remote serial port via RFC 2217 Server Address The network address of an RFC 2217 server to connect to Server TCP Port The TCP port the RFC 2217 server is serving on RFC 2217 o Enable RFC 2217 access SSH Tunnel A Redirect the serial bridge over an SSH tunnel to the server gt Select Serial Bridging M ode and specify the IP address of the Server Console Server and the TCP port address of the remote serial port for RFC2217 bridging this will be 5001 5048 gt By default the bridging client will use RAW TCP so you must select RFC2217 if this is the Console Server mode you have specified on the server Console Server 4 E
114. al Input B096 016 16 2 1 1 Internal Dual AC Universal Input B092 016 16 1 1 KVM 4 Single AC Universal Input B095 004 1E 4 1 1 1 External DC Supply B095 003 1E M 3 1 1 1 Internal External DC Supply 2 1 1 Kit Components B096 048 and B096 016 Console Server M anagement Switch B096 048 or B096 016 Console Server M anagement Switch 2 x Cable UTP Cat5 blue Connectors DB9F RJ 45S straight and cross over Dual IEC AC power cords Quick Start Guide and CD ROM 14 gt Unpack your Console Server Management Switch kit and verify you have all the parts shown above and that they all appear in good working order gt If you are installing your Console Server Management Switch in a rack you will need to attach the rack mounting brackets supplied with the unit and install the unit in the rack Take care to head the Safety Precautions gt Connect your Console Server Management Switch to the network to the serial ports of the controlled devices and to power as outlined below 2 1 2 Kit Components B092 016 Console Server with PowerAlert B092 016 Console Server with PowerAlert 2 x Cable UTP Cat5 blue Connector DB9F RJ45S straight and DB9F i Z RJ45S cross over Se AC power cable A Quick Start Guide and CD ROM gt Unpack your Console Server and verify you have all the parts shown above and that they all appear in good working order gt If you are installing your Console Server in a rack you will need to attac
115. alCgiShellScript html Similarly the M aster maintains a view of the status of the Slaves 216 Select Status Support Report Scroll down to Processes Look for bin ssh M N o ControlPath var run cascade h Slavename These are the Slaves that are connected Note The end of the Slaves names will be truncated so the first 5 characters must be unique Alternatively you can write a custom CGI script as described above The currently connected Slaves can be determined by running Is var run cascade and the configured Slaves can be displayed by running config g config cascade Slaves 217 16 THIN CLIENT BO92 016 Introduction The B092 016 has a selection of management clients Firefox browser SSH Telnet VNC viewer ICA RDP embedded as well as the Tripp Lite PowerAlert software With these the B092 016 provides rack side control of computers networking telecom power and other managed devices via serial USB or IP over the LAN This chapter provides instructions on configuring the thin clients and using them locally and remotely The thin clients can be controlled from the rack side using a direct monitor keyboard mouse connected to the B092 016 or remotely using a VNC connection from the remote user to the B092 016 16 1 Local Client Service Connections These client connections first need to be configured gt Select Connect Add Delete Edit on the control panel cy Favorit
116. amp Environment Management of USB serial and network attached Power Distribution Units and UPS units including Network UPS Tool NUT operation and IPM I power control and EM D environmental sensor configuration 9 Authentication All access to the Console Server requires usernames and passwords which are locally or externally authenticated 10 10 Nagios Integration Setting Nagios central management with SDT extensions and configuring the Console Server as a distributed Nagios server 11 System M anagement Covers access to and configuration of services to be run on the Console Server 12 Status Reports View the status and logs of serial and network connected devices ports hosts power and environment 13 Management Includes port controls and reports that can accessed by Users 14 Basic Configuration Command line installation and configuration using the config command 15 Advanced Config More advanced command line configuration activities where you will need to use Linux commands 16 Thin Client Configuration and use of the thin client and other applications including Power Alert embedded in the Console Server with PowerAlert B092 016 product Types of Users The Console Server supports two classes of users Administrative users Those who will be authorized to configure and control the Console Server and to access and control all the connected devices These administrative users will be set up as Members of the admin
117. an Authorized Key on the Slave In the simple case with only one Master with multiple Slaves you need only upload the one RSA or DSA public key for each Slave Note The use of key pairs can be confusing because in many cases one file Public Key fulfills two roles Public Key and Authorized Key For a more detailed explanation refer to the Authorized Keys section of Chapter 15 Also refer to this chapter if you need to use more than one set of Authorized Keys in the Slave gt Select System Administration on the Slave s Management Console gt Browse again to the stored RSA or DSA Public Key and upload it to Slave s SSH Authorized Key gt Click Apply The next step Is to Fingerprint each new Slave M aster connection This once off step will validate that you are establishing an SSH session with the correct target On the first connection the Slave will receive a fingerprint from the M aster which will be used on all future connections gt To establish the fingerprint first log in the M aster server as root and establish an SSH connection to the Slave remote host ssh remhost Once the SSH connection has been established you will be asked to accept the key Answer yes and the fingerprint will be added to the list of known hosts For more details on Fingerprinting refer to Chapter 15 6 gt If you are asked to supply a password then there has been a problem with uploading keys The keys should remove any need to supply a pa
118. and give any other recipients of the Program a copy of this License along with the Program You may charge a fee for the physical act of transferring a copy and you may at your option offer warranty protection in exchange for a fee 2 You may modify your copy or copies of the Program or any portion of it thus forming a work based on the Program and copy and distribute such modifications or work under the terms of Section 1 above provided that you also meet all of these conditions a You must cause the modified files to carry prominent notices stating that you changed the files and the date of any change b You must cause any work that you distribute or publish that in whole or in part contains or is derived from the Program or any part thereof to be licensed as a whole at no charge to all third parties under the terms of this License c If the modified program normally reads commands interactively when run you must cause it when started running for such interactive use in the most ordinary way to print or display an announcement including an appropriate copyright notice and a notice that there is no warranty or else saying that you provide a warranty and that users may redistribute the program under these conditions and telling the user how to view a copy of this License Exception if the Program itself is interactive but does not normally print such an announcement your work based on the Program is not required to print an annou
119. and click OK You do not have to add the public part of your SSH key pair it is calculated using the private key SDT Connector will now use public key authentication when SSH connecting through the Console Server You may have to restart SDT Connector to shut down any existing tunnels that were established using password authentication If you have a host behind the Console Server that you connect to by clicking the SSH button in SDT Connector you can also configure it for public key authentication Essentially what you are using is SSH over SSH and the two SSH connections are entirely separate and the host configuration is entirely independent of SDT Connector and the Console Server You must configure the SSH client that SDT Connector launches e g Putty OpenSSH and the host s SSH server for public key authentication 15 7 Secure Sockets Layer SSL Support Secure Sockets Layer SSL is a protocol developed by Netscape for transmitting private documents via the Internet SSL works by using a private key to encrypt data that s transferred over the SSL connection The Console Server includes OpenSSL The OpenSSL Project is a collaborative effort to develop a robust commercial grade full featured and Open Source toolkit implementing the Secure Sockets Layer SSL v2 v3 and Transport Layer Security TLS v1 protocols as well as a full strength general purpose cryptography library The project is managed by a worldwide community of volun
120. are pre allocated to the M aster So the first Slave added will be assigned port number 17 and onwards Once you have added all the Slave Console Servers the Slave serial ports and the connected devices are configurable and accessible from the M aster s M anagement Console menu and accessible through the M aster s IP address gt Select the appropriate Serial amp Network Serial Port and Edit to configure the serial ports on the Slave gt Select the appropriate Serial amp Network Users amp Groups to add new users with access privileges to the Slave serial ports or to extend existing users access privileges gt Select the appropriate Serial amp Network Trusted Networks to specify network addresses that can access nominated Slave serial ports gt Select the appropriate Alerts amp Logging Alerts to configure Slave port Connection State Change or Pattern M atch alerts gt The configuration changes made on the Master are propagated out to all the Slaves when you click Apply 5I 4 6 4 Managing the Slaves The Master is in control of the Slave serial ports So for example if you change a User s access privileges or edit any serial port setting on the Master the updated configuration files will be sent out to each Slave in parallel Each Slave will then automatically make changes to their local configurations and only make those changes that relate to its particular serial ports You can still use the local
121. are transmitted for remote USB flash storage To view the local cache of logged serial port data select Manage Port Logs 110 7 5 Network TCP or UDP Port Logging The Console Servers can also log any access to and communications with network attached Hosts gt For each Host when you set up the Permitted Services which are authorized to be used you also must set up the level of logging that is to be maintained for each service Es _ ode TRIPP LITE Firmware Rev 2 6 1u1 Current User r lt Up time 0 days 4 POWER PROTECTION Serial amp Network Network Hosts Serial amp Network Serial Port IP Address DNS Users amp Groups Name Authentication Network Hosts Host Name Trusted Networks Cascaded Ports UPS Connections Description Notes sA A brief description of the host Permitted Services 22 tcp ssh 0 Alerts amp Logging telne 23 tcp telnet 0 80 tcp http 0 443 tcp https 0 1494 tcp ica 0 3389 tcp rdp 0 5900 tcp vnc 0 The host s IP Address or DNS name A descriptive name for this host Administration fo TCP Firmware P Oupp Port 7 Date amp Time level 2 Input Output logging on services level 1 iv Dial level 0 Disabled Services level 1 User connects disconnects to the service DHCP Server level 2 Input Output logging on services level 1 g
122. ately becomes waste Tripp Lite follows a policy of continuous improvement Product specifications are subject to change without notice 241 TRIPP LITE Tripp Lite World Headquarters 1111 W 35th Street Chicago IL 60609 USA www tripplite com support 201001079 93 2879 EN
123. atures El Window Appearance Behaviour Translation Selection Colours El Connection Proxy Telnet Rlogin El SSH Auth Tunnels c balan ale Bugs C Aways Never Only onclean exit ma oren conca PuTTY can be downloaded at http www tucows com preview 195286 html It is recommended that the User or Administrator uses SSH as the protocol for connecting to serial consoles attached to the Console Server when communicating over the Internet or any other public network This will provide an authenticated encrypted connection between the SSH client program on the remote user s computer and the Console Server The user s communication with the serial device attached to the Console Server is therefore secure It is recommended for Users and Administrators to use SDT Connector when making an SSH connection to the consoles on devices attached to the Console Server s serial ports Configure the SDT Connector with the Console Server as a gateway then as a host and enable SSH service on Port 3000 serial port i e 3001 3048 refer to Chapter 6 You can also use common communications packages like PuTTY or SSHTerm to SSH connect directly to port address IP Address _ Port 3000 serial port i e 3001 3048 Alternately SSH connections can be configured using the standard SSH port 22 The serial port being accessed Is then identified by appending a descriptor to the username This syntax supports any of lt use
124. ault as RJ serial Console Server ports However Port 1 can be configured to be the Local Console M odem port to enable the attachment of an external modem 60 5 1 1 Configure Dial In PPP To enable dial in PPP access on the Console Server modem port internal modem Note VV V Y System Name TL6 Model Number p S aa TRIPP LITE Firmware Rev 2 6 1u1 Current User e x Up time 0 days 1 5 51 POWER PROTECTION Serial amp Network Serial Port Serial DBS Port Internal Modem Port Users amp Groups Serial Settings Serial DB9 Port Authentication Network Hosts Baud Rate 115200 Trusted Networks The port speed in characters per second Cascaded Ports a UPS Connections Flow Control None iv RPC Connections The method of flow control to use Environmental Alerts amp Logging Port Log Dial In Settings Alerts Enable Dial In O SMTP amp SMS SNMP Allow incoming modem communication on this port Username Administration The user to dial as Firmware Password 7 IP Date amp Time The secret to use when authenticating the user Dial Confirm Services DHCP Server Re enter the users password for confirmation Nagios Remote Address The IP address to assign a dial in client Port Access Local Address Active Users Statistics The IP address for the Dial In server Support Report
125. ave selected the failover method However it is not active until you have specified the external sites to be probed to trigger failover and set up the failover ports themselves This is covered in Chapter 5 Note The second Ethernet port on the BO96 048 016 can be configured as either a Management LAN gateway port or it can be configured as an OoB Failover port but not both So ensure you did not configure this port as the Management LAN on the System IP menu 33 SERIAL PORT AND NETWORK HOST Introduction The Console Server enables access and control of serially attached devices and network attached devices hosts The Administrator must configure access privileges for each of these devices and specify the services that can be used to control the devices The Administrator can also set up new users and specify each user s individual access and control privileges This chapter covers each of the steps in configuring hosts and serially attached devices Configure Serial Ports setting up the protocols to be used in accessing serially connected devices Users amp Groups setting up users and defining the access permissions for each of these users Authentication covered in Chapter 9 Network Hosts configuring access to local network connected computers or appliances referred to as hosts Configuring Trusted Networks Cascading and Redirection of Serial Console Ports Connecting to Power UPS PDU and IPM1 and Environmetal M
126. aved in home user ssh id_ rsa dsa pub The key fingerprint is 28 aa 29 38 ba 40 f4 11 5e 3f d4 fa e5 36 14 d6 user server It is advisable to create a new directory to store your generated keys It is also possible to name the files after the device they will be used for For example mkdir keys ssh keygen t rsa Generating public private rsa key pair Enter file in which to save the key home user ssh id_ rsa home user keys control_ room Enter passphrase empty for no passphrase Enter same passphrase again 203 Your identification has been saved in home user keys control_ room Your public key has been saved in home user keys control_room pub The key fingerprint is 28 aa 29 38 ba 40 f4 11 5e 3f d4 fa e5 36 14 d6 user server You should ensure there is no password associated with the keys If there is a password then the Console Server devices will have no way to supply it as runtime Authorized Keys If the Console Server device selected to be the server will only have one client device then the authorized_keys file is simply a copy of the public key for that device If one or more devices will be clients of the server then the authorized_keys file will contain a copy of all of the public keys RSA and DSA keys may be freely mixed in the authorized_keys file For example assume we already have one server called bridge server and two sets of keys for the control room and the plant_ entrance
127. ay service providers use SM TP servers which require authentication Similarly you can specify the Subject Line that will be sent with the email Generally the email subject will contain a truncated version of the alert notification message which is contained in full in the body of the email However some SM S gateway service providers require blank subjects or require specific authentication headers to be included in the subject line Click Apply to activate SM TP SNMP Alerts The Administrator can configure the Simple Network M anagement Protocol SNM P agent that resides on the Console Server to send Alerts to an SNM P management application gt gt Y Y V Y V Select Alerts amp Logging SNMP Enter the SNMP transport protocol SNMP is generally a UDP based protocol though it infrequently uses TCP instead Enter the IP address of the SNMP Manager and the Port to be used for connecting Select the version being used The Console Server SNMP agent supports SNMP v1 v2 and v3 Enter the Community name for SNMP v1 or 2c To configure for SNMP v3 you will need to enter an ID and authentication password and contact information for the local Administrator in the Security Name Click Apply to activate SNM P 104 TRIPP LITE prev 280s POWER PROTECTION Alerts amp Logging SNMP Serial amp Network Serial Port Manager Protocol UDP g Users amp Groups The transport protocol to use to conne
128. ble or by the network to the Console Server The Console Server becomes the M aster of this UPS and runs a upsd server to allow other computers that are drawing power through the UPS Slaves to monitor its status and take appropriate action such as shutdown in event of low battery Serial or USB control poris Managed UPSes The Console Server may or may not be drawing power through the M anaged UPS see the Configure UPS powering the Console Server section below When the UPS s battery power reaches critical the Console Server signals and waits for Slaves to shutdown then powers off the UPS Serial and network connected UPS s must first be configured on the Console Server with the relevant serial control ports reserved for UPS usage or with the UPS allocated as a connected Host 115 gt Select UPS as the Device Type in the Serial amp Network Serial Port menu for each port which has M aster control over a UPS and in the Serial amp Network Network Hosts menu for each network connected UPS refer to Chapter 4 Device Settings Device Type UPS Specify the device type Apply this setting then use the PS Connections page to configure the attached UPS No such configuration Is required for USB connected UPS hardware System Name TLE Model Number a B096 016 TRIPP LITE Firmware Rev 2 6 1u1 Current User oot Up time 1 days 4 hours 5 mins 26 secs POWER PROTECTION Serial amp Network UPS Connect
129. blished by the Free Software Foundation 10 If you wish to incorporate parts of the Program into other free programs whose distribution conditions are different write to the author to ask for permission For software which is copyrighted by the Free Software Foundation write to the Free Software Foundation we sometimes make exceptions for this Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally NO WARRANTY 11 BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE THERE IS NO WARRANTY FOR THE PROGRAM TO THE EXTENT PERMITTED BY APPLICABLE LAW EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND OR OTHER PARTIES PROVIDE THE PROGRAM AS IS WITHOUT WARRANTY OF ANY KIND EITHER EXPRESSED OR IMPLIED INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU SHOULD THE PROGRAM PROVE DEFECTIVE YOU ASSUME THE COST OF ALL NECESSARY SERVICING REPAIR OR CORRECTION 12 INNO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER OR ANY OTHER PARTY WHO MAY MODIFY AND OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE BE LIABLE TO YOU FOR DAMAGES INCLUDING ANY GENERAL SPECIAL INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGR
130. by clicking Restore If for some reason your alternate default configuration causes the Console Server to become unbootable recover your unit to factory settings using the following steps If the configuration is stored on an external USB storage device unplug the storage device and reset to factory defaults as per section 11 1 of the owner s manual Ifthe configuration is stored on an internal USB storage device reset to factory defaults using a specially prepared USB storage device o The USB storage device must be formatted with a Windows FAT32 VFAT file system on the first partition or the entire disk most USB thumb drives are already formatted this way o The file system must have the volume label OPG_DEFAULT o Insert this USB storage device into an external USB port on the Console Server and reset to factory defaults as per section 11 1 After recovering your Console Server ensure the problematic configuration is no longer selected for Load On Erase 11 5 FIPS Mode B095 004 003 only Note The US National Institute of Standards and Technology NIST publishes the FIPS Federal Information Processing Standard series of standards FIPS 140 1 and FIPS 140 2 are both technical standards and worldwide de facto standards for the implementation of cryptographic modules These standards and guidelines are issued by NIST for use government wide NIST develops FIPS when there are compelling Federal Government requirements such as for
131. cedure is the same as above except you get to the Dial Up Networking Folder by clicking the Start button and selecting Settings Then click Network and Dial up Connections and click Make New Connection Similarly for Windows 98 you double click My Computer on the Desktop then open Dial Up Networking and double click Make New Connection and proceed as above 63 5 1 5 Set Up Linux Clients for Dial In The online tutorial http www yolinux com TUTORIALS LinuxTutorialPPP htm presents a selection of methods for establishing a dial up PPP connection Command line PPP and manual configuration which works with any Linux distribution Using the Linuxconf configuration tool for Red Hat compatible distributions This configures the scripts ifup ifdown to start and stop a PPP connection Using the Gnome control panel configuration tool WVDIAL and the Redhat Dialup configuration tool GUI dial program X isp Download Installation Configuration Note For all PPP clients Set the PPP link up with TCP IP as the only protocol enabled Specify that the Server will assign IP address and do DNS Do not set up the Console Server PPP link as the default for Internet connection 5 2 OoB Broadband Access B096 048 016 only The B096 048 016 Console Server Management Switch has a second Ethernet network port that can be configured for alternate and OoB out of band broadband access With two active broadband access paths to the Consol
132. chapter gt Click Apply gt You will need to reconnect the browser on the Computer that is connected to the Console Server by entering http new IP address 3 3 1 IPv6 Configuration By default the Console Server Ethernet interfaces support IPv4 however they can also be configured for IPv6 operation gt On the System IP menu select General Settings page and check Enable IPv6 24 System Name 6 Model Number TRIPP LITE mae Rev 26A corner oo Up time 0 days 0 hours 49 mins 36 secs lt S gt POWER PROTECTION Serial amp Network Serial Px Network Interface Management LAN Interface General Settings Network Hosts ae Trusted Networks Enable IPv6 O Cascaded Ports Enable IPv6 for all interfaces UPS Connections RPC Connections Apply gt You will then need to configure the IPv6 parameters on each interface page Port Logs Host Logs Power Configuration Stateless only Terminal Method Static The mechanism to acquire IP settings IPv6 Settings Network IPv6 Address A statically assigned IPv6 address IPv6 Subnet Mask A statically assigned IPv6 network mask Apply 3 4 System Services The Administrator has a selection of access protocols that can be used to access the Console Server The factory default enables HTTPS and SSH access to the Console Server and disables HTTP and Telnet The User can also use the nominated services for limi
133. croll down to Console Server Setting and select Console Server Mode Check Telnet or SSH and scroll to the bottom and click Apply Select Network Hosts from Serial amp Network and click Add Host In the IP Address DNS Name field enter 127 0 0 1 this is the Console Server s network loopback address and enter Loopback in Description Remove all entries under Permitted Services and select TCP and enter 200n in Port This configures the Telnet port enabled in the previous step so for Port 2 you would enter 2002 84 gt Click Add then scroll to the bottom and click Apply gt Administrators by default have gateway and serial port access privileges however for Users to access the gateway and the serial port you will need to give those Users the required access privileges Select Users amp Groups from Serial amp Network Click Add User Enter a Username Description and Password Confirm Select 127 0 0 1 from Accessible Host s and select Port 2 from Accessible Port s Click Apply 6 5 Using SDT Connector for Out of Band Connection to the Gateway SDT Connector can also be set up to connect to the Console Server gateway via out of band OoB OoB access uses an alternate path for connecting to the gateway i e not the one used for regular data traffic OOB access is useful when the primary link into the gateway is unavailable or unreliable Typically a gateway s primary link is a broadband Internet connection or Internet co
134. ct to the SNMP Manager Authentication Network Hosts Manager Address Trusted Networks Cascaded Ports UPS Connections Manager Trap Port 162 RPC Connections Environmental The address of the SNMP Manager to receive traps The TCP UDP port number to send SNMP traps to Version 1 g Alerts amp Loggin o gong The SNMP protocol to use for traps Port Log Alerts Community SMTP amp SMS SNMP The SNMP Community to use for traps Version 1 and 2c only Engine ID Administration The SNMPv3 Engine ID of the trap manager Version 3 only Firmware Security Name IP Date amp Time The SNMPv3 user to send traps as Version 3 oniy Dial Password Services DHCP Server The SNMPv3 users password Version 3 only Nagios Confirm Password Confirm the SNMPv3 users password Version 3 only Port Access Active Users Note The Console Servers have an snmptrap daemon to send traps notifications to remote SNMP 7 1 4 servers on defined trigger events as detailed above The Console Servers also embed the net snmpd daemon which accept SNMP requests from remote SNMP management servers and provides information on network interface running processes disk usage etc refer to Chapter 15 5 Modifying SNMP Configuration for more details Nagios Alerts To notify the central Nagios server of Alerts
135. ctions E EE Bgateway Jf Band Retrieve Hosts gt Click on the new gateway icon and select Retrieve Hosts This will 12 Configure access to network connected Hosts that the user is authorized to access and set up for each of these Hosts the services e g HTTPS IPM12 0 and the related IP ports being redirected Configure access to the Console Server itself this is shown as a Local Services host Configure access with the enabled services for the serial port devices connected to the Console Server GS Tripp Lite SDTConnector File Edit Help fe f F E E E 208 64 91 182 HP iLO 2 ESXi Ip Power Web Management Dell Server 2003 DRAC4 HP 2003 Server iLO 2 J m Nw S LJ E S Dell 2003 Server BMC E HP 2003 Server Local Services Services pawn Note The Retrieve Hosts function will auto configure all classes of user i e they can be members of user or admin or some other group or no group SDT Connector will however not auto configure the root and it is recommended that this account is only used for initial config and for adding an initial admin account to the Console Server 6 2 4 Make an SDT Connection Through the Gateway to a Host gt Simply point at the host to be accessed and click on the service to be used in accessing that host The SSH tunnel to the gateway is then automatically establishe
136. d the appropriate ports redirected through to the host and the appropriate local client application is launched pointing at the local endpoint of the redirection G Tripp Lite SDTConnector Fite Edit p Helg 26 z 208 64 91 182 m HP iLO 2 IBM RSAII m Ee Ip Power Web Management E Dell Server 2003 DRAC4 E HP 2003 Server iLO 2 Dell 2003 Server Bl Dell 2003 Server BMC HP 2003 Server gt Local Services Logging in to gateway 208 64 91 182 73 Note The SDT Connector client can be configured with an unlimited number of Gateways Each Gateway can be configured to port forward to an unlimited number of locally networked Hosts Similarly there is no limit on the number of SDT Connector clients who can be configured to access the one Gateway There are also no limits on the number of Host connections that an SDT Connector client can concurrently have open through the one Gateway tunnel However there is a limit on the number of SDT Connector SSH tunnels that can be open at one time on a particular Gateway The B096 016 B096 048 Console Server Management Switch and B092 016 Console Server with PowerAlert each support at least 50 such concurrent connections So for a site with a BO96 016 gateway you can have at any time up to 50 users securely controlling an unlimited number of network attached computers power devices and other applia
137. d B092 016 username and as a remote Administrator you can then connect to the VNC server in the B092 016 and gain remote access to and monitor and take control of the B092 016 local display You can find more details on configuration options for the B092 016 realvnc server in http www realvnc com products free 4 1 man vncserver html Note You can also run a VNC client application such as RealVNC TightVNC or UltraVNC directly on a remote computer and configure it with the BO92 016 s IP address to connect to the B092 016 VNC server VNC Viewer i Connection Details Cy Sener 192 168 252 29 VC Encryption 228 Appendix A Hardware Specification FEATURE VALUE Dimensions B096 016 B096 048 17 x 12 x 1 75 in 43 2 x 31 3 x 4 5 cm B092 016 17 x 6 7 x 1 75 in 44 x 17 x 4 5 cm B095 004 B095 003 4 1x3 4x1 1 in 10 3 x 8 7 x 2 8 cm B096 016 B096 048 11 8 Ibs 5 4 kg B092 016 8 5 Ib 3 9 kg B095 004 B095 003 2 2 Ibs 1 0 kg Ambient operating temperature 41 F to 122 F 5 C to 50 C Non operating storage 20 F to 140 F 30 C to 60 C temperature Humidity 5 to 90 229 Appendix B Serial Port Connectivit Pinout standards exist for both DB9 and DB25 connectors however there are not pinout standards for serial connectivity using RJ45 connectors M any Console Servers and serially managed servers router switches PSUs have adopted their own unique pinout so custom connecto
138. d check NRPE Enabled gt Enter the details for the user connection to the upstream Nagios monitoring server Again refer to the sample Nagios configuration example below for details of configuring specific NRPE checks By default the Console Server will accept a connection between the upstream Nagios monitoring server and the NRPE server with SSL encryption without SSL or tunneled through SSH The security for the connection is configured at the Nagios server 140 10 3 3 Enable NSCA Monitoring i E EE Nagios Remote Monitoring Host Gateway Remote Servers NSCA is the mechanism that allows you to send passive check results from the remote Console Server to the Nagios daemon running on the monitoring server To enable NSCA NSCA NSCA Enabled Schedule check ins with the NSCA server NSCA Encryption None v Type of encryption NSCA Secret Password for NSCA NSCA Confirm Re enter password for NSCA NSCA Interval 4354 Check in frequency in minutes NSCA Port Port to connect to Defaults to 5667 NSCA User User to run as Defaults to nsca NSCA Group Group to run as Defaults to nobody gt Select System Nagios and check NSCA Enabled gt Select the Encryption to be used from the drop down menu then enter a Secret password and specify a check Interval gt Refer the sample Nagios configuration section below for some examples of conf
139. d connection to the target network connected host or serial connected device It will then execute the client application that will be used in communicating with the host This chapter details the basic SDT Connector operations Configuring the Console Server for SSH tunneled access to network attached hosts and setting up permitted Services and Users access Section 6 1 Setting up the SDT Connector client with gateway host service and client application details and making connections between the Client computer and hosts connected to the Console Server Section 6 2 Using SDT Connector to browser access the Management Console Section 6 3 68 Using SDT Connector to Telnet or SSH connect to devices that are serially attached to the Console Server Section 6 4 The chapter then covers more advanced SDT Connector and SDT tunneling topics 6 1 Using SDT Connector for out of band access Section 6 5 Automatic importing and exporting of configurations Section 6 6 Configuring Public Key Authentication Section 6 7 Setting up a SDT Secure Tunnel for Remote Desktop Section 6 8 Setting up a SDT Secure Tunnel for VNC Section 6 9 Using SDT to IP connect to hosts that are serially attached to the Console Server Section 6 10 Configuring for SDT Tunneling to Hosts To set up the Console Server to SDT access a network attached host the host and the permitted services that are to be used In accessing that host need to be conf
140. d in a command line or terminal window The Telnet client is an example of this c Tripp Lite SDTConnector Fite Edit Help el q G Edit Client Client name Telnet client Path to client executable file telnet Command line format for client executable cmd c start path host port epok 3 cance Close gt Click OK 6 2 8 Dial In Configuration If the client computer is dialing into Local Console port on the Console Server you will need to set up a dial in PPP link gt Configure the Console Server for dial in access following the steps in the Configuring for Dial In PPP Access section in Chapter 5 Configuring Dial In Access gt Set up the PPP client software at the remote User computer following the Set up the remote Client section in Chapter 5 Once you have a dial in PPP connection established you can then set up the secure SSH tunnel from the remote Client computer to the Console Server 6 2 9 Choosing an Alternate SSH Client e g PuTTY To set up the secure SSH tunnel from the Client computer to the Console Server you must install and launch SSH client software on the Client computer As described above it is recommended you use the 78 SDT Connector client software that is supplied with the gateway However there is also a wide selection of commercial and free SSH client programs that are supported PuTTY is a complete
141. d on bin config del config services snmp enabled 174 bin config del config services pingreply enabled The following command will synchronize the live system with the new configuration bin config run services Note bin config commands can be combined into one command for convenience 14 5 Serial Port Configuration 14 5 1 Serial Port Settings Setup serial port 5 to use the following properties Baud Rate 115200 Parity None Data Bits 8 Stop Bits 1 Flow Control Software You would need to issue the following commands from the command line to set the port configuration bin contig set config ports port5 speed 115200 bin config set config ports port5 parity Nione bin config set config ports port5 charsize 8 bin config set config ports port5 stop 1 bin config set config ports port5 flow Software The following command will synchronize the live system with the new configuration bin config run serialcontig Note that supported serial port baud rates are 50 75 110 134 150 200 300 600 1200 1800 2400 4800 9600 19200 38400 57600 115200 and 230400 Supported parity values are None Odd Even M ark and Space Supported data bits values are 8 7 6 and 5 Supported stop bits values are 1 1 5 and 2 Supported flow control values are Hardware
142. d on remote machine to local device i e 0 r sound MS Windows 2003 9 Geometry widthxheight or 70 screen percentage P Use p to receive password prompt Further information on rdesktop can be found at http www rdesktop org 16 1 7 Connect Citrix ICA gt Select Connect Citrix ICA on the control panel and click on the Citrix server to be accessed 229 Disconnect Options Clipboard Send Ctr AltDel Refresh CHICA Citrix Presentation Server Client for Unuy PowerSlert Console Connections View Tools B a Description Destination Serial Browser WBC SoH IP l ROP Adcd Delete Edit 16 1 8 Connect PowerAlert gt FA PANMS Console 12 04 Management EEE ppp E SE _T Devices Status IPAddress y poma i 2 i05 1 19 gt MAC Address Hostname Model Name ace N02 8 5 200 EFL LOG Bovey Prax SUT t t Lo Normal 192 168 1 28 00 11 43 23 b 192 168 21 28 UPS 7 i i T V Normal 192 168 1 37 00 16 65 02 4 192 168 1 37 SMARTISOORM2U Serial amp Net Serial Po Users amp G Authentic of Normal 67 173 59 145 y Normal is2 168 1 125 67 173 59 TRIPP LITE SMA 00 06 67 20 d 192 168 1 TRIPP LITE SMA Network Alarms Trusted Status Descrpton gt Cascaded mM linfa tan Pisa 2 Yame ANA 16 2 Advanced Control Panel 16 2 1 System Terminal pam 12 som 82 40
143. d print response lan Configure LAN Channels chassis Get chassis status and set power state event Send pre defined events to MC mc Management Controller status and global enables sdr Print Sensor Data Repository entries and readings sensor Print detailed sensor information fru Print built in FRU and scan SDR for FRU locators sel Print System Event Log SEL pef Configure Platform Event Filtering PEF Sol Configure IPM Iv2 0 Serial over LAN isol Configure IPM Iv1 5 Serial over LAN user Configure M anagement Controller users channel Configure Management Controller channels session Print session information exec Run list of commands from file set Set runtime variable for shell and exec 215 iomitool chassis help Chassis Commands status power identify policy restart_ cause poh bootdev iomitool chassis power help chassis power Commands status on off cycle reset diag soft You will find more details on ipmitools at http ipmitool sourceforge net manpage html 15 11 Scripts for Managing Slaves When the Console Servers are cascaded the M aster is in control of the serial ports on the Slaves and the Master s Management Console provides a consolidated view of the settings for its own and all the Slave s serial ports However the M aster does not provide a fully consolidated view e g Status Active Users It only displays those users active on the M aster s ports You will need to write a custom bash script that
144. d this alert to O Use SNMP to notify of this alert O Use Nagios to notify of this alert MSCA must be enabled under System Nagios Nagios must be enabled for each applicable host or port under Network Hosts or Serial Ports C Select Unselect all Ports C Port C Port C Port C Port C Port C Port C Port C Port 1 2 3 4 5 6 7 8 C Port C Port C Port C Port C Port C Port C Port C Port 9 10 11 12 13 14 15 16 The serial ports to apply this alert to No hosts are currently configured The hosts to apply this alert to No UPSes are currently configured The UPSes to apply this alert to No RPCs are currently configured The RPCs to apply this alert to No environmental monitors are currently configured The environmental monitor sensors to apply this alert to No environmental monitors are currently configured The alarm sensors to apply this alert to gt At Add a New Alert enter a Description for this new alert gt Nominate the email address for the Email Recipient and or the SMS Recipient to be notified of the alert gt Activate SNMP notification if it is to used for this event 106 gt Activate Nagios notification if it is to be used for this event In an SDT Nagios centrally managed environment you can check the Nagios alert option On the trigger condition for matched patterns logins power events and signal changes an NSCA check warning result will be sent to the central Nagios server This condition i
145. d transparently 2 The NUT network server program upsd is responsible for passing status data from the drivers to the client programs via the network upsd can cache the status from multiple UPS s and can then serve this status data to many clients upsd also contains access control features to limit the abilities of the clients So only authorized hosts may monitor or control the UPS hardware 3 There are anumber of NUT clients that connect to upsd to check on the status of the UPS hardware and do things based on the status These clients can run on the same host as the NUT server or they can communicate with the NUT server over the network enabling them to monitor any UPS anywhere The upsmon client enables servers that draw power through the UPS i e Slaves of the UPS to shutdown gracefully when the battery power reaches critical Additionally one server is designated the M aster of the UPS and is responsible for shutting down the UPS itself when all Slaves have shut down Typically the M aster of the UPS is the one connected to the UPS via serial or USB cable upsmon can monitor multiple UPS s so high end servers which receive power from multiple UPS s simultaneously won t initiate a shutdown until the total power situation across all source UPS s becomes critical There also the two status logging clients upsc and upslog The upsc client provides a quick way to poll the status of a UPS It can be used inside shell scripts and other
146. ddress Administration Firmware Prefer NRPE IP Date amp Time Use NRPE instead of NSCA whenever possible Defauits to prefer NSCA gt Browse the Console Server and select System Nagios on the Console Server Management Console Check Nagios service Enabled gt Enter the Host Name and the Nagios Host Address i e IP address that the central Nagios server will use to contact the distributed Console Server gt Enter the IP address that the distributed Console Server will use to contact the central Nagios server in Nagios Server Address gt Enter the IP address that the clients running SDT Connector will use to connect through the distributed Console Servers in SDT Gateway address gt Check Prefer NRPE NRPE Enabled and NRPE Command Arguments 136 gt gt Check NSCA Enabled choose an NSCA Encryption Method and enter and confirm an NSCA Secret Remember these details as you will need them later on For NSCA Interval enter 5 Click Apply Next configure the attached Window network host and specify the services you will be checking with Nagios HTTP and HTTPS gt gt gt Select Network Hosts from the Serial amp Network menu and click Add Host Enter the IP Address DNS Name of the network server e g 192 168 1 10 and enter a Description e g Windows 2003 IIS Server Remove all Permitted Services This server will be accessible using Terminal Services so check TCP
147. documentation and specifications contained in this manual are subject to change without prior notification by the manufacturer The manufacturer makes no representations or warranties either expressed or implied with respect to the contents hereof and specifically disclaims any warranties as to merchantability or fitness for any particular purpose Any of the manufacturer s software described in this manual is sold or licensed as is Should the programs prove defective following their purchase the buyer and not the manufacturer its distributor or its dealer assumes the entire cost of all necessary servicing repair and any incidental or consequential damages resulting from any defect in the software The manufacturer of this system is not responsible for any radio and or TV interference caused by unauthorized modifications to this device It is the responsibility of the user to correct such interference The manufacturer is not responsible for any damage incurred in the operation of this system if the correct operational voltage setting was not selected prior to operation Please take care to follow the safety precautions below when installing and operating the Console Server A N Do not remove the metal covers There are no operator serviceable components inside Opening or removing the cover may expose you to dangerous voltage which may cause fire or electric shock Refer all service to Tripp Lite qualified personnel To avoid elect
148. e NRPE server embedded in the Console Server must be configured the NRPE server is the Nagios daemon for executing plug ins on remote hosts Each of the Serial Ports and each of the Hosts connected to the Console Server which are to be monitored must have Nagios enabled and any specific Nagios checks configured Lastly the central upstream Nagios monitoring host must be configured 10 3 1 Enable Nagios on the Console Server gt Select System Nagios on the Console Server Management Console and tick the Nagios service Enabled 138 Enabled Switch on the Nagios service Nagios Host Name Mame of this system in Nagios Generated fram System Name if unspecified Nagios Host Address Address for Nagios to find this device at Defaults to Network I IF if set Nagios Server Address Address of the upstream server Disable SOT Nagios C Extensions Don t show sdti links in service status SDT Gateway Address External address of this system shown in sdti links Defaults te Naglos Host Address Prefer NRPE Use NARFE instead of NSCA whenever possible Defaults to prefer WSCA Enter the Nagios Host Name that the Console Server will be referred to in the Nagios central server this will be generated from local System Name entered in System Administration if unspecified In Nagios Host Address enter the IP address or DNS name that the upstream Nagios server will use to reach the Console Server if unspecified this wil
149. e SE j Local Address localhost Local TCP Port 5900 UDP Port Note SDT Connector can also tunnel UDP services SDT Connector tunnels the UDP traffic through the TCP SSH redirection so in effect it is a tunnel within a tunnel Enter the UDP port on which the service is running on the host This will also be the local UDP port that SDT Connector binds as the local endpoint of the tunnel Note that for UDP services you still need to specify a TCP port under General This will be an arbitrary TCP port that is not in use on the gateway An example of this is the SOL Proxy service It redirects local UDP port 623 to remote UDP port 623 over the arbitrary TCP port 6667 76 6 2 7 Adding a Client Program to be Started for the New Service Clients are local applications that may be launched when a related service is clicked To add to the pool of client programs gt Select Edit Preferences and click the Client tab Click Add gt gt cE Tripp Lite SDTConnector da E fit H etr EL S Sa S 9 SDTConnector Preferences G GS Add Client Client name Path to client executable file Command line format for client executable OK 3 Cancel Close Enter a Name for the client Enter the Path to the executable file for the client or click Browse to locate the executable Enter a Command Line associated wi
150. e Server in the event you are unable to access through the primary management network you may still have access through the alternate broadband path e g a T1 link gt On the System IP menu select Management LAN Interface and configure the IP Address Subnet Mask Gateway and DNS with the access settings that relate to the alternate link gt Ensure that when configuring the principal Network Interface connection you set the Failover Interface to None 5 3 Broadband Ethernet Failover B096 048 016 only The second Ethernet port on the B096 048 016 Console Server Management Switch can also be configured for failover to ensure transparent high availability 64 TRIPP LITE POWER PROTECTION System Name Model Number B096 016 Current User Firmware Rev Up time 0 days 3 hours 38 mins Serial amp Network Serial Port Users amp Groups Authentication Network Hosts Network Interface Management LAN Interface General Settings IP Settings Network Trusted Networks prin a DHCP Cascaded Ports O Static UPS Connections The mechanism to acquire IP settings RPC Connections Environmental IP Address A statically assigned IP address Alerts amp Logging Port Log Subnet Mask Alerts A statically assigned network mask SMTP amp SMS SNMP Gateway A Statically assigned gateway Adminis
151. e enter the above password for confirmation gt Enter the Server Address IP or host name of the remote Authentication Authorization server M ultiple remote servers may be specified in a comma separated list Each server is tried in succession gt In addition to multiple remote servers you can also enter for separate lists of Authentication Authorization servers and Accounting servers If no Accounting servers are specified the Authentication Authorization servers are used instead gt Enter the Server Password gt Click Apply RADIUS remote authentication will now be used for all user access to Console Server and serially or network attached devices RADIUS The Remote Authentication Dial In User Service RADIUS protocol was developed by Livingston Enterprises as an access server authentication and accounting protocol The RADIUS server can support a variety of methods to authenticate a user When it is provided with the username and original password given by the user it can support PPP PAP or CHAP UNIX 128 9 1 4 login and other authentication mechanisms Further information on configuring remote RADIUS servers can be found at the following sites http www microsoft com technet prodtechnol windowsserver2003 library Depkit d4fe8248 eecd 49e4 88f6 9e304f9 7fefc mspx http www cisco com en US tech tk59 technologies tech note09186a00800945cc shtml http Awww freeradius org LDAP Authentication Perform the follo
152. ectual property rights in including copyright the Software components and all copies thereof provided however that 1 certain components of the Software including SDT Connector are components licensed under the GNU General Public License Version 2 which Tripp Lite supports and 2 the SDT Connector includes code from JSch a pure Java implementation of SSH2 which is licensed under BSD style license Copies of these licenses are detailed below and Tripp Lite will provide source code for any of the components of the Software licensed under the GNU General Public License upon request 232 EXPORT RESTRICTIONS You agree that you will not export or re export the Software any part thereof or any process or service that is the direct product of the Software in violation of any applicable laws or regulations of the United States or the country in which you obtained them U S GOVERNMENT RESTRICTED RIGHTS The Software and related documentation are provided with Restricted Rights Use duplication or disclosure by the Government is subject to restrictions set forth in subparagraph c 1 ii of the Rights in Technical Data and Computer Software clause at DFARS 252 227 7013 or subparagraphs c 1 and 2 of the Commercial Computer Software Restricted Rights at 48 C F R 52 227 19 as applicable or any successor regulations TERM AND TERMINATION This EULA is effective until terminated The EULA terminates immediately if you fail to comp
153. ed through that system in reliance on consistent application of that system it is up to the author donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License 8 If the distribution and or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces the original copyright holder who places the Program under this License may add an explicit geographical 236 distribution limitation excluding those countries so that distribution is permitted only in or among countries not thus excluded In such case this License incorporates the limitation as if written in the body of this License 9 The Free Software Foundation may publish revised and or new versions of the General Public License from time to time Such new versions will be similar in spirit to the present version but may differ in detail to address new problems or concerns Each version is given a distinguishing version number If the Program specifies a version number of this License which applies to it and any later version you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation If the Program does not specify a version number of this License you may choose any version ever pu
154. ed to the host key of the remote server Fingerprints are stored in ssh known_ hosts To receive the fingerprint from the remote server log in to the client as the required user usually root and establish a connection to the remote host ssh remhost 200 The authenticity of host remhost 192 168 0 1 can t be established RSA key fingerprint is 8d 11 e0 7e 8a 6f ad f1 94 0f 93 fc 7c e6 ef 56 Are you sure you want to continue connecting yes no At this stage answer yes to accept the key You should get the following message Warning Permanently added remhost 192 168 0 1 RSA to the list of known hosts You may be prompted for a password but there is no need to log in you have received the fingerprint and can Ctrl C to cancel the connection If the host key changes you will receive the following warning and not be allowed to connect to the remote host CEP CECE ECEOECECOEEEEEECEEECEECEECECECEECEEECOEEO WARNING REM OTE HOST IDENTIFICATION HAS CHANGED IT IS POSSIBLE THAT SOM EONE IS DOING SOM ETHING NASTY CEOPCECECECEOEECEOEECEEECEECECEECEECECECEECEEECOEEO Someone could be eavesdropping on you right now man in the middle attack It is also possible that the RSA host key has just been changed The fingerprint for the RSA key sent by the remote host is ab 7e 33 0d 85 50 5a 43 0b e0 bd 43 3f 1c a5 f8 Please contact your system administrator Add correct host key in ssh known_ hosts to get rid of this
155. edistributions of source code must retain the above copyright notice this list of conditions and the following disclaimer 2 Redistributions in binary form must reproduce the above copyright notice this list of conditions and the following disclaimer in the documentation and or other materials provided with the distribution 3 The names of the authors may not be used to endorse or promote products derived from this software without specific prior written permission THIS SOFTWARE IS PROVIDED AS IS AND ANY EXPRESSED OR IMPLIED WARRANTIES INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED IN NO EVENT SHALL JCRAFT INC OR ANY CONTRIBUTORS TO THIS SOFTWARE BE LIABLE FOR ANY DIRECT INDIRECT INCIDENTAL SPECIAL EXEMPLARY OR CONSEQUENTIAL DAMAGES INCLUDING BUT NOT LIMITED TO PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES LOSS OF USE DATA OR PROFITS OR BUSINESS INTERRUPTION HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY WHETHER IN CONTRACT STRICT LIABILITY OR TORT INCLUDING NEGLIGENCE OR OTHERWISE ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE SDT Connector License GNU GENERAL PUBLIC LICENSE Version 2 June 1991 Copyright C 1989 1991 Free Software Foundation Inc 51 Franklin Street Fifth Floor Boston MA 02110 1301 USA 234 Everyone is permitted to copy and distribute verbatim copies of thi
156. efaults to 0 gt Select the Driver that will be used to communicate with the UPS The drop down menu presents a full selection of drivers from the latest Network UPS Tools NUT version 2 2 0 and additional information on compatible UPS hardware can be found at http www networkupstools org compat stable htm gt Click New Options in Driver Options if you need to set driver specific options for your selected NUT driver and hardware combination more details at http www networkupstools org doc Driver Options Option Argument 117 gt Check Log Status and specify the Log Rate i e minutes between samples if you wish the status from this UPS to be logged These logs can be views from the Status UPS Status screen gt Check Enable Nagios to enable this UPS to be monitored using Nagios central management gt Click Apply You can also customize the upsmon upsd and upsc settings for this UPS hardware directly from the command line 8 2 2 Configure UPS Powering the Console Server A Monitored UPS is a UPS that is providing the power to the Console Server The purpose of configuring a Monitored UPS is to provide an opportunity to perform any last gasp actions before power is lost during a power failure This is achieved by placing a script in etc config scripts ups shutdown You may use the etc scripts ups shutdown as a template This script is run when then UPS reaches critical battery status gt Ifthe Console Serve
157. erm This is an open source package that can be downloaded from http sourceforge net projects sshtools ssHTerm 0 2 2 eM Edt View Took Help T New Connection A Co Open Alt 4 Edt To use SSHTerm for an SSH terminal session from a Windows Client simply Select the File option and click on New Connection E Anew dialog box will appear for your Connection Profile Print Ay Port Previ Type in the host name or IP address for the Console Server unit and the TCP port that the SSH session will use port 22 Then type in your username and choose password authentication and click Connect Connection Profile TE HoH Protocol Proxy Commands Terminal j Hime mj 197 16601 Fiw HWI Llerena nook Shp gima mahia pis sveordl l pubinhey heya Garde aie A message may appear about the host key fingerprint You will need to select Yes or Always to continue The next step is password authentication You will be prompted for your username and password from the remote system You will then be logged on to the Console Server 3 6 Management Network Configuration B096 048 016 only The B096 048 016 Console Server Management Switches have a second Ethernet network port that can be configured as a management Console Server LAN port or as a failover OoB access port 3 6 1 Configure Management Switch as a Management LAN Gateway The Management Switch in the B096 048 01
158. es Remote Gant 3 m oyster Citrix ICA PowerSlert Console Serial Browser WYNE SSH IFAI ROP Add Delete E dit a ih gt Then select a Connect client such as RDP and click Add to configure the Host connection for that client service 218 f ip Favorites Remote Control k Add ROP Menu Entry OX IFMiSerial Over LAM Label ooo ROP Hostname Aga Cancel H TF F Add Delete Edit save Cancel gt For each new Host you add you will be asked to enter a Label enter a descriptive name and a Hostname enter the IP Address or DNS Name of the new network connected Host and possibly a Username enter the name you will use to log in to the Host Once a Host has been added you can select Edit and update the commands that will be executed in connecting the service to the existing Host Command rst e ssh l bob 192 16 l SAVE Cancel The sixteen serial ports are pre configured by default in Console Server mode for the B096 016 B096 048 Console Server Management Switch or in UPS PowerAlert mode for the B092 016 Console Server with PowerAlert product To change these settings select Configure which will load the local Firefox browser and run the Management Console You can then reconfigure the serial ports as detailed in Chapter 4 219 we Favorites E Rance Control Disconnect Options Clipboard Send Ctri Alt Del Refres
159. es via a modem using the TAP Protocol Almost all mobile phone carriers provide an SMS gateway service that forwards email to mobile phones on their networks There is also a wide selection of SMS gateway aggregators who provide email to SMS forwarding to phones on any carriers To use SM TP SMS the Administrator must configure a valid SM TP server for sending the email 103 7 1 3 SMTP SMS Server Server The outgoing SMTP SMS server address Secure Connection None O TLS O SSL If this server uses a secure connection specify its type Sender Power ow ef Terminal The from address which will appear on the sent email Username If this server requires authentication specify the username Password If this server requires authentication specify the password Confirm E Re enter the password Subject Line If this server requires a specific subject line specify it here In the SMTP SMS Server field in the Alerts amp Logging SM TP amp SM S menu enter the IP address of the outgoing mail Server You may enter a Sender email address which will appear as the from address in all email notifications sent from this Console Server Some SM S gateway service providers only forward email to SM S when the email has been received from authorized senders So you may need to assign a specific authorized email address for the Console Server You may also enter a Username and Password as some SM S gatew
160. escription gt lt users gt lt total gt 1 lt total gt lt user1 gt john lt userl1 gt lt users gt lt host2 gt lt host3 gt lt address gt 192 168 254 191 lt address gt lt description gt lonys Win2000 Box lt description gt lt users gt lt total gt 1 lt total gt lt user1 gt john lt user1 gt lt users gt lt tcpports gt lt tcpport1 gt 23 lt tcpport1 gt lt tcpports gt lt host3 gt lt hosts gt lt sdt gt lt config gt 14 8 Configuration Backup and Restore Before backing up the configuration you need to arrange a way to transfer the backup off box This could be via an NFS share a Samba Windows share to USB storage or copied off box via the network If backing up directly to off box storage make sure it is mounted 180 tmp is not a good location for the backup except as a temporary location before transferring it off box The tmp directory will not survive a reboot The etc config directory is not a good place either as it will not survive a restore Backup and restore should be done by the root user to ensure correct file permissions are set The config command is used to create a backup tarball config e lt Output File gt The tarball will be saved to the indicated location It will contain the contents of the etc config directory in an uncompressed and unencrypted form Example nfs storage mount t nfs 192 168 0 2 backups mnt config e mnt xxxxx config umount mnt Exam
161. esponsible for enforcing compliance by third parties to this License 7 lf as a consequence of a court judgment or allegation of patent infringement or for any other reason not limited to patent issues conditions are imposed on you whether by court order agreement or otherwise that contradict the conditions of this License they do not excuse you from the conditions of this License If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations then as a consequence you may not distribute the Program at all For example if a patent license would not permit royalty free redistribution of the Program by all those who receive copies directly or indirectly through you then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program If any portion of this section is held invalid or unenforceable under any particular circumstance the balance of the section is intended to apply and the section as a whole is intended to apply in other circumstances It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims this section has the sole purpose of protecting the integrity of the free software distribution system which is implemented by public license practices Many people have made generous contributions to the wide range of software distribut
162. etween the host and the gateway then set up Secure Tunneling Ports on the Console Server Section 6 7 2 then configure SDT Connector to use the appropriate network protocol to access IP consoles on the host devices that are attached to the Console Server serial ports Section 6 7 3 6 10 1 Establish a PPP Connection Between the Host COM Port and Console Server This step is only necessary for serially connected computers Firstly physically connect the COM port on the host computer that is to be accessed to the serial port on the Console Server Then A For non Windows computers Linux UNIX Solaris etc establish a PPP connection over the serial port The online tutorial http www yolinux com TUTORIALS LinuxTutorialPPP html presents a selection of methods for establishing a PPP connection for Linux 96 B For Windows XP and 2003 computers follow the steps below to set up an advanced network connection between the Windows computer through its COM port to the Console Server Both Windows 2003 and Windows XP Professional allow you to create a simple dial in service which can be used for the Remote Desktop VNC HTTP X connection to the Console Server gt Open Network Connections in Control Panel and click the New Connection Wizard New Connection Wizard K Network Connection Type What do you want to do O Connect to the Intemet Connect to the Intemet so you can browse the Web and read email Connect to the network
163. everal security issues to be considered before enabling the IPM I LAN interface A remote station has the ability to control a system s power state as well as being able to gather certain platform information To reduce vulnerability it is strongly advised that the IPM I LAN interface only be enabled in trusted 214 environments where system security is not an issue or where there is a dedicated secure management network or access has been provided through an Console Server Further it is strongly advised that you should not enable IPM I for remote access without setting a password and that the password should not be the same as any other password on that system When an IPM I password is changed on a remote machine with the IPM Iv1 5 lan interface the new password Is sent across the network as clear text This could be observed and then used to attack the remote system It is thus recommended that IPM I password management only be done over IPM lv2 0 lanplus interface or the system interface on the local station For IPM I v1 5 the maximum password length is 16 characters Passwords longer than 16 characters will be truncated For IPM I v2 0 the maximum password length is 20 characters longer passwords are truncated Commands help This can be used to get command line help on ipmitool commands It may also be placed at the end of commands to get option usage help iomitool help Commands raw Send a RAW IPM request an
164. eys to the Server and Client gateways Client Keys The first step in setting up SSH tunnels is to generate keys Ideally you will use a separate secure machine to generate and store all keys to be used on the devices However if this is not ideal to your situation keys may be generated on the Console Servers themselves It is possible to generate only one set of keys and reuse them for every SSH session While this is not recommended each organization will need to balance the security of separate keys against the additional administration they bring 202 Generated keys may be one of two types RSA or DSA and it is beyond the scope of this document to recommend one over the other RSA keys will go into the files id_rsa and id_rsa pub DSA keys will be stored in the files id_dsa and id_dsa pub For simplicity going forward the term private key will be used to refer to either id_rsa or id_dsa and public key to refer to either id_rsa pub or id_dsa pub Client 1 Server Client 2 ma lt gt an wi gt ee Client 1 Keys Client 2 Keys To generate the keys using OpenBSD s OpenSSH suite we use the ssh keygen program ssh keygen t rsa dsa Generating public private rsa dsa key pair Enter file in which to save the key home user ssh id_ rsa dsa Enter passphrase empty for no passphrase Enter same passphrase again Your identification has been saved in home user ssh id_ rsa dsa Your public key has been s
165. face to use Supported interfaces that are compiled in and visible in the usage help output L lt privivi gt Force session privilege level Can be CALLBACK USER OPERATOR ADMIN Default is ADMIN m lt local_ address gt Set the local IPM B address The default is 0x20 and there should be no need to change it for normal operation 0 lt oemtype gt Select OEM type to support This usually involves minor hacks in place in the code to work around quirks in various BM Cs from various manufacturers Use o list to see a list of current supported OEM types p lt port gt Remote server UDP port to connect to Default is 623 P lt password gt Remote server password is specified on the command line If supported it will be obscured in the process list Note Specifying the password as a command line option is not recommended t lt target_address gt Bridge IPM I requests to the remote target address U lt username gt Remote server username default is NULL user V Increase verbose output level This option may be specified multiple times to increase the level of debug output If given three times you will get hexdumps of all incoming and outgoing packets V Display version information If no password method is specified then ipmitool will prompt the user for a password If no password is entered at the prompt the remote server password will default to NULL Security The ipmitool documentation highlights that there are s
166. feature will be available mid 2010 56 4 8 Managed Devices B095 004 003 only Managed Devices presents a consolidated view of all the connections to a device that can be accessed and monitored through the Console Server Note The Managed Devices feature was introduced with Revision 3 0 1 firmware so is only currently available on BO95 004 1E BO95 003 1E M Console Servers To view the connections to the devices gt Select Serial amp Network Managed Devices a Renn Nene ie Ol TRIPP LITE z W Backup Log Out POWER PROTECTION Serial amp Network Managed Devices Serial amp Network Serial Port Add a New Device Users amp Groups Device Name Authentication Network Hosts A descriptive name for this device Trusted Networks Cascaded Ports Description Notes m wel eae A brief description of the device Environmental Managed Devices Alerts amp Logging Connections Add Connection Administration Apply This screen displays all the M anaged Device with their Description Notes and lists of all the configured Connections i e Serial Port if serially connected or USB if USB connected IP address if network connected Power PDU outlet details if applicable and any UPS connections M any Devices such as servers will commonly have more than one power connections e g dual power supplied and more than one network connection e g for BM C service proce
167. fer to Chapter 8 gt Select Connect IPMI on the control panel and select the Serial over LAN connection to be accessed iy Favorites G Remote Control Fi Disconnect Options Clipboard Send Ctrl Alt Del Refresh J Citrix ICA PaowerAlert Console Serial Over LAN k Add Delete Edit This will launch a Serial Over LAN session by running ipmitool I lanplus H hostname U username P password sol activate 223 The resulting serial character connection is presented in an rxvt ouR XVT window Also the Serial Over LAN feature is only applicable to IPM 12 0 devices gt Select Logs IPMI on the control panel and select the IPM I Event Log to be viewed P Configure E Connect E Logs H Status FS Custom T System syslog VNC Server aerial a r Log Files IPMI Event Log 4 AddiDelete Edit This will retrieve the selected IPM I event log by running ipmitool I lanplus H hostname U username P password sel info Bs Configure 35 Connect Logs IE Status Pee Custom B System Serial Power Status AddiDelete Edit 16 1 6 Connect Remote Desktop RDP gt Select Connect RDP on the control panel and click on the Windows computer to be accessed 2 Configure 35 Connect m Logs 5 Status lee Custom System Serial Erowser VNC SSH IPMIe TE I o Ace NI412 AddiDelete Edit XP Engineering FF6 MS Server 2007 4R gt The rdesktop p
168. ge message V verbose Log extra debug information d delsd Remove the given configuration element specified by a separated identifier g get d Display the value of a configuration element p path file Specify an alternate configuration file to use The default file is located at etc config config xml r run configurator Run the specified registered configurator Registered configurators are listed below S set id value Change the value of configuration element specified by a separated identifier e export file Save active configuration to file import file Load configuration from file t test import file Pretend to load configuration from file S separator char The pattern to separate fields with default is The registered configurators are alerts ipconfig auth nagios cascade power console serialconfig dhcp services dialin Slave eventlog systemsettings hosts time ipaccess ups users 169 14 2 Administration Configuration 14 2 1 System Settings To change system settings to the following values System Name og mydomain com System Password root account secret System SM TP Server 192 168 0 124 System SM TP Sender og mydomain com The following commands must be issued bin config set config system name og mydomain com bin config set config system password secret bin config set config system smtp server 192 168 0 124 bin config set config system
169. h the rack mounting brackets supplied with the unit and install the unit in the rack Take care to heed the Safety Precautions listed earlier gt Proceed to connect your B092 016 to the network to the serial and USB ports of the controlled devices to any rack side LCD console or KVM switch and to power as outlined below 2 1 3 Kit Components B095 004 1E and B095 003 1E M Console Server B095 004 1E 4 port Console Server with single NIC or B095 003 1E M 3 port Console Server with single NIC and modem O O 2 x Cable UTP Cat5 blue 15 Connectors DB9F R 45S straight and cross over External power supply Quick Start Guide and CD ROM gt Unpack your Console Server kit and verify you have all the parts shown above and that they all appear in good working order gt If you are installing your Console Server in a rack you will need to attach the rack mounting brackets supplied with the unit and Install the unit in the rack Take care to head the Safety Precautions gt Proceed to connect your Console Server to the network to the serial ports of the controlled devices and to power as outlined below 2 2 Power Connection 2 2 1 Power Console Server Management Switch The B096 048 16 Console Server Management Switch has dual universal AC power supplies with auto failover built in These power supplies each accept AC input voltage between 100 and 240 VAC with a frequency of 50 or 60 Hz and the total power consumption per
170. h y 7 TrippLite Management Console Mozilla Firefox OF x File Edit View History Bookmarks Tools Help zli IG Googie System Name 1092 016 Model Number 6092 0176 Firmware Rev 2 6 11 Current User roni Up time Udavs 7 tour AF amp AS sar Serial amp Network Serial Port Serial Port Users amp Groups Authentication Port 1 Network Hosts Trusted Networks Cascaded Ports s600 UPS Connections RPC Connections 8 v Environmental gt The serial ports unique identifier The serial ports speed The number of data bits to use I Riana N ngs 16 1 1 Connect Serial Terminal gt Select Connect Serial on the control panel and click on the desired serial port A window will be created with a connection to the device on the selected serial port Favorites RemoteControl M Disconnect Options Clipboard Send Ctri Alt Del Refresh F Citrix ICA Power lert Console n Add Delete Edit port04 The embedded terminal emulator uses rxvt a color vt102 terminal emulator You can find more details on configuration options in http www rxvt org manual html 16 1 2 Connect Browser gt Select Connect Browser on the control panel and click on the Host web site you have configured to be accessed using the browser Sites can be internal or external 220 Serial gt Citrix ICA Support Cisco Systems
171. hat you choose a complex password and keep It safe You may now wish to enter a System Name and System Description for the Console Server to give it a unique ID and make it simple to identify Click Apply As password has been changed you will be prompted to log in again This time use the new password If you are not confident your Console Server has been supplied with the current release of firmware you can upgrade Refer to Upgrade Firmware Chapter 10 Network IP Address It is time to enter an IP address for the principal 10 100 LAN port on the Console Server or enable its DHCP client so that it automatically obtains an IP address from a DHCP server on the network to which it is to be connected gt gt On the System IP menu select the Network Interface page then check DHCP or static for the Configuration Method If you select static you must manually enter the new IP Address Subnet Mask Gateway and DNS server details This selection automatically disables the DHCP client 23 System Name TLE Model Number _ _ gt gt 46 1 y TRIPP LITE Firmware Rev lul Current User i Up time 7 i 27 1 lt gt lt n POWER PROTECTION Serial amp Network Serial Port Network Interface Management LAN Interface General Settings Users amp Groups Authentication IP Settings Network Network Hosts 7 i Trusted Networks ee O DHCP Cascaded Ports Static UPS Connect
172. he Support Report with your email support request The Support Report should be generated when the issue is occurring and attached in plain text format System Name Model Number B096 016 aaa L6 B ITF Firmware Rev 2 6 1u1 Current User root 5 t days 2 10 c 52 mins 7 secs Go back to the main page Up time 1 ee sole aa Status Support Report Serial amp Network Serial Port Firmware Version Users amp Groups TrippLite BO96 Version 2 6 1u1 Wed Feb 11 11 01 34 EST 2009 Authentication Network Hosts Trusted Networks Cascaded Ports Uptime UPS Connections RPC Connections Environmental 1 days 2 hours 52 mins 17 secs Alerts amp Logging IP Configuration Port Log Alerts eth0 Link encap Ethernet HWaddr 00 13 C6 66 77 89 SMTP amp SMS inet addr 192 168 0 1 Bcast 192 168 0 255 Mask 255 255 255 0 SNMP inet6 addr fe80 213 c6ff fe66 7789 64 Scope Link Syste UP BROADCAST RUNNING MULTICAST MTU 1500 Metric 1 Adminictratinn gt Select the Status Support Report menu option and you will be presented with a snapshot of your Console Server s status gt Save the file as a text file and attach it to your support email 12 4 Syslog The Linux System Logger maintains a record of all system messages and errors gt Select Status Syslog 157 Remote System Logging The syslog record can be redirected to a remote Syslog Server gt Enter the
173. he snmpd conf is extremely powerful and too flexible to cover completely here The configuration file itself is commented extensively and good documentation is available at the net snmp website http www net snmp org specifically M an Page http www net snmp org docs man snmpd conf html FAQ http www net snmp org docs FAQ html Net SNM PD Tutorial http www net snmp org tutorial tutorial 5 demon snmpd html 15 5 1 Adding More than One SNMP Server To add more than one SNMP server for alert traps add the first SNMP server using the Management Console refer to Chapter 7 or the command line config tool Secondary and any further SNMP servers are added manually using config Log in to the Console Server s command line shell as root or an admin user Refer back to the Management Console UI or user documentation for descriptions of each field To set the M anager Protocol field config set config system snmp protocol2 UDP or config set config system snmp protocol2 1CP To set the M anager Address field config set config system snmp address2 w x y z replacing w x y z with the IP address or DNS name To set the M anager Trap Port field config set config system snmp trapport2 162 replacing 162 with the TCP UDP port number To set the Version field config set config system snmp version2 1 or config set config system snmp version2 2c or config set config system snmp version2 3 To set the Community field SNM
174. heck_nrpe H 192 168 254 147 p 5666 c host_ HOSTNAME ARG1 ARG2 define service service_description SSH Port host_name server 146 use generic service check_command check_conn_via_tripplite tcp 22 define service service_description host port tcp 22 server host port lt protocol gt lt port gt lt host gt host_name server use generic service check_command check_conn_via_tripplite tcp 22 active checks enabled 0 passive checks enabled 1 define servicedependency name tripplite_nrpe daemon dep host_name tripplite dependent_host_ name server dependent service description SSH Port service description NRPE Daemon execution failure criteria W U C 10 4 2 Basic Nagios Plug Ins Plug ins are compiled executables or scripts that can be scheduled to be run on the Console Server to check the status of a connected host or service This status is then communicated to the upstream Nagios server which uses the results to monitor the current status of the distributed network Each Console Server is preconfigured with a selection of the checks that are part of the Nagios plug ins package check_tcp and check_udp are used to check open ports on network hosts check_ping is used to check network host availability check_nrpe is used to execute arbitrary plug ins in other devices Each Console Server is also preconfigured with two checks that are specific to the Console Server check_serial_signals is used to monitor the handshaking line
175. hey can reconfigure the Console Server settings e g to enabled HTTP Telnet for future access They can also access any of the connected Hosts or serial port devices using any of the services that have been enabled for these connections However since the Administrator can reconfigure the access services for any Host or serial port only trusted users should have Administrator access For convenience the SDT Connector Retrieve Hosts function retrieves and auto configures checked serial ports and checked hosts only even for admin group users Membership of the user group provides the user with limited access to the Console Server and connected Hosts and serial devices These Users can access only the Management section of the Management Console menu and they have no command line access to the Console Server They also can only access those Hosts and serial devices that have been checked for them using services that have been enabled The Administrator can also set up additional Groups with specific serial port and host access permissions Same as Users However users in these additional groups don t have any access to the Management Console menu nor to any command line access to the Console Server itself Lastly the Administrator can also set up users who are not a member of any Groups and they will have the same access as users in the additional groups To set up new users and classify them as members of particular Groups 43 gt
176. his will set a Volume Label on the USB storage device This preparation step Is only necessary the first time and will not affect any other information you have saved onto the USB storage device However it is recommended that you back up any critical data from the USB storage device before using it with your Console Server If there are multiple USB devices installed you will be warned to remove them Local Configuration Backups Before saving configuration locally prepare the USB storage device for use Disconnect all USB devices then click here to proceed After the USB storage device has been prepared you may reconnect other USB devices 153 To backup to the USB enter a brief Description of the backup in the Local Configuration Backups menu and select Save Backup The Local Configuration Backup menu will display all the configuration backup files you have stored onto the USB flash To restore a backup from the USB simply select Restore on the particular backup you wish to restore and click Apply After saving a local configuration backup you may choose to use it as the alternate default configuration When the Console Server is reset to factory defaults it will then load your alternate default configuration instead of its factory settings To set an alternate default configuration check Load On Erase and click Apply Note Before selecting Load On Erase please ensure you have tested your alternate default configuration
177. hwclock set date 092216452005 05 Where the format is MM DDhhmm CC YY ss Then the following command will save this new hardware clock time as the system time bin hwclock hctosys Network Time Protocol To enable NTP using a server at pool ntp org issue the following commands bin config set config ntp enabled on bin config set config ntp server pool ntp org The following command will synchronize the live system with the new configuration bin config runstime 171 Time Zone To change the system time zone USA to Eastern Standard Time you need to Issue the following commands bin config set config system timezone US Eastern The following command will synchronize the live system with the new configuration bin config run time 14 4 Network Configuration 14 4 1 IP Configuration Please note that supported interface modes are dhcp and static DHCP To enable a DHCP client on the primary Network interface eth0 from the Console Server command line bin config set config interfaces wan mode dhcp The following command will then synchronize the live system with the new configuration bin config runspcontig Note bin config commands can be combined into one command for convenience Please note that supported interface modes are dhcp and static Static To set static configuration on the primary Network interface with the following attributes
178. ices will have no way to supply it as runtime Full documentation for the ssh keygen command can be found at http www openbsd org cgi bin man cgi query ssh keygen 15 6 3 Installing the SSH Public Private Keys Clustering For Console Servers the keys can be simply uploaded through the web interface on the System Administration page This enables you to upload stored RSA or DSA Public Key pairs to the M aster and apply the Authorized key to the Slave as is described in Chapter 4 6 Once complete proceed to Fingerprinting as described below SSH RSA Public Key Upload a replacement RSA public key file SSH RSA Private SSS di CR Key Upload a replacement RSA private key file SSH DSA Public Key Upload a replacement DSA public key file SSHDSAPrivate SSSR Key Upload a replacement DSA private key file Keys Upload a replacement authorized keys file 15 6 4 Installing SSH Public Key Authentication Linux Alternately the public key can be installed on the unit remotely from the Linux host with the scp utility as follows 196 Assuming the user on the M anagement Console is called fred the IP address of the Console Server is 192 168 0 1 default and the public key is on the linux unix computer in ssh id_dsa pub Execute the following command on the linux unix computer scp ssh id_dsa pub root 192 168 0 1 etc config users fred ssh authorized_keys The authorized_keys file on the Console Server needs to be
179. ick on any particular All Data for any UPS system in the table for more status and configuration information on the select UPS system gt Select UPS Logs and you will be presented with the log table of the load battery charge level temperature and other status information from all the Managed and Monitored UPS systems This information will be logged for all UPSs which were configured with Log Status checked The information is also presented graphically 8 2 6 Overview of Network UPS Tools NUT Network UPS Tools NUT is a group of open source programs that provide a common interface for monitoring and administering UPS hardware and ensuring safe shutdowns of the systems which are connected 120 NUT can be configured using the Management Console as described above or you can configure the tools and manage the UPS s directly from the command line This section provides an overview of NUT You can find full documentation at http www networkupstools org doc NUT is built on a networked model with a layered scheme of drivers server and clients 1 The driver programs talk directly to the UPS equipment and run on the same host as the NUT network server upsd Drivers are provided for a wide assortment of equipment from most of the popular UPS vendors and they understand the specific language of each UPS and map it back to a compatibility layer This means both an expensive smart protocol UPS and a simple power strip model can be handle
180. iguration options in http www realvnc com products free 4 1 man vncviewer html 16 1 4 Connect SSH SSH is typically used to log into a remote machine and execute commands gt Select Connect SSH on the control panel and click on the Host to be accessed gt An SSH connection window will be opened Enter the SSH login password and you will be securely connected to the selected Host Z22 b Serial Citrix ICA Browser gt YNE gt SSH i d Cisco 0485 IPMI 56560 RDP b gt Asterix Add Delete Edit ssh Password The B092 016 SSH connection uses OpenSSH http www openssh com and the terminal connection is presented using rxvt ouR XVT You can find more details on configuration options in http www rxvt org manual htm 16 1 5 Connect IPM The B092 016 control panel provides a number of IPM I tools for managing service processors or Baseboard M anagement Controllers BM Cs These IPM I controls are built on the ipmitools program Find more details on configuration options in http ipmitool sourceforge net manpage html The ipmitool program provides a simple command line interface to the BM Cs and features the ability to read the sensor data repository SDR display the contents of the System Event Log SEL read and set LAN configuration parameters and perform remote chassis power control The B092 016 M anagement Console also has additional tools for controlling power units with IPM I interfaces re
181. igured on the gateway and User access privileges need to be specified gt Add the new host and the permitted services using the Serial amp Network Network Hosts menu Note 6 2 as detailed in Network Hosts Chapter 4 4 Only these permitted services will be forwarded by SDT to the host All other services TCP UDP ports will be blocked Following are some of the TCP Ports used by SDT in the Console Server 22 SSH All SDT Tunneled connections 23 Telnet on local LAN forwarded inside tunnel 80 HTTP on local LAN forwarded inside tunnel 3389 RDP on local LAN forwarded inside tunnel 5900 VNC on local LAN forwarded inside tunnel 73XX RDP over serial from local LAN where XX is the serial port number i e 7301to 7348 79XX VNC over serial from local LAN where XX is the serial port number Add the new Users using Serial amp Network Users amp Groups menu as detailed in Network Hosts Chapter 4 4 Users can be authorized to access the Console Server ports and specified network attached hosts To simplify configuration the Administrator can first set up Groups with group access permissions then Users can be classified as members of particular Groups SDT Connector Configuration The SDT Connector client works with all Console Servers Each of these remote Console Servers has an embedded OpenSSH based server This server can be configured to port forward connections from the SDT Connector client to hosts on their
182. iguring specific NSCA checks 10 3 4 Configure Selected Serial Ports for Nagios Monitoring The individual Serial Ports connected to the Console Server to be monitored must be configured for Nagios checks Refer to Chapter 4 4 Network Host Configuration for details on enabling Nagios monitoring for Hosts that are network connected to the Console Server To enable Nagios to monitor a device connected to the Console Server serial port gt Select Serial amp Network Serial Port and click Edit on the serial Port to be monitored 14 gt Select Enable Nagios specify the name of the device on the upstream server and determine the check to be run on this port Serial Status monitors the handshaking lines on the serial port and Check Port monitors the data logged for the serial port Nagios Settings Enable Nagios F Switch Nagios on for this port Cd Name of host in Nagios Defauits te host name if unset Port Log Switch on Nagios port logging Serial Status F Switch on Nagios serial status 10 3 5 Configure Selected Network Hosts for Nagios Monitoring The individual Network Hosts connected to the Console Server that is to be monitored must also be configured for Nagios checks gt Select Serial amp Network Network Port and click Edit on the Network Host to be monitored Nagios Settings Enable Nagios Switch Nagios on for this host Name of host in Nagios Defaults te host name if unset Nagios Checks gt
183. ill have a working VirtualPort client installed on your machine and an icon on your desktop gt Click the VirtualPort icon on your desktop to start the client 4 7 2 Configure the VirtualPort Client Creating the VirtualPort client connection will initiate a virtual serial port data redirection to the remote Console Server using TCP IP protocol gt Click on Add Ports gt Specify aname to Identify this connection in the Server Description tab af VirtualPort Configuration E 192 167 28 27 6 192 251 22 3 wl Add Serial Ports 53 Enter the Console Server s IP address or network name Enter the Server TCP Port number that matches the port you have configured for the serial device on the remote Console Server Ensure this port isn t blocked by a firewall o Telnet RFC2217 mode is configured by default so the range of port numbers available on a 16 port console server would be 5001 5016 o Alternately check RAW mode 4001 4048 on a 48 port console server o Select Encrypted to enable SSL TLS encryption of the data going to the port You will need to enter a Password Select the starting COM port COM 1 to COM 4096 Specify the number of ports you want to add Sequential port numbers will be assigned automatically If a COM port is already being used by other applications that will be skipped Click OK to add the specified COM ports a VirtualPort Configuration E 192 167 28 27 ee COM13
184. install the sdtcon 1 n jar and the config file defaults xml Once the installer completes you will have a working SDT Connector client installed on your machine and an icon on your desktop Note SDT Connector is a Java application so it must have a Java Runtime Environment JRE installed This can be freely downloaded from http java sun com j2se It will install on Windows 2000 XP 2003 Vista computers and on most Linux platforms Solaris platforms are also supported however they must have Firefox installed SDT Connector can run on any system with Java 1 4 2 and above installed but it assumes the web browser is Firefox and that xterm e Telnet opens a Telnet window 70 To operate SDT Connector add the new gateways to the client software by entering the access details for each Console Server refer to Section 6 2 2 Then let the client auto configure with all host and serial port connections from each Console Server refer Section 6 2 3 Now point and click to connect to the Hosts and serial devices refer to Section 6 2 4 Alternately you can manually add network connected hosts refer Section 6 2 5 as well as manually configure new services to be used when accessing the Console Server and the hosts refer Section 6 2 6 M anually configure clients to run on the computer that will use the service to connect to the hosts and serial port devices refer to Section 6 2 7 and 6 2 9 SDT Connector can also be set up to make an out of
185. ion Between the Host COM Port and Console Server Set up SDT Serial Ports on Console Server Set up SDT Connector to SSH Port Forward Over the Console Server Serial Port ALERTS AND LOGGING Configure SM TP SM S SNM P Nagios Alert Service Email Alerts SM S Alerts SNM P Alerts Nagios Alerts Activate Alert Events and Notifications Add a New Alert Select General Alert Type Configuring Environment and Power Alert Type 69 70 71 72 73 74 75 77 78 78 83 84 85 87 87 88 88 89 93 93 94 96 96 100 100 102 102 102 103 104 105 105 106 107 108 7 3 7 4 7 9 8 1 8 1 1 8 1 2 8 1 3 8 1 4 8 2 8 2 1 8 2 2 8 2 3 8 2 4 8 2 5 8 2 6 8 3 8 3 1 8 3 2 8 3 3 9 1 9 1 1 9 1 2 9 1 3 9 1 4 9 1 5 9 2 9 3 10 10 1 10 2 10 2 1 10 2 2 Remote Log Storage Serial Port Logging Network TCP or UDP Port Logging POWER amp ENVIRONM ENTAL M ANAGEM ENT Remote Power Control RPC RPC Connection RPC Alerts RPC Status User Power M anagement Uninterruptible Power Supply Control UPS M anaged UPS Connections Configure UPS Powering the Console Server Configuring Powered Computers to M onitor a M anaged UPS UPS Alerts UPS Status Overview of Network UPS Tools NUT Environmental Monitoring Connecting the EM D Environmental Alerts Environmental Status AUTHENTICATION Authentication Configuration Local Authentication TACACS Authentication RADIUS Authentication LDAP Authentication RADIU
186. ion of this host such as its operating system release or anything special about its configuration gt Click OK 74 6 2 6 Manually Adding New Services to the New Hosts To extend the range of services that can be used when accessing hosts with SDT Connector gt Select Edit Preferences and click the Services tab Click Add gt Enter a Service Name and click Add gt Under the General tab enter the TCP Port that this service runs on e g 80 for HTTP Optionally select the client to be used to access the local endpoint of the redirection a Tripp Lite SDTConnector Sa SDTConnector Preferences Telnet client SOL Telnet client HTTP browser RSA II IBM Director console SSH client HyperTerminal VNC viewer VMWare Server console gt Select which Client application is associated with the new service A range of client application options are pre configured in the default SDT Connector RDP client VNC client HTTP browser HTTPS browser Telnet client etc However if you wish to add new client applications to this range then proceed to the next section Adding a new client and then return here 5 Tripp Lite SDTConnector Ee SDTConnector Preferences Client name Path to client executable file l fa Browse Command line format for client executable amp 2 oK 3 Cancel gt Click OK then Close A service typically consis
187. ions Serial amp Network Serial Port Managed UPSes Users amp Groups UPS Description i Username Shutdown Connected Authentication Name Order Via Network Hosts i Tta Hatta No UPSes currently monitored Cascaded Ports UPS Connections Add UPS RPC Connections Environmental Monitored UPS Alerts amp Logging Enabled E Port Log Enable this UPS connection Alerts SMTP amp SMS UPS Name The name of this UPS The address or DNS name of the host managing this UPS Date amp Time An optional description Dial Services DHCP Server Nagios n eek Arrea Connect using this password gt Select the Serial amp Network UPS Connections menu The Managed UPSs section will display all the UPS connections that have already been configured gt Click Add UPS Connect using this username 116 TRIPP LITE rare POWER PROTECTION Serial amp Network UPS Connections Serial amp Network Serial Port Add Managed UPS Users amp Groups UPS Name Authentication Network Hosts The name of this UPS Trusted Networks Description Cascaded Ports UPS Connections An optional description RPC Connections Connected Via Environmental USB The UPS may be connected via USB serial or network HTTP or HTTPS Alerts amp Logging Username i Allow slaves to connect using this username l Password Allow slaves t
188. ions The mechanism to acquire IP settings RPC Connections IP Address Environmental A statically assigned IP address Alerts amp Logging Port Log Subnet Mask Alerts A statically assigned network mask SMTP amp SMS SNMP Gateway A statically assigned gateway Administration Primary DNS Firmware a TA A statically assigned primary name server gt If you select DHCP the Console Server will look for configuration details from a DHCP server on your management LAN This selection automatically disables any static address The Console Server MAC address can be found on a label on the base plate Note In its factory default state with no Configuration Method selected the Console Server has its DHCP client enabled so it automatically accepts any network IP address assigned by a DHCP server on your network In this initial state the Console Server will then respond to both its Static address 192 168 0 1 and its newly assigned DHCP address gt By default the Console Server 10 100 LAN port auto detects the Ethernet connection speed However you can use the Media menu to lock the Ethernet to 10 Mb s or 100M b s and to Full Duplex FD or Half Duplex HD Note Ifyou have changed the Console Server IP address you may need to reconfigure your Computer so it has an IP address that is in the same network range as this new address as detailed in an earlier note in this
189. is is typically the default behavior If you do not already have a public private key pair for your client computer the one which the SDT Connector is running generate them now using ssh keygen PuTTYgen or a similar tool You may use RSA or DSA however it is important that you leave the passphrase field blank PuTTYgen http www chiark greenend org uk sgtatham putty download html OpenSSH http www openssh org OpenSSH Windows http sshwindows sourceforge net download Upload the public part of your SSH key pair this file is typically named id_rsa pub or id_dsa pub to the SSH gateway or add it to the ssh authorized keys in your home directory on the SSH gateway Next add the private part of your SSH key pair this file is typically named id_rsa or id_dsa to SDT Connector Click Edit gt Preferences gt Private Keys gt Add locate the private key file and click OK You do not have to add the public part of your SSH key pair it is calculated using the private key SDT Connector will now use public key authentication when connecting through the SSH gateway Console Server You may have to restart SDT Connector to shut down any existing tunnels that were established using password authentication If you have a host behind the Console Server that you connect to by clicking the SSH button in SDT Connector you may also wish to configure access to it for public key authentication as well This configuration is en
190. ite in particular peruse the tutorials listed on the netfilter HOWTO page A list of useful web locations has been compiled for your convenience below Netfilter Homepage http netfilter org Netfilter iptables Tutorials http netfilter org documentation index html documentation tutorials 15 5 Modifying SNMP Configuration etc config snmpd conf The net snmpd is an extensible SNM P agent which responds to SNMP queries for management information from SNM P management software Upon receiving a request it processes the request s collects the requested information and or performs the requested operation s and returns the information to the sender This includes built in support for a wide range of MIB information modules and can be extended using dynamically loaded modules external scripts and commands Snmpd when enabled should run with a default configuration Its behavior can be customized via the options in etc config snmpd conf Changing standard system information such as system contact name and location can be achieved by editing etc config snmpd conf file and locating the following lines sysdescr tripplite syscontact root lt root localhost gt configure etc default snmpd conf sysname Not defined edit etc default snmpd conf syslocation Not defined edit etc default snmpd conf Simply change the values of sysdescr syscontact sysname and syslocation to the desired settings and restart snmpd 192 T
191. ith a password issue the following command on the command line of a Linux host with the openssl utility installed openssl genrsa des3 out ssl_key pem 1024 2 Generating a Self Signed Certificate with OpenSSL This example shows how to use OpenSSL to create a self signed certificate OpenSSL is available for most Linux distributions via the default package management mechanism Windows users can check http www openssl org related binaries html To create a 1024 bit RSA key and a self signed certificate send the following openssl command from the host you have openssl installed on openssl reg x509 nodes days 1000 newkey rsa 1024 keyout ss _key pem out ssl_cert pem 206 You will be prompted to enter a lot of information M ost of it doesn t matter but the Common Name should be the domain name of your computer e g test tripplite com When you have entered everything the certificate will be created in a file called ssl_cert pem 3 Installing the Key and Certificate The recommended method for copying files securely to the Console Server unit is with an SCP Secure Copying Protocol client The scp utility is distributed with OpenSSH for most Unices while Windows users can use something like the PSCP command line utility available with PuTTY The files created in steps 1 and 2 can be installed remotely with the scp utility as follows scp ssl_key pem root lt address of unit gt etc config scp ssI_cert pem root
192. ix n m k where n lt m and lt k etc This form should not be confused with regular expression character classes also denoted by For example foo 19 does not represent fool or foo9 but rather represents a degenerate range foo19 This range syntax is meant only as a convenience on clusters with a prefix NN naming convention and specification of ranges should not be considered necessary the list fo01 fo009 could be specified as such or by the range foo 1 9 Some examples of powerman targets follow Power on hosts bar baz foo01 fo002 f0005 powerman on bar baz foo 01 05 Power on hosts bar foo foo9 foo10 powerman on bar foo 7 9 10 209 Power on foo0 foo4 foo5 powerman on foo 0 4 5 As a reminder to the reader some shells will interpret brackets and for pattern matching Depending on your shell it may be necessary to enclose ranged lists within quotes For example in tcsh the last example above should be executed as powerman on foo 0 4 5 15 9 2 pmpower The pmpower command is a high level tool for manipulating remote preconfigured power devices connected to the Console Servers either via a serial or network connection pmpower h I device r host o outlet u username p password action h This help message The serial port to use 0 The outlet on the power target to apply to r The remote host address for the power target u Override the configured
193. l Browse Now add a static entry to the ARP table and ping the Console Server to have it get the IP address In the example below we have a Console Server with a MAC address 00 13 C6 00 02 0F designated on the label on the bottom of the unit and we are setting its IP address to 192 168 100 23 The computer issuing the arp command must be on the same network segment as the Console Server i e have an IP address of 192 168 100 xxx Type arp s 192 168 100 23 00 13 C6 00 02 0F Note for UNIX the syntax is arp s 192 168 100 23 00 13 C6 00 02 0F Type ping t 192 18 100 23 to start a continuous ping to the new IP address Turn on the Console Server and wait for it to configure itself with the new IP address It will start replying to the ping at this point Type arp d to flush the ARP cache again Browser Connection gt Activate your preferred browser on the connected computer and enter https 192 168 0 1 The Console Server supports all current versions of the popular browsers Netscape Internet Explorer Mozilla Firefox and more 20 gt You will be prompted to log in Enter the default administration username and administration password Username root Password default System Name 6 Model Number _ _ _ lt r a TRIPP LITE Firmware Rev 2 6 1u1 Current User Up time 0 days 0 hours 23 mins 56 POWER PROTECTION TrippLite Management Console Serial amp Network Seria
194. l The outgoing mail server address If this server uses a secure connection specify its type Alerts amp Logging Port Log Sender Aeris The from address which will appear on the sent email SMTP amp SMS Username If this server requires authentication specify the username Administration Password oe If this server requires authentication specify the password IP Date amp Time Confirm sees Re enter the password Services DHCP Server Subject Line _ If this server requires a specific subject line specify it here gt Inthe SMTP Server field enter the IP address of the outgoing mail Server gt You may enter a Sender email address which will appear as the from address in all email notifications sent from this Console Server Many SM TP servers check the sender s email address with the host domain name to verify the address as authentic So it may be useful to assign an email address for the Console Server such as consoleserver2 mydomian com gt You may also enter a Username and Password if the SM TP server requires authentication Yy Similarly you can specify the Subject Line that will be sent with the email gt Click Apply to activate SM TP 7 1 2 SMS Alerts The Console Server uses email to SM S services to send SMS alert notifications to mobile devices Sending SM S via email using SM TP Simple M ail Transfer Protocol is much faster than sending text pag
195. l Port Users amp Groups Authentication K Network Hosts The following configuration procedure is necessary in order to initialize the unit Complete each step by following the appropriate link Upon completion of each step click on the logo on the top left corner in order to return to this window gt Trusted Networks Change the default administration password on the SystenryAdministration page c dai pots Configure the local network settings on the SystenyIP page la og 4 i Configure serial ports settings and enable supported protocols on the Sero amp UPS Connections Network Serial Port page RPC Connections Configure users with access to serial ports on the Serb amp Network Users page Done Environmental The above screen which lists four initial installation configuration steps will be displayed 1 2 3 4 Change the default administration password on the System Administration page Chapter 3 Configure the local network settings on the System IP page Chapter 3 Configure port settings and enable the Serial amp Network Serial Port page Chapter 4 Configure users with access to serial ports on the Serial amp Network Users page Chapter 3 After completing each of the above steps you can return to the configuration list by clicking in the top left corner of the screen on the logo Note TRIPP LITE POWER PROTECTION If you are not able to connect to the
196. l default to the first network port s IP as entered in System IP In Nagios Server Address enter the IP address or DNS name that the Console Server will use to reach the upstream Nagios monitoring server Check the Disable SDT Nagios Extensions option if you wish to disable the SDT Connector integration with your Nagios server at the head end this would only be checked if you want to run a vanilla Nagios monitoring If not enter the IP address or DNS name the SDT Nagios clients will use to reach the Console Server in SDT Gateway Address When NRPE and NSCA are both enabled NSCA is preferred method for communicating with the upstream Nagios server check Prefer NRPE to use NRPE whenever possible i e for all communication except for alerts 139 10 3 2 Enable NRPE Monitoring Nagios Remote Remote Monitoring Host Gateway Servers Enabling NRPE allows you to execute plug ins such as check_tcp and check_ping on the remote Console Server to monitor serial or network attached remote servers This will offload CPU load from the upstream Nagios monitoring machine which is especially valuable if you are monitoring hundreds or thousands of hosts To enable NRPE NRPE NRPE Enabled Switch on the NRPE service NRPE Port Port to listen on for NRPE Defaults to 5666 NRPE User User to run as Defaults to nrpe NRPE Group Group to run as Defaults te nobody gt Select System Nagios an
197. lanation of this entry IP Date amp Time Apply gt Select the Accessible Port s that the new rule is to be applied to gt Then enter the Network Address of the subnet to be permitted access gt Then specify the range of addresses that are to be permitted by entering a Network Mask for that permitted IP range e g To permit all the users located with a particular Class C network 204 15 5 0 say connection to the nominated port add the following Trusted Network New Rule Network IP Address 204 15 5 0 Subnet M ask 255 255 255 0 f you want to permit only the one user who is located at a specific IP address 204 15 5 13 Say to connect 47 Network IP Address 204 15 5 0 Subnet M ask 255 255 255 255 f however you want to allow all the users operating from within a specific range of IP addresses say any of the thirty addresses from 204 15 5 129 to 204 15 5 158 to be permitted connection to the nominated port Host Subnet Address 204 15 5 128 Subnet M ask 255 255 255 224 Note The above Trusted Networks will limit access by Users and the Administrator to the console serial ports However they do not restrict access by the Administrator to the Console Server itself or to attached hosts To change the default settings for this access you will to need to edit the P tables rules as described in Chapter 14 Advanced gt Click Apply 4 6 Serial Port Cascading Cascaded Ports enables you to clu
198. le Server and the computer are on the same LAN segment with no interposed router appliances 3 1 1 Connected Computer Set Up To configure the Console Server with a browser the connected computer should have an IP address in the same range as the Console Server e g 192 168 0 100 gt To configure the IP address of your Linux or Unix computer simply run ifconfig gt For Windows computers Win9x M e 2000 XP Vista NT Click Start gt Settings gt Control Panel and double click Network Connections for 95 98 Me double click Network Right click on Local Area Connection and select Properties Select Internet Protocol TCP IP and click Properties Select Use the following IP address and enter the following details 19 gt 3 1 2 o IP address 192 168 0 100 o Subnet mask 255 255 255 0 f you wish to retain your existing IP settings for this network connection click Advanced and Add the above as a secondary IP connection If it is not convenient to change your computer network address you can use the ARP Ping command to reset the Console Server IP address To do this from a Windows computer Click Start gt Run Type cmd and click OK to bring up the command line Type arp d to flush the ARP cache Type arp a to view the current ARP cache which should be empty Type the name of a program folder document or Internet resource and Windows will open it for you Open BREE x Cance
199. le debug on bin config run console reboot If at some point in the future you chose to connect a modem for dial in out of band access the procedure can be reversed with the following commands bin config del config console debug bin config run console reboot 15 4 IP Filtering Standard IP Filter Configuration The system uses the iptables utility to provide a stateful firewall of LAN traffic By default rules are automatically inserted to allow access to enabled services and serial port access via enabled protocols The commands which add these rules are contained in configuration files etc config ipfilter This is an executable shell script which is run whenever the LAN interface is brought up and whenever modifications are made to the iptables configuration as a result of CGI actions or the config command line tool The basic steps performed are as follows a The current iptables configuration is erased b If acustomized IP Filter script exists it is executed and no other actions are performed c Standard policies are inserted which will drop all traffic not explicitly allowed to and through the system d Rules are added which explicitly allow network traffic to access enabled services e g HTTP SNMP etc e Rules are added which explicitly allow traffic network traffic access to serial ports over enabled protocols e g Telnet SSH and raw TCP 190 Customizing the IP Filter etc config filter
200. ll be triggered at the value s below The alert ype wi oni be appied to UPSes RPCs and environmental moniter temperature and Aumidity sensors Sensor Type Temperature Specify which environmental sensor type to alert on Set Point Low Low Warning Low Critical A warning alert will be triggered when A critical alert will be triggered when the sensor reading falls to this value or the sensor reading falls to this value or lower lower Se int Hig salah A Ls High Warning High Critical A warning alert will be triggered when A critical alert will be triggered when the sensor reading rises to this value or the sensor reading rises to this value or higher higher Hysteresis Value a sensor reading must drop below a high point or to rise above a low point before the alert is reset gt Select Sensor Alert to activate gt Specify which Sensor Type to alert on Temperature Humidity Power Load and Battery Charge gt Set the levels at which Critical and or Warning alerts are to be sent You can also specify High and or Low Set Points for sending alerts and the Hysteresis to be applied before resetting off the alerts Note Specify the Set Point values are in Degrees Celsius for Temperature Amps Current for Power Load Percentage for Humidity and Battery Charge 108 If you have selected Applicable Alarm Sensor s that are to be monitored for this alert event then you can also set time windows when these sensors will
201. local network as detailed in the previous chapter The SDT Connector can also be pre configured with the access tools and applications that will be available when access to a particular host has been established 69 SDT Connector can connect to the Console Server using an alternate OoB access It can also be configured to access the Console Server itself and to access devices connected to serial ports on the Console Server 6 2 1 SDT Connector Client Installation gt The SDT Connector set up program SDTConnector Setup 1 n exe or sdtcon 1 n tar gz is included on the CD supplied with your Console Server gt Runthe set up program i Tripp Lite SDTConnector Setup Welcome to the Tnpp Lite SDTConnector Setup Wizard This wizard will quide you through the installation of Tripp Lite SDTConnector It is recommended that you close all other applications before starting Setup This will make it possible to update relevant system files without having to reboot your computer Click Next to continue Note For Windows clients the SDTConnectorSetup 1 n exe application will install the SDT Connector 1 n exe and the config file defaults xml If a config file already exists on the Windows computer then it will not be overwritten To remove an earlier config file run the regedit command search for SDT Connector and then remove the directory with this name For Linux and other Unix clients SDTConnector tar gz application will
202. ly reboot the device Apply The Console Server reboots with all settings e g the assigned network IP address preserved However this soft reset does disconnect all Users and ends any SSH sessions that had been established A soft reset will also be performed when you switch OFF power to the Console Server and then switch the power back ON However if you cycle the power while the unit is writing to flash you could corrupt or lose data Therefore the software reboot is the safer option A hard erase hard reset is performed by gt Pushing the Erase button on the rear panel twice The reset button on the B095 003 1E M and B095 004 1E is on the side of the unit A ball point pen or bent paper clip is a suitable tool for 149 performing this procedure Do not use a graphite pencil Depress the button gently twice within a 5 second period while the unit is powered ON This will reset the Console Server back to its factory default settings and clear the Console Server s stored configuration information The hard erase will clear all custom settings and return the unit back to factory default settings i e the IP address will be reset to 192 168 0 1 You will be prompted to log in and must enter the default administration username and administration password por 6 root z Username root Remember my password Connect to 192 168 0 1 192 168 0 1 80 Password default 11 2 Upgrade Firmware Bef
203. ly with any term or condition In such an event you must destroy all copies of the Software You may also terminate this EULA at any time by destroying the Software GOVERNING LAW AND ATTORNEY S FEES This EULA is governed by the laws of the State of Utah USA excluding its conflict of law rules You agree that the United Nations Convention on Contracts for the International Sale of Goods is hereby excluded in its entirety and does not apply to this EULA If you acquired this Software in a country outside of the United States that country s laws may apply In any action or suit to enforce any right or remedy under this EULA or to interpret any provision of this EULA the prevailing party will be entitled to recover its costs including reasonable attorneys fees ENTIRE AGREEMENT This EULA constitutes the entire agreement between you and Tripp Lite with respect to the Software and supersedes all other agreements or representations whether written or oral The terms of this EULA can only be modified by express written consent of both parties If any part of this EULA is held to be unenforceable as written it will be enforced to the maximum extent allowed by applicable law and will not affect the enforceability of any other part Should you have any questions concerning this EULA or if you desire to contact Tripp Lite for any reason please contact the Tripp Lite representative serving your company THE FOLLOWING DISCLAIMER OF WARRANTY AND LI
204. mands in the script echo lt table gt You can of course run any command and its output will be displayed in the widget window directly Below is a sample script which writes the current date to a file and then echoes HTM L code back to the browser The HTML code gets an image from a Specific URL and displays it in the widget 41 bin sh date gt gt tmp test echo lt table gt echo lt tr gt lt td gt This is my custom script running lt td gt lt tr gt echo lt tr gt lt td gt echo lt img src http www vinras com images linux online inc jpg gt echo lt td gt lt tr gt echo lt table gt exit 0 161 13 MANAGEMENT Introduction The Console Server Management Console has a number of reports and tools that can be accessed by both Administrators and Users Access and control configured devices View serial port logs and host logs Use SDT Connector or the java terminal to access serially attached consoles Power control 13 1 Device Management To display all the connected Serial devices Network Hosts and Power devices gt Select Manage Devices By selecting the Serial Network Power item the display will be reduced to only those devices TRIPP LITE POWER PROTECTION Serial amp Network Serial Port Users amp Groups Authentication Network Hosts Trusted Networks Cascaded Ports UPS Connections RPC Connections Environ
205. me network range e g 200 100 1 12 and 200 100 1 67 61 gt Inthe Local Address field enter the IP address for the Dial In PPP Server This is the IP address that will be used by the remote client to access Console Server once the modem connection is established Again you can select any address for the Local IP Address but both must be in the same network range as the Remote IP Address gt The Default Route option enables the dialed PPP connection to become the default route for the Console Server gt The Custom Modem Initialization option allows a custom AT string modem initialization string to be entered e g AT amp C1 amp D3 amp K3 gt Then select the Authentication Type to be applied to the dial in connection The Console Server uses authentication to challenge Administrators who dial in to the Console Server For dial in access the username and password received from the dial in client are verified against the local authentication database stored on the Console Server The Administrator must also have their client computer configured to use the selected authentication scheme Select PAP CHAP M SCHAPv2 or None and click Apply None With this selection no username or password authentication is required for dial in access This is not recommended PAP Password Authentication Protocol PAP is the usual method of user authentication used on the internet sending a username and password to a server where they are compared wi
206. ment Console and or click SSH or Telnet to access the gateway command line console Note To enable SDT access to the gateway console you must now configure the Console Server to allow port forwarded network access to itself gt Browse to the Console Server and select Network Hosts from Serial amp Network Click Add Host and in the IP Address DNS Name field enter 127 0 0 1 this is the Console Server s network loopback address Then enter Loopback in Description gt Remove all entries under Permitted Services except for those that will be used in accessing the Management Console 80 hittp or 443 https or the command line 22 ssh or 23 Telnet Scroll to the bottom and click Apply gt Administrators by default have gateway access privileges However for Users to access the gateway Management Console you will need to give those Users the required access privileges Select Users amp Groups from Serial amp Network Click Add User Enter a Username Description and Password Confirm Select 127 0 0 1 from Accessible Host s and click Apply 83 6 4 SDT Connector Telnet or SSH Connect to Serially Attached Devices SDT Connector can also be used to access text consoles on devices that are attached to the Console Server s serial ports For these connections you must configure the SDT Connector client software with a Service that will access the target gateway serial port and then set the gateway up as a host gt Launch SDT
207. mental Alerts amp Logging Port Log Alerts SMTP amp SMS SNMP Administration Firmware IP Date amp Time Dial Services DHCP Server Manage Devices Network Seral Power Type Device Actions S 192 168 254 100 Linux Server f5 192 168 254 204 Dell 2003 Server S 192 168 1 52 Dell 2003 Server DRAC f 192 168 1 53 Dell 2003 Server BMC S 192 168 254 30 HP 2003 Server fF 192 168 1 35 HP 2003 Server iLO2 lt gt Port 1 PowerEdge Console Linux E amp Bi lt i Port 2 eB Ee lt gt Port 3 HP 2003 Server E Fa The user can take a range of actions on each of these Serial Network Power devices by selecting the Action icon or the related M anage menu item Selecting the M anager Power icon or the Manage Power menu is covered in Chapter 8 13 2 Port amp Host Management Administrator and Users can view logs of data transfers to connected devices gt Select Manage Port Logs and the serial Port to be displayed 162 System Name TLE Model Number B096 016 m TRIPP LITE Firmware Rev 2 6 1u1 Current User vot Up time 1 days urs 2 mins 25 secs POWER PROTECTION Manage Port Logs Serial amp Network Serial Port Authentication Port 9 Port 10 Port 11 Port 12 Port 13 Port 14 Port 15 Port 16 Network Hosts Trusted Networks gt To display Host logs select Manage Host Logs and the Host to be displayed 13 3
208. message Offending key in ssh Known_hosts 1 RSA host key for remhost has changed and you have requested strict checking Host key verification failed If the host key has been legitimately changed it can be removed from the ssh Known_ hosts file and the new fingerprint added If it has not changed this indicates a serious problem that should be investigated immediately 15 6 7 SSH Tunneled Serial Bridging You have the option to apply SSH tunneling when two Console Servers are configured for serial bridging 201 Ethernet LAN Serially connected device COM Port connected N e g security appliance control PC LOS As detailed in Chapter 4 the Server gateway is set up in Console Server mode with either RAW or RFC2217 enabled and the Client gateway is set up in Serial Bridging M ode with the Server Address and Server TCP Port 4000 port for RAW or 5000 port for RFC2217 specified gt Select SSH Tunnel when configuring the Serial Bridging Setting Serial Bridge Settings Serial Bridging Mode Create a network connection to a remote serial port via RFC 2217 Server Address 250 258 72 16 The network address of an RFC 2217 server to connect to Server TCP Port The TCP port the RFC 2217 server is serving on RFC 2217 Enable RFC 2217 access SSH Tunnel Redirect the serial bridge over an SSH tunnel to the server Next you will need to set up SSH keys for each end of the tunnel and upload these k
209. mshell getline 185 pmchat The pmchat command acts similarly to the standard chat command but all serial port access is directed via the portmanager Example To run a chat script via the portmanager pmchat v f etc config scripts port08 chat lt dev port08 For more information on using chat and pmchat you should consult the UNIX man pages http techpubs sqi com library tpl cgi bin getdoc cgi collSinux amp xdbsnan amp fnames usr share catman man chat 8 html pmusers The pmusers command is used to query the portmanager for active user sessions Example To detect which users are currently active on which serial ports pmusers This command will not output anything if there are no active users currently connected to any ports otherwise it will respond with a sorted list of usernames per active port Port 1 userl user Port 2 userl Port 8 user The above output indicates that a user named user1 is actively connected to ports 1 and 2 while user2 is connected to both ports 1 and 8 186 Portmanager Daemon Command line options There is normally no need to stop and restart the daemon To restart the daemon just run the command portmanager Supported command line options are Force portmanager to run in the foreground nodaemon Set the level of debug logging loglevel debug info warn error alert Change which configuration file it uses C etc config portmanager cont
210. n a Console Server located at 192 168 0 50 then you would enter 192 168 0 50 7303 Where there is an SSH tunnel over a dial up PPP connection or over a public internet connection or private network connection simply enter the localhost as the IP address i e 127 0 0 1 For Port Number enter the source port you created when setting SSH tunneling port forwarding in Section 6 1 6 e g 1234 gt Click Option In the Display section specify an appropriate color depth e g for a modem connection it is recommended you not use over 256 colors In Local Resources specify the peripherals on the remote Windows computer that are to be controlled printer serial port etc f Remote Desktop Connection General Display Local Resources Programs Experience Logon settings Type the name of the computer or choose a computer from the drop down list Computer name Password eoneeene Domain i SSS Save my password Connection settings Save curent settings or open saved connection Comec _ _cancel_ Help Options lt lt gt Click Connect 90 Note The Remote Desktop Connection software is pre installed on Windows XP However for earlier Windows computers you will need to download the RDP client Go to the Microsoft Download Center site htto www microsoft com downloads details aspx familyid 801 11F21 D48D
211. n a Linux machine may be displayed on a Windows computer on a Solaris machine or on any number of other architectures There is a C Windows server allowing you to view the desktop of a remote Windows machine on any of these platforms using exactly the same viewer RealVNC was founded by members of the AT amp T team who originally developed VNC TightVNC http www tightvnc com is an enhanced version of VNC It has added features such as file transfer performance improvements and read only password support They have just recently included a video drive much like UltraVNC TightVNC is still free cross platform Windows Unix and Linux and compatible with the standard Real VNC UltraVNC http ultravnc com is easy to use fast and free VNC software that has pioneered and perfected features that the other flavors have consistently refused or been very slow to implement for cross platform and minimalist reasons UltraVNC runs under Windows operating systems 95 98 Me NT4 2000 XP 2003 Download UltraVNC from Sourceforge s UltraVNC file list B For Linux servers and clients M ost Linux distributions now include VNC Servers and Viewers They are generally launched from the Gnome KDE etc front end For example there s VNC Server software with Red Hat Enterprise Linux 4 and a choice of Viewer client software To launch gt Select the Remote Desktop entry in the Main Menu gt Preferences menu gt Click the Allow other use
212. n a subsequent firmware release The second path is to directly add support for the new RPC devices or to customize the existing RPC device support on your particular Console Server The Manage Power page uses information contained in etc powerstrips xml to configure and control devices attached to a serial port The configuration also looks for and loads etc config powerstrips xml if it exists The user can add their own support for more devices by putting definitions for them into etc config powerstrips xml This file can be created on a host system and copied to the Management Console device using scp Alternatively login to the Management Console and use ftp or wget to transfer files Here is a brief description of the elements of the XM L entries in etc config powerstrips xml lt powerstrip gt lt id gt Name or ID of the device support lt id gt lt outlet port port id 1 gt Display Port 1 in menu lt outlet gt lt outlet port port id 2 gt Display Port 2 in menu lt outlet gt lt on gt script to turn power on lt on gt lt off gt script to power off lt off gt lt cycle gt script to cycle power lt cycle gt lt status gt script to write power status to var run power status lt status gt lt speed gt paud rate lt speed gt lt charsize gt character size lt charsize gt lt stop gt stop bits lt stop gt lt parity gt parity setting 4 parity gt lt powerstrip gt The id appears on the web page in the list of
213. nal Connection Remote Console Access B092 016 only BASIC CONFIGURATION LINUX COM M ANDS The Linux Command Line Administration Configuration 138 138 140 141 141 142 143 144 144 147 147 149 149 150 151 152 154 156 156 156 157 157 158 159 160 162 162 162 163 163 165 167 168 170 14 2 1 14 2 2 14 3 14 4 14 4 1 14 4 2 14 4 3 14 5 14 5 1 14 5 2 14 5 3 14 5 4 14 6 14 6 1 14 6 2 14 7 14 7 1 14 8 14 9 15 15 1 15 2 15 3 15 4 15 5 I5 3d 15 6 15 6 1 15 6 2 15 6 3 15 6 4 15 6 5 15 6 6 15 6 7 System Settings Authentication Configuration Date and Time Configuration Network Configuration IP Configuration Dial In Configuration Services Configuration Serial Port Configuration Serial Port Settings Supported Protocol Configuration Users Trusted Networks Event Logging Configuration Remote Serial Port Log Storage Alert Configuration SDT Host Configuration SDT Host TCP Ports Configuration Backup and Restore General Linux Command Usage ADVANCED CONFIGURATION Advanced Portmanager External Scripts and Alerts Raw Access to Serial Ports IP Filtering Modifying SNMP Configuration Adding M ore than One SNMP Server Secure Shell SSH Public Key Authentication SSH Overview Generating Public Keys Linux Installing the SSH Public Private Keys Clustering Installing SSH Public Key Authentication Linux Generating Public Private Keys for SSH Windows Fingerprinting
214. ncement These requirements apply to the modified work as a whole If identifiable sections of that work are not derived from the Program and can be reasonably considered independent and separate works in themselves then this License and its terms do not apply to those sections when you distribute them as separate works But when you distribute the same sections as part of a whole which is a work based on the Program the distribution of the whole must be on the terms of this License whose permissions for other licensees extend to the entire whole and thus to each and every part regardless of who wrote it Thus it is not the intent of this section to claim rights or contest your rights to work written entirely by you rather the intent is to exercise the right to control the distribution of derivative or collective works based on the Program In addition mere aggregation of another work not based on the Program with the Program or with a work based on the Program on a volume of a storage or distribution medium does not bring the other work under the scope of this License 3 You may copy and distribute the Program or a work based on it under Section 2 in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following 235 a Accompany it with the complete corresponding machine readable source code which must be distributed under the terms of Sections 1 and 2 above on a medium c
215. nces routers etc at that site 6 2 5 Manually Adding Hosts to the SDT Connector Gateway For each gateway you can manually specify the network connected hosts that will be accessed through that Console Server and for each host specify the services that will used in communicating with the host gt Select the newly added gateway and click the Host icon a to create a host that will be accessible via this gateway Alternatively select File New Host Feit 3 New SDT Host Host Address Services HTTP E Telnet T VNC Dell RAC Dell Server Administrator Dell IT Assistant SOL 7 IBM RSA II M IBM Director F IBM AMM HP iLO2 VMWare Server Tripp Lite NetCommander L Tripp Lite NetDirector F KVM Vision Viewer Descriptive Name Description Notes 97 0K 9 Cancer gt Enter the IP or DNS Host Address of the host if this is a DNS address it must be resolvable by the gateway gt Select which Services are to be used when accessing the new host A range of service options are pre configured in the default SDT Connector client RDP VNC HTTP HTTPS Dell RAC VM Ware etc However if you wish to add new services to the range then proceed to the next section Adding a new service then return here gt Optionally you can enter a Descriptive Name for the host to be displayed Instead of the IP or DNS address as well as any Notes or a Descript
216. nd operations of your Console Server 156 System Name TLG Model Number B096 016 m gt _ TRIPP LITE Firmware Rev 2 6 1u1 Current User oot Up time 1 days 2 hours 50 mins 39 secs POWER PROTECTION Serial amp Network Serial Port Users amp Groups Interfaces Routes Serial Ports IP ICMP Authentication Network Hosts etho Link encap Ethernet HWaddr 00 13 C6 66 77 89 Trusted Networks inet addr 192 168 0 1 Bcast 192 168 0 255 Mask 255 255 255 0 Cascaded Ports inet6 addr fe80 213 c6ff fe66 7789 64 Scope Link E ra OA UP BROADCAST RUNNING MULTICAST MTU 1500 Metric 1 A sabe naiai RX packets 27083 errors 0 dropped 0 overruns 0 frame 0 Environmental TX packets 7961 errors 0 dropped 0 overruns 0 carrier 0 collisions 0 txqueuelen 1000 Alerts amp Loggi ae Interrupt 29 Memory f03ff000 f040efff Port Log Alerts Link encap Ethernet HWaddr 00 13 C6 66 77 89 SMTP amp SMS inet addr 192 168 254 151 Bcast 192 168 254 255 Mask 255 255 255 0 SNMP UP BROADCAST RUNNING MULTICAST MTU 1500 Metric 1 Interrupt 29 Memory f03ff000 f04 0efff Administration lo Link encap Local Loopback rd inat addr NA N 1 Baeles DCO AANA 12 3 Support Reports The Support Report provides useful status information that will assist the Tripp Lite technical support team to resolve any issues you may experience with your Console Server If you do experience an Issue and have to contact Support ensure you include t
217. ned M aterial Authorization RM A number which is required for service This simple on line form will ask for your unit s model and serial numbers along with other general purchaser information The RMA number along with shipping instructions will be emailed to you Any damages direct indirect special or consequential to the product incurred during shipment to Tripp Lite or an authorized Tripp Lite service center is not covered under warranty Products shipped to Tripp Lite or an authorized Tripp Lite service center must have transportation charges prepaid Mark the RM A number on the outside of the package If the product is within its warranty period enclose a copy of your sales receipt Return the product for service using an insured carrier to the address given to you when you request the RMA Limited Warranty Seller warrants this product if used in accordance with all applicable instructions to be free from Original defects in material and workmanship for a period of 2 years except U S Canada and M exico 1 year from the date of initial purchase If the product should prove defective in material or workmanship within that period Seller will repair or replace the product in its sole discretion Service under this Warranty includes parts and Tripp Lite service center labor On site service plans are available from Tripp Lite through authorized service partners in most areas Visit www tripplite com support for details International
218. nfigured for each user groups Note The Dashboard feature was introduced with Revision 3 0 1 firmware so is only currently available on B095 004 1E B095 003 1E M Console Servers 158 System Name b095 003 le m Model Number 8095 003 1E M PH Oo gt TRIPP LITE Firmware Rev 3 0 1 Current User oot Backup Log Out Up time 0 days 1 hours 21 mins 46 secs SE _ POWER PROTECTION Status Dashboard Serial amp Network Serial Port Users amp Groups UPS Alerts mies connections Authentication Type Description Port Address Event User Device Status Network Hosts Name Trusted Networks Cascaded Ports No UPS UPS Connections Connectionshave RPC Connections been Environmental configured Managed Devices Managed Devices Device Description Notes Related Connections Alerts amp Logging Name Port Log Alerts X no devices configured SMTP amp SMS connections SNMP No RPC Connectionshave Port activity Administration been SSL Certificates i Port Active U Configuration Backup configured Firmware IP 12 5 1 Configuring the Dashboard Only users who are members of the admin group and the root user can configure and access the dashboard To configure a custom dashboard Select System Configure Dashboard and select the user or group you are configuring this custom dashboard layout for System Name b095 003 le m Model Number 8095 003 1em
219. ng a program running on a Windows computer as the terminal device then the cable is made up from a Cat5 UTP cable and two DB 9 to RJ 45 adapters o If you are connecting over the LAN you will need to interconnect the Ethernet ports and direct your terminal emulator program to the IP address of the Console Server 192 168 0 1 by default gt Logon to the Console Server by pressing return a few times The Console Server will request a username and password Enter the username root and the password default You should now see the command line prompt which is a hash The config Tool Syntax config ahv d id gid p path r configurator s id value Description The config tool allows manipulation and querying of the system configuration from the command line Using config the new configuration can be activated by running the relevant configurator which performs the action necessary to make the configuration changes live Configuration elements which can be changed are specified by a unique separated name For example the configuration file version is identified as config version The config tool is designed to perform multiple actions from one command if needed so if necessary options can be chained together 168 Options a run all Run all registered configurators This performs every configuration synchronization action pushing all changes to the live system h help Display a brief usa
220. ning proprietary applications such as Dell OpenManage or Windows applications such as VMware VDI client on a remote management computer which is be used to manage a DRAC service processor or VMware virtual device on a remote server Each B092 016 gateway has an internal VNC server enabling remote administrators to oversee local activity and giving them the option to access and control all the devices themselves To activate the VNC server in the B092 016 gt Select the System Services option in the Management Console menu then check VNC Server or Secure VNC Server Syslog Alternate UPS Status Unauthenticated Telnet RPC Status Base Environmental Statu A secondary TCP port range for Unauthenticated Telnet access to serial ports 7his amp in addition to the default port 6000 VNC Server Manage Devices Port Logs Secure VNC Server a Host Logs Enable the Secure encrypted VNC server for remote access to the local display VNC over SSL on port 5800 v Enable the standard VNC server for remote access to the local display VNC on port 5900 Power S Tand PowerAlert Console KVM Console Server Automatically start PowerAlert console after logging into the local display or VNC session Apply gt Click Manage KVM Console Server then Launch Standard VNC Remote Control and your browser will automatically download and run a Java VNC applet client gt Log in as root or some other configure
221. nnection via a LAN or VPN and the secondary out of band connectivity is provided by a dial up or wireless modem directly attached to the gateway So out of band access enables you to access the hosts and serial devices on the network diagnose any connectivity issues and restore the gateway s primary link In SDT Connector OoB access is configured by providing the secondary IP address of the gateway and telling SDT Connector how to start and stop the OoB connection Starting an OOB connection may be achieved by initiating a dial up connection or adding an alternate route to the gateway SDT Connector allows for maximum flexibility by allowing you to provide your own scripts or commands for starting and stopping the OoB connection cE Tripp Lite SDTConnector E New SDT Gateway a General Out Of Band Remote UDP Gateway Secondary Address Port 22 Start Command connection wait min rasdial OOB login password Stop Command lit min rasdial network_connection login password To configure SDT Connector for OoB access gt When adding a new gateway or editing an existing gateway select the Out Of Band tab gt Enter the secondary OoB IP address for the gateway e g the IP address to be used when dialing in directly You may also modify the gateway s SSH port if it s not using the default of 22 gt Enter the command or path to a script to start the OoB connection in Start Command
222. not be monitored e g for a door open sensor you may not wish to activate the sensor alert monitoring during the working day Alarm Sensor Alert Alarm Sensor Alert An alert will be triggered when an alarm condition occurs This alert type will only be applied to environmental monitor alarm sensors Alarm Disable Sunday From 00 00 Until 00 00 Hour Minute Hour Minute Monday From 00 00 Until 00 00 Hour Minute Hour Minute Tuesday From 00 00 Until 00 00 Hour Minute Hour Minute Wednesday From 00 00 Until 00 00 Hour Minute Hour Minute Thursday From 00 00 Until 00 00 Hour Minute Hour Minute Friday From 00 00 Until 00 00 Hour Minute Hour Minute Saturday From 00 00 Until 00 00 Hour Minute Hour Minute Disable the alarm sensor alert during these times gt Click Apply 7 3 Remote Log Storage Before activating Serial or Network Port Logging on any port or UPS logging you must specify where those logs are to be saved gt Select the Alerts amp Logging Port Log menu option and specify the Server Type to be used and the details to enable log server access 109 Remote Log Storage Server Type Server Address Server Path Syslog Facility Syston Priori 7 4 Serial Port Logging None USB Flash Memory Remote Syslog O NFS CIFS Windows Samba 192 168 254 30 The remote Storage Server address Serial_Log The director
223. nt access to copy the source code from the same place counts as distribution of the source code even though third parties are not compelled to copy the source along with the object code 4 You may not copy modify sublicense or distribute the Program except as expressly provided under this License Any attempt otherwise to copy modify sublicense or distribute the Program is void and will automatically terminate your rights under this License However parties who have received copies or rights from you under this License will not have their licenses terminated so long as such parties remain in full compliance 5 You are not required to accept this License since you have not signed it However nothing else grants you permission to modify or distribute the Program or its derivative works These actions are prohibited by law if you do not accept this License Therefore by modifying or distributing the Program or any work based on the Program you indicate your acceptance of this License to do so and all its terms and conditions for copying distributing or modifying the Program or works based on it 6 Each time you redistribute the Program or any work based on the Program the recipient automatically receives a license from the original licensor to copy distribute or modify the Program subject to these terms and conditions You may not impose any further restrictions on the recipients exercise of the rights granted herein You are not r
224. o connect using this password fi Administration Con Firmware Re enter the password IP Date amp Time Shutdown Order 0 Dial l Control the order in which UPSes are shut down Os are shut down first then 1s 2s etc and 1s are Services not shut down at all Defauits to 0 DHCP Server Nagios Driver genericups v The driver for this UPS model see the hardware compatibility list for details gt Enter a UPS Name and Description optional and identify if the UPS will be Connected Via USB or over pre configured serial port or via HTTP HTTPS over the preconfigured network Host connection gt Enter the UPS login details This Username and Password is used by Slaves of this UPS i e other computers that are drawing power through this UPS to connect to the Console Server for monitoring of the UPS status and shutdown when battery power is low Monitoring will typically be performed using the upsmon client running on the Slave server See section 8 5 4 for details on setting up upsmon on Slave servers powered by the UPS Note These login credentials are not related to the Users and access privileges you will have configured in Serial amp Networks Users amp Groups gt If you have multiple UPSs and require them to be shut down in a specific order specify the Shutdown Order for this UPS This is a positive whole number or 1 Os are shut down first then 1s 2s etc 1s are not shut down at all D
225. o run PowerAlert to manage your power devices and to run the thin clients to manage other devices Note Care should be taken in handling all Console Server products There are no operator serviceable components inside so do not remove cover Refer any service to qualified personnel 18 3 INITIAL SYSTEM CONFIGURATION Introduction This chapter provides step by step instructions for the initial configuration of your Console Server and connecting it to your management or operational network This involves the Administrator Activating the Management Console Changing the Administrator password Setting the IP address for the Console Server s principal LAN port Selecting the network services to be supported This chapter also discusses the communications software tools that the Administrator may use to access the Console Server It also covers the configuration of the additional LAN ports on the B096 016 048 Console Server Management Switch 3 1 Management Console Connection Your Console Server has a default IP Address 192 168 0 1 Subnet M ask 255 255 255 0 gt Directly connect a computer to the Console Server Note For initial configuration it is recommended that the Console Server be connected directly to a single computer However if you choose to connect your LAN before completing the initial setup steps it is important that You ensure there are no other devices on the LAN with an address of 192 168 0 1 The Conso
226. on as the RPC UPS Host refer Chapter8 Power and Environment 58 Also all the outlet names on the PDU will by default be Outlet 1 Outlet 2 When you connect a particular Managed Device that draws power from the outlet the outlet will then take up the name of the powered Managed Device 59 FAILOVER AND OUT OF BAND ACCESS Introduction The Console Server has a number of failover and out of band access capabilities to ensure availability in the event there are difficulties in accessing the Console Server through the principal network path This chapter covers Qut of band OoB access from a remote location using dial up modem Qut dial failover QOoB access using an alternate broadband link B096 048 016 models only Broadband failover 5 1 OoB Dial In Access To enable OoB dial in access first set up the Console Server configuration for dial in PPP access Once the Console Server is so configured it will wait for an incoming connection from a dial in at a remote site Then remote Administrator s must be configured to dial in and must establish a network connection to the Console Server OoB dial in management Note The B096 048 016 and B095 003 M Console Servers have an internal modem for dial up OoB access The B092 016 Console Server needs an external modem to be attached via a serial cable to its DB9 port On the B095 004 Console Server the four serial ports are all configured by def
227. onitoring EM D devices Serial Port Redirection using the VirtualPort windows client Managed Devices presents a consolidated view of all the connections version 3 0 firmware and later IPSec enabling VPN connection version 3 0 firmware and later 4 1 Configuring Serial Ports To configure a serial port you must first set the Common Settings Chapter 4 1 1 that are to be used for the data connection to that port e g baud rate and the mode the port Is to operate in Each port can be set to support one of five operating modes Console Server Mode Chapter 4 1 2 is the default setting and enables general access to the serial console port on serially attached devices Device Mode Chapter 4 1 3 sets the serial port up to communicate with an intelligent serial controlled PDU UPS or Environmental M onitor Devices EM D SDT Mode Chapter 4 1 4 enables graphical console access with RDP VNC HTTPS etc to hosts that are serially connected Terminal Server Mode Chapter 4 1 5 sets the serial port to await an incoming terminal login session Serial Bridge Mode Chapter 4 1 6 enables the transparent interconnection of two serial port devices over a network To select the serial port to configure gt Select Serial amp Network Serial Port and click Edit on the port to be reconfigured 34 Note If you wish to set the same protocol options for multiple serial ports at once click Edit Multiple Ports and select which ports yo
228. only defined on the TACACS server which says he has access to ports 5 and 6 When he attempts to log in a new user will be created for him and he will be able to access ports 5 and 6 If the TACACS server is down he will not have any access Example 3 User Cis defined on a RADIUS server only He has access to all serial ports and network hosts Example 4 User D is locally defined on an appliance using RADIUS for AAA Even if the user is also defined on the RADIUS server he will only have access to those serial ports and network hosts he has been authorized to use on the appliance If a no local AAA option is selected then root will still be authenticated locally Remote users may be added to the admin group via either RADIUS or TACACS Users may have a set of authorizations set on the remote TACACS server Users automatically added by RADIUS will have authorization for all resources whereas those added locally will still need their authorizations specified LDAP has not been modified and will still need locally defined users 130 9 2 PAM Pluggable Authentication Modules The Console Server supports RADIUS TACACS and LDAP for two factor authentication via PAM Pluggable Authentication Modules PAM is a flexible mechanism for authenticating Users Nowadays a number of new ways of authenticating users have become popular The challenge is that each time a new authentication scheme is developed it requires all the necessary
229. or lose data so the software Shutdown or Reboot from the control panel is the safer option 16 2 3 System Logout Clicking System Logout closes the local user log in session and removes the control panel However this does not logout remote users who may be logged into the B092 016 Console Server or accessing attached devices using SSH tunneling 16 2 4 Custom The Custom button on the control panel enables you to customize your B092 016 by adding buttons to the control panel that execute bash and other Linux commands you specify 16 2 5 Status These menu items give the user a snapshot of the serial port and IPM I device status 16 2 6 Logs These menu items give the user an audit log of B092 016 activity 221 16 3 Remote Control You can access the B092 016 locally via a directly connected keyboard monitor and mouse or KVM Switch If the BO92 016 is connected to a KVMoIP infrastructure then this may also provide you with some remote access to the B092 016 local consoles RDP Telnet VNC ICA JRE etc The B092 016 also hosts an embedded VNC server that enables you to remotely monitor and control the thin client software RDP Telnet VNC ICA etc that is running in the B092 016 itself Note You can still run management client software RDP etc on the remote computer and use SDT to securely connect the client directly to the managed devices that are serially or network attached to the B092 016 This is useful when run
230. ore upgrading check if you are already running the most current firmware in your Console Server Your Console Server will not allow you to upgrade to the same or an earlier version The Firmware version is displayed in the header of each page TRIPP LITE POWER PROTECTION System Administration gt Or select Status Support Report and note the Firmware Version gt To upgrade you must first download the latest firmware image from http www tripplite com EN support downloads driver firmware downloads cfm gt Save this downloaded firmware image file on to a system on the same subnet as the Console Server gt Also download and read the release_notes txt for the latest information gt To then upload the firmware image file to your Console Server select System Firmware 150 vstem Name TLE BU96 016 TRIPP LITE Firmware Rev 2 6 1u1 Current User t amp Up time 1 days ours 19 mins 9 secs POWER PROTECTION System Firmware Serial amp Network Serial Port Firmware Upgrade File Users amp Groups Authentication Network Hosts Firmware Options Trusted Networks Cascaded Ports UPS Connections RPC Connections FEnvirnnmental gt Specify the address and name of the downloaded Firmware Upgrade File or Browse the local subnet and locate the downloaded file Specify a valid firmware file to upgrade the unit with Advanced options should only
231. ort as 1234 or any number you choose Set the Destination If your destination computer is network connected to the Console Server set the Destination as lt SDT Host IP address DNS Name gt 3389 For example if the SDT Host IP Address you 79 specified when setting up the SDT Hosts on the Console Server was accounts myco intranet com then specify the Destination as accounts myco intranet com 3389 lt PuTTY Configuration Terminal Keyboard Bell Features El Window Appearance Behaviour Translation Selection Colours Options controlling SSH tunnelling 11 forwarding Enable X11 forwarding Kdupeycaton O Remote X11 authentication protocol MIT Magic Cookie 1 XDM Authorization 1 Port forwarding _ Local ports accept connections from other hosts Remote ports do the same SSH v2 only f your destination computer is serially connected to the Console Server set the Destination as lt port label gt 3389 For example if the Label you specified on the SDT enabled serial port on the Console Server is win2k3 then specify the remote host as win2k3 3389 Alternately you can set the Destination as portXX 3389 where XX is the SDT enabled serial port number So for example if port 4 is on the Console Server is to carry the RDP traffic then specify port04 3389 Note http www jfitz com tips putty_config html has examples on configuring PUTTY for SSH tunneling
232. ote serial port is controlled by the settings for that COM port on Windows computer If not selected then the port serial configuration parameters are set on the Console Server With the Emulate Baud Rate selected VirtualPort will only send data out at the baud rate configured by the local Application using the COM port 4 7 3 To Remove a Configured Port At any stage you can delete a single configured COM port or delete the Console Server connection and all the COM ports configured on that console server gt Select the console server or COM port on the left hand menu and click the Remove button a VirtualPort Configuration El 192 167 28 27 COM13 CE7 192 167 28 27 4 7 4 Configure the Remote Serial Device Connection Ensure the remote serial device is connected to your remote Console Server Then configure the serial port as detailed in the User Guide gt Set the RS232 Common Settings e g baud rate gt Select Console server mode and specify the appropriate protocol to be used e RAW TCP allows connections directly to a TCP socket and the default TCP port address is 4000 serial port I e the address of the second serial port is IP Address _ 4002 e RFC2217 enables serial port redirection on that port and the default port address Is IP Address Port 5000 serial port i e 5001 5048 on a 48 port Console Server e VirtualPort Secure mode enables encrypted communication This
233. ou will also need to run serial port redirector software on your desktop computer This software which supports RFC2217 virtual com ports is available commercially and as freeware for Windows UNIX and Linux and it allows you to use a serial device connected to the remote Console Server as if it were connected to your local serial port Unauthenticated Telnet Selecting Unauthenticated Telnet enables Telnet access to the serial port without requiring the user to provide credentials When a user accesses the Console Server to Telnet to a serial port they are normally given a login prompt However with unauthenticated Telnet they connect directly through to port with any Console Server login at all This mode is mainly used when you have an external system such as conserver managing user authentication and access privileges at the serial device level For Unauthenticated Telnet the default port address is IP Address _ Port 6000 serial port i e 6001 6048 Accumulation Period By default once a connection has been established for a particular serial port such as a RFC2217 redirection or Telnet connection to a remote computer then any incoming characters on that port are forwarded over the network on a character by character basis The accumulation period changes this by specifying a period of time that Incoming characters will be collected before being sent as a packet over the network Escape Character This enables you to change the
234. ould be combined into a single check which uses NSCA as a primary method and falling back to NRPE if a check were late For details see the Nagios documentation http www nagios org docs on Service and Host Freshness Checks Host definitions Console Server define host use generic host host_name tripplite allas Console Server address 192 168 254 147 Managed Host define host use generic host host_name server alias server address 192 168 254 227 NRPE daemon on gateway define command command_ name check_nrpe daemon command _ line USER1 check_nrpe H 192 168 254 147 p 5666 define service service_description NRPE Daemon host_name tripplite use generic service check_command check_nrpe_ daemon Serial Status define command command_name check_serial_ status command line USER1 check_nrpe H 192 168 254 147 p 5666 c check_serial HOSTNAM E define service 144 service_description host_name use check_command define service service description host_name use check_command Serial Status server generic service check_serial_ status serial signals server server generic service check serial status active checks enabled 0 passive checks enabled define servicedependency name host_name dependent_host_name 1 tripplite_nrpe daemon dep tripplite server dependent_ service description Serial Status service_description NRPE Daemon execution failure criteri
235. ourceforge net docs FO2 clients Execute the PUTTYGEN EXE program Select the desired key type SSH2 DSA you may use RSA or DSA within the Parameters section t is important that you leave the passphrase field blank Click on the Generate button Follow the instruction to move the mouse over the blank area of the program in order to create random data used by PUTTYGEN to generate secure keys Key generation will occur once PUTTYGEN has collected sufficient random data PulT Key Generator File Key Conversions Help Key Public key for pasting into OpenSSH authorized keys file Kel fuGsl LE Fee egnmb21 QvyutT Jayo H f3q354F 4D FB Adol TATHH8131bFHEsNE Cr 5m1 bp T TpaLNALYHOB tO LF nEApplLometucpneF re vaegons T YOy TOF lerebOuRA Pod a key 20061212 Kep fingerprint sshersa 1023 91 16 3d 4 F707 86 6462 cada 9b 7ect 184b Key comment rsa key 20061212 Key passphrase Confirm passphrase Actions Generate a public private key pair Generate Load an existing private key file Load Save the generated key Save public key Save private key Parameters Type of key to generate 55H 1 RSA SSH 2 RSA O SSH 2 DSA Number of bite in a generated key 1024 199 Create anew file authorized keys with notepad and copy your public key data from the Public key for pasting into OpenSSH authorized_ keys file section of the PuTTY Key Generator and paste the key data to the authorized_ke
236. pendent of the mode in which the port Is being used These serial port parameters must be set so they match the serial port parameters on the device which Is attached to that port gt Specify a label for the port gt Select the appropriate Baud Rate Parity Data Bits Stop Bits and Flow Control for each port and ensure they match the settings for serial device that is connected The Signaling Protocol is hard configured to be RS232 Note The serial ports are all set at the factory to RS232 9600 baud no parity 8 data bits 1 stop bit and Console Server Mode The baud rate can be changed to 2400 230400 baud using the management console Lower baud rates 50 75 110 134 150 200 300 600 1200 1800 baud can be configured from the command line as detailed in Chapter 14 35 TRIPP LITE POWER PROTECTION Serial amp Network System Name Firmware Rev Model Number B096 016 Current User admin Up time 0 days 17 hours 50 mins 48 secs Serial amp Network Serial Port Serial Port Common Settings for Port 1 Users amp Groups Authentication Network Hosts Trusted Networks Cascaded Ports UPS Connections RPC Connections Environmental Label Alerts amp Logging Port Log Alerts SMTP amp SMS SNMP Parity Stop Bits Flow Control Administration Firmware IP Signaling Date amp Time Protocol Dial Services 4 1 2 Console Server M ode The serial ports unique
237. ple transfer off box via scp config e tmp xxxxx config scp tmp xxxxx config 192 168 0 2 backups The config command is also used to restore a backup config i lt input File gt This will extract the contents of the previously created backup to tmp and then synchronize the etc config directory with the copy in tmp One possible problem that can occur here is that there is not enough room in tmp to extract files to The following command will temporarily increase the size of tmp mount t tmpfs o remount size 2048k tmpfs var If restoring to either a new unit or one that has been factory defaulted it is important to make sure that the process generating SSH keys is either stopped or completed before restoring configuration If this is not done then a mix of old and new keys may be put in place As SSH uses these keys to avoid man in the middle attacks logging in may be disrupted 14 9 General Linux Command Usage 181 The Console Server platform is a dedicated Linux computer optimized to provide access to serial consoles of critical server systems and control network connected hosts Being based around uClinux a small footprint but extensible Linux it embodies a myriad of popular and proven Linux software modules for networking NetFilter IPTables secure access OpenSSH and communications OpenSSL and sophisticated user authentication PAM RADIUS TACACS and LDAP M any components of the Console Server
238. pply Dynamic Address Allocation Pools Pool Start Pool End No address pools currently allocated Add Reserved Addresses IP Address Host Name HW Address No addresses currently reserved To configure the DHCP server for the Management LAN gt Enter the Gateway address that is to be issued to the DHCP clients If this field is left blank the IP address of the B096 048 016 will be used gt Enter the Primary DNS and Secondary DNS address to issue the DHCP clients Again if this field is left blank the IP address of the B096 048 016 is used so leave this field blank for automatic DNS server assignment gt Optionally enter a Domain Name suffix to issue DHCP clients gt Enter the Default Lease time and Maximum Lease time in seconds The lease time is the time that a dynamically assigned IP address is valid before the client must request it again gt Click Apply The DHCP server will sequentially issue IP addresses from a specified address pool s gt Click Add in the Dynamic Address Allocation Pools field gt Enter the DHCP Pool Start Address and End Address and click Apply The DHCP server also supports pre assigning IP addresses to be allocated only to specific MAC addresses and reserving IP addresses to be used by connected hosts with fixed IP addresses To reserve an IP addresses for a particular host gt Click Add in the Reserved Addresses field gt Enter the Hostname the Hardware Address M AC and the
239. programs that need UPS status information upslog is a background service that periodically polls the status of a UPS writing it to a file All these clients run on the Console Server for Management Console presentations but they also are run remotely on locally powered servers and remote monitoring systems This layered NUT architecture enables Multiple architecture support NUT can manage serial and USB connected models with the same common interface SNMP equipment can also be monitored although at this stage this is still pre release with experimental drivers and this feature will be added to the embedded UPS tools in future release Multiple clients monitoring one UPS Multiple systems may monitor a single UPS using only their network connections There s a wide selection of client programs which support monitoring UPS hardware via NUT Big Sister Cacti Nagios Windows and more Refer to www networkupstools org client projects 121 So NUT supports the more complex power architectures found in data centers computer rooms and NOCs where many UPS s from many vendors power many systems with many clients and each of the larger UPS s power multiple devices and many of these devices are themselves dual powered 8 3 Environmental Monitoring The Environmental M onitoring Device EM D model BO90 EM D can be connected to any Console Server serial port and each Console Server can support multiple EMD s Each EMD has one
240. r is drawing power through a M anaged UPS that has already been configured select Local enter the M anaged UPS Name and check Enabled The Console Server continues to be the master of this UPS gt Ifthe UPS that powers the Console Server is not a Managed UPS for that Console Server then the Console Server can still connect to a remote NUT server upsd to monitor its status as a Slave In this case select Remote and enter the address username and password to connect 118 Managed UPSes UPS Description Name Rack4A TrippLite345 Add UPS Monitored UPS Enabled Location UPS Name Description Username Password Log Status Log Rate Enable Nagios Nagios Host Name Nagios UPS Status Apply Driver Username Shutdown Connected er Via genericups YOOX 3 Serial Port Edit 2 Enable this UPS connection Local Remote Connect to a locally managed UPS or remote UPS The name of this UPS The address or DNS name of the host managing this UPS An optional description Connect using this username Connect using this password Re enter the password Periodically log UPS status 15 Minutes between samples Monitor the status of this UPS in Nagios Name of host in Nagios Generated using if unspecified Switch on Nagios UPS status 8 2 3 Configuring Powered Computers to Monitor a Managed UPS Delete Once you have added a M anaged UPS each server that is drawing power through
241. r itself over the enterprise VPN or the remote user may be in the same room or the same office but connected on a separate VLAN to the Console Server Management Console The Console Server Management Console runs in a browser It provides a view of your Console Server Management Switch B096 016 048 Console Server with PowerAlert B092 016 or Console Server B095 004 003 product and all the connected equipment Administrators can use the Management 11 Console either locally or from a remote location to configure the Console Server set up Users configure the ports and connected hosts and set up logging and alerts System Name L6 Model Number Ta _ B096 016 TRIPP LITE Firmware Rev 2 6 1u1 Current User adr Up time 0 days ours 37 mins 3 secs lt lt POWER PROTECTION System Administration Serial Port TLE Users amp Groups An ID for this device Authentication Network Hosts Rack3F Trusted Networks Cascaded Ports UPS Connections RPC Connections Environmental The physical location of this device The secret used to gain administration access to this device eeeeeeee Alerts amp Logging Port Log Alerts SMTP amp SMS SNMP Re enter the above password for confirmation An authorized User can use the Management Console to access and control configured devices review port logs use the in built java terminal to access
242. r must be added as a gateway as detailed in Chapter 6 The alternative to using SDT Connector and your local Telnet client is to download the open source jcterm java terminal applet into your browser in order to connect to the Console Server and attached serial port devices However jcterm does have some JRE compatibility issues which may prevent it from loading gt Select Manage Terminal The jcterm java applet is downloaded from the Console Server to your browser and the virtual terminal will be displayed gt Select File gt Open SHELL Session from the jcterm menu to access the command line using SSH 164 gt To access the Console Server command line enter the gateway s TCP address e g 192 168 254 198 as hostname and the Username e g root 192 168 254 198 Then enter the Password gt To access the Console Server s serial ports append serial to the username For example with the gateway s TCP address of 192 168 254 198 and the Username of root enter root serial 192 168 254 198 Then enter Password and select the TCP Port address for the serial port to be accessed By default 3001 is selected i e Port 1 To access Port 4 this must be changed to 3004 for the Username Java Terminal Select Me gt Open SHELL Sesston from the menu below to access The Tielke unks comerand ine using SSH To access the Thopline unit s saral ports append zeari ba the usemame 13 5 Remote Console Access B092 016 only Admini
243. rating systems There are also a wealth of Java viewers available so that any desktop can be viewed with any Java capable browser http en wikipedia org wiki VNC lists many of the VNC Viewers sources Install the VNC Viewer software and set it up for the appropriate speed connection Note To make VNC faster when you set up the Viewer Set encoding to ZRLE if you have a fast enough CPU Decrease color level e g 64 bit Disable the background transmission on the Server or use a plain wallpaper Refer to http doc uvnc com for detailed configuration instructions gt To establish the VNC connection first configure the VNC Viewer entering the VNC Server IP address 94 A When the Viewer computer is connected to the Console Server through an SSH tunnel over the public Internet or a dial in connection or private network connection enter localhost or 127 0 0 1 as the IP VNC Server IP address and the source port you entered when setting SSH tunneling port forwarding in Section 6 2 6 e g 1234 uttSVNC Win3 Viewer 1 0 1 Release VAC Server Meron 734 b hil host display or host port Quick Options GAUTO Auto select best settings O ULTRA gt 2M bits Experimental LAN gt TMbit s Max Colors Cancel COMEDIUM 128 256K bit s 256 Colors O MODEM 19 128Kbit s 64 Colors O SLOW 19kKbit s 8 Colors View Only Auto Scaling Options Options
244. re bin config set config console initstring ATQOV1HO The following command will synchronize the live system with the new configuration bin config run dialin Please note that supported authentication types are None PAP CHAP and M SCHAP v2 Supported serial port baud rates are 9600 19200 38400 57600 115200 and 230400 Supported parity values are None Odd Even M ark and Space Supported data bits values are 8 7 6 and 5 Supported stop bits values are 1 1 5 and 2 Supported flow control values are Hardware Software and None If you do not wish to use out of band dial in access please note that the procedure for enabling start up messages on the console port is covered in Chapter 15 Accessing the Console Port 14 4 3 Services Configuration You can manually enable or disable network servers from the command line For example if you wanted to guarantee the following server configuration HTTP Server Enabled HTTPS Server Disabled Telnet Server Disabled SSH Server Enabled SNM P Server Disabled Ping Replies Respond to ICMP echo requests Disabled You would need to issue the following commands from the command line to set system configuration bin config set config services http enabled on bin config del config services https enabled bin config del config services Telnet enabled bin config set config services ssh enable
245. remote Console Server end in order to verify connection s integrity and keep the connection alive The Keep Alive Interval specifies the number of seconds to wait on an idle connection before sending a keep alive message The default is 1 second The Keep Alive Timeout specifies how long VirtualPort should wait for a keep alive response before timing out the connection Disable Nagle Algorithm the Nagle Algorithm is enabled by default and it reduces the number of small packets sent by VirtualPort across the network a VirtualPort Configuration El 192 168 252 133 Properties Connection Advanced i COM9 192 176 233 8 COM11 i COM13 Receive DSR Changes V Receive DCD changes V Receive CTS changes V Propogate local port changes Emulate Baud Rate 55 Check Receive DSR DCD CTS changes if the flow control signal status from the physical serial port on Console Server is to be reflected back to the Windows COM port driver as some serial communications applications prefer to run without any hardware flow control i e in two wire mode The Propagate local port changes allows complete serial device control by the Windows application so it operates exactly like a directly connected serial COM port It provides a complete COM port interface between the attached serial device and the network providing hardware and software flow control So the baud rate etc of the rem
246. remote Syslog Server address and port details and then click Apply POWER PROTECTION Status Syslog Serial amp Network Serial Port Remote System Logging Users amp Groups Syslog Server Address Authentication Network Hosts Specify the address of the remote Syslog Server to use Trusted Networks Syslog Server Port Cascaded Ports UPS Connections Specify which port the remote Syslog Server is serving on RPC Connections Environmental Apply Alerts amp Logging Port Log Local System Logging Alerts Match Pattern SMTP amp SMS A regular expression to match against desired log lines SNMP Administration Firmware lt 14 gt Feb 12 09 50 21 cgi 20894 INFO index cgi Add a user secman E ENS lt 14 gt Feb 12 09 50 21 portmanager 388 INFO portmanager Reloading configuration a Local System Logging To view the local Syslog file gt Select Alerts amp Logging Syslog To make it easier to find information in the local Syslog file a pattern matching filter tool is provided gt Specify the Match Pattern that is to be searched for e g the search for M ount is shown below and click Apply The Syslog will then be represented with only those entries that actually include the specified pattern 12 5 Dashboard The Dashboard provides the administrator with a summary of the status of the Console Server and its M anaged Devices Custom dashboards can be co
247. ric shock the power cord protective grounding conductor must be connected through to ground Always pull on the plug not the cable when disconnecting the power cord from the socket Do not connect or disconnect the Console Server during an electrical storm Also it is recommended you use a surge suppressor or UPS to protect the equipment from transients M anual Organization This Owner s M anual covers all aspects of installation configuration and operation and an overview of the information found in the manual is provided below 1 Introduction An overview of the features of the Console Server and information on this manual 2 Installation Details physical installation of the Console Server and the interconnection of controlled devices 3 System Configuration Describes the initial installation and configuration using the Management Console of the Console Server on the network and the services that will be supported 4 Serial and Network Covers configuring serial ports and connected network hosts and setting up Users and Groups 5 Failover and OoB dial in Describes setting up the high availability access features of the Console Server 6 Secure Tunneling SDT Covers secure remote access using SSH and configuring for RDP VNC HTTP HTTPS etc access to network and serially connected devices 7 Alerts and Logging Explains the setting up of local and remote event data logs and triggering SNMP and email alerts 8 Power
248. rip Control The Console Server supports a growing list of remote power control devices RPCs which can be configured using the M anagement Console as described in Chapter 8 These RPCs are controlled using the open source NUT and PowerM an tools and the pmpower utility 15 9 1 PowerM an PowerM an provides power management in a data center or compute cluster environment It performs operations such as power on power off and power cycle via remote power controller RPC devices Target hostnames are mapped to plugs on RPC devices in powerman conf powerman power on off nodes Synopsis powerman option targets pm option targets Options 1 on Power ON targets 0 off Power OFF targets C cycle Power cycle targets r reset Assert hardware reset for targets if implemented by RPC f flash Turn beacon ON for targets if implemented by RPC u unflash Turn beacon OFF for targets if implemented by RPC list List available targets If possible output will be compressed into a host range see TARGET SPECIFICATION below g query Query plug status of targets If none specified query all targets Status is not cached each time this option is used powermand queries the appropriate RPC s 208 Targets connected to RPC s that could not be contacted e g due to network failure are reported as status unknown If possible output will be compressed into host ranges n node Query node power s
249. rname gt lt portxx gt lt username gt lt port label gt lt username gt lt ttySX gt lt username gt lt serial gt So for a user named fred to access serial port 2 when setting up the SSHTerm or the PuTTY SSH client instead of typing username fred and ssh port 3002 the alternate is to type username fred port02 or username fred ttyS1 and ssh port 22 Or by typing usernamesfred serial and ssh port 22 the user is presented with a port selection option 38 TCP RFC2217 login as testi serial Using keyhboard interactive authentication Password Connect to port i 8 gt 1 Connected on port portol Router gt This syntax enables users to set up SSH tunnels to all serial ports with only a single IP port 22 having to be opened in their firewall gateway RAW TCP allows connections directly to a TCP socket Communications programs such as PuTTY also support RAW TCP however this protocol would usually be used by a custom application For RAW TCP the default port address is IP Address _ Port 4000 serial port i e 4001 4048 RAW TCP also enables the serial port to be tunneled to a remote Console Server so two serial port devices can be transparently interconnected over a network see Chapter 4 1 6 Serial Bridging Selecting RFC2217 enables serial port redirection on that port For RFC2217 the default port address is IP Address _ Port 5000 serial port i e 5001 5048 Y
250. rogram in your B092 016 will be started an RDP connection to the Remote Desktop server in the selected computer will be opened the rdesktop window will appear on your B092 016 screen and you will be prompted for a password If the selected computer does not have RDP access enabled then the rdesktop window will not appear 224 z Configure Ea Connect Logs cs Status ats Custom E System rdesktop eae Eee sij E Control Panel O xi Fil Eni WW Fate Taos Hap ar ar Tr gt Search io Folders at Bil Address be Control Panel J gt i Si 6 D ws Vg Control Panel a BS Accessibility Add Hardware Sek or Administrative E Switch to Category View Options emo Tools D a wy See Also a be Automatic Date and Time Display Folder Options Windows Update Updates Help and Support ee Be 9 Fonts Game Internet Keyboard Controllers Options gt p Mouse Network Network Setup Phone and Connections Wizard Modem cii i Da PA start Contral Panel Pi 1 01 Pm d _ E E E E E Sas You can use Add Delete Edit to customize the rdesktop client e g to include login username passwords The command line protocol is rdesktop u windows user id p windows password g 1200x950 ms windows terminal server host name option Description a Color depth 8 16 24 Device redirection i e Redirect soun
251. rred to generically in this manual as Console Servers Once configured you will be able to use your Console Server to securely monitor access and control the computers networking devices telecommunications equipment power supplies and operating environment in your data center branch office or communications room This manual guides you in managing this infrastructure locally at the rack side or across your operations or management LAN or through the local serial console port and remotely across the Internet private network or via dial up FCC Information This is an FCC Class A product In a domestic environment this product may cause radio interference in which case the user may be required to take adequate measures This equipment has been tested and found to comply with the limits for a Class A digital device pursuant to Part 15 of the FCC Rules These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment This equipment generates uses and can radiate radio frequency energy and if not installed and used in accordance with the instruction manual may cause harmful interference to radio communications Operation of this equipment in a residential area is likely to cause harmful interference in which case the user will be required to correct the interference at his own expense RoHS This product is ROHS compliant User Notice All information
252. rs and cables may be required to interconnect your Console Server In an endeavor to create some move to standardization Tripp Lite Console Server products all use the same RJ 45 pinout convention as adopted by Cisco SUN and others Serial Port Pinout The 16 48 RJ45 connectors on the B092 016 Console Server with PowerAlert and the B096 048 016 Console Server M anagement Switch have the following pinout Input input The LOCAL console modem port on the Console Server uses a standard DB9 connector as tabled below SIGNAL DB9 Pin DEFINITION TXD 3 Transmitted Data RXD 2 Received Data RTS 7 Request To Send CTS 8 Clear To Send DSR 6 Data Set Ready GND 5 Signal Ground CD 1 Received Line Signal Detector DTR 4 Data Terminal Ready RI 9 Ring Indicator FEM ALE M ALE l 1 9pinDB9 AAAF 230 Connectors Included in Console Server The B092 016 Console Server with PowerAlert and the B096 048 016 Console Server Management Switch ship with a cross over and a straight R 45 DB9 connector for connecting to other vendor s products WIRING TABLE DS oF R45 RTS 7 RTS DB9F R 45S straight ci ae scan RXD 2 4 RXO TXD 3 s TxD GND 5 GND DTR 4 DTR CTs 4 8 TS RI 4 WIRING TABLE DEF RJ45 DB9F RJ 45S cross over sla sol connector a i a TxD 3 4 RxD RXD 3 5 TXD GND 5 GND DSR 6 7 DTR DCD i 7 DTR RTS 7 g CT RI 9 231 Appendix C End User License Agreement READ BEFORE USING THE ACCOM
253. rs checkbox to allow remote users to view and control your desktop 93 Remote Desktop Preferences Sharing a Z Allow other users to yiew your desktop 7 Allow other users to control your desktop Users can view your desktop using tis command yne viewer hoopoe elk 0 Security When a user tnes to view of control your desktop Ask you for confirmation Require the user to enter ths password Passwom re To set up a persistent VNC server on Red Hat Enterprise Linux 4 O O O O O O Set a password using vncpasswd Edit etc sysconfig vncservers Enable the service with chkconfig vncserver on Start the service with service vncserver start Edit home username vnc xstartup if you want a more advanced session than just twm For Macintosh servers and clients OSXvnc http www redstonesoftware com vnc html is a robust full featured VNC server for Mac OS X that allows any VNC client to remotely view and or control Mac OS X machine OSXvnc is supported by Redstone Software Most other operating systems Solaris HPUX PalmOS etc either come with VNC bundled or have third party VNC software that you can download Install Configure and Connect the VNC Viewer VNC is truly platform independent so a VNC Viewer on any operating system can connect to a VNC Server on any other operating system There are Viewers and Servers from a wide selection of sources e g UltraVNC TightVNC or RealVNC for most ope
254. s Power Terminal Serial DBS Port Baud Rate Flow Control Password Confirm Remote Address Local Address Default Route Custom Modem Initialization Authentication Type Number Enable Dial Out Phone Number Model Number B096 016 Current User admin Up time 0 days 3 hours 51 mins 23 secs System Dial Internal Modem Port 9600 The port speed in characters per second Hardware The method of flow control to use O Allow incoming modem communication on this port Doo The user to dial as Doo The secret to use when authenticating the user Oooo SCCi zC Re enter the users password for confirmation DOO The IP address to assign a dial in client DOO The IP address for the Dial In server O The dialed connection is to become a default route for the system D o An optional AT command sequence to initialize non standard modems O None O PAP O CHAP O MSCHAPv2 The method to use when checking the dial in users credentials P Allow an out going connection to be triggered by logging into this port The Phone Number to call back when user logs in O Allow outgoing modem communication on this port The Phone Number to call when dialing out to provide failover CCS The user to dial as DOO The secret to use when authenticating the user DOO Re enter the users password for confirmation 67 6 SECURE TUNNELING AND SDT CONN
255. s EULA Tripp Lite grants you a nonexclusive right and license to install and use the Software on a single CPU provided that 1 you may not rent lease sell sublicense or lend the Software 2 you may not reverse engineer decompile disassemble or modify the Software except and only to the extent that such activity is expressly permitted by applicable law notwithstanding this limitation and 3 you may not transfer rights under this EULA unless such transfer is part of a permanent sale or transfer of the Product you transfer at the same time all copies of the Software to the same party or destroy such materials not transferred and the recipient agrees to this EULA No license is granted in any of the Software s proprietary source code This license does not grant you any rights to patents copyright trade secrets trademarks or any other rights with respect to the Software You may make a reasonable number of copies of the electronic documentation accompanying the Software for each Software license you acquire provided that you must reproduce and include all copyright notices and any other proprietary rights notices appearing on the electronic documentation Tripp Lite reserves all rights not expressly granted herein INTELLECTUAL PROPERTY RIGHTS The Software is protected by copyright laws international copyright treaties and other intellectual property laws and treaties Tripp Lite and its suppliers retain all ownership of and intell
256. s displayed on the Nagios status screen and triggers a notification This can cause the Nagios central server itself to send out an email or an SMS page etc gt Select from the list of all configured serial ports hosts power units monitors and probes which devices this new alert is to be applied to Select Applicable Port s serial and or Applicable Host s and or Applicable UPS es and or Applicable RPC s and or Applicable EM D s and or Applicable Alarm Sensor s that are to be monitored for this alert trigger 7 2 2 Select General Alert Type Select the Alert Type Connection Signal Pattern Match UPS Status or Environment and Power that is to be monitored You can configure a selection of different Alert types and any number of specific triggers Connection Alert Connection Alert An alert will be triggered when a user connects or disconnects from the applicable Host or Serial Port Th alert type wal oniy be applied to hosts and serial parts Serial Port Signal Alert Signal Alert i An alert will be triggered when a signal changes state Thi alert type wi oni be applied to seria ports Signal Type DSR Specify which serial signal change to alert on Serial Port Pattern Match Alert Pattern Match Alert An alert will be triggered if a regular expression is found in the serial ports character Stream The alert type wil only be appled seral parts Pattern A regular expression to match against log UPS Power Stat
257. s for the power device Alerts amp Logging RPC Type N one 7 Specify the type of the connected power device Outlets System Administration Firmware IP Date amp Time Dial Services Update DHCP Server Select the outlet label to change then edit and dick update Gick Apply to commit changes to Nagios configuration i en Enter a RPC Name and Description for the RPC In Connected Via select the pre configured serial port or the network host address that connects to the RPC Select any specific labels you wish to apply to specific RPC Outlets e g the PDU may have 20 outlets connected to 20 powered devices you may wish to identify by name Power Device Outlets Outlet 1 Outlet 2 Outlet 3 Outlet 4 Outlet 5 Stanby Aircon Update Select the outlet label to change then edit and click update Cuck Apoly to conumit changes to configuration Enter the Username and Password used to login into the RPC Note that these login credentials are not related the Users and access privileges you will have configured in Serial amp Networks Users amp Groups Check Log Status and specify the Log Rate minutes between samples if you wish the status from this RPC to be logged These logs can be views from the Status RPC Status screen Click Apply The Management Console has support for a number of network and serial PDU s If your PDU is not on the default list it is simple to add
258. s license document but changing it is not allowed GNU GENERAL PUBLIC LICENSE TERMS AND CONDITIONS FOR COPYING DISTRIBUTION AND MODIFICATION 0 This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License The Program below refers to any such program or work and a work based on the Program means either the Program or any derivative work under copyright law that is to say a work containing the Program or a portion of it either verbatim or with modifications and or translated into another language Hereinafter translation is included without limitation in the term modification Each licensee is addressed as you Activities other than copying distribution and modification are not covered by this License they are outside its scope The act of running the Program is not restricted and the output from the Program is covered only if its contents constitute a work based on the Program independent of having been made by running the Program Whether that is true depends on what the Program does 1 You may copy and distribute verbatim copies of the Program s source code as you receive it in any medium provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty keep intact all the notices that refer to this License and to the absence of any warranty
259. s on the serial ports check_port_log is used to monitor the data logged for a serial port 10 4 3 Additional Plug Ins Additional Nagios plug ins listed below are available for all the Tripp Lite Console Servers 147 check_apt check_http check_nt check_snmp check _by ssh check_imap check_ntp check_spop check_clamd check_jabber check_nwstat check_ssh check_dig check_Idap check_overcr check_ssmtp check_dns check _load check_ping check_swap check_dummy check_mrtg check_pop check_tcp check_fping check_mrtgtraf check_procs check time check_ftp check_nagios check_real check_udp check_game check_nntp check_simap check_ups check_hpjd check_nntps check smtp check_users There also are bash scripts which can be downloaded and run primarily check_log sh gt To configure additional checks the downloaded plug in program must be saved in the tftp addins directory on the USB flash and the downloaded text plug in file saved in etc config gt To enable these new additional checks you select Serial amp Network Network Port then you Edit the Network Host to be monitored and select New Checks The additional check option will have been included in the updated Nagios Checks list You can again customize the arguments Check by SSH o Check CLAMD Check Dummy Check FTP Check HP JetDirect Check HTTP Check IMAP Power Device Password Check Jabber Check LDAP Power Device Username Confirm Password Log Level Nagios Settings
260. s the serial ports on the Console Server and gives examples of its use portmanager documentation Scripts and alerts Raw data access to the ports and modems This chapter also describes details how to perform advanced and custom management tasks using Linux commands and script iptables modifications and updating IP Filtering rules Modifying SNMP with net snmpd Public key authenticated SSH communications SSL configuring HTTPS and issuing certificates Using the pmpower application and powerman for power device management Using IPM I tools 184 15 1 Advanced Portmanager pmshell The pmshell command acts similarly to the standard tip or cu commands but all serial port access is directed via the portmanager Example To connect to port 8 via the portmanager pmshell port08 omshell Commands Once connected the pmshell command supports a subset of the escape commands that tip cu support For SSH you must prefix the escape with an additional command i e use the escape Send Break Typing the character sequence b will generate a BREAK on the serial port History Typing the character sequence h will generate a history on the serial port Quit pmshell Typing the character sequence will exit from pmshell Set RTS to 1 run the command pmshell rts 1 Show all signals pmshell signals DSR 1 DTR 1 CTS 1 RTS 1 DCD 0 Read a line of text from the serial port p
261. sole For information on certificate and user client software configuration refer to Chapter 9 Authentication By default HTTPS is enabled and it is recommended that only HTTPS access be used if the Console Server is to be managed over any public network e g the Internet Allows the Administrator basic browser access to the Management Console It is recommended that you disable the HTTP service if the Console Server is to be remotely accessed over the Internet Gives the Administrator Telnet access to the system command line shell Linux commands While this may be suitable for a local direct connection over a management LAN it is recommended this service be disabled if the Console Server is to be remotely administered Provides secure SSH access to the Linux command line shell It is recommended you choose SSH as the protocol when the Administrator is connecting to the Console Server over the Internet or over any other public network This will provide authenticated communications between the SSH client program on the remote Computer and the SSH sever in the Console Server For more information on SSH configuration refer to Chapter 9 Authentication Alerts amp Logging Allow access to the system command line shell via SSH Port Log SNMP Server T Alerts SE T SMTP amp SMS Allow access to the SNMP server The SNMP server is avaiable on f gig selected products only TFTP Server F Allow access to the TFTP ser
262. sses the root password and the default root password which Is default could gain access It is therefore essential that you enter and confirm a new root password before giving the Console Server any access to or control of your computers and network appliances Note It is also recommended that you set up a new Administrator user as soon as convenient and log in as this new user for all ongoing administration functions rather than root This Administrator can be configured in the admin group with full access privileges through the Serial amp Network Users amp Groups menu as detailed in Chapter 4 22 Note 3 3 TRIPP LITE ee a POWER PROTECTION System Administration Serial amp Network Serial Port System Name TL6 Users amp Grout a Authentication Network Hosts System Description Rack3F Trusted Networks Cascaded Ports UPS Connections System Password RPC Connections Environmental An ID for this device The physical location of this device The secret used to gain administration access to this device Confirm System Alerts amp Logging Password eeccccce Port Log Re enter the above password for confirmation Alerts SMTP amp SMS Apply SNMP Select System Administration Enter anew System Password then re enter it in Confirm System Password This is the new password for root the main administrative user account so it is important t
263. ssor All users can view but not edit these M anaged Device connections by selecting M anage Devices The Administrator can edit and add delete these M anaged Devices and their connections To edit an existing device and add a new connection gt Select Edit on the Serial amp Network Managed Devices and click Add Connection gt Select the connection type for the new connection Serial Network Host UPS or RPC and then select the specific connection from the presented list of configured unallocated hosts ports outlets 57 TRIPP LITE POWER PROTECTION Serial amp Network Managed Devices Serial amp Network Serial Port Add a New Device Users amp Groups Device Authentication Name Network Hosts A descriptive name for this device Trusted Networks Cascaded Ports Description Notes UPS Connections RPC Connections Environmental Managed Devices A brief description of the device Alerts amp Logging Connections Add Connection Administration SSL Certificates Apply Configuration Backup To add a new network connected M anaged Device gt The Administrator adds a new network connected M anaged Device using Add Host on the Note Serial amp Network Network Host menu This automatically creates a corresponding new M anaged Device as covered in Section 4 4 Network Hosts When adding a new network connected RPC or UPS power device
264. ssword 50 4 6 3 Configure the Slaves and their Serial Ports You can now begin setting up the Slaves and configuring Slave serial ports from the M aster Console Server _ a gt gt TRIPP LITE POWER PROTECTION Serial amp Network Cascaded Ports Serial amp Network Serial Port IP Address DNS Name Description Label Number of Locally Allocated Pa Nse s amp Groups Por Port Numbers Authenticatior No slaves currently configured Network Hosts Trusted Networks Add Slave Cascaded Ports gt Select Serial amp Network Cascaded Ports on the M aster s M anagement Console gt To add clustering support select Add Slave Note You will be prevented from adding any Slaves until you have automatically or manually generated SSH keys To define and configure a Slave gt Enter the remote IP Address or DNS Name for the Slave Console Server gt Enter a brief Description and a short Label for the Slave use a convention that enables effective management of large networks of clustered Console Servers and the connected devices gt Enter the full number of serial ports on the Slave unit in Number of Ports gt Click Apply This will establish the SSH tunnel between the M aster and the new Slave The Serial amp Network Cascaded Ports menu displays all the Slaves and the port numbers that have been allocated on the M aster If the M aster Console Server has 16 ports of its own then ports 1 16
265. ster distributed Console Servers so that a large number of serial ports up to 1000 can be configured and accessed through one IP address and managed through the one Management Console One Console Server the M aster controls other Console Servers as Slave units and all the serial ports on the Slave units appear as if they are part of the M aster Each Slave connects to the M aster with an SSH connection using public key authentication So the M aster accesses each Slave using an SSH key pair rather than using passwords ensuring secure authenticated communications So the Slave Console Server units can be distributed locally on a LAN or remotely over public networks around the world 4 6 1 Automatically Generate and Upload SSH Keys To set up public key authentication you must first generate an RSA or DSA key pair and upload them into the Master and Slave Console Servers This can all be done automatically from the M aster gt Select System Administration on M aster s Management Console gt Check Generate SSH keys automatically and click Apply TRIFP LITE POWER PROTECTION Serial amp Network Serial Port Users amp Groups Authentication To generate keys select RSA and or DSA Network Hosts RSA Keys oO Generating each set of keys will require approximately two minutes Any old keys of that type will be destroyed Functions relying on SSH keys e g Cascading may stop functioning until they are upda
266. strator and Users can also connect to the B092 016 Console Server with PowerAlert remotely as if they were plugged in locally to the KVM connectors on the B092 016 This connection will enable the remote users to run the PowerAlert software and the other thin client programs refer to Chapter 16 embedded in the Console Server Select Manage KVM Console Server TRIPP LITE POWER PROTECTION Manage KVM Console Server Serial amp Network Serial Port KVM Console Server Remote Control Users amp Groups Authentication Network Hosts Launch Standard VNC Remote Control using VNC on port 5900 Trusted Networks Click Standard VNC Remote control and a VNC Java applet will be loaded into your browser to connect to the B092 016 Console Server Then log in to the VNC applet and the Console Server refer to Chapter 16 3 for more details 165 Remote Control Disconnect Options Clipboard Send Ctri Alt Del Refresh 166 14 BASIC CONFIGURATION LINUX COMMANDS Introduction For those who prefer to configure their Console Server at the Linux command line level rather than use a browser and the M anagement Console this chapter describes how to get command line access and use the config tool to manage the system and configure the ports etc from the command line Administration Configuration System Settings and Authentication Configuration Date and Time Configuration M anually
267. t Specify the logging level that is to be maintained for that particular TDC UDP port service on that particular Host Level 0 Turns off logging for the selected TDC UDP port to the selected Host Level 1 Logs all connection events to the port Level 2 Logs all data transferred to and from the port gt Click Add then click Apply 111 8 POWER amp ENVIRONMENTAL MANAGEMENT Introduction The B095 004 003 and B092 016 Console Server and B096 048 016 Console Server Management Switch products embed software that can be used to manage connected Power Distribution Systems PDU s IPM devices and Uninterruptible Power Supplies UPS s supplied by a number of vendors and some the environmental monitoring devices B092 016 Console Server with PowerAlert also embeds Tripp Lite s PowerAlert software 8 1 Remote Power Control RPC The Console Server Management Console monitors and controls Remote Power Control RPC devices using the embedded PowerMan and NUT open source management tool RPC s include power distribution units PDU s and IPM I power devices 8 1 1 RPC Connection Serial and network connected RPC s must first be connected to and configured to communicate with the Console Server gt For serial RPC s connect the PDU to the selected serial port on the Console Server From the Serial and Network Serial Port menu configure the Common Settings of that port with the RS232 properties required by the PDU refer
268. t you are ready to continue 10 2 2 Set Up Distributed Console Servers This section provides a brief walk through on configuring a single Console Server to monitor the status of one attached network host a Windows IIS server running HTTP and HTTPS services and one serially attached device the console port of a network router and to send alerts back to the Nagios server when an administrator connects to the router or IIS server While this walk through provides an example details of the configuration options are described in the next section This walk through also assumes the network host and serial devices are already physically connected to the Console Server First step is to set up the Nagios features on the Console Server TRIPP LITE POWER PROTECTION System Nagios Serial amp Network Serial Port Enabled 7 RAA Switch on the Nagios service Authentication Network Hosts Nagios Host Name Trusted Networks Cascaded Ports UPS Connections Nagios Host Address Name of this system in Nagios Generated from System Name if unspecified g RPC Connections Address for Nagios to find this device at Defaults to Network 1 IP if set Environmental Nagios Server Address Alerts amp Logging Address of the upstream server Disable SDT for Nagios a Don t show sdt links in service status SDT Gateway Address _ External address of this system shown in sdt links Defauits to Nagios Host A
269. t http java sun com trademarks html b not do anything harmful to or inconsistent with Sun s rights in the Java Marks and c assist Sun in protecting those rights including assigning to Sun any rights acquired by Licensee in any Java Mark 237 3 Source Code Software may contain source code that unless expressly licensed for other purposes is provided solely for reference purposes pursuant to the terms of your license Source code may not be redistributed unless expressly provided for in the terms of your license 4 Third Party Code Additional copyright notices and license terms applicable to portions of the Software are set forth in the THIRDPARTYLICENSEREADME ttt file 238 Appendix D Service and Warrant Service Your Tripp Lite product is covered by the warranty described in this manual A variety of Extended Warranty and On Site Service Programs are also available from Tripp Lite For more information on service visit www tripplite com support Before returning your product for service follow these steps 1 Review the installation and operation procedures in this manual to insure that the service problem does not originate from a misreading of the instructions 2 If the problem continues do not contact or return the product to the dealer Instead visit www tripplite com support 3 If the problem requires service visit www tripplite com support and click the Product Returns link From here you can request a Retur
270. t151ab9 CN Dell Computer Corporation L Round Rock 5 Te lt gt Specify which Users will be allowed to use this connection This should be the same Users who were given Remote Desktop access privileges in the earlier step Click Next gt On the Network Connection screen select TCP IP and click Properties Incoming TCP IP Properties Teel Nene Allow callers to access my local area network TCP IP address assignment O Assign TCP IP addre Specify TCP IP addresses 169 14 13 Total Allow calling computer to specify its own IP address gt Select Specify TCP IP addresses on the Incoming TCP IP Properties screen Nominate a From and a To TCP IP address and click Next Note You can choose any TCP IP addresses as long as they are addresses which are not used anywhere else on your network The From address will be assigned to the Windows XP 2003 computer and the To address will be used by the Console Server For simplicity use the IP address as shown in the illustration above From 169 134 13 1 To 169 134 13 2 98 Alternately you can set the advanced connection and access on the Windows computer to use the Console Server defaults Specify 10 233 111 254 as the From address Select Allow calling computer to specify its own address Also you could use the Console Server default username and password when you set up the new Remote Desktop User and give this User permission to use the
271. tached serial devices all system activity and a history of the status of any attached environmental monitors UPS and PDU devices The Console Servers can also log access and communications with network attached hosts f port logs are to be maintained on a remote server then the access path to this location needs to be configured Section 7 3 Then you need to activate and set the desired levels of logging for each serial Section 7 4 and or network port Section 7 5 and or power and environment devices refer to Chapter 8 7 1 Configure SM TP SM S SNM P Nagios Alert Service The Alerts facility monitors nominated serial ports hosts UPSs PDUs EM Ds etc for trigger conditions and when triggered sends an alert notification over the nominated alert service Before setting up the alert trigger you must configure these alert services 7 1 1 Email Alerts The Console Server uses SM TP Simple M ail Transfer Protocol for sending the email alert notifications To use SMTP the Administrator must configure a valid SMTP server for sending the email gt Select Alerts amp Logging SMTP amp SMS 102 TRIPP LITE POWER PROTECTION Alerts amp Logging SMTP amp SMS Serial amp Network Serial Port SMTP Server Users amp Groups Server Authentication Network Hosts Trusted Networks Secure Connection Onone Cascaded Ports UPS Connections OTLS RPC Connections O SSL Environmenta
272. tatus of targets if implemented by RPC If no targets are specified query all targets In this context a node in the OFF state could be ON at the plug but operating in standby power mode b beacon Query beacon status if implemented by RPC If no targets are specified query all targets t temp Query node temperature if implemented by RPC If no targets are specified query all targets Temperature information is not interpreted by powerman and is reported as received from the RPC on one line per target prefixed by target name h help Display option summary L license Show powerman license information d destination host port Connect to a powerman daemon on non default host and optionally port V version Display the powerman version number and exit D device Displays RPC status information If targets are specified only RPC s matching the target list are displayed T telemetry Causes RPC telemetry information to be displayed as commands are processed Useful for debugging device scripts X exprange Expand host ranges in query responses For more details refer http linux die net man 1 powerman Also refer powermand http linux die net man 1 powermand documentation and powerman conf http linux die net man 5 powerman conf Target Specification Powerman target hostnames may be specified as comma separated or space separated hostnames or host ranges Host ranges are of the general form pref
273. ted Administrator rights via networked AAA For TACACS a priv lvl of 12 of above indicates an administrator For RADIUS administrators are indicated via the Framed Filter ID See the example configuration files below for example gt Authorization via TACACS for both serial ports and host access Permission to access resources may be granted via TACACS by indicating an appliance and a port or networked host the user may access See the example configuration files below for example TACACS Example user tim service raccess priv lvl 11 portl xxxxx port02 131 port2 192 168 254 145 port05 global cleartext mit RADIUS Example paul Cleartext Password luap Service Type Framed User Fall Through No Framed Filter lId group_name admin The list of groups may include any number of entries separated by a comma If the admin group is included the user will be made an Administrator If there is already a Framed Filter Id simply add the list of group_names after the existing entries including the separating colon 9 3 Secure Management Console Access Selecting HTTPS Server in System Services enables the Administrator to establish a secure browser connection Management Console TRIPP LITE POWER PROTECTION System Services Serial amp Network Serial Port HTTP Server Users amp Groups Authentication Network Hosts HTTPS Server v Allow access to the Management
274. ted access to the Console Server itself The Administrator can configure the services to be enabled System Name 6 Model Number B096 016 _ _ lt r EE TRIPP LITE mere fess 2 crete Up time 0 days 1 hours 27 mins 50 secs POWER PROTECTION System Services X Serial amp Network Serial Port HTTP Server A Users amp Groups Allow access to the Management Console via HTTP Authentication Network Hosts HTTPS Server Trusted Networks Allow access to the Management Console via HTTPS Cascaded Ports i UPS Connections Telnet Server oO RPC Connections Allow access to system command line shell via Telnet wir t Environmental SSH Server Alerts amp Logging Allow access to the system command line shell via SSH Port Log SNMP Server 0 Alerts SMTP amp SMS Allow access to the SNMP server The SNMP server is avaiable on TFTP Server C Allow access to the TFTP server Administration 25 gt Select System Services Then select deselect the service to be enabled disabled The following access protocol options are available HTTPS HTTP Telnet SSH Ensures secure browser access to all the Management Console menus It also allows appropriately configured Users secure browser access to selected Management Console Manage menus If HTTPS is enabled the Administrator will be able to use a secure browser connection to the Console Server s Management Con
275. ted with the new set of keys If unsure select only RSA Trusted Networks Cascaded Ports UPS Connections DSA Keys F Generate RSA Keys RPC Connections Environmental Generate DSA Keys 48 Now select whether to generate the keys using RSA and or DSA if unsure select only RSA Generating each set of keys will require approximately two minutes and the new keys will destroy any old keys of that type that may previously been uploaded Also while the new generation is under way on the master functions relying on SSH keys e g cascading may stop functioning until they are updated with the new set of keys To generate keys gt Select RSA Keys and or DSA Keys gt Click Apply TRIPP LITE POWER PROTECTION System SSH Keys Successfully generated rsa keys Click here to return gt Once the new keys have been successfully generated simply Click here to return and the keys will automatically be uploaded to the M aster and connected Slaves 4 6 2 Manually Generate and Upload SSH Keys Alternately if you have a RSA or DSA key pair you can manually upload them to the M aster and Slave Console Servers Note Ifyou do not already have an RSA or DSA key pair and you do not wish to use it you will need to create a key pair using ssh keygen PuT TYgen or a similar tool as detailed in Chapter 15 6 To manually upload the key public and private key pair to the M aster Console Server
276. teers that use the Internet to communicate plan and develop the OpenSSL toolkit and its related documentation OpenSSL is based on the excellent SSLeay library developed by Eric A Young and Tim J Hudson The OpenSSL toolkit is licensed under an Apache style license which basically means that you are free to get and use it for commercial and non commercial purposes subject to some simple license conditions In the Console Server OpenSSL is used primarily in conjunction with http in order to have secure browser access to the GUI management console across insecure networks More documentation on OpenSSL Is available from 205 http www openssl org docs apps openssl html http www openssl org docs HOW TO certificates txt 15 8 HTTPS The Management Console can be served using HTTPS by running the webserver via sslwrap The server can be launched on request using inetd The HTTP server provided is a slightly modified version of the fnord httpd from http www fefe de fnord The SSL implementation is provided by the sslwrap application compiled with OpenSSL support M ore detailed documentation can be found at http www rickk com sslwrap If your default network address is changed or the unit is to be accessed via a Known Domain Name you can use the following steps to replace the default SSL Certificate and Private Key with ones tailored for your new address 1 Generating an Encryption Key To create a 1024 bit RSA key w
277. temperature humidity and probe status alerts using Alerts amp Logging Alerts refer to Chapter 7 8 3 3 Environmental Status You can monitor the current status of all of EM Ds and their probes 124 Select the Status Environmental Status menu and a table with the summary status of all connected EM D hardware will be displayed Click on View Log or select the Environmental Logs menu and you will be presented with a table and graphical plot of the log history of the selected EM D System Name TL6 Model Number B096 016 p S a TRIPP LITE Firmware Rev 2 6 1u1 Current User oot Up time 1 days 4 hours 17 mins 4 secs POWER PROTECTION Status Environmental Status Serial amp Network Serial Port Users amp Groups Environmental Status Environmental Logs Authentication Network Hosts EMD Engineering Temperature Graph Trusted Networks Cascaded Ports UPS Connections RPC Connections Environmental Alerts amp Logging Port Log Alerts 20 48 20 45 SMTP amp SMS E Temperature W Humidity SNMP Administration EMD Engineering Log Firmware IP Time Temperature Humidity Alarm 1 Alarm 2 Alert Status Date amp Time Fri Jan 16 20 37 05 24 51 Open 0 Open 0 Normal Dial 2009 Services DHCP Server Fri Jan 16 20 38 05 24 47 Open 0 Open 0 Normal Nagios 2009 125 9 AUTHENTICATION Introduction The Tripp Lite
278. tform management and its primary purpose is to handle the autonomous sensor monitoring and event logging features The ipmitool program provides a simple command line interface to this BMC It features the ability to read the sensor data repository SDR and print sensor values display the contents of the System Event Log SEL print Field Replaceable Unit FRU inventory information read and set LAN configuration parameters and perform remote chassis power control Synopsis ipmitool c h v V I open lt command gt ipmitool c h v V I lan H lt hostname gt p lt port gt l 212 U lt username gt A lt authtype gt L lt privivl gt a E P f lt password gt 0 lt oemtype gt lt command gt ipmitool c h v V I lanplus H lt hostname gt p lt port gt l U lt username gt L lt privivl gt a E P f lt password gt 0 lt oemtype gt C lt ciphersuite gt lt command gt Description This program lets you manage Intelligent Platform M anagement Interface IPM I functions of either the local system via a kernel device driver or a remote system using IPM I V1 5 and IPM v2 0 These functions include printing FRU information LAN configuration sensor readings and remote chassis power control IPM I management of a local system interface requires a compatible IPM I kernel driver to be installed and configured On Linux this driver is called OpenIP
279. th a table of authorized users Whilst most common PAP is the least secure of the authentication options CHAP Challenge Handshake Authentication Protocol CHAP is used to verify a user s name and password for PPP Internet connections It is more secure than PAP the other main authentication protocol M SCHAPv2 Microsoft Challenge Handshake Authentication Protocol MSCHAP is authentication for PPP connections between a computer using a Microsoft Windows operating system and a network access server It is more secure than PAP or CHAP and is the only option that also supports data encryption gt Console Servers all support dial back for additional security Check the Enable Dial Back box and enter the phone number to be called to re establish an OoB link once a dial in connection has been logged 5 1 2 Using SDT Connector Client for Dial In Administrators can use their SDT Connector client to set up secure OoB dial in access to all their remote Console Servers With a point and click you can initiate a dial up connection Refer to Chapter 6 5 5 1 3 Set Up Windows XP 2003 Vista 7 Client for Dial In gt Open Network Connections in Control Panel and click the New Connection Wizard New Connection Wizard 62 VV V WV 5 1 4 New Connection Wizard Network Connection Type Ni do you want to do Connect to the Intemet Connect to the Intemet so you can browse the Web and read email Connect to the network at my
280. th launching the client application SDT Connector typically launches a client using command line arguments to point it to the local endpoint of the redirection There are three special keywords for specifying the command line format When launching the client SDT Connector substitutes these keywords with the appropriate values path is path to the executable file i e the previous field host is the local address to which the local endpoint of the redirection is bound i e the Local Address field for the Service redirection Advanced options port is the local port to which the local endpoint of the redirection is bound i e the Local TCP Port field for the Service redirection Advanced options If this port is unspecified i e Any the appropriate randomly selected port will be substituted For example SDT Connector is preconfigured for Windows installations with a HTTP service client that will connect with whichever local browser the local Windows user has configured as the default Otherwise the default browser used Is Firefox 1I Ge Tripp Lite SDTConnector Fite Edit Help CE SDTConnector Preferences q G Edit Client Client name HTTP browser Path to client executable file rundll32 url dll FileProtocolHandler F Browse Command line format for client executable Jepath http host port ey OK I Cancel Also some clients are launche
281. that shows the current alerts status When an alert gets triggered a corresponding XML file is created in var run alerts The dashboard scans all these files and displays a Summary status in the alerts widget When an alert is deleted the corresponding XML files that belong to that alert are also deleted To configure what is to be displayed by each widget Go to the Configure widgets panel and configure each selected widget e g specify which UPS status is to be displayed on the UPS widget or the maximum number of M anaged Devices to be displayed in the devices widget Click Apply Note Dashboard configuration is stored in the etc config config xml file Each configured dashboard will increase the config file If this file gets too big you can run out of memory space on the Console Server 12 5 2 Creating Custom Widgets for the Dashboard To run a custom script inside a dashboard widget 160 Create a file called widget lt name gt sh in the folder etc config scripts where lt name gt can be anything You can have as many custom dashboard files as you want Inside this file you can put any code you wish When configuring the dashboard choose widget lt name gt sh in the dropdown list The dashboard will run the script and display the output of the script commands directly on the screen inside the specific widget The best way to format the output would be to send HTML commands back to the browser by adding echo com
282. thernet LAN Serially connected device COM Port connected N e g security appliance control PC NaS LS gt You may secure the communications over the local Ethernet by enabling SSH however you will need to generate and upload keys refer to Chapter 14 Advanced Configuration 4 1 7 Syslog In addition to built in logging and monitoring which can be applied to serial attached and network attached management accesses as covered in Chapter 7 Alerts and Logging the Console Server can also be configured to support the remote syslog protocol on a per serial port basis gt Select the Syslog Facility Priority fields to enable logging of traffic on the selected serial port to a syslog server and to appropriately sort and action those logged messages i e redirect them send alert email etc Syslog Settings Syslog Fact Syslog facility to use on logging messages Syslog Priority Default Syslog priority level to use on logging messages For example if the computer attached to serial port 3 should never send anything out on its serial console port the Administrator can set the Facility for that port to local0 local0 local7 are meant for site local values and the Priority to critical At this priority if the Console Server syslog server does receive a message it will automatically raise an alert Refer to Chapter 7 4 2 Add Edit Users The Administrator uses this menu selection to set up edit
283. though not very user friendly freeware implementation of SSH for Win32 and UNIX platforms SSHTerm is a useful open source SSH communications package SSH Tectia is a leading end to end commercial communications security solution for the enterprise Reflection for Secure IT formerly F Secure SSH is another good commercial SSH based security solution By way of example the steps below show the establishment of an SSH connection and then forwarding the RDP port over this SSH connection using the PuTTY client software lt PuTTY Configuration Basic options for your PuTTY session A Specify your connection by host name or P address A i oa Host Name for IP address Port Features Protocol E Window Raw O Tena Rogn SSH earnce RE Load save or delete a stored session Trandation Saved Sessions Selection Colours Default Settings E Connection Close window on exit O Awas Never Only on clean exit mn Under the Session tab enter the IP address of the Console Server in the Host Name or IP address field For dial in connections this IP address will be the Local Address that you assigned to the Console Server when you set it up as the Dial In PPP Server For Internet or local VPN connections connections this will be the public IP address of the Console Server Select the SSH Protocol and the Port will be set as 22 Under the SSH gt Tunnels tab Add new forwarded port specifying the Source p
284. three sessions the console session and two other general sessions Therefore more than one user can have an active session ona single computer When the remote user connects to the accessed computer on the console session Remote Desktop automatically locks that computer So no other user can access the applications and files When you come back to the computer you can unlock it by typing CTRL ALT DEL 6 8 2 Configure the Remote Desktop Connection Client Now that you have the Client computer securely connected to the Console Server either locally or remotely thru the enterprise VPN or a secure SSH internet tunnel or a dial in SSH tunnel you are ready to establish the Remote Desktop connection from the Client To do this you simply enable the Remote Desktop Connection on the remote client computer then point it to the SDT Secure Tunnel port in the Console Server A OnaWindows client computer gt Click Start Point to Programs then to Accessories then Communications and click Remote Desktop Connection 89 28 Remote Desktop Connection gt In Computer enter the appropriate IP Address and Port Number Where there is a direct local or enterprise VPN connection enter the IP Address of the Console Server and the Port Number of the SDT Secure Tunnel for the Console Server s serial port the one that is attached to the Windows computer to be controlled For example if the Windows computer is connected to serial Port 3 o
285. tirely independent of SDT Connector and the SSH gateway You must configure the 87 SSH client that SDT Connector launches e g Putty OpenSSH and the host s SSH server for public key authentication Essentially what you are using Is SSH over SSH and the two SSH connections are entirely separate 6 8 Setting up SDT for Remote Desktop Access M icrosoft s Remote Desktop Protocol RDP enables the system manager securely to access and manage remote Windows computers to reconfigure applications and user profiles upgrade the server s operating system reboot the machine etc Secure Tunneling uses SSH tunneling so this RDP traffic is securely transferred through an authenticated and encrypted tunnel SDT with RDP also allows remote Users to connect to Windows XP Vista Windows 2003 computers and to Windows 2000 Terminal Servers and to have access to all of the applications files and network resources with full graphical interface just as though they were in front of the computer screen itself To set up a secure Remote Desktop connection you must enable Remote Desktop on the target Windows computer that is to be accessed and configure the RPD client software on the client computer 6 8 1 Enable Remote Desktop on the Target Windows Computer to be Accessed To enable Remote Desktop on the Windows computer being accessed gt Open System in the Control Panel and click the Remote tab System Properties General Computer Name Hardware
286. to Chapter 4 1 1 Common Settings Then select RPC as the Device Type gt Similarly for each network connected RPC go to Serial amp Network Network Hosts menu and configure the RPC as a connected Host Device Settings Device Type RPC v Specify the device type Apply this setting then use the RPC Connections page to configure the attached power controller gt Select the Serial amp Network RPC Connections menu This will display all the RPC connections that have already been configured TRIPP LITE POWER PROTECTION Serial amp Network RPC Connections Serial amp Network Serial Port Remote Power Controllers Users amp Groups Name Description RPC Type Connected Via Log Authentication Status Network Hosts w Tita hetwaks No RPCs have been configured Cascaded Ports UPS Connections Add RPC RPC Connections 112 gt Click Add RPC Note ar TRIPP LITE Firmware Rev 2 6 1u1 Current User e Up time 1 days 54 POWER PROTECTION Serial amp Network RPC Connections Serial amp Network Serial Port Add RPC Users amp Groups Name Authentication Network Hosts A descriptive name for the power device Trusted Networks Description Cascaded Ports UPS Connections A brief description for the power device RPC Connections Connected Via E lt Environmental Serial Port 1 Specify the serial port or network host addres
287. to flash and reboots the unit The unit will take a few minutes to boot into FIPS mode To disable FIPS mode config d config system fips rm etc config FIPS flatfsd b 155 12 STATUS REPORTS Introduction This chapter describes the selection of status reports that are available for review Port Access and Active Users Statistics Support Reports Syslog UPS Status Dashboard 12 1 Port Access and Active Users The Administrator can see which Users have access privileges to each serial port gt Select the Status Port Access System Name TLE Model Number B096 016 TRIPP LITE Firmware Rev 2 6 1u1 Current User Up time 1 days 2 hours 48 mins gt POWER PROTECTION Status Port Access Serial amp Network Serial Port Users amp Groups User From 1 2 3 4 5 G6 7 8 9 10 ii 12 13 14 15 16 Authentication Network Hosts Trusted Networks secman Anywhere N N Y N N N N N N NWN N N N N N N admin Anywhere x Y Y yi ut Y Y Y Y X a Y Y Hf N w Cascaded Ports UPS Connections RPC Connections Environmental Anywhere Accessible from any IP address Alerts amp Logging Anyone No username is required for access Port Log Legend The Administrator can also see the current status to identify which Users have an active session on each port Select the Status Active Users 12 2 Statistics The Statistics report provides a snapshot of the data traffic and other activities a
288. to the local display or VNC session PowerAlert Console Apply gt Click Apply As you apply your services selections the screen will be updated with a confirmation message Message Changes to configuration succeeded 3 5 Communications Software You need to configure the access protocols that the communications software on the Administrator and User Computer will use when connecting to the Console Server and when connecting to serial devices and network hosts which are attached to the Console Server This section provides an overview of the communications software tools that can be used on the remote computer Tripp Lite recommends the SDT Connector software tool that is provided with the Console Server however generic tools such as PUTTY and SSHTerm may also be used 3 5 1 SDT Connector We recommend using the SDT Connector communications software for all communications with Console Servers Each Console Server is supplied with an unlimited number of SDT Connector licenses to use with that Console Server SDT Connector is a lightweight tool that enables Users and Administrators to securely access the Console Server and the various computers network devices and appliances that may be serially or network connected to the Console Server SDT Connector can be installed on Windows 2000 XP 2003 Vista and on most Linux UNIX and Solaris computers as detailed in Chapter 7 3 5 2 PuTTY Communications packages like PuTT
289. tration Primary DNS gt A statically assigned primary name server Date amp Time Secondary DNS Dial SeNi A statically assigned secondary name server DHCP Server Media Auto Iv The Ethernet media type Failover Interface Management LAN lan A E sh ps e configured and enabled for failover to Active Users Statistics A Serial DB9 Port sercon DISABLED ad a Report pirat Probe Internal Modem Port modem01 DISABLED Syslog ress x aa l UPS Status The address of the first peer to probe for connectivity detection A T A 192 168 0 1 Environmental Status Address The address of the second peer to probe for connectivity detection Devices gt When configuring the principal network connection on the System IP Network Interface menu select Management LAN eth1 as the Failover Interface to be used when a fault has been detected with main Network Interface eth0 gt Specify the Probe Addresses of two sites the Primary and Secondary that the B096 048 016 is to ping to determine if Network eth0 Is still operational POWER PROTECTION Serial amp Network Serial Port Users amp Groups Authentication Network Hosts Trusted Networks Cascaded Ports UPS Connections RPC Connections Environmental Alerts amp Logging Port Log Alerts SMTP amp SMS SNMP Administration Firmware IP Date amp Time Dial Ser
290. ts is accessed gt Select Serial and Network Authentication and check TACAS or LocalTACACS or TACACSLocal or TACACSDownLocal TACACS Authentication and Authorisation Server Address Comma seperated list of remote authentiction and authorisation servers accounting Server Address Comma seperated list of remote accounting servers If unset Authentication and Authorisation Server Address will be used Server Password The shared secret allowing access to the authentication server Confirm Password Re enter the above password for confirmation gt Enter the Server Address IP or host name of the remote Authentication Authorization server M ultiple remote servers may be specified in a comma separated list Each server is tried in succession gt Inaddition to multiple remote servers you can also enter for separate lists of Authentication Authorization servers and Accounting servers If no Accounting servers are specified the Authentication Authorization servers are used Instead gt Enter the Server Password gt Click Apply TACAS remote authentication will now be used for all user access to Console Server and serially or network attached devices TACACS The Terminal Access Controller Access Control System TACACS security protocol is a recent protocol developed by Cisco It provides detailed accounting information and flexible 127 administrative control over the authentication and authorization processes
291. ts of a single SSH port redirection and a local client to access it However it may consist of several redirections some or all of which may have clients associated with them An example is the Dell RAC service The first redirection is for the HTTPS connection to the RAC server it has a client associated with it web browser that is launched immediately upon clicking the button for this service 75 The second redirection is for the VNC service that the user may choose to launch later from the RAC web console It automatically loads in a Java client served through the web browser so it does not need a local client associated with it R Tripp Lite SDTConnector We Edit Help Sse Service Name Dell RAC ies Local gt Remote Port Redirections RDP TCP any gt 443 TCP 3668 gt 3668 Le Remove gt On the Add Service screen you can click Add as many times as needed to add multiple new port redirections and associated clients You may also specify Advanced port redirection options gt Enter the local address to bind to when creating the local endpoint of the redirection It is not usually necessary to change this from localhost gt Enter a local TCP port to bind to when creating the local endpoint of the redirection If this is left blank a random port will be selected R Tripp Lite SDTConnector File Edit Help _ R Edit Port Redirection General e
292. u wish to configure as a group POWER PROTECTION Serial amp Network Serial Port Serial amp Network Serial Port Users amp Groups Authentication Network Hosts Trusted Networks Cascaded Ports UPS Connections Ports 1 8 Ports 9 16 Port Label Mode Logging Parameters Flow Control RPC Connections Level Environmental 1 Port 1 Console Unconfigured 0 9600 8 N 1 None Edit Alerts amp Logging Port Log 2 Port 2 Console Unconfigured 0 9600 8 N 1 None Edit Alerts 3 Port 3 Console Unconfigured 0 9600 8 N 1 None Edit SMTP amp SMS SNMP 4 Port 4 Console Unconfigured 0 9600 8 N 1 None Edit 5 Port 5 Console Unconfigured 0 9600 8 N 1 None Edit Administration 6 Port 6 Console Unconfigured 0 9600 8 N 1 None Edit Firmware IP 7 Port 7 Console Unconfigured 0 9600 8 N 1 None Edit Date amp Time i 8 Port 8 Console Unconfigured 0 9600 8 N 1 None Edit Dial gt When you have configured the common settings and the mode for each port set up any remote syslog Chapter 4 1 7 then click Apply gt If the Console Server has been configured with distributed Nagios monitoring enabled then you will also be presented with Nagios Settings options to enable nominated services on the Host to be monitored refer to Chapter 10 Nagios Integration 4 1 1 Common Settings There are a number of common settings available for each serial port These are inde
293. ualPort Clients Console Serial Port a ea Devices L FF Sa pplication VirtualPort is supplied with each B096 016 B096 048 Console Server Management Switch or B092 016 Console Server with PowerAlert or B095 003 1E M B095 004 1E Console Server You are licensed to install VirtualPort on one or more computers for accessing any serial device connected to any Tripp Lite Console Server port 4 7 1 Install VirtualPort Client 52 VirtualPort is fully compatible with 32 bit and 64 bit versions of Windows NT 4 x Windows XP Windows 2000 Windows 2003 Windows 2008 Windows Vista and 64 bit and Windows 7 The installation process is simple gt The VirtualPort_setup exe program is included on the CD supplied with your Console Server or a copy can be freely downloaded from the ftp site Double click the VirtualPort_ setup exe file to start the installation process C VirtualPort 1 0 Setup Welcome to the VirtualPort 1 0 Setup Wizard This wizard will quide you through the installation of Opengear VirtualPort 1 0 It is recommended that you close all other applications before starting Setup This will make it possible to update relevant system files without having to reboot your computer Click Next to continue Next gt Cancel gt Read the License Agreement then follow the prompts to select the destination path and choose the shortcuts you wish to create Once the installer completes you w
294. undW ork http www groundworkopensource com Nagios takes some time to install and configure but once it is up and running it provides an outstanding network monitoring system With Nagios you can Display tables showing the status of each monitored server and network service in real time Use a wide range of freely available plug ins to make detailed checks of specific services e g don t just check if a database is accepting network connections check that it can actually validate requests and return real data Display warnings and send warning e mails pager or SMS alerts when a service failure or degradation Is detected Assign contact groups who are responsible for specific services in specific time frames 134 10 2 Central Management The Nagios solution has three parts the Central Nagios server Distributed Console Servers and the SDT for Nagios software Central Nagios eas Server Mey Distributed console servers Client Central Nagios server Avanilla Nagios 2 x or 3 x installation typically on a Linux server Generally running on a blade PC virtual machine etc at a central location Runs a web server that displays the Nagios GUI Imports configuration from distributed Console Servers Distributed Console Servers B096 016 B096 048 or B092 016 Console Servers Serial and network hosts are attached to each Console Server Each runs Nagios plug ins NRPE and NSCA add ons
295. us Alert UPS Power Status Alert An alert will be triggered when the UPS power status changes between on line on battery and low battery Thi alert type wil ani be anoled ta LUiPSes Environmental Sensor Alert gt Connection Alert This alert will be triggered when a user connects or disconnects from the applicable Host or Serial Port or when a Slave connects or disconnects from the applicable UPS gt Serial Port Signal Alert This alert will be triggered when the specified signal changes state and is applicable to serial ports only You must specify the particular Signal Type DSR DCD or CTS trigger condition that will send a new alert 107 gt Serial Port Pattern Match Alert This alert will be triggered if a regular expression is found in the serial ports character stream that matches the regular expression you enter in the Pattern field This alert type will only be applied serial ports gt UPS Power Status Alert This alert will be triggered when the UPS power status changes between On Line On Battery and Low Battery This alert type will only be applied to UPSs gt Environment and power alert Refer to next section for details on selecting and configuring this alert type 7 2 3 Configuring Environment and Power Alert Type This alert type will be applied to any UPS s RPC s and EMD temperature and humidity sensors you have nominated Environmental Sensor Alert Environmental F Sensor Alert An alert wi
296. user group Any user in this class is referred to generically in this manual as an Administrator An Administrator can access and control the Console Server using the config utility the Linux command line or the browser based Management Console By default the Administrator has access to all services and ports to control all the serial connected devices and network connected devices hosts Users Embraces those who have been set up by the Administrator with specific limits on their access and control authority These users are set up as members of the users user group or some other user groups the Administrator may have added They are only authorized to perform specified controls on specific connected devices and are referred to as Users These Users when authorized can access serial or network connected devices and control these devices using the specified services e g Telnet HHTPS RDP IPM I Serial over LAN Power Control An authorized User can also use the Management Console to access configured devices and review port logs In this manual when the term user lower case Is used it is referring to both the above classes of users This document also uses the term remote users to describe users who are not on the same LAN segment as the Console Server These remote users may be Users who are on the road connecting to managed devices over the public Internet or it may be an Administrator in another office connecting to the Console Serve
297. username p Override the configured password on This action switches the specified device or outlet s ON off This action switches the specified device or outlet s OFF cycle This action switches the specified device or outlet s OFF and ON again status This action retrieves the current status of the device or outlet Examples To turn outlet 4 of the power device connected to serial port 2 on pmpower port02 o 4 on To turn an IPM device located at IP address 192 168 1 100 to OFF where username is root and password is calvin pmpower r 192 168 1 100 u root p calvin off Default system Power Device actions are specified in etc powerstrips xml Custom Power Devices can be added in etc config powerstrips xml If an action is attempted which has not been configured for a specific Power Device pmpower will exit with an error 15 9 3 Adding New RPC Devices There are two simple paths to adding support for new RPC devices 210 The first is to have scripts to support the particular RPC included in the open source PowerM an project http sourceforge net projects powerman The PowerM an device specifications are unusual and it is suggested that you leave the actual writing of these scripts to the PowerM an authors However documentation on how they work can be found at http linux die net man 5 powerman dev Once the new RPC support has been built into the PowerM an we will include the updated PowerM an build i
298. ustomarily used for software interchange or b Accompany it with a written offer valid for at least three years to give any third party for a charge no more than your cost of physically performing source distribution a complete machine readable copy of the corresponding source code to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange or c Accompany it with the information you received as to the offer to distribute corresponding source code This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer in accord with Subsection b above The source code for a work means the preferred form of the work for making modifications to it For an executable work complete source code means all the source code for all modules it contains plus any associated interface definition files plus the scripts used to control compilation and installation of the executable However as a special exception the source code distributed need not include anything that is normally distributed in either source or binary form with the major components compiler kernel and so on of the operating system on which the executable runs unless that component itself accompanies the executable If distribution of executable or object code is made by offering access to copy from a designated place then offering equivale
299. ver Administration Firmware Ping Replies IP Respond to incoming ICMP echo requests Date amp Time Dial Alternate Telnet Services Base a e ees Sao A secondary TCP port range for Telnet access to serial ports Thi amp in C Server PE i feo ee DHCP Server addition to the default port 2000 Nagios Alternate SSH Base Port Access Active Users Statistics Support Report Syslog UPS Status RPC Status Alternate Raw TCP Base Alternate RFC A secondary TCP port range for SSH access to serial ports Th 6 in addition to the default port 3000 A secondary TCP port range for raw TCP access to serial ports Thi amp in addition to the default port 4000 Environmental Status 2217 Base gt aR T A secondary TCP port range for RFC 2217 access to serial ports Th amp Manage in addition to the default port 5000 Devices Alternate Port Logs Unauthenticated Host Loas Telnet Base A secondary TCP port range for Unauthenticated Telnet access to serial a ports 7his amp in addition to the default port 6000 Terminal Apply 26 gt There are also a number of related service options that can be configured at this stage SNM P TFTP Ping Enables netsnmp in the Console Server which will keep a remote log of all posted information SNMP is disabled by default To modify the default SNMP settings the Administrator must make the edits at the command
300. vices DHCP Server Naning Network Interface System Name Model Number Firmware Rev Current User Up time 0 days 3 hours 35 mins 8 secs Management LAN Interface General Settings d Deactivate this network interface IP Settings Management LAN Currently Failover for Network Interface Configuration Method IP Address Subnet Mask Gateway Primary DNS DHCP O Static The mechanism to acquire IP settings A statically assigned IP address A statically assigned network mask A statically assigned gateway A statically assigned primary name server 65 gt Then configure Management LAN Interface eth1 with the same IP setting that you used for the main Network Interface eth0 to ensure transparent redundancy Redundant LAN connection NETWORK 1 2 Serially connected consoles Management network In this mode Network 2 eth1 is available as the transparent back up port to Network 1 eth0 for accessing the management network Network 2 will automatically and transparently take over the work of Network 1 if for any reason Network 1 becomes unavailable And when Network 1 becomes available again it takes over the work again 5 4 Dial Out Failover The Console Servers can be configured so a dial out PPP connection is automatically set up in the event of a disruption in the principal management network gt When configuring
301. will be presented with a table of the history and detailed graphical information on the select RPC gt Click Manage to query or control the individual power outlet This will take you to the Manage Power screen 8 1 4 User Power Management The Power Manager enables both Users and Administrators to access and control the configured serial and network attached PDU power strips and servers with embedded IPM service processors or BM C s POWO POOTECTTON Target Part 1 Seached COLI utet Ouilata jt Select y power iama to Tarde aol Tur Cin Tuer CHE 3 Cyee GS Status Petar mn ection on Che prer deve Dullkels Ho existing status che Last setien may for be compleced gt Select the Manage Power and the particular Target power device to be controlled or click Manage on the Status RPC Status menu 114 gt The outlet status is displayed You can initiate the desired Action to be taken by selecting the appropriate icon Power ON Power OFF cJ Power Cycle Power Status You will only be presented with icons for those operations that are supported by the Target you have selected 8 2 Uninterruptible Power Supply Control UPS The Console Servers manage UPS hardware using Network UPS Tools refer Section 8 2 6 for an overview of embedded open source Network UPS Tools NUT software 8 2 1 Managed UPS Connections A Managed UPS is a UPS that is connected by serial or USB ca
302. wing procedure to configure the LDAP authentication method to be used whenever the Console Server or any of its serial ports or hosts is accessed gt Note Select Serial and Network Authentication and check LDAP or LocalLDAP or LDAPLocal or LDAPDownLocal LDAP Server address Comma seperated list of remote servers Server Password OOOO O The shared secret allowing access to the authentication server Confirm Password Re enter the above password for confirmation LDAP Base DN The distinguished name of the search base For example dc my company dc caom LDAP Bind DN The distinguished name to bind to the server with The default is to bind anonymously Enter the Server Address IP or host name of the remote Authentication server M ultiple remote servers may be specified in a comma separated list Each server is tried in succession Enter the Server Password To interact with LDAP requires that the user account exist on our Console Server to work with the remote server i e you can t just create the user on your LDAP server and not tell the Console Server about it You need to add the user account Click Apply LDAP remote authentication will now be used for all user access to Console Server and serially or network attached devices 129 LDAP The Lightweight Directory Access Protocol LDAP is based on the X 500 standard but is significantly simpler and more readily adapted to meet custom needs The core LDAP
303. witch and on the side panel of the B095 004 003 Console Server All physical connections are made using industry standard Cat5e patch cables Tripp Lite N001 and N002 series cables Ensure you only connect the LAN port to an Ethernet network that supports 10Base T 100Base T For the initial configuration of the Console Server you must connect a computer to the Console Server s principal network port 2 4 Serial Port Connection The RJ45 serial ports are located on the rear of the B092 016 Console Server on the front of the B096 048 016 Console Server Management Switch and on the side panel of the B095 004 003 Console Server These Console Servers use the RJ45 pinout used by Cisco Use straight through RJ45 cabling to connect to equipment such as Cisco Juniper SUN and more PIN SIGNAL DEFINITION DIRECTION CTS Clear To Send Input DSR Data Set Ready Input 3 RXD Receive Data Input 4 GND Signal Ground NA 5 GND Signal Ground NA 6 TXD Transmit Data Output 7 DTR Data Terminal Ready Output 8 RTS Request To Send Output Conventional Cat5 cabling with RJ 45 jacks are used for serial connections Before connecting the console port of an external device to the Console Server serial port confirm that the device supports standard RS 232C EIA 232 The Console Server also has a DB9 LOCAL Console Modem port This DB 9 connector is on the rear panel of the B092 016 Console Server and on the front panel of the B096 048 016 Console Server
304. workplace Connect to a business network using dial up or VPN so you can work from home a field office or another location Set up a home or small office network Connect to an existing home or small office network or set up a new one Set up an advanced connection Connect directly to another computer using your serial parallel or infrared port or set up this computer so that other computers can connect to it Select Connect to the Internet and click Next On the Getting Ready screen select Set Up My Connection Manually and click Next On the Internet Connection screen select Connect Using a Dial Up Modem and click Next Enter a Connection Name any name you choose and the dial up Phone Number that will connect thru to the Console Server modem New Connection Wizard Internet Account Information You will need an account name and password to sign in to your Intemet account Type an ISP account name and password then write down this information and store it in a safe place If you have forgotten an existing account name or password contact your ISP User name Password Confirm password _ Use this account name and password when anyone connects to the Intemet from this computer _ Make this the default Intemet connection Enter the PPP User Name and Password for have set up for the Console Server Set Up Earlier Windows Clients for Dial In For Windows 2000 the PPP client set up pro
305. y simply activating the VNC Viewer software on the Viewer computer and entering the password 95 Password MHM Note For general background reading on Remote Desktop and VNC access we recommend the following The Microsoft Remote Desktop How To http www microsoft com windowsxp using mobility getstarted remoteintro mspx The Illustrated Network Remote Desktop help page http theillustratednetwork mvps org RemoteDesktop RemoteDesktopSetupand I roubleshooting ht ml What is Remote Desktop in Windows XP and Windows Server 2003 by Daniel Petri http www petri co il what s remote desktop htm Frequently Asked Questions about Remote Desktop http Awww microsoft com windowsxp using mobility rdfag mspx Secure remote access of a home network using SSH Remote Desktop and VNC for the home user http theillustratednetwork mvps org RemoteDesktop SSH RDP VNC RemoteDesktopVNCandSSH html Taking your desktop virtual with VNC Red Hat magazine http www redhat com magazine O06apr05 features vnec and http Awww redhat com magazine 007may05 features vnc Wikipedia general background on VNC http en wikipedia org wiki VNC 6 10 Using SDT to IP Connect to Hosts that are Serially Attached to the Gateway Network IP protocols like RDP VNC and HTTP can also be used to connect to host devices that are serially connected through their COM port to the Console Server To do this you must establish a PPP connection Section 6 7 1 b
306. y where to store log in Administrator The login name required for remote server r J The secret required to access the remote server kasa Re type the above secret for confirmation Daemon The facility field to include in syslog messages Info x The priority field to include in syslog messages In Console Server mode activity logs of all serial port activity can be maintained These records are stored on an off server or in the Console Server flash memory Specify which serial ports are to have activities recorded and to what level data Is to be logged Console Server Settings Console Server Mode Logging Level Telnet O Enable remote network access to the console at this serial port level 0 Disabled v level 0 Disabled level 1 user connects disconnects to port level 2 input output logging on ports level 1 Enable Telnet access O Enable SSH access gt Select Serial amp Network Serial Port and Edit the port to be logged gt Specify the Logging Level of for each port as Level 0 Turns off logging for the selected port Level 1 Logs all connection events to the port Level 2 Logs all data transferred to and from the port and all changes in hardware flow control status and all User connection events gt Click Apply Note Acache of the most recent 8K of logged data per serial port is maintained locally in addition to the Logs which
307. ys file Make sure there is only one line of text in this file Use WinSCP to copy this authorized_keys file into the users home directory eg etc config users testuser ssh authorized_keys of the Console Server which will be the SSH server You will need to make sure this file is in the correct format with the correct permissions with the following commands dos2unix etc config users testuser ssh authorized_keys amp amp chown testuser etc config users testuser ssh authorized_keys Using WinSCP copy the attached sshd_config over etc config sshd_config on the server M akes sure public key authentication is enabled Test the Public Key by logging in as testuser Test the Public Key by logging in as testuser to the client device and typing you should not need to enter anything ssh o StrictHostKeyChecking no lt Server ip gt To automate connection of the SSH tunnel from the client on every power up you need to make the clients etc config rc local look like the following 1 bin sh ssh L9001 127 0 0 1 4001 N o StrictHostkKeyChecking no testuser lt Server ip gt amp This will run the tunnel redirecting local port 9001 to the server port 4001 15 6 6 Fingerprinting Fingerprints are used to ensure you are establishing an SSH session to who you think you are On the first connection to a remote server you will receive a fingerprint which you can use on future connections This fingerprint is relat
Download Pdf Manuals
Related Search