Manuel d'utilisation / d'entretien du produit LES1432A du fabricant Black Box
Aller à la page of 286
B L A C K B O X ® S e c u r e l y m a n a g e d a t a c e n t e r a n d n e tw o r k equ ipm en t f rom an y where in the wo rld. V alue-Line and Advanced Console Servers User’ s Manual L E S110 8 .
72 4 - 7 4 6 -5500 | blac kbox. com 72 4 - 7 4 6 -5500 | blac kbox. com Pa ge 2 V alue- Lin e and Adv anc ed Console Ser vers Man ua l T rademarks Used in this Manual Black Box and the D ouble Diamond lo go are registered trademarks of B B T echnologies, Inc.
72 4 - 7 4 6 -5500 | blac kbox. com 72 4 - 7 4 6 -5500 | blac kbox. com Pa ge 3 V alue- Lin e and Adv anc ed Console Ser vers Man ua l W e ‘ re h er e t o he l p! I f y o u h a v e a n y q ue st io n s a bo ut y ou r a p pl i ca ti o n or o ur p rodu c t s, c on tac t Bl ack Bo x T ech S uppo r t at 7 2 4 -74 6 - 5 5 0 0 or go t o blackbox.
72 4 - 7 4 6 -5500 | blac kbox. com 72 4 - 7 4 6 -5500 | blac kbox. com Pa ge 4 V alue- Lin e and Adv anc ed Console Ser vers Man ua l Feder al Com mun icat ions Co mmissi on and Industr y Canada Rad .
72 4 - 7 4 6 -5500 | blac kbox. com 72 4 - 7 4 6 -5500 | blac kbox. com Pa ge 5 V alue- Lin e and Adv anc ed Console Ser vers Man ua l Instrucc iones de Seguri dad ( Normas Ofici ales Mexican as E lec tr ical Sa fety Statemen t ) 1 .
INDEX INTRODUCTION 13 INSTALLATION 18 2.1 Models 18 2.1.1 Kit components LES1508A Console Server 19 2.1.2 Kit componen ts LES1308A - LES1348A a nd LES1408A - LES1448A Advance d Console Se rvers 19 2.1.3 Kit componen ts LES1208A - R 2, LES1216A - R2, LES1232 A and LES12 48A - R2 Advanced Co nsole Servers 20 2.
4.1.8 Cisco USB conso le conn e ction 56 4.2 Add/ Edit Use rs 56 4.3 Authenticati on 60 4.4 Network Hos ts 60 4.5 Trusted Ne tworks 61 4.6 Serial Por t Cascading 62 4.6.1 Automatically gener ate and upload SSH keys 62 4.6.2 Manually gener ate and upload S SH keys 63 4.
6.2.1 SDT Connector installa tion 104 6.2.2 Configuring a new console server g ateway in th e SDT Conn ector client 1 05 6.2.3 Auto - configure SD T Connector client with the user’s access pri vileges 106 6.2.4 Make an SDT c onnection through t he gateway t o a host 107 6.
8.1 Remote P ower Control (RPC) 149 8.1.1 RPC connecti on 149 8.1.2 RPC access priv ileges and alert s 152 8.1.3 User power management 152 8.1.4 RPC status 153 8.2 Uninterrup tible Power Supply C ontrol ( UPS) 153 8.2.1 Managed UPS connectio ns 154 8.
11.3 Configure Date and Time 197 11.4 Confi guration Bac kup 198 11.5 Delayed Config uration Comm it 201 11.6 FIPS Mode 202 STATUS REPORTS 203 12.1 Port Access a nd Active Use rs 203 12.2 Statistics 203 12.3 Support Reports 204 12.4 Syslog 204 12.5 Dashboard 205 12.
15.1.8 Backing - u p the configura tion and restori ng using a loc al USB stick 243 15.1.9 Backing - up the configur ation off - box 244 15.2 Advanced Portmanager 245 15.2.1 Portmanager commands 245 15.2.2 External Scripts and Alerts 246 15.3 Raw Ac cess to S erial Por ts 247 15.
APPENDIX A. CLI Commands and Source Co de B. Hardware Sp ecification C. Safety an d Certifica tions D. Connec tivity and Serial I/ O E. Terminolog y F. End User Lice nse Agreeme nt G. Service and W arranty ________________________ __________________ _____________________ ______ 724 - 746 - 5500 | blackbox.
Chapter 1 Introduction INTRODUCTIO N This Manual This User’s M anual walks y ou through in stalling and configuring your Black Box Console S erver ( LES1108A , LES1116A, LES1132A, LES1148A, LES1508A.
10. Nagios Int egration Des cribes how to s et Nagios centra l manageme nt with SDT e xtensions and configur e the console serv er as a distributed Nagios server. 11. System M anagement Covers access to and configuration of services th at will run on the console server.
ports and serially connected devices, network conne cted hosts, and connected power devices; a nd to view associated logs and configure alerts . A Us er can also use the Management C onsole , but has limited menu access to control select devices, review their logs and ac cess them using the built - in j ava termin al or control power to them .
Date Revision Update details September 20 11 1.1 Prere lease October 2011 2.0 Release for V2.8 firmware and later December 2012 3.0 Release for V3.5 firmware and late r ________________________ __________________ _____________________ ______ 724 - 746 - 5500 | blackbox.
Copyright © Black Box Corpora tion 2011 . All Rights Reserved. Information i n this docum ent is subject to change wi thout notice and does not represent a co mmitment on the part o f Black Box.
Chapter 2 Installation INSTALLATION Introduction This chapter describes how to install the co nsole ser ver hardware a nd connect it to controlle d devices.
If you are in stalling the cons ole server in a rac k, you will need to attach the ra ck mounti ng brackets supp lied with the uni t, then i nstall the uni t in the rack.
DB9F - RJ45S straight and DB9F - RJ45S cro ss - over connectors USB micro - AB adapter cable A ntenna with 10 foot ex tension cabl e Dual IEC AC power cord s Printed Quick Start Guide a nd User’s Ma nual on CD - ROM 2.
2.1. 4 Kit components LES1116A, LES1132A and LES1148A Console Serv ers LES1116A, LES1132A or LES1148A Console S erver (2) UTP CAT5 blue cab les DB9F - RJ45S straight and DB9F - RJ45S cr oss - ov er connectors IEC AC power co rd Printed Quick Start Guide a nd User’s Ma nual on CD - R OM 2.
VDC connecto r from the power supply plugs in to the 12VDC (P WR) power socket on t he side of the LES1508A. 2.2. 2 LES1408A - LES1448A, LES1308A - LES1348A and LES1208A - LES12 48A power The Advanced.
2.2. 4 LES1108A power The LE S1108A includes an external DC po wer supply unit. This unit accepts an AC input vol tage between 100 and 250 VAC with a frequency of 50Hz or 60Hz. The DC power supply has an IEC AC power so cket, which accepts a conventional IEC AC power cord.
PIN SIGNAL DEFINIT ION DIRECTION 1 RTS Request To S end Output 2 DSR Data Set Ready Input 3 DCD Data Carrier Detect Input 4 RXD Receive Data Input 5 TXD Transmit Data Output 6 GND Signal Groun d NA 7 .
− connecting to USB consoles of Managed Devices (e.g. for managi ng UPS supplies) − att aching other extern al USB peripheral s (e.g. an external USB mem ory stick or modem) − adding supported S i er ra Wireless cellular US B modems − plugging in USB hubs t o pr ovide additional port s The USB1.
Chapter 3 Initial System Configura tion SYSTEM CONFIGURATION Introduction This chapter provides step - by - step instructions for the console server’s initial configuration, and fo r connectin g it to the M anagement or O perational LAN. The Admi nistrator must: Activate the Manageme nt Console.
o Subnet mask: 255.255.255.0 If you want t o retain your existing IP se ttings for this network co nnectio n, click Advanced and Add the a bove as a seco ndary IP conn ection. If it is not convenient to change your PC /workstatio n network addr ess, you can use the ARP -Ping command to reset the con sole server IP address.
You will be p rompted to lo g in. Enter the defa ult administratio n username a nd administra tion password: Username: root Password: default Note Console server s are factor y configured with HTTP S access enabled and HTTP access disab led.
After completing ea ch of the abo ve steps, you ca n return to the confi guration list by cli cking in th e top left corner of the screen o n the Black Box logo.
Click Apply . Since you have cha nged the pas sword you w ill be prompte d to log i n again. This time, use the new password. Note If you are not confident t hat your console server has the current firmwar e rel ease, you can upgrade. Refer to Upg rade Firm ware — Chapter 10 .
The next step is to enter a n IP address for the prin cipal Ethernet ( LAN/Netw ork/Networ k1 ) port on the console s erver ; or enable its DHCP client so that it automatically obtai ns an IP address from a DHCP server on the network it will connect to.
3.3.1 IPv6 config uration You can also configure th e console serv er Network a nd Management L AN Interfaces for IPv6 opera tion: On the Syste m: IP menu select G eneral Settings page and check Enable IPv 6. Then, configu re the IPv6 pa rameters on each Interface page .
3.4 System Se rvice s The Administrator can acc ess and configure the co nsole s erver (and conn ected devices) u sing a range of access p rotocols/servi ces – and for eac h such access, the particular service must be running with a ccess through the firew all enabled.
The Services Acces s settings specify wh ich services the Administrato r can use over whi ch net work interface to access the c onsole server. It also nominates the en able d s ervices that t he A dministrato r and the User can use t o c onnect through the console server to att ach ed serial and networ k c onne cted devices.
in rack mount models. To modify the default SNMP settings , the Administrator mus t make the edits at the co mmand line as descri bed in Chapter 15 —Advanced Configuration.
To enable a service che ck Enable . For s ome servces you will be as ked to specify the TCP/IP port to be used for thie s ervice. T here are also some serial po rt access pa rameters that yo u.
Black Box provides the SDT Connector Java applet as the recomme nded client software tool . Y ou can use other generic tools such a s PuTTY and S SHTerm. Thes e tools are all described below as well. 3.5.1 SDT Connector Each console server has an unli mited number o f SDT Connector licenses to us e with tha t console ser ver .
To use PuTTY fo r an SSH terminal s ession from a Windows client, enter the cons ole server ’s IP address as the ”Host Name ( or IP address).” To ac cess the co nsole serv er command line, select “SSH” as the pr otocol, and use the default IP Port 22.
3.6.1 Enable the Managemen t LAN The LES15 08 A , LES1408A, LES1416A, LE S1432 A , LES1448 A , LES1308A, LES1316A, LES1332 A , LES1348 A , LES1208A - R2, LES1216A - R2, LES1232A and LES1248A - R2 console serve rs pro vi de a firewall, router, and DHCP server .
Note You can configure the se co nd Ethernet port as eithe r a gateway port or as a n OO B/Failover port ( but not both ) . Make s ure you did not allocate N etw ork 2 as the Failover Interface when you configured the principal Network connection on the Sy stem : I P menu.
Enter the Default Lease t ime and Maxi mum Lease time in seconds. The lease time is the tim e that a dynam ically assigne d IP address is valid befo re the client must request i t again.
By default, the failover is not enabled. To ena ble, select the Netw ork page on t he System: IP menu. S elect the Failover In terface to be used i f the main fai ls.
Click Apply . You hav e selected the failo ver method. It is no t active until you specify t he external sites to be probed to trigger failover, and set up t he failover ports themselves. This is cover ed in Chapter 5 . Note Y ou can configure the seco nd Ethernet port as eithe r a gateway port or as an OO B/Failover port, but not both.
Select Enable Bridging on the System: IP Gener al Settings menu. Select Bridge Interfac es or Bond Interfac es o When bridgin g is enabled, network traffic is forwarded a cross all Et hernet ports w ith no firewall restrictions.
To add to the static ro ut e to the route table of t he system: Select the Route Settings tab on the System: IP General Setting s menu . Enter a meaningful Rou te Name for the route . In the Destination N etwork/Host f ield enter the IP addre ss of the destination net work/host tha t the route provides a ccess to.
Chapter 4 Serial Port, Host, Devi ce & Use r Configuration SERIAL PORT AND N ETWORK HOST Introduction The Black Box console s erver enable s access and control of s erially attached devices a nd networ k attached dev ices ( host s ).
1) Conso le S erver Mode is t he default and this enable s general access to serial console port on the serially attached devices. 2) Device Mode sets the serial port up to communicate with an int elligent serial controlled PDU, UPS, or Enviro nmental Monito r Device (EMD).
Specify a label for the po rt. Select the appropriate Baud R ate , Parity , Data Bits , Stop Bi ts, and Flow Contr ol for each port. (Note: The RS - 485/RS - 422 option is not relevant for console server s .
Logging Lev el This specifies the level of info rmation to be logged and moni tored (referto Cha pter 7 — Alerts and Logging). T elnet When the Telnet service is enabled on the cons ole server , a Telnet client on a Us er or Administrator ’s computer can connect to a s erial device attached to thi s serial por t on the console serv er .
I f the remot e co mmunic ations are tunneled with SDT Connector , then you can use Tel net to securely access these attached devices (refer to the N ote below).
PuTTY can be downloaded at http:/ /www.t ucows.com/previe w/195286.html SSH We r ecommend that you use SSH as the pro tocol where the User or Administrator co nnects to the consol e server (or connects through the co nsole serv er to the attached seria l consoles) over the Internet or a ny other p ublic ne twork.
For a User named “ fred” to access serial po rt 2, when s etting up the S SHTerm or the PuTTY SSH client, instead of typin g username = fred and ssh port = 3002 , the al ternate i s to type username = fred:port02 ( or username = fred:ttyS1) an d ssh port = 22.
Web Terminal Selecting Web Terminal ena bles web browser acc ess to the serial port via Manage : Devices: Serial usin g the Manage ment Conso le's built in AJA X terminal. W eb Terminal connects as th e currently au thenticated Management Cons ole user and does not re - authenticate.
For configuration details, r efer to Chapter 6.6 — Usin g SDT Con nector to Telnet o r SSH con nect to d evices that are s erially at tached t o the conso le server .
4.1.6 Serial Bridging Mode With serial bri dging, the serial da ta on a nominated s erial port on on e console serv er is encapsulated into netwo rk packets and the n transp orted ove r a networ k to a se cond con sole server . It is then represented on its serial port aga in as serial data.
For example, if the com puter attached to s erial port 3 should nev er send anything out on i ts serial console po rt, the Adminis trator can set th e Facility for that port to local0 ( local0 .. local7 are for site local values), and the Priority to critical .
Users can be author ized to access specified co nsole ser ver serial ports and spe cified network- atta ched hosts. These u sers can also b e give n full Administra tor status (wit h full config uration and management and access privileges). To simplify u s er set up, the y can be conf igured as me mbers of Group s.
3. If a user is set up wit h pptd, dialin, ftp or pmshell gr oup membership they will h ave restricted user shell a ccess to the nominat ed m ana ged devices but t hey will not have any direct access to t he con sole server itself. To add this the users mus t also be a member of t he "users" or "admin" grou ps 4.
Note The User Name can contain from 1 to 127 alphanumeric chara cter s ( you can al so use the special characte r s “ - ”, “_”, and “.” ). There are no restrictio ns on the charact ers that you c an us e in the user Password (each can contain up to 254 char acters).
4.3 Authenticat ion Refer to Chapt er 9.1 — Remote Authentication C onfiguration for authentication configuratio n details. 4.4 Network Hosts To access a locally networked computer o r device (referred to a s a Host ), you must identify the Host a nd specify the TCP or UDP ports/ser vices that wil l be used to control that Ho st.
If the console ser ver has been co nfigured with dis tributed Nagio s monitorin g enabled, then you wil l also be presented with Nag ios Settings options to ena ble nominated services on the Ho st to be monitored (refer to Ch apter 10 — Nagios Integration ).
Network Mask 255.255.255.255 If, however, you want to allow all th e users operating from within a specifi c range of IP addresses (for example, any of the thirty addresses from 204.15.5.129 to 204.15.5.158) to be permitted connection t o the nomina ted port: Host /Subnet Address 204.
Select System : Administr ation on Master’s Management Console. Check Gene rate SSH k eys autom atically a nd c lick Apply. Next, you must select wh ether to generate keys using RSA and/or DSA (if unsure, select only RSA ).
Next, you mu st register the P ublic Key as an Authoriz ed Key on the Sl ave. In a ca se that has o nly one Master with multiple Slaves, you only need to uplo ad the one RS A or DSA public key for each Slave. Note Using key pairs can be con fusing since one fil e (P ubl i c Key) fulfills two roles — Public Key and Authorized Key.
Once the SSH connection h as been esta blished, the s ystem asks you to accept the key. Answer ye s and the fingerprint will be added to the list of known host s. For more details o n Fingerprinting, refer to Chapter 15.6 . If the system asks you to s upply a pas sword, then t here is a pro blem with upl oading keys .
Once you hav e added all th e Slave conso le server s, you can assign and access the Slave serial ports and the connecte d devices fro m the Master’ s Management Co nsole menu.
This serial port redirector software is loaded in your desktop PC, and it allows you to use a serial device that’s c onnected to the remo te consol e server as if i t were connected to your lo cal serial port.
Select the connection type for the new conne ction (Serial, Network Ho st, U PS, or RPC) and then select the specific connection f rom the presented list o f configured una llocated hosts/ ports/outlets.
Note To set up a new serially conne cted RPC UPS or EM D device, configure the serial port, design ate it as a Device, t hen ent er a Name and Descriptio n for that device in the Serial & Net w ork: RPC Connections (or UPS Connections or Env ironmental ).
console s erve r s provide a simple GUI int erface for basic set up a s described belo w. Ho wever for more detailed informat ion on configuring Ope nswan IPsec at t he comm a nd line and interconne cting with other IPsec VPN gateway s and road warrior IPsec sof t w are refer http:/ /wi ki.
If the VPN gat eway i s s erv i ng as a VPN gateway to a local subnet (e. g. the console server has a Management LAN co nf igured) enter the private subnet detai l s in Le ft Subnet. Use the CIDR notation (where the I P addr ess number is follow ed by a slash and the number of ‘one’ bits in the binary notation of t he netmask).
Enter any descript i v e name you wish to identi f y the OpenVPN Tun nel y ou are adding, for example NorthS tOutlet - VPN Select the Dev i ce Driver to be used, either Tun - IP or Tap-E thernet .
o If Server has been selected , enter the IP Pool Netwo rk address and the IP P ool Network mask for the IP Pool. The network defined by t he IP Pool Network addre s s/mask is used to provide the addres ses for connect ing client s. Click App ly to save changes To enter authent ication certif i cat es an d files, Edit the OpenVP N t unnel .
When the OpenVPN s of tware is started, t he C: Program Fil es OpenVPN config f ol der will be scanned for “ .opvn ” files. This folder w ill be rechecked for ne w configuration files w hen ever the OpenVP N GUI icon is right - clicked.
5 = helps with debugging connection problem s 9 = extremely verbos e, excellent for troubl es hooting dev tun dev tap Select ‘dev tun’ to create a routed IP tunnel or ‘dev t a p’ to create an Ethernet tunnel. T he cli ent and server must use t he same settings.
The log file will be di spl ayed as the connection i s established Once established, the OpenVPN icon wi l l di splay a m essage notifying of the successful connection and assig ned IP. This infor mation, as well as the t i m e t he connection was estab lished, is available anytim e by scrolling over the OpenVP N icon.
4.11 PPTP VPN The LES1508A, LES1408A, LES1416A, LES1432A, LES1448A, LES1308A, LES1316A, LES1332A, LES1348A, LES1208A - R2, LES1216A - R2, LES1232 and LES1248A - R2 console ser ver s include a PPTP (Point - to - Point Tunneling Protocol ) server. PPTP i s t y pically used for communicat ions over a physical or v irtual serial link.
Select the Enable check b ox to enable the PPTP Server Select the Minimum Authentication Required . A c cess is denied to remot e u sers attempting t o connect using an authe ntication scheme wea ker than the selecte d scheme. The scheme s a re described below, f rom st r ongest to wea ke st.
Enable Verbose Logging to assist in debugging con nection problems Click Apply S ettings 4.11.2 Add a PPTP user Select Users & Groups on the Serial & Networks m enu and complete t he f ields as covered in section 4.2. Ensure the pptpd Group has been chec ked, t o al low access to the PPTP VPN s erver.
Note: To connect remote V PN clients to the lo cal net work, you need to know the user name and password for t he P P TP account you added, as w el l as the Internet IP addre s s of the console server . I f your ISP has not allocat ed y ou a static IP add re ss, co n sid er usi ng a dy namic DNS service.
Chapter 5 F irewall, F ailover an d OoB Dial Access FIREWALL, FAIL OV ER A ND OoB DIAL - IN Introduction The c onsole s erver has a number of fa il - over and out - of - band access capabilities to make sure it’s available if there are dif ficulties accessing the console server through the pr incipal network path.
external modem v ia a serial cable to the DB9 po rt, and you can confi gur e the second Ethern et port for broadband OoB ac cess. Make sure you unplu g the console server po wer before installi ng t he modem. When it nex t boots, it will detect the mode m an d a PC Card Modem tab will ap pear under System - > Dial.
In the Remote Ad dress field, enter t he IP a ddress to be assigned t o the dial - in client. You can select any add ress for the Remote IP Ad dress. It, and the Local IP Ad dress, must both be in th e same network ra nge ( e.g. 200.100.1.12 and 200.
Note: The User na me and Passw ord to be used for the dial - in PPP link are setup when the User is initially set up wit h dialin Group membership . The dialin Group support s multiple dial - in users . A ny dial - back phone n umbers are also configured when the U ser is set up .
Enter the PPP U ser name a nd Password you set up fo r the console s erver. 5.1.4 Set up earlier Windows c lients For Windows 2 000, the PPP cli ent set up pro cedure is the same as a bove, except yo u get to t he Dial - Up Network ing Fold er by clickin g the Start but ton and sel ecting Setting s.
active broadband acce ss paths to the console s erver , if yo u are unable to a ccess it through the primary management networ k ( Network or Network1 ), you can still acces s it through the altern ate broadba nd path (for exa mple, a T1 lin k) .
On the Managem ent LAN Inter face - Netw ork 2, conf igure the IP Address / Su bnet Mask / G ateway the same as Network I nterface - Network 1 . In this mode, Network 2 (e th1) is avai lable as the tra nsparent ba ck - up port to Network 1 (eth0) for accessing the management ne twork.
________________________ __________________ _____________________ ______ 724 - 746 - 5500 | blackbox.com P age 88.
5.4.2 Failover dial- out T he c onsole s erver modem can be configured so a dia l - out PPP connect ion i s automati cally s et up in th e event of a dis ruption in the principal management n etwork.
Note: Yo ur 3G car rier ma y h ave provided you with de tails for configuring t he co nnection including A P N (Access Point Name ), Pin Code (option al PIN code which may be requi red to unlock the S.
5.6.2 Connect to the CD MA EV - DO carrier net w ork The LES1408A , LES1416A, LES1432A and LES1448A cons ole s ervers have an int ernal CDMA modem. The LES1508A, LES1208A - R2, LES12 1 6A - R2, LES1232A and LE S1248A - R2 console server s also support attaching an ext ernal USB CDMA cellul a r modem from Sierr a Wireless to one of it s US B 2.
Navigate to the I ntern al C ellular Modem tab on Sy stem: Dial . To conne ct to your carriers 3G network enter the appro priate phone number ( usually #777 ) and a Username and Password if directed to by your accou nt/plan documentat i on Select Enable and then click Apply t o initi at e t he Al way s On Out -of- Band connection 5.
5.7 Cellular Operation When set up as a console ser ver the 3G cellular modem can b e set up to connect to t he car rier in either: - Failover mode . I n this case a dial - out ce llular connection is only established in event of a ping failure - OOB mode .
Specify the Probe Addres ses of two sites ( the Primary and Secondar y ) that the con sole server is to ping to determine if t he principal network is still operational In event of a failure of the principal network the 3 G network connecti on is activated as the access path to the console s erver (and its Man aged Devices).
5.8 Firewall & Forwarding The cons ole s erver has routi ng, NAT, packet f iltering a nd port forwa rding suppo rt on all phys ical and virtual network interfaces. This enables t he console se rver to functi on as an Inter net or extern al network ga teway : − Network For warding allo ws the netwo rk packe ts on one n etwork interface (i.
− With Firewall Rules , pa cket filtering inspects each packet passing through the firewall and accepts or rejects i t based on user - defin ed rules. − Then Service Acc ess Rules can be set for co nnecting to the co nsole s erver/ro uter itself 5.
IP Masquerading performs So urce Network Addres s Translatio n (SNAT) on o utgoing pa ckets, to make them appear like they've come from the consol e server (rat her than devi ces on the in ternal network ).
Click on the Disabled lin k next to D HCP Server which will bring up the System: DHCP Server pa ge Check Enable DHCP Server To configure the DHCP ser ver, tick the Use i nterface ad dress as g ateway c heck bo x Set the DNS s erver address(es) to be the s ame as used on the externa l network i.
Source Address : This allows the user to restrict access to a port forward to a specific address. In most cases, thi s should be left blank Input Port Range : T he range of por ts to for ward to the desti nation IP. Thes e will be the port(s) specified when a ccessing the port forw ard.
Click New Fir ewa ll Rule Fill in the following fields : Name: Name the rul e. This name sho uld describe the policy the firewall rule is being used to implement ( e.g. block ftp, Allow Tony) Interface: Sele ct the interface tha t the firewall rule will be applied to (i.
Pro tocol: TCP Dire ction: Egress Action: Block The firewall rules are pro cessed in a set o rder - from top to bottom. So r ule placemen t is impor tant.
Chapter 6 Secure S SH Tunneling & SDT Connector SECURE SSH TUNNELING A ND SDT CONNECT O R Introduction Each Black Box console se rver has an embedded S SH server and uses SSH tun neling so remote .
Using SDT Co nnector to Telnet or SSH connect to devices that are serially a ttached to the console s erver ( S ection 6 .4 ). The chapter then cover s more advanced SDT Co nnector and SS H tunneling topics : Using SDT Co nnector for out - of - band access ( Section 6.
6.2.1 SDT Connec tor installation The SDT Connector set up progra m ( SDTConnector Setup - 1.n.exe or sdtco n - 1.n.tar.gz ) is included on t he CD supplie d with your B lack Box console server . Run the set - u p program. Note For Windows clients, the SDTConnector Setup - 1.
configure cli ents to r un on the P C that w ill use the serv ice to conn ect to the ho sts and serial port devic es (refer to Section 6.2. 7 and 6.2.9 ). Yo u can also set up SDT Connector to connect out - of - band to the console s erver ( refer to Section 6.
Or, enter a D escriptive Name to dis play instead of the IP or DNS addres s, and any Notes or a Description of this gateway (such as its firmware version, sit e location, or anything spe cial about its network c onfiguration) . Click OK and an icon fo r the new gateway will now a ppear in the SDT Connector home p age.
configu re access to network c o nnected H osts that the us er is au thorized to access and set up (f or each of th ese H osts) the services (for example , HTTPS, IPMI2.0) and the related IP ports be ing redirected. configur e access to the console serv er itself (this is s hown as a Local Services host).
Note T he SDT Connector client can b e configured with unli mited number of Gateways (that is, console servers ) . You can configu re each Gateway t o port forward to an unl im i t ed number o f locally networked Hosts. Th ere i s no limit on the number of SDT Connect or clients that can be configured to acce ss t he o ne Gateway.
6.2.6 Manually adding new services to the new hosts To extend th e range of ser vices that yo u can use wh en accessing hosts with SDT Connector : Select Edit: Prefere nces and clic k the Servic es tab. Cl ick Add. Enter a Serv ice Name an d click A dd.
An example is the Dell RAC service. The first re direction is for the HTTPS connection to t he RAC server — it has a client ass ociated with it (web bro wser) that it launches im mediately when you click t he button for this service. The second redir ection is fo r the VNC ser vice that you may choose to later launch fr om the RAC we b consol e.
Note SDT Connector can als o tunnel UDP services. S DT Conne ctor tunnels the UDP t raffic through the TCP SSH redirect i o n, so it is a “tunnel wit hin a tunnel.” Enter the UDP port whe re the service is runni ng on t he host. This will als o be t he local UDP port that SDT Connector binds as the local endpoint of the tunnel.
Enter a Nam e for the client. E nter the Path to the ex ecutable file f or the client (or click Br owse to locate the executa ble). Enter a C ommand Line associated wi th launching the client application. SDT Connector typically launches a cli ent using co mmand line a rguments to point it at the local e ndpoint of the redirection.
Click OK. 6.2.8 Dial in configuration If the client PC is dialing into Local/Cons ole port on t he console server, you will need to set up a dial -in PPP link: Configure the co nsole serv er for dial - in access (following the step s in the Configuring for Dial - In PPP Acces s section in Cha pter 5 , Configuring D ial In Access ).
Click the HTT P or HTTPS Services ic on to access the Management Console, and/ or click SSH or Telnet to acce ss the co mmand line c onsole. Note : To enable S D T access to the console, y ou must.
Assuming you h ave alread y set up the t arget console server as a gatew ay in your SDT Connector client (with username/ passwo rd etc), select this gateway and clic k the Host icon to cr eate a host. Or, s elect File - > New Host . Enter 127.
Description, and Passwo rd/Confirm . Select 1 27.0.0.1 from Acces sible Host (s) and s e lect Por t 2 from Accessible Port(s). C lick Apply. 6.5 Using SDT Connector for out - of - band connection to t he gateway You can also set up SDT Connec tor to co nnect to th e consol e server (gateway) out - of - band (OoB).
where network_co nnectio n is the name of the netwo rk connection as displayed in Control Panel - > Network Connections , login is the dial- in username, and p assword is th e dial -in pa ssword fo r the connectio n.
To enable the distribution of pre - configured client config files, SDT Connector has an Export/Import facility: To save a con figuration.xm l file (for bac kup or for i mporting into other SDT C onnector cl ients) select File - > Expo rt Preferenc es and select the location where you want to save the configuration file.
6.8 Setting up SD T for Remote De sktop access The Microso ft Remote Des ktop Proto col (RDP) ena bles th e system manager to securel y access and manage remote Windo ws computers — to reconfigure applica tions and user pro files, upgrade the server’s operating system, reboot the machine, etc.
To set the user(s) w ho can remotely acc ess the system with RDP, click Ad d on the Re mote Desktop User s dialog box. Note If you need to set up new users for Remote Desktop ac ce ss, open User Accoun ts i n t he Control Panel and follow the ste ps to nominate the ne w us er’ s name, password, and a ccount type ( Administrator or Limited).
In Computer , enter the ap propriate IP Addr ess and P ort Number: Where there i s a direct lo cal or enterpri se VPN conne ction, enter t he IP Address of the console s erver , and t he Port Number of the SDT S ecure Tunnel for the con sole ser ver serial port that you attach to th e Windows co mputer you wa nt to control.
Click Connect. Note The Remote Desktop Co n nection software is p re - installed with Wi ndows XP, Vista and Se rver 2003/2008 . For ea rli er Windows PCs, you need t o download the RDP client : Go to the Microsof t Download Center sit e http://www.
Note The rdesktop client is sup plied with Red Hat 9. 0: rpm - ivh rdesktop - 1.2.0 - 1.i386.rp m For Red Hat 8.0 or othe r d istributions of Linux ; download source, u nt ar, configure, make, ma ke, then install. rdesk top currently runs on most UNI X base d platforms with the X Wind ow System and can b e downloaded from http://www.
6.9 SDT S SH Tunnel f or VNC With SDT and Vir tual Network C omputing (VNC), Us ers and Administrators can securely access and control Wi ndow s 98/NT/2000/XP/2003, Linu x, Macintosh, Solaris, and UNI X computers. There’s a range of popular free and c ommercial VNC software avai lable (UltraVNC, RealVN C, TightVNC).
To set up a pers istent VNC server on Re d Hat Enterprise Linux 4: o Set a passwo rd using vncpasswd o Edit /etc/sysconfig/vncservers o Enable the service with chkconfig vncserver on o Start the s ervice wi th service v ncserver start o Edit /home/ username /.
To establish the VNC con nection, first configure the VNC Viewer , entering the VNC Server IP address. A. When the Viewer P C is connect ed to the conso le server thru an S SH tunnel (over the publ ic Internet, or a dia l - in connection, or private network conn ection), enter local host (or 127.
Note For general background re ading on Remote Deskto p and VNC access we re c ommend the following: The Microsoft Remote Desktop How -To. http://www.microsoft.com /windowsxp/using/mobili ty/getstarted/remoteintr o.mspx The Illustrate d Network Remote Deskto p help page.
B. For Windows XP a nd 2003 computers, fo llow the steps below to set up a n advanced network connection between the Windows co mputer, through its COM port to th e console serv er .
Specify which Users will be allowed to use this connection. This s hould be the s ame Users who were given Remote Desktop a ccess privileges in the earlier step. Click Nex t. On the Network Connecti on screen select TCP/IP an d click Pr opertie s.
Or, you can set the adv anced connection and a ccess on the Window s com puter to use the console server default s: Specify 10.233. 111.254 as the From: address Select Allow calling compu t er.
C. For earlier version Windows computers , follow the steps in Section B. above . To get to the Make New Connecti on button: For Windows 2000, click Start , and sele ct Settings . At the Dial - Up Networking Folder, click Network and Dia l- up Connec tions, and cl ick Make Ne w Connection.
6.10.3 Set up SDT C onnector to SSH port forward over the console server Serial Port In the SDT C onnector software running on your remote computer, specify the gateway IP address of your console server and a usern ame/passwo rd for a user yo u set up on the console server that has access to the d esired por t.
In the Session menu, ente r the IP addre ss of the co nsole serv er in the Host N ame or I P addre ss field. For dial- in connec tions, this IP address w ill be the Loc al Address that y ou assigned to the console s erver when yo u set it up a s the Dial - In PPP Server.
Destination as portXX:3389 (where XX is the SDT enabled serial po rt number). Fo r example, if port 4 is on the consol e server is to carry the RDP tr affic, then specify port04:3389 Note http://www.jfi tz.com/tips/putty_confi g.html has useful examples on configuring PuTTY f or SSH tunneling .
Chapter 7 Alerts , Auto -response and Logging ALERTS AND LOGGI NG Introduction This chapter describes the automated response, alert generat ion and logging featur es of the console server . The new Auto - Res ponse facility (in f irmware V3.5.1 and later) extend s on the basic Ale rt facility availabl e in earlier firmware rev isions.
To configure a new Aut o - Response: Select New Auto - Response in the Configured Auto - Response fie ld. You will be presente d with a new Auto - Response Setti ng s menu Enter a unique Name .
7.2 Check C onditions To configure the condi t ion that will trigge r t he Auto - Response: Click on the Check Condi tion type (e.g. Environmental , UPS Status or ICMP ping ) to be configured as the t rigger f or this new Auto - Res ponse in the Auto - Response Set tings menu 7.
7.2. 3 Serial Login/Logout To monitor serial po rt s an d check for login/logout or pattern match es for Auto - Response trigg ers events: Click on Serial Login/Logout as the Check C ondi ti on .
Click on Custom Check as the Check Condition Create an executa ble trigger check sc ri pt file e.g. /etc/config/test.sh #!/bin/sh logger "A test scr ipt" logger Argument 1 = $1 logger Argument 2 = $2 logger Argument 3 = $3 logger Argument 4 = $4 if [ - f /etc/config/customscr ipt.
Note: The SMS command trigger co nd ition can only be set if t here is an internal or ext ernal USB cellular modem detected 7.3 Trigger Actions To configure the seque nce of actions tha t is to be taken in the event of the trigger condition: For a nominated A uto - Response - with a defined Ch eck Condit ion - click on Add Trigger Action (e.
Specify the Recipient Email Address to send this email t o and the Subject of the email. For multiple recipient s y ou c an enter comma sep arat e d addresses Edit the Email Text message t o send and click Sav e Ne w Action Note An SMS alert can also be sent via an S MTP (email) gateway.
Click Save Ne w Action Note: To notify the central Nagios server of Aler ts, NSCA must be enable d unde r System: Nagios and Nagios must be enabled f o r each applicable ho st or p ort 7.
In the SMTP Server field, enter the out going mail Se rver ’s IP address . If this mail server uses a Secure Con nection , specify its ty pe. You may ente r a Sender email addres s which will appea r as the “ from” address in all email notificatio ns sent fr om this console serv er .
Select a Secure Co nnection (if appli cable) and s pecify the S MTP port to be used (if other than the default port 25) You may also enter a Sender e mail address which will appear as the “ from” address in all email notificatio ns sent fr om this console serv er .
Note The option to directly send SMS alerts via the cellul ar modem was included i n t he Management GUI in V3.4. Advance d console servers al ready had the gateway s oftware ( SMS S erve r Tools 3) emb edded however you t his could only be ac ce ssed from the comm and line to send SMS messages .
Note All console server s have the snm ptrap daemon to se nd traps/notification s to remote SN MP servers on defined t rigge r events as deta i led abov e.
Select the Al erts & Logging: Port Log menu opti on and specify the Server Ty pe to be used, and the details to enabl e log server acce ss From the Manage: Dev ic es menu the Adm inistrator will can vie w seri al, network and pow er device logs stored in the conso l e reserve memory (o r f lash USB).
Level 4 Logs all data transferred to t he port and all changes in hard wa re flow control status and all Use r connection event s Click Apply Note A cache of the most recent 8K of logged data per serial port i s mai ntained locally (in addition to the Logs which are tra nsmi t ted for remote/USB flash storage).
Chapter 8 Power & Environmental Management POWER & ENVI RONMENTAL MANAGE MENT Introduction Black Box console server s mana ge embedded so ftware that yo u can use to ma nage connected Po wer D.
Select the Serial & Network: RPC C onnections menu. This will dis play all the RPC connec tions that have alrea dy been configured. Click Add RPC .
Select the appropriate R PC Type for the PDU (or IP MI) being co nnected: If you are connecting to the RPC via the network, you will be pr esented with the IPMI protocol opti ons and the S NMP RPC Typ es currently sup ported by the e mbedded Network UPS T ools.
Enter the Username and Password use d to login i nto the RPC (Note that t hes e login credentials are not rela ted to the Users and access privileges you co nfigured in Serial & Networks: Users & Groups ).
Turn OFF Cycle Status You will only be presented with icons fo r those opera tions that a re supported b y the Targe t you have selected . 8.1. 4 RPC status You can m oni tor the curre nt status of y our netw ork and s erially connected PDUs and IPMI RPCs.
8.2.1 Managed UP S connec tions A Managed UPS is a UPS that i s directl y connected as a Managed Device to the console se rver . You ca n connect i t via serial or U SB cable or by the netwo rk.
For serial UPSes attach the U PS to the se lected seria l port o n the con sole serv er . F rom the Se rial and Networ k: Serial Port menu, configure the C ommon Se ttings of th at port with the RS - 232 p roperties, et c. required by the U PS (refer to Chapt er 4.
S elect if the UPS will be Connected Vi a USB, over a pr e-configured serial port, o r via SNMP/ HTTP/ HTTPS over the pr econfigured network Host con nection.
Note : T hese login credentials are not re lated to the Users and access privileg es you configured in S erial & Networks: Us ers & Grou ps. If you have m ultiple UPSes and require them to be sh ut down in a specific or der, specify the Shutdown Order for this UPS.
E nter the Name of the particul ar remote UPS that you wa nt to remotely monitor. This name must be the name that the remot e UPS was configur ed with on the remote co nsole serv er (because the r emot e console s erver may itself hav e multiple UPSe s attached that it manages locally with NUT).
on battery. In contrast, mo re critical ser vers may not be shut dow n until a lo w battery war ning is received). Refer to t he online N UT documenta tion for detail s on how to do this : http://eu1.networkupstools.org/doc/2.2 .0/INSTALL.html http://linux.
Click on any particular All Data for any UPS System i n the table fo r more status and configuration information about the se l ected UPS S ystem. Select UPS Logs and you will be presented wit h the log table of the load, battery charge level , temperature, an d other status information f rom all the Managed and Monitored UPS systems.
NUT is built on a networke d model with a layered scheme of drivers , server and clients: The driver pro grams talk di rectly to the UPS equipme nt and run on the same ho st as the NUT network server ( upsd ).
The latest relea se of NUT (2.4) also controls PDU systems. It can do this either nativel y using SNMP or thro ugh a binding to Po werman (open source software from Li vermore Labs that also is embedded in Black Box console server s).
8.3.1 Connecting the EMD The Environmental Monit or Device (EMD) connects to any serial port on the console server via a special EMD Adapter and s tandard CAT5 ca ble. The EMD is powered ov er this seri al connection and commun icates using a custom hand shake protoco l.
Note : You can attach two ext ernal se nsors onto the termi nal s on EMDs that a re connected to LE S1108A, LES1116A, LES1132 and LES1148A console server s.
Check Log S tatus and spe cify the Log Rate (minutes between sam ples) if you w ant to log th e status from this EMD. These logs c an be views from the Status: E nvironmen tal Status screen. Click Apply . This will also create a new M an aged Device (with the sa me name).
Chapter 9 Authentication AUTHENTICAT ION Introduction The consol e server is a dedicated Li nux computer with a myr iad of popula r and proven Linux softwa re modules for networking, secure acces s (OpenSSH), an d communica tions (OpenSSL ), and sophistica ted user authentica tion (PAM, RADIUS, TACAC S+ and LDAP ).
You can confi gure the con sole server to the default ( L ocal ) or using an alternate auth entication method ( TACACS , RADIUS, or LDAP ). Optio nally, you can select the order in which local and remo te authentication is used: Local TACACS /RADIUS/LD AP : Tries local authenticatio n first, falling back to rem ote if local fails.
In addition to multiple rem ote servers, you can also enter se parate lists of Authentica tion/ Authorization serve rs and A ccounting servers. If no Accounting serv ers are specified, the Authenticatio n/Authorizati on servers ar e used instead. Enter and confirm the Serv er Password .
Enter the S erver Address (IP or host na me) of the re mote Authenti cation/ Autho rization serv er. Multiple remote servers ma y be specified in a comma - separated list.
Enter the S erver Address (IP or host name ) of the remote Aut hentication server. Multiple remote servers may be sp ecified in a comma - sepa rated list.
9.1.5 RADIUS/TACACS User Conf iguration Users may be added to the l ocal console server applia nce. If they ar e not added a nd they log i n via remote AAA, a user will be added for the m.
Select Serial & Netw ork: Authentication Select the relev ant Aut he ntication Method Check the Use Remot e Groups button 9.1.7 Remote gr oups with RA DIUS aut henticati on Enter the RADIUS A uthentication and Authorization S erv er Address and Server P ass w ord Click Apply.
For example, in an exi st ing Active Directory setup, a group of use rs may be part of the “ UPS Admin ” and “ Router Admin ” group s. On the consol e serve r , t hese users will be required t.
9.1.9 Remote groups w ith TACACS+ authentication When using TACACS + authenticatio n, there are two ways to g rant a remotely authenticated user privileges. The f i rst is t o se t the priv - lvl and port att ributes of the racces s s erv i c e to 12, this is discu ss ed further in section 9.
Note: Kerberos is very sensit i v e to time difference s bet ween the Key Distribution Center (K D C) authentication serv e r and the client devi ce. P lease make sure that NTP is enabled, and the ti me zone is set correctly on the console server .
TACACS+ - pam_tacplu s ( http://ec helon.pl/pubs /pam_tacplus.h tml ) LDAP - pam_ldap ( http://www.pa dl.com/OSS/ pam_ldap.html ) Further modul es can be a dded as requir ed. Changes may be made to fi le s in /etc/config/pam.d/ t hat will persist, even if the authentication configurator runs .
If there is already a Fram ed -Filter- Id, simpl y add the list of group_ names after the existing entries, includ ing the s eparating co lon “:”. 9.3 SSL Certifi cate The co nsole server uses the Secure Socket Layer (SSL) pro tocol for encrypte d network tr affic betw een itself and a conne cted user .
Select System : SSL Certif icate and fill out the fields as explained below: Common name This is the network name o f the consol e server onc e it is installed in the network (usually the fully qualified do main name).
Key length T his is the length o f the generated key in bits. 1024 Bits a re supposed to be sufficient for most cases. Lo nger keys may result in slower respo nse time of the console server when establishing connection. Once this is do ne, click on the but ton Generate C SR w hich will initiate the Certificate Signing Reques t generation.
Chapter 10 Nagios Integration NAGIOS INTE GRATION Introduction Nagios is a po werful, high ly extensible open sourc e tool for mo nitoring netwo rk hosts and s ervices. The core Nagios software packa ge will typically be install ed on a server o r virtual server, the centra l Nagios server.
10.1 Nagios Overv iew Nagios provides central monito ring of the hosts and services in your dis tributed network. Nagios is freely downloadable, open sourc e software. This section of fers a quick b ackground of Nagios and i ts capabilities. A complete o verview, FAQ, and compre hensive documentation ar e available at: http://w w w.
Distribute d console server s Black Box console server s . Serial and network hosts a re attached to each c onsole s erver. Each runs Nagi os plug - ins, NRPE, and NSCA add - ons, but not a full Nagios server. Clients Typically a cl ient PC, lap top, etc.
10.2.2 Set up distrib uted console server s This section provi des a brief wal kthrough on configuring a s ingle con sole server to monitor the status of one attached netwo rk host (a Windows IIS serv.
Remove all Permitted Services . This s erver will be accessible using Terminal Services, so check TCP , Port 3389 and log level 1 and cl ick Add . Remove a nd re - add the serv ice to enable logging. Scro ll down to Nagios Settin gs and check Enabl e Nagios.
Select Users & Gr oups fro m the Serial & Network menu. Click Add User. In Username , enter: s dtnagiosuser , the n enter and c onfirm a Pass word. In Access ible Hosts click the IP address /DNS name of the IIS server, and in Acces sible Ports click the serial port tha t has the router co nsole port a ttache d.
When NRPE a nd NSCA are bo th enabled, NSC A is preferr ed method for co mmunicating w ith the upstream Nagios serve r— check Prefer NRPE to use NRPE whenever possible (that is, for all communica tion ex cept for al erts).
Select System: Nagios and chec k NSCA Enable d. Select the Encryption to b e used from t he drop dow n menu, then ent er a Secret pa ssword and specify a check Inte rval. Refer to the s ample Nagios co nfiguration s ection belo w for some exa mples of co nfiguring specific NSCA checks.
10.3.6 Configure the upstream Nagios monitoring ho st Refer to the Nagios documentation ( http://www.nagios.org/docs/ ) for co nfiguring the upstream ser ver: The section en titled Distributed Moni toring steps thr ough what you ne ed to do to configure NSCA on the upstream serv er (under Central S erver Configuration ).
service_de scription NRPE Da emon host_name Black Box use generic - service check_command check_nrpe_daemon } ; Serial Status define command { command_name check_serial_status command_line $USER1 $/check_nr pe - H 192.
} define serv ice { service_descri ption port-log- ser ver host_name server use generic - service check_command check_port_log active_checks_ena bled 0 passive_checks_ enabled 1 } define serv icedepen.
execution_failure_criteria w,u,c } ; SSH Port define command{ comm and_name check_conn_via _ Black Box command_line $USER1$/ch eck_nrpe - H 192.168.254.
check_serial_signals is use d to monitor the handshak ing lines on the serial po rts check_port_log is used to monitor the data logged fo r a serial po rt.
Time No encryptio n 3DES SSH tunnel NSCA for single check ~ ½ second ~ ½ second ~ ½ second NSCA for 100 sequential c hecks 100 seconds 100 seconds 100 seconds NSCA for 10 sequenti al checks, batche.
II. Remote site In this scenar io, configu re the console s erver NRPE server o r NSCA client to actively check configured services and upload the checks to the Nagios server that’s wait ing passively. You can also configure it to service NRPE commands to perform chec ks on demand.
Remote site with no network ac cess In this scenar io the conso le server allows dial-in access for the Nagios server. Periodically, the Nagios server will establish a co nnection to th e con sole serv er and execute a ny NRPE com mands, befor e dropping the connection.
Chapter 11 System Management SYSTEM MANAGEMENT Introduction This chapter describes how the Administrator can p erform a range of general console server system administrat ion and configuration tasks such as: Applying Soft and Hard Re sets to t he gateway.
Pushing the Erase button on the rea r panel twice . A ball - p oint pen o r bent paper clip is a suitable tool for this pro cedure. Do not use a grap hite pencil. P ress the button gently twice (within a couple of se conds) while the unit is powered ON.
Select the System: Da te & Time menu o ption. Manually set the Year , M onth , Day , Hour and Minut e using the D ate and Time s election boxes, then click Set Time . The gate way can synchronize its s ystem time with a remote time server using the Network Time Protocol (NTP).
With all cons ole server s , you can s ave the backup file remotely o n your PC a nd you can res tore configuration s from remote lo cations: Click Save Backup in the Remote Co nfiguration Ba ckup menu. The config ba ckup file ( Sy stem Name_date_config.
To backup to the USB, e nter a brief Desc ription of the backup in the Local Configuration Ba ckup s menu and select S ave Backup. The Local Conf iguration Ba ckup menu will di splay all the configura tion backup files you have stored on to the USB flash.
11.5 Delayed Configuration Comm it With Advanced Console Servers ( LES1208A - R2 , LES1216A - R2 , LES1232A, LES1248A - R2 ), a Delayed Co nfig Commit mod e i s available which a llows the groupin g or queuing o f configura tion changes a nd the simultaneous application o f these chang es to a specif ic device.
Click Apply to run the systemset tings configura tor The Commit Config button will no lo nger be displ ayed in the top right - ha nd corner of t he screen and configuration s will no lon ger be queued .
Chapter 12 Status Reports STATUS REPORTS Introduction This chapter describes the dashboard fe ature and the status reports that are availabl e : Port A ccess and Acti ve Users Statistics Support Repo rts Syslog Dashboard Other status reports that are covered elsewhere include: UPS Status ( Chapter 8.
Select the Status: St atistics You can find detailed s tatistics report s by s electing the va rious submen us. 12.3 Support Reports The Support Repo rt provides useful statu s information that wi ll assist the Blac k Box Technical Support team to solve a ny problems you may exper ience with yo ur console server .
Enter the re mote Syslog Server Address and S yslog Serv er Port details and click Apply. The console maintains a l ocal Syslog. To view the local Sys log file: Select Status : Syslog To make it easier to fin d information in the local Syslog file, use th e provided p attern matchi ng filter tool.
Select System : Configure Dashboar d and select th e user (or group) you are configuring thi s custom dash board layout for. Click Next. Note: Yo u can configure a custom da shboard for any adm in user or for the admi n group or you can reconfigure the def aul t dashboard.
Note : The Alerts widget is a new sc ree n that shows the curre nt alerts status. When an al ert gets triggered, a correspon ding .XML file i s cr eat ed in /var/run/alerts/. The dashboard scans all these f i les and displays a summary st at us in the alerts widg et.
12.5. 2 C reating custo m widgets for the Dashboard T o run a cust om script insi de a dashbo ard widget : Create a file called " widg et- <name>.sh " in the folder /etc/ co nfig/scripts/ where < nam e > can be anything. You can have as many custom dashboard fil es as you wa nt.
Chapter 13 Management MANAGEMENT Introduction The console s erver has a small number of Manage reports a nd too ls that are available to bo th Administrator s and Users : Access an d contro l authori zed devices. View serial port logs and host logs for those devices.
13.2 Port and Host L ogs Administrators and User s can view logs of data transfers to c onnected devices. Select Manage : Port Logs and the serial Port # to be display ed. To display Host logs, s elect Manage : Host Logs and t he Host to be displayed.
13.3.1.2 Web T erm inal to Serial Devic e To enable the Web Te rmi n al service for each se rial p or t you want to ac cess: Select Serial & Netw ork: Serial Port and click Edit .
13.4 Power Management Administrators and User s can access and manage the connected power de vices. Select Manage : Power ________________________ __________________ _____________________ ______ 724 - 746 - 5500 | blackbox.
Chapter 14 Command Line Configu ration CONFIGURATION FROM THE COMMAND LINE Introduction For those who prefer to configure their console server at the Linu x command line level (rather than use a brows.
o If you are connec ting over the L AN, then you wil l need to in terconnect th e Ethernet ports and direct your termina l emulator p rogram to the IP addres s of the console serv er (192.168.0.1 by default). Log on to the console serv er by pressing “ return” a f ew times.
- v –verbose Log extra deb ug informatio n. - d – del=id Remove the given conf iguration eleme nt specified b y a '.' sepa rated identifier. - g – ge t=id Displa y the value of a configuratio n element. - p – path=file Specify an a lternate configuration f ile to use.
Note: The c onfig command does not v erify whether the node s edited/added by t he user are valid. Thi s means that any node may be add ed to the tree. If a user run s the following com m and: # /bin/config - s config. fruit.apple=sweet T he configurator will not complain, but this comman d is useless.
Console server mode The comman d to set the p ort in portmanager mode: # config - s config.ports.por t5.mode=portmanager To set the fo llowing option al config ele ments for this mode: Data accumulati.
Terminal serv er mode Enable a TTY login for a lo cal term inal attached to serial port 5: # config - s config.ports.por t5.mode=terminal # config - s confi g.ports.port5.t er minal=[vt220 | vt102 | vt100 | linux | an si] The default terminal is v t220.
14.3 Adding and Removing U sers First, determine the total number of existing Users (if you have no existing Users you can ass ume this is 0 ): # config - g conf ig.users.total This command s hould disp lay con fig.user s.total 1 . Note that if yo u see config.
# config - s confi g.sdt.hosts.ho st5.users.user1= John # config - s config.sdt.ho sts.host5.users.total=1 (total number of u sers having access to host) To give another user called “Peter” access to the same host: # config - s confi g.sdt.hosts.ho st5.
Attention: The rmuser scr ipt is a generic scri pt to re move any co nfig ele ment fro m config.x ml correctly . However, any dependencies or references to this gro up will not be affected. Only the group details are deleted. The Administrator is responsible f or goi ng through config.
14.6 Network Ho sts To determine the total nu mber of currently configur ed hosts: # config - g co nfig.sdt.hosts .total Assume this value is equal to 3. If you add ano ther host, make sure yo u increment the tot al number of hosts from 3 to 4: # config - s confi g.
If you want t o add the ne w host as a ma naged device, ma ke sure you us e the current total number of managed devices + 1, fo r the new device number. To get the cu rrent number o f managed dev ices: # config - g co nfig.devices.to tal Assuming we alr eady have one ma naged device, our new devi ce will be dev ice 2.
# config - s confi g.cascade.slaves .slave1.addre ss=192.168.0.15 3 # config - s "config.ca scade.slaves.slave1.descriptio n=CM in office 42" # config - s config.cascad e.slaves.slave1.label= les1 11 6 -5 # config - s conf i g.cascade.slaves .
M ake sure to incremen t the total monito rs: # con fig - s conf ig.ups.monitors.to tal=1 The five commands bel ow will add the UPS to Managed devices . Assuming there a re already two managed devices configured: # config - s "config.d evices.device3.
Logging Ena bled Log interval 600 second Number of po wer outlets 4 (depends on the type/ model of the RPC) # config - s config.ports.port2.power.type=APC 7900 # config - s confi g.p orts.port2.power.name=MyRPC # config - s "config.ports.port2.power.
To get the to tal number of m anag ed devices: # config - g co nfig.devices.to tal Make sure yo u use the tota l + 1 for the new device b elow: # config - s config. devic es.device5.connections.connection1. name=Envi4 # config - s "config. devices.
Error Notice Warning Assume the remo te log serv er needs a user name 'name1' a nd passwor d 'secret': # config - s con fig.eventlo g.server.u sernam e=name1 # config - s confi g.eventlog.serv er.password=secr et To set the remote p ath as '/ Black Box /lo gs' to save logged data: # config - s config.
# config - s config.al erts.alert2.signal=[ DSR | DCD | CTS ] # config - s config.al erts.alert2.type=signal Pattern Ma tch Alert To trigger an alert if the regular expressi on '.*0.0% id' is found in s erial port 10 's character s tream.
# config - s config.al erts.alert2.enviro.high.critical=300 # config - s config.al erts.alert2.enviro.high.warning=2 80 # config - s config.al erts.alert2.enviro.hysteresis=20 # config - s co nfig.al erts.alert2.enviro.low.critical=50 # config - s config.
# config - s config.system .smtp.encryption2=SSL (can also be TLS o r None ) # config - s confi g.system.smtp.s ender2=John@ Black Box .com # config - s config.sys tem.smtp.usernam e2=john # config - s confi g.system.smtp.pa ssword2=secret # config - s con fig.
# config - s config.interfaces.wan.address=192.168.0.23 # config - s config.interfaces.wan.netmask=255.255.255.0 # config - s config.interfac es.wan.gateway=192.16 8.0 .1 # config - s confi g.interfaces.wan. dns1=192.168 .0.1 # config - s confi g.interfaces.
To change th e timezone: # config - s con fig.system .timezone= US/Easter n The following co mmand wi ll synchronize the live syste m with the n ew configura tion: # config - r ti me 14.20 Dial - in set tings To enable dia l - in access on the DB9 seri al port from the comman d line with the follow ing attributes: Local IP Address 172.
DNS server1 192.168.2.3 DNS server2 192.168.2.4 Domain name company.com Default gateway 192.168.0.1 IP pool 1 star t address 192.168.0.20 IP pool 1 end address 192.168.0.100 Reserved IP a ddress 192.168.0.50 MAC to reserve IP for 00:1e:67:82:72:d9 Name to iden tify this hos t Jo hn - PC I ssue the comma nds: # config - s config.
# config - s config.services .rfc2217.portbase='port ba se number' Default: 5000 # config - s config.services .unauthtel.portbase='port b ase number Default: 6000 The following co mmand wi ll synchronize the live syste m with the n ew configura tion: # config -a 14.
Chapter 15 Advanced Configuration ADVANCED CONF I GURATION Introduction Black Box console server s ru n the embedded Linux op erating system. So Administrator class users can configure the console ser.
# dos2unix /etc/config/rc.l ocal Another s cen ario wou ld be to call anothe r custom scr ipt from the /etc/config/rc. local file, maki ng sure that your custom script wi ll run whenever the sys tem is booted. 15.1.2 Running custom sc ripts when aler ts are trigg ered Whenever an alert gets triggered, specific scripts get called.
15.1.3 Example script - Power Cycli ng on Patte rn Match For example , we have an RP C (PDU) connected to port 1 o n a consol e server and also have some telecommunications devic e c onnected to por t 2 (which is powered by the RPC outlet 3 ).
delete -node is a general scr ipt for deleting a ny n ode you desire (users, groups, hosts, UPSes, e tc.) from the command line. The sc ript deletes t he specified node and shu ffles the rema inder of the node values.
NUM BER=`echo $L ASTFIELD | s ed 's/^[a - zA - Z]*// g'` TOTALNODE=`echo ${1%.*} | sed 's/ (.* )/ 1.total/'` TOTAL=`config - g $TOTALNOD E | sed 's/.* //' ` NEWTOTAL=$[ $TOTAL - 1 ] # Make backup copy of config file cp /etc/config/config.
config - g $RO OTNODE.$LA STFIELDT EXT$((NU MBER+COUN TER)) | while read LINE do config - s "`echo "$LI NE" | s ed - e "s/$L ASTFIELDTEX T$((NUMB ER+ COUNTER))/$LA STFIELDTEXT$( (NUMBER+COUNTE R - 1))/" - e 's/ /=/'`" done let COUNT ER++ done # deleting last user config - d $ROOTNODE.
The above co mmand will c ause the ping - detect script to continuously ping the hos t at 192.168.22.2 which is the r outer. If the r outer crashes , it will no lo nger respond t o ping reques ts. If this ha ppens, the two comma nds pmpower a nd date will run.
15.1.7 Running custom sc ripts when a c onfigurator is invoked A configurator is responsib le for reading the va lues in /etc/config/c onfig.xml and making the appropriate c hanges live. S ome changes ma de by the configurators are part of t he Linux conf iguration itself, such as user p a sswords or ipconfig .
To save the c onfiguration: # /etc/scripts/backup- usb save config- 2 0May To check i f the bac k up was saved correctly: # /etc/scripts/backup-usb l ist If this comma nd does not d isplay "* conf ig - 20May" then there was an error savi ng the configur ation.
This will extract the contents of the previously created backup to /tmp , and then synchr onize the /etc/confi g directory with the copy in /tmp . One problem that can crop up here is that there is not enough room in /tmp to extract files to.
For more info rmation on u sing chat (an d pmchat ) you s hould cons ult the UNIX ma n pages: http://techpubs.sgi.com/libr ary/tpl/cgibin/getdoc.cgi?coll=lin ux&db=man&fname=/usr/sh are/catman/ man8/chat.8.html pmusers The pmusers command is used to quer y the portma nager for acti ve user session s.
- The portmanager will attempt to execute /etc/ config/scripts/portXX.alert (where XX is the port number, e.g. 0 8) - The script is r un with STD IN containin g the data wh ich triggered t he alert, and S TDOUT redire cted to /dev/null, NO T to the seria l port.
With stty , the changes made to the port only “s tick” until that port is clo sed and o pened again. P eople probably will not want to use stty f or more than initial deb ugging of the seria l connection. If you want t o use stty to configure the port, you ca n put stty commands in /etc/config/scripts/portXX.
system. - Rules are added which explicitly allow networ k traffic to access ena bled services , for example, TTP, SNMP , etc. - Rules are added that explicitly allow traffic networ k traffic access to serial ports over enabled protocols e.g. Telnet, SSH and raw TCP.
sysname Not defined ( edit /etc/default/snmpd.c onf) syslocation Not defin ed (edit /etc/default/snmpd. conf) Simply change the values of sysdescr, sy scontact, sysname and syslocation to th e desired settings and restart snmp d . The sn mpd.conf provides is extremely powerful and too flexible to completely co ver here.
.. replacing y ourusername with the us ername config.system.snmp.userna me2 (3 only) To set the Engine ID field (SNMP version 3 only ) config -- set config.
15.6.2 Generating Public Keys (Linux) To generate new SSH key pairs use the Linux ss h - keygen co mmand. This will produ ce an RSA or DSA public/privat e key pair and you will be prompted for a path to store the two ke y files, for example, id_d sa.pub (the pu blic key) and id_dsa (the priva te key).
15.6.4 Installing SS H Public Key Authen tication (Li nux) Alternately, the public key can be installed on the unit remotely fr om the linux hos t with the scp utility as follo ws. Assuming the us er on the Management C onsole is ca lled "fred"; th e IP address o f the conso le server is 192.
If the Black Box device selected to be the server will only have one client devic e, then the authorized _keys file is simply a copy of the public key fo r that device. If one o r more devices will b e clients of the server, then the authori zed_keys file wi ll contain a copy o f all of the public key s.
More documentati on on OpenS SH can be fou nd at: http://openssh.org/portable.htm l http://www.openbsd.org/ cgi-bin/man.cgi?query=ssh&sektion =1 http://www openbsd.org/cgi -bin/m an.cgi?query=sshd. 15.6.5 Generat ing public/private keys for SSH (Windows) This section describes ho w to generate and configure SSH keys usin g Windows.
- Execute the P UTTYGEN.EXE pro gram. - Select the desired key typ e SSH2 DSA (you may use RSA or D SA) within the Pa rameters se ction. - It is importan t that you lea ve the passp hrase field b lank.
To automate connection of the SSH tun nel from the client on ever y power - up y ou need to m ake the clients /etc/config/rc.local look like the following: #!/bin/sh ssh - L9001:127.0.0.1:4001 -N - o StrictH ostKeyC hecking=no testuser @<server - i p> & This will run the tunnel redirecting local port 9001 to the server port 4001.
If the host ke y has been le gitimately ch anged, it can be removed f rom the ~/.ssh/ known_hosts file a nd the new finge rprint added. If it has not changed, this i ndicates a ser ious problem that shoul d be investigated immediately.
For simplicity going forw ard, the term private key will be used to re fer to either id_rsa or id_dsa and public key to refer to either id_rsa.pub or id_dsa.pu b. To generate t he keys using Ope nBSD's OpenSS H suite, we use the ssh - k eygen progr am: $ ssh - keygen - t [rsa|dsa] Generating pub lic/private [r sa|dsa] key pair.
then the a uthorized _keys file will contai n a copy of al l of the public keys. RSA and DSA keys ma y be freely mixed in the a utho rized_key s file. For example, assume we al ready have one server, cal led bridge_server , and two sets of keys, for the control_room and the plant_entrance : $ ls /home/user/keys control_r oom control_room.
The consol e server includes OpenSSL. The OpenSSL Project is a collaborative effort to develop a robus t, commercial - grade, f ull - featured, and Open Source toolkit implementi ng the Secure Sockets Layer (SSL v2/v3) and Transport Layer Sec urity (TLS v1) protocols as well as a full - strength general purpos e cryptography libr ary.
15.8.3 Installing the key and certific ate We recommend t hat you use a n SCP (Secure C opying Pro tocol) client to copy fil es securel y to the console s erver unit. T he scp utility is distribut ed with OpenSSH for most Unix distributio ns, while Windows use rs can use so mething like t he PSCP command l ine utility a vailable with P uTTY.
15.9.1 The PowerM an tool PowerMan provi d es power manage ment in a data center or comp ute cluster en vironment. It perf orms operations su ch as power on, power of f, and power c ycle via remo te power controller (RPC) devices. Synopsis powerman [- option] [ta rgets] pm [- option] [targets] Options - 1, -- on Po wer ON targets.
should not b e confused w ith regular ex pression char acter classes (al so denoted by ''[]''). For exam ple, foo[19] does not represent foo1 or foo9, but rather represents a degenerate range: foo19.
The first is to have scrip ts to support the particular RPC included in either t he open sourc e PowerMa n project (http://sourceforge.net/projects/powerman ) or the open source NUT UPS Tools p roject.
15.10 IPMItool The console s erver includ es the ipmitool utili ty for managing and confi guring devices tha t support th e Intelligent Pla tform Manag ement Interfa ce (IPMI) versio n 1.
-A < a uthtype > Specify an au thentication ty pe to use du ring IPMIv1.5 lan s ession activation. Su pported types are NONE, PASS WORD, MD5, o r OEM. -c Present output in CSV (comma sep arated variable) format. This is not available wit h all commands.
The ipmitool documentation high lights that there ar e several security issues t o be considered befor e enabling the I PMI LAN interf ace. A remote sta tion has the ability to contr ol a system's power state as well as being able to gather certain platf orm informat ion.
channels sessio n Prin t session in formation exec Run list of commands fro m file set Set r untime variable for shell a nd exec ipmitool chassis h elp Chassis Commands: st atus, power, identify, poli.
This script wo uld, for exa mple , parse each po rt log file line by line, each time it sees 'LO GIN: username' , it adds username to the list of connected us ers for that port, ea ch time it sees 'LO GOUT: user name' it removes it from the list.
Appendix A Linux Commands & Source Code The con sole server platform is a dedicated L inux computer, o ptimized to provide monito ring and secur e access to serial and network consoles of critical serve r systems and their supportin g power an d networking inf rastructure .
flashw Write data to individual f lash devices flatfsd Daemon to save RAM file systems back to FLASH ftp Internet file transfer program gen - keys SSH key generation progra m getopt * Parses comma nd .
pgrep Display proce ss(es) selected by regex pattern pidof Find the proc ess ID of a ru nning progra m ping Send ICMP E CHO_REQUEST pa ckets to networ k hosts ping6 IPv6 ping pkill Sends a signal to p.
sync * Flush file system buffers sysctl Configure kernel paramet er s at runtime syslogd System logging utility tar * The tar archiving utility tc Show traffic control settings tcpdump Dump traffic on.
There are also a number of o ther CLI comma nds related to other o pen source to ols embedded in t he console s erver includin g : • PowerMan p rovides power mana gement for many preconfigure d remote pow er controller (RPC) devices. For CLI detai ls refer http://linux.
false fc [- e ename] [ - nlr] [first] [last] fg [job_spec] for NAME [in WORDS ... ;] do COMMA function NAME { COMMANDS ; } or NA getopts opts t ring name [arg] hash [ - r] [- p pathnam e] [name .. .] help [ - s] [pattern ...] history [ - c] [- d off s et ] [n] or hi if COMMANDS; then COM M A NDS ; [ elif jobs [ - lnprs] [ jobspec .
Appendix B Hardware Specifications FEATURE VALUE Dimensions LES1408A /16A/32A/ 48A , LES1308A /16A/32A/4 8A, LES120 8A - R2 /16A - R2 / 32A/48A - R2 : 17 x 12 x 1.75 i n (43.2 x 3 1.3. x 4.5 cm ) LES 11 16 A/ 32A/48 A : 17 x 8.5 x 1.75 in (43. 2 x 21x 4.
Appendix C Safety & Certifications Plea se take care to follow the safe ty precautions below when installin g and operating the console server : - Do not remove the m etal covers. There are no operato r serviceable compo nents insi de. Opening or removing the co ver may expose y ou to dangerous voltage wh ich may cause fire or electric shock.
Appendix F End User L icense Agreement READ BEFORE USIN G THE ACCOMPANY ING SOFTWARE YOU SHOULD CAREFUL LY READ THE FO LLOWING TERMS AND CONDIT IONS BEFORE USING THE ACCOMPANYING SOFTWARE, THE USE OF WHICH IS LICENSED FOR USE ONLY AS SET FORTH BELOW. IF YOU DO NOT AGREE T O THE TERMS AND CONDIT IONS OF THIS AGREEMENT , DO NOT USE THE SOFTWARE.
Sale of Goods is hereby exclu ded in its entirety and does not apply to this EULA. If you acquired th is Software in a country outs ide of th e United St ates, that country’s laws may apply.
2. Redistributi ons in binar y form must reprod uce the above c op yright notic e, this list of c onditions and th e following disclaimer in the documentati on and/or other materials prov i ded with the di s tributi o n.
b) You must cause an y work that you dist ribute or pu bl ish, that in whol e or in part conta ins or is derive d from the Program or an y part thereof, t o be licensed a s a whole at no charge t o all third par t ies under the ter m s of this License.
6. Each time you red istribute t he Program (or an y work based on t he P rogram), t he r ecipient aut om aticall y rec eives a license from t he original lic ensor to cop y, di stribute or mod ify the Program subject to thes e terms and condi t ions.
OUT OF THE USE OR INABILIT Y TO USE T HE PROGRAM (INCLUDIN G BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH AN Y OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
________________________ __________________ _____________________ ______ 724 - 746 - 5500 | blackbox.com P age 285.
72 4 - 7 4 6 -5500 | blac kbox. com About Bl ack B ox Black Box Net work Ser v ices is your source for an ex tensive range of n etworking and inf rastructure product s.
Un point important après l'achat de l'appareil (ou même avant l'achat) est de lire le manuel d'utilisation. Nous devons le faire pour quelques raisons simples:
Si vous n'avez pas encore acheté Black Box LES1432A c'est un bon moment pour vous familiariser avec les données de base sur le produit. Consulter d'abord les pages initiales du manuel d'utilisation, que vous trouverez ci-dessus. Vous devriez y trouver les données techniques les plus importants du Black Box LES1432A - de cette manière, vous pouvez vérifier si l'équipement répond à vos besoins. Explorant les pages suivantes du manuel d'utilisation Black Box LES1432A, vous apprendrez toutes les caractéristiques du produit et des informations sur son fonctionnement. Les informations sur le Black Box LES1432A va certainement vous aider à prendre une décision concernant l'achat.
Dans une situation où vous avez déjà le Black Box LES1432A, mais vous avez pas encore lu le manuel d'utilisation, vous devez le faire pour les raisons décrites ci-dessus,. Vous saurez alors si vous avez correctement utilisé les fonctions disponibles, et si vous avez commis des erreurs qui peuvent réduire la durée de vie du Black Box LES1432A.
Cependant, l'un des rôles les plus importants pour l'utilisateur joués par les manuels d'utilisateur est d'aider à résoudre les problèmes concernant le Black Box LES1432A. Presque toujours, vous y trouverez Troubleshooting, soit les pannes et les défaillances les plus fréquentes de l'apparei Black Box LES1432A ainsi que les instructions sur la façon de les résoudre. Même si vous ne parvenez pas à résoudre le problème, le manuel d‘utilisation va vous montrer le chemin d'une nouvelle procédure – le contact avec le centre de service à la clientèle ou le service le plus proche.