INTRODUCTION INSTALLATION Models 2.1.1 Kit components: B096-048 and B096-016 Console Server Management Switch 2.1.2 Kit components: B092-016 Console Server with PowerAlert Power connection 2.2.1 Power: Console Server Management Switch 2.2.2 Power: Console Server with PowerAlert Network connection Serial Port connection...
Set up Windows XP/ 2003/Vista client for dial-in 5.1.4 Set up earlier Windows clients for dial-in 5.1.5 Set up Linux clients for dial-in OoB Broadband Access (B096-048/016 only) Broadband Ethernet Failover (B096-048/016 only) Dial-Out Failover SECURE TUNNELING AND SDT CONNECTOR Configuring for SDT Tunneling to Hosts SDT Connector Configuration 6.2.1...
6.2.9 Choosing an alternate SSH client (e.g. PuTTY) SDT Connector to Management Console SDT Connector - Telnet or SSH connect to serially attached devices Using SDT Connector for out-of-band connection to the gateway Importing (and exporting) preferences SDT Connector Public Key Authentication Setting up SDT for Remote Desktop access 6.8.1 Enable Remote Desktop on the target Windows computer to be accessed...
8.1.4 User power management Uninterruptible Power Supply Control (UPS) 8.2.1 Managed UPS connections 8.2.2 Configure UPS powering the Console Server 8.2.3 Configuring powered computers to monitor a Managed UPS 8.2.4 UPS alerts 8.2.5 UPS status 8.2.6 Overview of Network UPS Tools (NUT) Environmental Monitoring 8.3.1 Connecting the EMD...
10.4.2 Basic Nagios plug-ins 10.4.3 Additional plug-ins SYSTEM MANAGEMENT 11.1 System Administration and Reset 11.2 Upgrade Firmware 11.3 Configure Date and Time STATUS REPORTS 12.1 Port Access and Active Users 12.2 Statistics 12.3 Support Reports 12.4 Syslog MANAGEMENT 13.1 Device Management 13.2 Port and Host Management 13.3...
Alert Configuration 14.7 SDT Host Configuration SDT Host TCP Ports 14.8 Configuration backup and restore 14.9 General Linux command usage ADVANCED CONFIGURATION 15.1 Advanced Portmanager 15.2 External Scripts and Alerts 15.3 Raw Access to Serial Ports 15.4 IP-Filtering 15.5 Modifying SNMP Configuration Adding more than one SNMP server 15.6...
16.1.4 Connect- SSH 16.1.5 Connect- IPMI 16.1.6 Connect- Remote Desktop (RDP) 16.1.7 Connect- Citrix ICA 16.1.8 Connect- PowerAlert 16.2 Advanced Control Panel 16.2.1 System: Terminal 16.2.2 System: Shutdown / Reboot 16.2.3 System: Logout 16.2.4 Custom 16.2.5 Status 16.2.6 Logs 16.3 Remote control Appendix A Hardware Specification Appendix B Serial Port Connectivity...
INTRODUCTION This Manual This User Manual is provided to help you get the most from your B096-016 / B096-048 Console Server Management Switch or B092-016 Console Server with PowerAlert product. These products are referred to generically in this manual as Console Servers.
Opening or removing the cover may expose you to dangerous voltage which may cause fire or electric shock. Refer all service to Tripp Lite qualified personnel. To avoid electric shock the power cord protective grounding conductor must be connected through to ground...
10. Nagios Integration 11. System Management 12. Status Reports 13. Management 14. Basic Configuration 15. Advanced Config 16. Thin Client Types of users The Console Server supports two classes of users: Administrative users: Those who will be authorized to configure and control the Console Server; and to access and control all the connected devices.
location, to configure the Console Server, set up Users, configure the ports and connected hosts, and set up logging and alerts. An authorized User can use the Management Console to access and control configured devices, review port logs, use the in-built java terminal to access serially attached consoles and control power to connected devices.
Text presented like this highlights important issues and it is essential you read and take heed of these warnings. Text presented with an arrow head indent indicates an action you should take as part of the procedure. Bold text indicates text that you type, or the name of a screen object (e.g. a menu or button) on the Management Console.
B096-048 B096-016 B092-016 2.1.1 Kit components: B096-048 and B096-016 Console Server Management Switch Unpack your Console Server Management Switch kit and verify you have all the parts shown above, and that they all appear in good working order Console Modem...
2.2.1 Power: Console Server Management Switch The B096-048/16 Console Server Management Switch has dual universal AC power supplies with auto failover built in. These power supplies each accept AC input voltage between 100 and 240 VAC with a frequency of 50 or 60 Hz and the total power consumption per Console Server is less than 30W. Two IEC AC power sockets are located at the rear of the metal case, and these IEC power inlets use conventional IEC AC power cords.
B096-048/016 Console Server Management Switch. All physical connections are made using industry standard Cat5e patch cables (Tripp Lite N001 and N002 series cables). Ensure you only connect the LAN port to an Ethernet network that supports 10Base-T/100Base-T. For the initial configuration of the Console Server you must connect a computer to the Console Server’s principal network port.
The Console Server also has a DB9 LOCAL (Console/Modem) port. This DB-9 connector is on the rear panel of the B092-016 Console Server, and on the front panel of the B096-048/016 Console Server Management Switch. USB Port Connection The B096-048/016 Console Server Management Switch has one USB port on the front panel. External USB devices can be plugged into this USB port.
INITIAL SYSTEM CONFIGURATION Introduction This chapter provides step-by-step instructions for the initial configuration of your Console Server and connecting it to your management or operational network. This involves the Administrator: Activating the Management Console Changing the Administrator password Setting the IP address for the Console Server’s principal LAN port Selecting the network services to be supported This chapter also discusses the communications software tools that the Administrator may use to access the Console Server.
o IP address: 192.168.0.100 o Subnet mask: 255.255.255.0 If you wish to retain your existing IP settings for this network connection, click Advanced and Add the above as a secondary IP connection. If it is not convenient to change your computer network address, you can use the ARP-Ping command to reset the Console Server IP address.
You will be prompted to log in. Enter the default administration username and administration password: Username: root Password: default The above screen, which lists four initial installation configuration steps, will be displayed: Change the default administration password on the System/Administration page Configure the local network settings on the System/IP page Configure port settings and enable the Serial &...
3.1.3 Initial B092-016 connection For the initial configuration of the B092-016 Console Server, you will need to connect a console (keyboard, mouse and display) or a KVM switch directly to its mouse, keyboard and VGA ports. When you initially power on the B092-016, you will be prompted on your directly connected video console to log in Enter the default administration username and password (Username: root Password: default).
Select System: Administration. Enter a new System Password then re-enter it in Confirm System Password. This is the new password for root, the main administrative user account, so it is important that you choose a complex password, and keep it safe. You may now wish to enter a System Name and System Description for the Console Server to give it a unique ID and make it simple to identify. Click Apply.
If you select DHCP, the Console Server will look for configuration details from a DHCP server on your management LAN. This selection automatically disables any static address. The Console Server MAC address can be found on a label on the base plate Note In its factory default state (with no Configuration Method selected) the Console Server has its DHCP client enabled, so it automatically accepts any network IP address assigned by a DHCP...
You will then need to configure the IPv6 parameters on each interface page System Services The Administrator has a selection of access protocols that can be used to access the Console Server. The factory default enables HTTPS and SSH access to the Console Server and disables HTTP and Telnet. The User can also use the nominated services for limited access to the Console Server itself.
Select System: Services. Then select /deselect the service to be enabled /disabled. The following access protocol options are available: HTTPS Ensures secure browser access to all the Management Console menus. It also allows appropriately configured Users secure browser access to selected Management Console Manage menus.
There are also a number of related service options that can be configured at this stage: SNMP Enables netsnmp in the Console Server which will keep a remote log of all posted information. SNMP is disabled by default. To modify the default SNMP settings, the Administrator must make the edits at the command line as described in Chapter 15 –...
This section provides an overview of the communications software tools that can be used on the remote computer. Tripp Lite recommends the SDT Connector software tool that is provided with the Console Server, however, generic tools such as PuTTY and SSHTerm may also be used.
3.5.3 SSHTerm Another common communications package that may be useful is SSHTerm. This is an open source package that can be downloaded from To use PuTTY for an SSH terminal session from a Windows client, enter the Console Server’s IP address as the ‘Host Name (or IP address)’...
Management Network Configuration (B096-048/016 only) The B096-048/016 Console Server Management Switches have a second Ethernet network port that can be configured as a management Console Server/LAN port or as a failover/OoB access port. 3.6.1 Configure Management Switch as a Management LAN gateway The Management Switch in the B096-048/016 Console Servers can be configured to provide a management LAN gateway.
Management LAN as the Failover Interface when you configured the principal Network connection on the System: IP menu The B096-048/016 Console Server Management Switches also host a DHCP server which by default is set at disabled. The DHCP server enables the automatic distribution of IP addresses to hosts running DHCP clients on the Management LAN.
IP address of the B096-048/016 will be used Enter the Primary DNS and Secondary DNS address to issue the DHCP clients. Again if this field is left blank, the IP address of the B096-048/016 is used, so leave this field blank for automatic DNS server assignment Optionally enter a Domain Name suffix to issue DHCP clients Enter the Default Lease time and Maximum Lease time in seconds.
Configure Management Switch for Failover or Broadband OoB The Management Switch in the B096-048/016 Console Server can be configured to provide a failover option. In the event of a problem using the main LAN connection for accessing the Console Server, an alternate access path is used.
SERIAL PORT AND NETWORK HOST Introduction The Console Server enables access and control of serially-attached devices and network-attached devices (hosts). The Administrator must configure access privileges for each of these devices, and specify the services that can be used to control the devices. The Administrator can also set up new users and specify each user’s individual access and control privileges.
When you have configured the common settings and the mode for each port, set up any remote syslog (Chapter 4.1.7), then click Apply If the Console Server has been configured with distributed Nagios monitoring enabled then you will also be presented with Nagios Settings options to enable nominated services on the Host to be monitored (refer to Chapter 10 –...
4.1.2 Console Server Mode Select Console Server Mode to enable remote management access to the serial console that is attached to the serial port: Logging Level This specifies the level of information to be logged and monitored (refer to Chapter 7 - Alerts and Logging)
Telnet: Check to enable Telnet access to the serial port. When enabled, a Telnet client on a User or Administrator’s computer can connect to a serial device attached to this serial port on the Console Server. The default port address is IP Address _ Port (2000 + serial port #), i.e. 2001 – 2048. Telnet communications are unencrypted, so this protocol is generally recommended for local connections only.
PuTTY can be downloaded at http://www.tucows.com/preview/195286.html It is recommended that the User or Administrator uses SSH as the protocol for connecting to serial consoles attached to the Console Server when communicating over the Internet or any other public network. This will provide an authenticated, encrypted connection between the SSH client program on the remote user’s computer and the Console Server.
This syntax enables users to set up SSH tunnels to all serial ports with only a single IP port 22 having to be opened in their firewall/gateway. RAW TCP allows connections directly to a TCP socket. Communications programs such as PuTTY also support RAW TCP, however, this protocol would usually be used by a custom application.
4.1.3 SDT Mode This setting allows port forwarding of LAN protocols such as RDP, VNC, HTTP, HTTPS, SSH and Telnet through to computers which are connected locally to the Console Server by their serial COM port. However, such port forwarding requires a PPP link to be set up over this serial port. Refer to Chapter 6.6 - Using SDT Connector to Telnet or SSH connect to devices that are serially attached to the Console Server for configuration details 4.1.4...
The getty will then configure the port and wait for a connection to be made. An active connection on a serial device is usually indicated by the Data Carrier Detect (DCD) pin on the serial device being raised. When a connection is detected, the getty program issues a login: prompt, and then invokes the login program to handle the actual system login.
You may secure the communications over the local Ethernet by enabling SSH however you will need to generate and upload keys (refer to Chapter 14 – Advanced Configuration) 4.1.7 Syslog In addition to built-in logging and monitoring (which can be applied to serial-attached and network- attached management accesses, as covered in Chapter 7 - Alerts and Logging), the Console Server can also be configured to support the remote syslog protocol on a per serial port basis: Select the Syslog Facility/Priority fields to enable logging of traffic on the selected serial port to...
Users can be authorized to access specified Console Server serial ports and specified network-attached hosts. These users can also be given full Administrator status (with full configuration and management and access privileges). To simplify user setup, they can be configured as members of Groups. There are two Groups set up by default (admin and user).
Select Serial & Network: Users & Groups to display the configured Groups and Users Click Add Group to add a new Group Add a Group name and Description for each new Group, then nominate Accessible Hosts and Accessible Ports to specify the serial ports and hosts you wish any users in this new Group to be able to access Click Apply Select Serial &...
Add a Username and a confirmed Password for each new User. You may also include information related to the user (e.g. contact details) in the Description field Nominate Accessible Hosts and Accessible Ports to specify which serial ports and which LAN connected hosts you wish the user to have access to Specify which Group (or Groups) you wish the user to be a member of.
Selecting Serial & Network: Network Hosts presents all the network connected Hosts that have been enabled for access, and the related access TCP ports/services Click Add Host to enable access to a new Host (or select Edit to update the settings for existing Host) Enter the IP Address or DNS Name of the new network connected Host (and optionally enter a Description)
Trusted Networks The Trusted Networks facility gives you the option to nominate specific IP addresses that users (Administrators and Users) must be located at in order to have access to Console Server serial ports: Select Serial & Network: Trusted Networks To add a new trusted network, select Add Rule Select the Accessible Port(s) that the new rule is to be applied to Then enter the Network Address of the subnet to be permitted access...
Network IP Address Subnet Mask If however you want to allow all the users operating from within a specific range of IP addresses (say any of the thirty addresses from 204.15.5.129 to 204.15.5.158) to be permitted connection to the nominated port: Host /Subnet Address Subnet Mask Click Apply...
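The thirty-address case above, worked through as an added example (not code from the manual or the vendor): it derives the single network address and subnet mask that cover a first-to-last range and counts how many addresses outside the intended range that rule would also admit. It assumes a Trusted Networks rule is matched in the usual way (client address AND mask equals the network address); the function names are hypothetical.

```python
"""Derive and audit a Trusted Networks rule (added example, not vendor code)."""
import ipaddress


def covering_rule(first, last):
    """Return the smallest single subnet containing every address first..last."""
    lo = ipaddress.IPv4Address(first)
    hi = ipaddress.IPv4Address(last)
    if lo > hi:
        raise ValueError("first address must not be above last address")
    # Every bit position where the two ends differ has to be a host bit.
    host_bits = (int(lo) ^ int(hi)).bit_length()
    # strict=False clears the host bits to give the network address.
    return ipaddress.IPv4Network((int(lo), 32 - host_bits), strict=False)


def extra_addresses(rule, first, last):
    """Count addresses the rule admits that lie outside the intended range."""
    lo = ipaddress.IPv4Address(first)
    hi = ipaddress.IPv4Address(last)
    intended = int(hi) - int(lo) + 1
    return rule.num_addresses - intended


def is_permitted(client, rule):
    """Assumed matching behaviour: the client is allowed if it is inside the subnet."""
    return ipaddress.IPv4Address(client) in rule


def describe(first, last):
    """Values to type into the rule, plus how much wider than intended it is."""
    rule = covering_rule(first, last)
    return {
        "network_address": str(rule.network_address),
        "subnet_mask": str(rule.netmask),
        "extra_addresses": extra_addresses(rule, first, last),
    }


if __name__ == "__main__":
    # The range quoted in the manual text.
    print(describe("204.15.5.129", "204.15.5.158"))
    # A constructed range that does not sit on a subnet boundary: the one
    # rule that covers it is twice as wide as the range the operator meant.
    print(describe("204.15.5.129", "204.15.5.160"))
```

A non-zero `extra_addresses` beyond the subnet's own network and broadcast addresses means the mask is broader than the range you meant to trust; narrow the range or split it into several rules.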
Now select whether to generate the keys using RSA and/or DSA (if unsure, select only RSA). Generating each set of keys will require approximately two minutes and the new keys will destroy any old keys of that type that may previously have been uploaded. Also while the new generation is under way on the master, functions relying on SSH keys (e.g.
Next, you must register the Public Key as an Authorized Key on the Slave. In the simple case with only one Master with multiple Slaves, you need only upload the one RSA or DSA public key for each Slave. Note The use of key pairs can be confusing because in many cases one file (Public Key) fulfills two roles –...
4.6.3 Configure the Slaves and their serial ports You can now begin setting up the Slaves and configuring Slave serial ports from the Master Console Server: Select Serial & Network: Cascaded Ports on the Master’s Management Console To add clustering support select Add Slave Note You will be prevented from adding any Slaves until you have automatically or manually generated SSH keys:...
4.6.4 Managing the Slaves The Master is in control of the Slave serial ports. So, for example, if you change a User’s access privileges or edit any serial port setting on the Master, the updated configuration files will be sent out to each Slave in parallel.
Then remote Administrators must be configured to dial-in and must establish a network connection to the Console Server. Note The B096-048/016 Console Servers have an internal modem for dial-up OoB access. The B092-016 Console Servers need an external modem to be attached via a serial cable to their DB9 port. 5.1.1...
Select the System: Dial menu option and the port to be configured (Serial DB9 Port or Internal Modem Port) Note The Console Server’s console/modem serial port is set by default to 115200 baud, No parity, 8 data bits and 1 stop bit, with software (Xon-Xoff) flow control enabled. You can modify the baud rate and flow control using the Management Console.
established. Again, you can select any address for the Local IP Address but both must be in the same network range as the Remote IP Address The Default Route option enables the dialed PPP connection to become the default route for the Console Server The Custom Modem Initialization option allows a custom AT string modem initialization string to be entered (e.g.
Select Connect to the Internet and click Next On the Getting Ready screen select Set Up My Connection Manually and click Next On the Internet Connection screen select Connect Using a Dial-Up Modem and click Next Enter a Connection Name (any name you choose) and the dial-up Phone Number that will connect through to the Console Server modem Enter the PPP User Name and Password you have set up for the Console Server 5.1.4...
Do not set up the Console Server PPP link as the default for Internet connection OoB Broadband Access (B096-048/016 only) The B096-048/016 Console Server Management Switch has a second Ethernet network port that can be configured for alternate and OoB (out-of-band) broadband access. With two active broadband access paths to the Console Server, in the event you are unable to access through the primary management network, you may still have access through the alternate broadband path (e.g.
Management LAN (eth1) as the Failover Interface to be used when a fault has been detected with main Network Interface (eth0) Specify the Probe Addresses of two sites (the Primary and Secondary) that the B096-048/016 is to ping to determine if Network (eth0) is still operational...
Then configure Management LAN Interface (eth1) with the same IP setting that you used for the main Network Interface (eth0) to ensure transparent redundancy In this mode, Network 2 (eth1) is available as the transparent back-up port to Network 1 (eth0) for accessing the management network.
SECURE TUNNELING AND SDT CONNECTOR Introduction Each Console Server has an embedded SSH server and uses SSH tunneling. This enables one Console Server to securely manage all the systems and network devices in the data center, using text-based console tools (such as SSH, Telnet, SoL) or graphical desktop tools (VNC, RDP, HTTPS, HTTP, X11, VMware, DRAC, iLO etc).
Using SDT Connector to Telnet or SSH connect to devices that are serially attached to the Console Server (Section 6.4) The chapter then covers more advanced SDT Connector and SDT tunneling topics: Using SDT Connector for out of band access (Section 6.5) Automatic importing and exporting of configurations (Section 6.6) Configuring Public Key Authentication (Section 6.7) Setting up a SDT Secure Tunnel for Remote Desktop (Section 6.8)
SDT Connector can connect to the Console Server using an alternate OoB access. It can also be configured to access the Console Server itself and to access devices connected to serial ports on the Console Server. 6.2.1 SDT Connector client installation The SDT Connector set up program (SDTConnector Setup-1.n.exe or sdtcon-1.n.tar.gz) is included on the CD supplied with your Console Server Run the set-up program:...
To operate SDT Connector, add the new gateways to the client software by entering the access details for each Console Server (refer to Section 6.2.2). Then let the client auto-configure with all host and serial port connections from each Console Server (refer Section 6.2.3). Now point-and-click to connect to the Hosts and serial devices (refer to Section 6.2.4) Alternately you can manually add network connected hosts (refer Section 6.2.5) as well as manually configure new services to be used when accessing the Console Server and the hosts (refer Section 6.2.6).
Optionally, you can enter a Descriptive Name to display instead of the IP or DNS address, and any Notes or a Description of this gateway (such as its firmware version, site location or anything special about its network configuration). Click OK and an icon for the new gateway will now appear in the SDT Connector home page Note For an SDT Connector user to access a Console Server (and then access specific hosts or serial devices connected to that Console Server), that user must first be set up on the Console Server,...
configure access to network-connected Hosts that the user is authorized to access and set up (for each of these Hosts) the services (e.g. HTTPS, IPMI2.0) and the related IP ports being redirected configure access to the Console Server itself (this is shown as a Local Services host) configure access with the enabled services for the serial port devices connected to the Console Server Note...
However, there is a limit on the number of SDT Connector SSH tunnels that can be open at one time on a particular Gateway. The B096-016 / B096-048 Console Server Management Switch and B092-016 Console Server with PowerAlert each support at least 50 such concurrent connections.
6.2.6 Manually adding new services to the new hosts To extend the range of services that can be used when accessing hosts with SDT Connector: Select Edit: Preferences and click the Services tab. Click Add Enter a Service Name and click Add Under the General tab, enter the TCP Port that this service runs on (e.g.
The second redirection is for the VNC service that the user may choose to launch later from the RAC web console. It automatically loads in a Java client served through the web browser, so it does not need a local client associated with it. On the Add Service screen, you can click Add as many times as needed to add multiple new port redirections and associated clients You may also specify Advanced port redirection options:...
6.2.7 Adding a client program to be started for the new service Clients are local applications that may be launched when a related service is clicked. To add to the pool of client programs: Select Edit: Preferences and click the Client tab. Click Add Enter a Name for the client.
Also some clients are launched in a command line or terminal window. The Telnet client is an example of this: Click OK 6.2.8 Dial-in configuration If the client computer is dialing into Local/Console port on the Console Server, you will need to set up a dial-in PPP link: Configure the Console Server for dial-in access (following the steps in the Configuring for Dial-In PPP Access section in Chapter 5, Configuring Dial In Access)
SDT Connector client software that is supplied with the gateway. However, there is also a wide selection of commercial and free SSH client programs that are supported: PuTTY is a complete (though not very user-friendly) freeware implementation of SSH for Win32 and UNIX platforms SSHTerm is a useful open source SSH communications package...
specified when setting up the SDT Hosts on the Console Server was accounts.myco.intranet.com, then specify the Destination as accounts.myco.intranet.com:3389 If your destination computer is serially connected to the Console Server, set the Destination as <port label>:3389. For example, if the Label you specified on the SDT enabled serial port on the Console Server is win2k3, then specify the remote host as win2k3:3389.
Select Local and click the Add button Click Open to SSH connect the Client computer to the Console Server. You will now be prompted for the Username/Password for the Console Server User you SDT enabled Note You can also secure the SDT communications from local and enterprise VPN-connected Client computers using SSH as above.
Note How secure is VNC? VNC access generally allows access to your whole computer, so security is very important. VNC uses a random challenge-response system to provide the basic authentication that allows you to connect to a VNC server. This is reasonably secure and the password is not sent over the network.
SDT Connector to Management Console SDT Connector can also be configured for browser access to the gateway’s Management Console – and for Telnet or SSH access to the gateway command line. For these connections to the gateway itself, you must configure SDT Connector to access the gateway (itself) by setting the Console Server up as a host, and then configuring the appropriate services: Launch SDT Connector on your computer.
SDT Connector - Telnet or SSH connect to serially attached devices SDT Connector can also be used to access text consoles on devices that are attached to the Console Server’s serial ports. For these connections, you must configure the SDT Connector client software with a Service that will access the target gateway serial port, and then set the gateway up as a host: Launch SDT Connector on your computer.
Click Add then scroll to the bottom and click Apply Administrators by default have gateway and serial port access privileges; however for Users to access the gateway and the serial port, you will need to give those Users the required access privileges.
cmd /c start "Starting Out of Band Connection" /wait /min rasdial network_connection login password The network_connection in the above is the name of the network connection as displayed in Control Panel -> Network Connections. Login is the dial-in username, and password is the dial-in password for the connection.
Importing (and exporting) preferences To enable the distribution of pre-configured client config files, SDT Connector has an Export/Import facility: To save a configuration .xml file (for backup or for importing into other SDT Connector clients), select File -> Export Preferences and select the location to save the configuration file To import a configuration, select File ->...
SSH client that SDT Connector launches (e.g. PuTTY, OpenSSH) and the host's SSH server for public key authentication. Essentially, what you are using is SSH over SSH, and the two SSH connections are entirely separate. Setting up SDT for Remote Desktop Access Microsoft’s Remote Desktop Protocol (RDP) enables the system manager to securely access and manage remote Windows computers: to reconfigure applications and user profiles, upgrade the server’s operating system, reboot the machine, etc.
To set the user(s) who can remotely access the system with RDP, click Add on the Remote Desktop Users dialog box Note If you need to set up new users for Remote Desktop access, open User Accounts in the Control Panel and proceed through the steps to nominate the new user’s name, password and account type (Administrator or Limited) Note...
In Computer, enter the appropriate IP Address and Port Number: Where there is a direct local or enterprise VPN connection, enter the IP Address of the Console Server, and the Port Number of the SDT Secure Tunnel for the Console Server’s serial port (the one that is attached to the Windows computer to be controlled).
Note The Remote Desktop Connection software is pre-installed on Windows XP. However, for earlier Windows computers, you will need to download the RDP client: Go to the Microsoft Download Center site http://www.microsoft.com/downloads/details.aspx?familyid=80111F21-D48D-426E-96C2- 08AA2BD23A49&displaylang=en and click the Download button This software package will install the client portion of Remote Desktop on Windows 95, Windows 98 and 98 Second Edition, Windows Me, Windows NT 4.0, Windows 2000, and Windows 2003.
Note The rdesktop client is supplied with Red Hat 9.0: rpm -ivh rdesktop-1.2.0-1.i386.rpm For Red Hat 8.0 or other distributions of Linux; download source, untar, configure, make, make then install. rdesktop currently runs on most UNIX based platforms with the X Window System and can be downloaded from http://www.rdesktop.org/ C.
SDT SSH Tunnel for VNC Alternately, with SDT and Virtual Network Computing (VNC), Users and Administrators can securely access and control Windows 98/NT/2000/XP/2003, Linux, Macintosh, Solaris and UNIX computers. There’s a range of popular VNC software available (UltraVNC, RealVNC, TightVNC) freely and commercially.
To set up a persistent VNC server on Red Hat Enterprise Linux 4: o Set a password using vncpasswd o Edit /etc/sysconfig/vncservers o Enable the service with chkconfig vncserver on o Start the service with service vncserver start o Edit /home/username/.vnc/xstartup if you want a more advanced session than just twm and an xterm C.
A. When the Viewer computer is connected to the Console Server through an SSH tunnel (over the public Internet, or a dial-in connection, or private network connection), enter localhost (or 127.0.0.1) as the VNC Server IP address and the source port you entered when setting up SSH tunneling/port forwarding (in Section 6.2.6) e.g.
Note For general background reading on Remote Desktop and VNC access, we recommend the following: The Microsoft Remote Desktop How-To http://www.microsoft.com/windowsxp/using/mobility/getstarted/remoteintro.mspx The Illustrated Network Remote Desktop help page http://theillustratednetwork.mvps.org/RemoteDesktop/RemoteDesktopSetupandTroubleshooting.ht What is Remote Desktop in Windows XP and Windows Server 2003? by Daniel Petri http://www.petri.co.il/what's_remote_desktop.htm Frequently Asked Questions about Remote Desktop http://www.microsoft.com/windowsxp/using/mobility/rdfaq.mspx...
Windows 2003 and Windows XP Professional allow you to create a simple dial-in service which can be used for the Remote Desktop/VNC/HTTP/X connection to the Console Server: Open Network Connections in Control Panel and click the New Connection Wizard Select Set up an advanced connection and click Next On the Advanced Connection Options screen, select Accept Incoming Connections and click Next Select the Connection Device (i.e.
Specify which Users will be allowed to use this connection. This should be the same Users who were given Remote Desktop access privileges in the earlier step. Click Next On the Network Connection screen, select TCP/IP and click Properties Select Specify TCP/IP addresses on the Incoming TCP/IP Properties screen. Nominate a From: and a To: TCP/IP address and click Next Note You can choose any TCP/IP addresses as long as they are addresses which are not used...
Note The above notes describe setting up an incoming connection for Windows XP. The steps are the same for Windows 2003, except that the setup screens present slightly differently: Put a check in the box for Always allow directly connected devices such as palmtop….. Also, the option to Set up an advanced connection is not available in Windows 2003 if RRAS is configured.
On the SDT Settings menu, select SDT Mode (which will enable port forwarding and SSH tunneling) and enter a Username and User Password. Note When you enable SDT, this will override all other Configuration protocols on that port. Note If you leave the Username and User Password fields blank, they default to portXX and portXX where XX is the serial port number.
ALERTS AND LOGGING Introduction This chapter describes the alert generation and logging features of the Console Server. The alert facility monitors the serial ports, all logins, the power status and environmental monitors and probes. It sends emails, SMS, Nagios or SNMP alerts when specified trigger events occur. First, enable and configure the service that will be used to carry the alert (Section 7.1). Then specify the alert trigger condition and the actual destination to which that particular alert is to be sent (Section 7.2)
In the SMTP Server field, enter the IP address of the outgoing mail Server You may enter a Sender email address which will appear as the “from” address in all email notifications sent from this Console Server. Many SMTP servers check the sender’s email address with the host domain name to verify the address as authentic.
In the SMTP SMS Server field in the Alerts & Logging: SMTP & SMS menu, enter the IP address of the outgoing mail Server. You may enter a Sender email address which will appear as the “from” address in all email notifications sent from this Console Server.
Note The Console Servers have an snmptrap daemon to send traps/notifications to remote SNMP servers on defined trigger events, as detailed above. The Console Servers also embed the net-snmpd daemon, which accepts SNMP requests from remote SNMP management servers and provides information on network interface, running processes, disk usage, etc.
Select Alerts & Logging: Alerts which will display all the alerts currently configured. Click Add Alert 7.2.1 Add a new alert The first step is to specify the alert service that will be used to send notification for this event, who to notify, and what port/host/device is to be monitored: At Add a New Alert.
Activate Nagios notification if it is to be used for this event. In an SDT Nagios centrally managed environment, you can check the Nagios alert option. On the trigger condition (for matched patterns, logins, power events and signal changes), an NSCA check "warning" result will be sent to the central Nagios server.
Serial Port Pattern Match Alert – This alert will be triggered if a regular expression is found in the serial ports character stream that matches the regular expression you enter in the Pattern field. This alert type will only be applied to serial ports. UPS Power Status Alert - This alert will be triggered when the UPS power status changes between On Line, On Battery, and Low Battery.
If you have selected Applicable Alarm Sensor(s) that are to be monitored for this alert event, then you can also set time windows when these sensors will not be monitored (e.g. for a door-open sensor, you may not wish to activate the sensor alert monitoring during the working day) Click Apply Remote Log Storage Before activating Serial or Network Port Logging on any port or UPS logging, you must specify where...
Serial Port Logging In Console Server mode, activity logs of all serial port activity can be maintained. These records are stored off-server, or in the Console Server flash memory. Specify which serial ports are to have activities recorded and to what level data is to be logged: Select Serial &...
Network TCP or UDP Port Logging The Console Servers can also log any access to and communications with network attached Hosts. For each Host, when you set up the Permitted Services which are authorized to be used, you also must set up the level of logging that is to be maintained for each service. Specify the logging level that is to be maintained for that particular TCP/UDP port/service on that particular Host: Level 0...
POWER & ENVIRONMENTAL MANAGEMENT Introduction The B092-016 Console Server and B096-048/016 Console Server Management Switch products embed software that can be used to manage connected Power Distribution Systems (PDU’s), IPMI devices and Uninterruptible Power Supplies (UPS’s) supplied by a number of vendors, and some environmental monitoring devices.
Click Add RPC Enter a RPC Name and Description for the RPC In Connected Via, select the pre-configured serial port or the network host address that connects to the RPC Select any specific labels you wish to apply to specific RPC Outlets (e.g. the PDU may have 20 outlets connected to 20 powered devices you may wish to identify by name) Enter the Username and Password used to log in to the RPC.
system is unresponsive. To set up IPMI power control, the Administrator first enters the IP address/domain name of the BMC or service processor (e.g. a Dell DRAC) in Serial & Network: Network Hosts. Then in Serial & Network: RPC Connections, the Administrator specifies the RPC Type to be IPMI1.5 or 2.0 8.1.2 RPC alerts...
The outlet status is displayed. You can initiate the desired Action to be taken by selecting the appropriate icon: Power ON Power OFF Power Cycle Power Status You will only be presented with icons for those operations that are supported by the Target you have selected Uninterruptible Power Supply Control (UPS) The Console Servers manage UPS hardware using Network UPS Tools (refer Section 8.2.6 for an...
Select UPS as the Device Type in the Serial & Network: Serial Port menu for each port which has Master control over a UPS and in the Serial & Network: Network Hosts menu for each network connected UPS (refer to Chapter 4) No such configuration is required for USB-connected UPS hardware.
Enter a UPS Name and Description (optional) and identify if the UPS will be Connected Via USB or over pre-configured serial port or via HTTP/HTTPS over the preconfigured network Host connection Enter the UPS login details. This Username and Password is used by Slaves of this UPS (i.e. other computers that are drawing power through this UPS) to connect to the Console Server for monitoring of the UPS status and shutdown when battery power is low.
Check Log Status and specify the Log Rate (i.e. minutes between samples) if you wish the status from this UPS to be logged. These logs can be viewed from the Status: UPS Status screen Check Enable Nagios to enable this UPS to be monitored using Nagios central management Click Apply You can also customize the upsmon, upsd and upsc settings for this UPS hardware directly from the command line...
8.2.3 Configuring powered computers to monitor a Managed UPS Once you have added a Managed UPS, each server that is drawing power through the UPS should be set up to monitor the UPS status as a Slave. This is done by installing the NUT package on each server, and setting up upsmon to connect to the Console Server.
- password is the Password of the Manager UPS 8.2.4 UPS alerts You can now set UPS alerts using Alerts & Logging: Alerts (refer to Chapter 7) 8.2.5 UPS status You can monitor the current status of all your Managed or Monitored UPS’s, whether they are on the network or connected serially or via USB: Select the Status: UPS Status menu and a table with the summary status of all connected UPS hardware will be displayed...
NUT can be configured using the Management Console as described above, or you can configure the tools and manage the UPS’s directly from the command line. This section provides an overview of NUT. You can find full documentation at http://www.networkupstools.org/doc. NUT is built on a networked model with a layered scheme of drivers, server and clients.
So NUT supports the more complex power architectures found in data centers, computer rooms and NOCs where many UPS’s from many vendors power many systems with many clients and each of the larger UPS’s power multiple devices and many of these devices are themselves dual powered. Environmental Monitoring The Environmental Monitoring Device (EMD), model B090-EMD, can be connected to any Console Server serial port and each Console Server can support multiple EMD’s.
8.3.1 Connecting the EMD The Environmental Monitoring Sensor (EMD) connects to any serial port on the Console Server via a special EMD Adapter and standard CAT5 cable. The EMD is powered over this serial connection and communicates using a custom handshake protocol. It is not an RS232 device and should not be connected without the adapter: The EMD can be used only with a Console Server and cannot be connected to standard RS232 serial ports on other appliances.
Click Add Enter a Name and Description for the EMD and select pre-configured serial port that the EMD will be Connected Via Provide Labels for each of the two alarms Check Log Status and specify the Log Rate (minutes between samples) if you wish the status from this EMD to be logged.
Select the Status: Environmental Status menu and a table with the summary status of all connected EMD hardware will be displayed Click on View Log or select the Environmental Logs menu and you will be presented with a table and graphical plot of the log history of the selected EMD...
AUTHENTICATION Introduction The Tripp Lite Console Server is a dedicated Linux computer, and it embodies popular and proven Linux software modules for secure network access (OpenSSH) and communications (OpenSSL) and sophisticated user authentication (PAM, RADIUS, TACACS+ and LDAP). This chapter details how the Administrator can use the Management Console to establish...
Local TACACS /RADIUS/LDAP: Tries local authentication first, falling back to remote if local fails TACACS /RADIUS/LDAP Local: Tries remote authentication first, falling back to local if remote fails TACACS /RADIUS/LDAP Down Local: Tries remote authentication first, falling back to local if the remote authentication returns an error condition (e.g.
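The practical difference between these orderings shows up when an account has been rejected by the central server but a local password for it still exists on the Console Server. The model below is an added example, not code from this manual or from the Console Server firmware; the mode names LocalRemote, RemoteLocal and RemoteDownLocal are stand-ins for the TACACS/RADIUS/LDAP variants, and it assumes that "fails" covers both a rejected credential and a server error while "Down" covers only a server error.

```shell
#!/bin/sh
# Added example: a model of the three authentication orderings listed above.
# Mode names are stand-ins for the TACACS/RADIUS/LDAP variants (assumption).
#   local result : ok | fail
#   remote result: ok | reject | error   (error = server unreachable or timed out)

# auth_decision MODE LOCAL_RESULT REMOTE_RESULT -> prints accept or reject
auth_decision() {
    mode=$1; local_res=$2; remote_res=$3
    case "$mode" in
        LocalRemote)     first=$local_res;  second=$remote_res; fallback=any   ;;
        RemoteLocal)     first=$remote_res; second=$local_res;  fallback=any   ;;
        RemoteDownLocal) first=$remote_res; second=$local_res;  fallback=error ;;
        *) echo "unknown mode: $mode" >&2; return 2 ;;
    esac

    # A success from the first method always ends the decision.
    if [ "$first" = ok ]; then echo accept; return 0; fi

    # DownLocal consults the second method only when the server itself failed,
    # not when it answered with a reject.
    if [ "$fallback" = error ] && [ "$first" != error ]; then
        echo reject; return 0
    fi

    if [ "$second" = ok ]; then echo accept; else echo reject; fi
}

# modes_accepting LOCAL_RESULT REMOTE_RESULT -> space-separated modes that admit the login
modes_accepting() {
    accepted=
    for m in LocalRemote RemoteLocal RemoteDownLocal; do
        if [ "$(auth_decision "$m" "$1" "$2")" = accept ]; then
            accepted="${accepted:+$accepted }$m"
        fi
    done
    echo "$accepted"
}

# Constructed scenarios: local result | remote result | description
print_matrix() {
    while IFS='|' read -r l r what; do
        printf '%-58s -> %s\n' "$what" "$(modes_accepting "$l" "$r")"
    done <<'EOF'
ok|reject|rejected centrally, stale local password still valid
ok|error|central server unreachable, local password valid
fail|ok|no local account, valid central credentials
fail|error|central server unreachable, no local account
EOF
}

print_matrix
```

The first scenario is the one to check when choosing a mode: only RemoteDownLocal refuses a login that the central server has explicitly rejected.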
administrative control over the authentication and authorization processes. TACACS+ allows for a single access control server (the TACACS+ daemon) to provide authentication, authorization, and accounting services independently. Each service can be tied into its own database to take advantage of other services available on that server or on the network, depending on the capabilities of the daemon.
login, and other authentication mechanisms. Further information on configuring remote RADIUS servers can be found at the following sites: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/DepKit/d4fe8248-eecd-49e4-88f6-9e304f97fefc.mspx http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a00800945cc.shtml http://www.freeradius.org/ 9.1.4 LDAP authentication Perform the following procedure to configure the LDAP authentication method to be used whenever the Console Server or any of its serial ports or hosts is accessed: Select Serial and Network: Authentication and check LDAP or LocalLDAP or LDAPLocal or LDAPDownLocal...
LDAP The Lightweight Directory Access Protocol (LDAP) is based on the X.500 standard, but is significantly simpler and more readily adapted to meet custom needs. The core LDAP specifications are all defined in RFCs. LDAP is a protocol used to access information stored in an LDAP server.
PAM (Pluggable Authentication Modules) The Console Server supports RADIUS, TACACS+ and LDAP for two-factor authentication via PAM (Pluggable Authentication Modules). PAM is a flexible mechanism for authenticating Users. Nowadays, a number of new ways of authenticating users have become popular. The challenge is that each time a new authentication scheme is developed, it requires all the necessary programs (login, ftpd, etc.) to be rewritten to support it.
port2 = 192.168.254.145/port05 global = cleartext mit RADIUS Example: paul Cleartext-Password := "luap" Service-Type = Framed-User, Fall-Through = No, Framed-Filter-Id=":group_name=admin" The list of groups may include any number of entries separated by a comma. If the admin group is included, the user will be made an Administrator. If there is already a Framed-Filter-Id, simply add the list of group_names after the existing entries, including the separating colon ":".
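Because membership of the admin group in Framed-Filter-Id is what makes a RADIUS user an Administrator, it is worth auditing the RADIUS users file for entries that carry it. The script below is an added example, not part of this manual or of the Console Server software; the function names, the FreeRADIUS-style multi-line file layout, the "std.ppp" existing filter entry and every account other than the manual's "paul" are constructed for illustration.

```shell
#!/bin/sh
# Added example: list RADIUS users whose Framed-Filter-Id grants the admin group.
# Assumed value format (from the text above): [existing entries]:group_name=g1,g2,...

# filter_id_groups VALUE -> prints one group name per line (nothing if none)
filter_id_groups() {
    case "$1" in
        *:group_name=*) ;;
        *) return 0 ;;                      # no group list in this value
    esac
    # Keep what follows the last ":group_name=", split on commas, trim blanks.
    printf '%s\n' "${1##*:group_name=}" | tr ',' '\n' |
        sed -e 's/^[ ]*//' -e 's/[ ]*$//' -e '/^$/d'
}

# grants_admin VALUE -> exit status 0 only if a group is exactly "admin"
# (whole-line match, so "sysadmin" or "administrators" do not count)
grants_admin() {
    filter_id_groups "$1" | grep -qxF admin
}

# admin_users < users-file -> prints the names of users that receive admin
admin_users() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # skip comments and blank lines
        /^[^ \t]/ { user = $1 }                    # unindented line starts an entry
        match($0, /Framed-Filter-Id[ \t]*[:+]?=[ \t]*"[^"]*"/) {
            value = substr($0, RSTART, RLENGTH)
            sub(/^[^"]*"/, "", value)              # drop everything up to the opening quote
            sub(/"$/, "", value)                   # drop the closing quote
            print user, value
        }
    ' | while read -r user value; do
        if grants_admin "$value"; then echo "$user"; fi
    done
}

# Constructed sample file; only the "paul" entry mirrors the manual's example.
sample_users() {
    cat <<'EOF'
paul    Cleartext-Password := "luap"
        Service-Type = Framed-User,
        Fall-Through = No,
        Framed-Filter-Id=":group_name=admin"

# existing filter entry kept, groups appended after the colon
anna    Cleartext-Password := "example-only"
        Framed-Filter-Id = "std.ppp:group_name=users,admin"

bob     Cleartext-Password := "example-only"
        Framed-Filter-Id = ":group_name=users,sysadmin"

carol   Cleartext-Password := "example-only"
        Service-Type = Framed-User
EOF
}

sample_users | admin_users
```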
When you first enable and connect via HTTPS, it is normal that you may receive a certificate warning. The default SSL certificate in your Console Server is embedded during testing and is not signed by a recognized third party certificate authority. Rather, it is signed by our own signing authority. These warnings do not affect the encryption protection you have against eavesdroppers.
Nagios software package will typically be installed on a server or virtual server, the central Nagios server. Tripp Lite Console Servers can operate in conjunction with a central/upstream Nagios server to provide distributed monitoring of attached network hosts and serial devices. The Console Servers can embed the NSCA (Nagios Service Checks Acceptor) and NRPE (Nagios Remote Plug-in Executor) add-ons.
Typically a client PC, laptop, etc. running Windows, Linux or Mac OS X Runs Tripp Lite SDT Connector client software 1.5.0 or later Connect to the central Nagios server web UI to view status of monitored hosts and serial devices...
Enter the IP address that the clients running SDT Connector will use to connect through the distributed Console Servers in SDT Gateway address Check Prefer NRPE, NRPE Enabled and NRPE Command Arguments _____________________________________________________________________ B096-016 B096-048 and B092-016 User Manual Page 127...
Check Telnet (SSH access is not required, as SDT Connector is used to secure the otherwise unsecured Telnet connection) Scroll down to Nagios Settings and check Enable Nagios Check Port Log and Serial Status
Lastly the central/upstream Nagios monitoring host must be configured 10.3.1 Enable Nagios on the Console Server Select System: Nagios on the Console Server Management Console and tick the Nagios service Enabled
When NRPE and NSCA are both enabled, NSCA is the preferred method for communicating with the upstream Nagios server – check Prefer NRPE to use NRPE whenever possible (i.e. for all communication except for alerts)
By default, the Console Server will accept a connection between the upstream Nagios monitoring server and the NRPE server with SSL encryption, without SSL, or tunneled through SSH. The security for the connection is configured at the Nagios server.
Hosts that are network connected to the Console Server. To enable Nagios to monitor a device connected to the Console Server serial port: Select Serial & Network: Serial Port and click Edit on the serial Port # to be monitored
Select Check Permitted TCP/UDP to monitor a service that you have previously added as a Permitted Service Select Check TCP/UDP to specify a service port that you wish to monitor, but do not wish to allow external (SDT Connector) access Select Check TCP to monitor
If NRPE is enabled, then the upstream server will be able to request status updates under its own scheduling.
10.4.3 Additional plug-ins Additional Nagios plug-ins (listed below) are available for all the Tripp Lite Console Servers:
Network Host to be monitored, and select New Checks. The additional check option will have been included in the updated Nagios Checks list. You can again customize the arguments check_nt check_snmp check_ntp...
Pushing the Erase button on the rear panel twice. A ball point pen or bent paper clip is a suitable tool for performing this procedure. Do not use a graphite pencil. Depress the button gently twice (within a 5 second period) while the unit is powered ON.
Save this downloaded firmware image file on to a system on the same subnet as the Console Server Also download and read the release_notes.txt for the latest information To then upload the firmware image file to your Console Server, select System: Firmware
Enter the IP address of the remote NTP Server and click Apply Specify your local time zone so the system clock can show local time (and not UTC): Set your appropriate region/locality in the Time Zone selection box and click Apply
The Administrator can also see the current status to identify which Users have an active session on each port: Select the Status: Active Users 12.2 Statistics The Statistics report provides a snapshot of the data traffic and other activities and operations of your Console Server
12.3 Support Reports The Support Report provides useful status information that will assist the Tripp Lite technical support team to resolve any issues you may experience with your Console Server. If you do experience an issue and have to contact Support, ensure you include the Support Report with your email support request.
Specify the Match Pattern that is to be searched for (e.g. the search for Mount is shown below) and click Apply. The Syslog will then be represented with only those entries that actually include the specified pattern
Chapter 8. 13.2 Port & Host Management Administrator and Users can view logs of data transfers to connected devices. Select Manage: Port Logs and the serial Port # to be displayed
Administrator and Users can communicate directly with the Console Server command line and with devices attached to the Console Server serial ports using SDT Connector and their local Telnet client, or using a java terminal in their browser Select Manage: Terminal
Select Manage: Terminal. The jcterm java applet is downloaded from the Console Server to your browser and the virtual terminal will be displayed Select File -> Open SHELL Session from the jcterm menu to access the command line using SSH
Click Standard VNC Remote control and a VNC Java applet will be loaded into your browser to connect to the B092-016 Console Server. Then log in to the VNC applet and the Console Server (refer to Chapter 16.3 for more details)
However, doing this will not always guarantee these changes are permanent. This chapter is not intended to teach you Linux. We assume you already have a certain level of understanding before you execute Linux kernel-level commands.
'config.version'. The config tool is designed to perform multiple actions from one command if needed, so if necessary, options can be chained together.
-S --separator=char The pattern to separate fields with, default is '.'. The registered configurators are: alerts auth cascade console dhcp dialin eventlog hosts ipaccess ipconfig nagios power serialconfig services Slave systemsettings time users
You can configure the system remote authentication with the following settings: Remote Authentication Method Server IP Address Server Password LDAP Base Node By issuing the following commands:
# /bin/config --set=config.auth.type=LDAP
og.mydomain.com secret 192.168.0.124 og@mydomain.com LDAP 192.168.0.32 Secret...
To enable NTP using a server at pool.ntp.org, issue the following commands:
# /bin/config --set=config.ntp.enabled=on
# /bin/config --set=config.ntp.server=pool.ntp.org
The following command will synchronize the live system with the new configuration.
# /bin/config --run=time
Format is MMDDhhmm[[CC]YY][.ss]
Please note that supported interface modes are 'dhcp' and 'static'. Static To set static configuration on the primary Network interface with the following attributes: IP Address: 192.168.1.100 Network Mask: 255.255.255.0 Default Gateway: 192.168.1.1
You would need to issue the following commands from the command line to set system configuration:
# /bin/config --set=config.console.ppp.localip=172.24.1.1
# /bin/config --set=config.console.ppp.remoteip=172.24.1.2
# /bin/config --set=config.console.ppp.auth=MSCHAPv2
# /bin/config --set=config.console.ppp.enabled=on
# /bin/config --set=config.console.speed=115200
192.168.1.100 192.168.1.254 10.1.0.254 172.24.1.1 172.24.1.2 MSCHAPv2 115200...
You would need to issue the following commands from the command line to set system configuration:
# /bin/config --set=config.services.http.enabled=on
# /bin/config --del=config.services.https.enabled
# /bin/config --del=config.services.Telnet.enabled
# /bin/config --set=config.services.ssh.enabled=on
# /bin/config --del=config.services.snmp.enabled
Enabled Disabled Disabled Enabled Disabled Disabled
Determine the total number of existing Users. If you have no existing Users, you can assume this is 0.
# /bin/config --get=config.users.total
This command should display: config.users.total 1 Note that if you see: config.users.total This means you have 0 Users configured. Disabled Enabled Disabled
If you want to restrict access to serial port 5 to computers from a single C class network 192.168.5.0, you need to issue the following commands (assuming you have a previous rule in place):
# /bin/config --set=config.portaccess.rule2.address=192.168.5.0
The following command will synchronize the live system with the new configuration.
# /bin/config --run=eventlog
Note that supported remote storage server types are 'None', 'cifs', 'nfs' and 'syslog'. Supported port logging levels are '0', '1' and '2'. 192.168.0.254 C:\\tripplite\logs\ cifs_user secret 2 (input/output logging as well as user connections &...
To set up the list of TCP ports for a host, you use the config command:
# config -s config.sdt.hosts.host3.tcpports.tcpport1 = 23
# config -s config.sdt.hosts.host3.tcpports.tcpport2 = 5900
alert1@domain.org when the regular expression
The above assumes the config below: # vi /etc/config/config.xml ~ </users> </host1> <total>3</total> <host2> <address>accounts.intranet.myco.com</address> <description>Accounts server</description> <users> <total>1</total> <user1>John</user1> </users> </host2> <host3> <address>192.168.254.191</address> <description>Tonys Win2000 Box</description> <users> <total>1</total> <user1>John</user1> </users> <tcpports><tcpport1>23</tcpport1></tcpports> </host3> </hosts> </sdt> </config>
SSH keys is either stopped or completed before restoring configuration. If this is not done, then a mix of old and new keys may be put in place.
(has lots of unix shell commands and tools) chat dhcpcd hwclock iproute iptables netcat ifconfig mii-tool netstat and source code will provided for any of the components of the http://www.ece.ucdavis.edu/ucd-snmp/
More details on the above Linux commands can be found online at: http://en.tldp.org/HOWTO/HOWTO-INDEX/howtos.html http://www.faqs.org/docs/Linux-HOWTO/Remote-Serial-Console-HOWTO.html http://www.stokely.com/unix.serial.port.resources/serial.switch.html
IP Filtering rules modifying SNMP with net-snmpd public key authenticated SSH communications SSL, configuring HTTPS and issuing certificates using the pmpower application and powerman for power device management using IPMI tools
To set RTS to 1, run the command:
# pmshell --rts=1
Show all signals:
# pmshell --signals
DSR=1 DTR=1 CTS=1 RTS=1 DCD=0
Read a line of text from the serial port:
# pmshell --getline
Port 8: user2 The above output indicates that a user named “user1” is actively connected to ports 1 and 2, while “user2” is connected to both ports 1 and 8.
If the script cannot be executed, then portmanager will execute /etc/config/scripts/portXX.chat via the chat command on the serial port. When an alert occurs on a port:
</etc/config/pmshell-start.sh>
#!/bin/sh
PORT="$1"
USER="$2"
# Label configured for this serial port
LABEL=$(config -g config.ports.port$PORT.label | cut -f2- -d' ')
# Deny serial port access to the root user
if [ "$USER" = "root" ]; then
    echo "Permission denied for Super User"
    exit 1
fi
UUCP locking (so you can use the same device for dial-in and dial-out). mgetty provides very extensive logging facilities. All standard mgetty options are supported. Modem initialization strings
Rules are added which explicitly allow network traffic to access enabled services e.g. HTTP, SNMP etc. e) Rules are added which explicitly allow network traffic access to serial ports over enabled protocols e.g. Telnet, SSH and raw TCP.
# Explicitly accept any connections from computers on
# 192.168.10.0/24
iptables --append INPUT --source 192.168.10.0/24 --jump ACCEPT
Good documentation about using the iptables command can be found at the Linux netfilter website http://netfilter.org/documentation/index.html
Not defined (edit /etc/default/snmpd.conf) syslocation Not defined (edit /etc/default/snmpd.conf) Simply change the values of sysdescr, syscontact, sysname and syslocation to the desired settings and restart snmpd. responds to SNMP queries for management Snmpd, when
--set config.system.snmp.version2=1 or config --set config.system.snmp.version2=2c or config --set config.system.snmp.version2=3 To set the Community field (SNMP version 1 and 2c only) config --set config.system.snmp.community2=yourcommunityname .. replacing yourcommunityname with the community name
Secure Shell (SSH) is a program to log into another computer over a network, to execute commands in a remote machine, and to move files from one machine to another. It provides strong authentication and secure communications over unsecure channels.
It is advisable to create a new directory to store your generated keys. It is also possible to name the files after the device they will be used for. For example:
$ mkdir keys
$ ssh-keygen -t rsa
Fingerprinting as described below.
Installing SSH Public Key Authentication (Linux)
Alternately, the public key can be installed on the unit remotely from the Linux host with the scp utility as follows:
$ ls /home/user/keys
control_room control_room.pub plant_entrance plant_entrance.pub
$ cat /home/user/keys/control_room.pub /home/user/keys/plant_entrance.pub > /home/user/keys/authorized_keys_bridge_server
"testuser") making sure it is a member of the "users" group. If you do not already have a public/private key pair you can generate them now using ssh-keygen, PuTTYgen or a similar tool:
PuTTYgen: http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
Follow the instruction to move the mouse over the blank area of the program in order to create random data used by PUTTYGEN to generate secure keys. Key generation will occur once PUTTYGEN has collected sufficient random data
~/.ssh/known_hosts. To receive the fingerprint from the remote server, log in to the client as the required user (usually root) and establish a connection to the remote host:
# ssh remhost
If it has not changed, this indicates a serious problem that should be investigated immediately.
SSH tunneled serial bridging
You have the option to apply SSH tunneling when two Console Servers are configured for serial bridging.
It is possible to generate only one set of keys, and reuse them for every SSH session. While this is not recommended, each organization will need to balance the security of separate keys against the additional administration they bring.
$ mkdir keys
$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_rsa): /home/user/keys/control_room
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
SDT Connector Public Key Authentication
SDT Connector can authenticate against a Console Server using your SSH key pair rather than requiring you to enter your password (i.e. public key authentication).
In the Console Server, OpenSSL is used primarily in conjunction with ‘http’ in order to have secure browser access to the GUI management console across insecure networks. More documentation on OpenSSL is available from:
To create a 1024 bit RSA key and a self-signed certificate, send the following openssl command from the host you have openssl installed on:
openssl req -x509 -nodes -days 1000 \
    -newkey rsa:1024 -keyout ssl_key.pem -out ssl_cert.pem
Alternatively, inetd can be configured to launch the secure fnord server from the command line of the unit as follows. Edit the inetd configuration file. From the unit command line:
vi /etc/config/inetd.conf
Append a line:
(see TARGET SPECIFICATION below).
-q, --query
    Query plug status of targets. If none specified, query all targets. Status is not cached; each time this option is used, powermand queries the appropriate RPC's.
Some examples of powerman targets follow.
Power on hosts bar,baz,foo01,foo02,...,foo05:
powerman --on bar baz foo[01-05]
Power on hosts bar,foo7,foo9,foo10:
powerman --on bar,foo[7,9-10]
Devices can be added in /etc/config/powerstrips.xml. If an action is attempted which has not been configured for a specific Power Device, pmpower will exit with an error.
Adding new RPC devices
There are two simple paths to adding support for new RPC devices.
The id appears on the web page in the list of available devices types to configure. The outlets describe targets that the scripts can control. For example, a power control board may control several different outlets. The port-id is the native name for identifying the outlet.
System Event Log (SEL), print Field Replaceable Unit (FRU) inventory information, read and set LAN configuration parameters, and perform remote chassis power control.
SYNOPSIS
ipmitool [-c|-h|-v|-V] -I open <command>
ipmitool [-c|-h|-v|-V] -I lan -H <hostname> [-p <port>]
See table 22-19 in the IPMIv2 specification. The default is 3 which specifies RAKP-HMAC-SHA1 authentication, HMAC-SHA1-96 integrity, and AES-CBC-128 encryption algorithms. The remote server password is specified by the environment variable IPMI_PASSWORD.
IPMI LAN interface. A remote station has the ability to control a system's power state as well as being able to gather certain platform information. To reduce vulnerability, it is strongly advised that the IPMI LAN interface only be enabled in 'trusted'
Configure IPMIv1.5 Serial-over-LAN
user      Configure Management Controller users
channel   Configure Management Controller channels
session   Print session information
exec      Run list of commands from file
Set runtime variable for shell and exec
There is a useful tutorial on creating a bash script CGI at http://www.yolinux.com/TUTORIALS/LinuxTutorialCgiShellScript.html
Similarly the Master maintains a view of the status of the Slaves:
Alternatively, you can write a custom CGI script as described above. The currently connected Slaves can be determined by running:
ls /var/run/cascade
and the configured Slaves can be displayed by running:
config -g config.cascade.Slaves
The B092-016 has a selection of management clients (Firefox browser, SSH, Telnet, VNC viewer, ICA, RDP) embedded as well as the Tripp Lite PowerAlert software. With these, the B092-016 provides rackside control of computers, networking, telecom, power and other managed devices via serial, USB or IP over the LAN.
The sixteen serial ports are pre-configured by default in Console Server mode for the B096-016 / B096-048 Console Server Management Switch or in UPS (PowerAlert) mode for the B092-016 Console Server with PowerAlert product. To change these settings, select Configure, which will load the local Firefox browser and run the Management Console.
16.1.2 Connect- browser
Select Connect: Browser on the control panel and click on the Host/web site you have configured to be accessed using the browser. Sites can be internal or external.
The VNC Viewer client in your B092-016 will be started and a VNC connection window to the selected server will be opened
Java and all Java based trademarks and logos are trademarks or registered trademarks of Sun Microsystems, Inc.
Select Connect: SSH on the control panel and click on the Host to be accessed. An SSH connection window will be opened. Enter the SSH login password and you will be securely connected to the selected Host
Select Connect: IPMI on the control panel and select the Serial over LAN connection to be accessed. This will launch a Serial-Over-LAN session by running:
# ipmitool -I lanplus -H hostname -U username -P password sol activate
Desktop server in the selected computer will be opened, the rdesktop window will appear on your B092-016 screen and you will be prompted for a password. (If the selected computer does not have RDP access enabled, then the rdesktop window will not appear.)
Further information on rdesktop can be found at http://www.rdesktop.org/
16.1.7 Connect- Citrix ICA
Select Connect: Citrix ICA on the control panel and click on the Citrix server to be accessed
Selecting System: Terminal on the control panel logs you in at the command line to the B092-016 Linux kernel. As detailed in Chapters 14 and 15, this enables you to configure and customize your B092-016 using the config and portmanager commands or general Linux commands.
16.2.5 Status
These menu items give the user a snapshot of the serial port and IPMI device status.
16.2.6 Logs
These menu items give the user an audit log of B092-016 activity.
You can also run a VNC client application such as RealVNC, TightVNC or UltraVNC directly on a remote computer and configure it with the B092-016’s IP address to connect to the B092-016 VNC server
VALUE
B096-016 / B096-048: 17 x 12 x 1.75 in (43.2 x 31.3 x 4.5 cm)
B092-016: 17 x 6.7 x 1.75 in (44 x 17 x 4.5 cm)
B096-016 / B096-048: 11.8 lbs (5.4 kg)
B092-016: 8.5 lb (3.9 kg)
PSUs have adopted their own unique pinout; so custom connectors and cables may be required to interconnect your Console Server. In an endeavor to create some move to standardization, Tripp Lite Console Server products all use the same RJ45 pinout convention as adopted by Cisco, SUN and others.
Connectors included in Console Server
The B092-016 Console Server with PowerAlert, and the B096-048/016 Console Server Management Switch ship with a “cross-over” and a “straight” RJ45-DB9 connector for connecting to other vendor’s products:
DB9F-RJ45S straight connector
DB9F-RJ45S cross-over connector
Software, you agree to be bound by the terms of this EULA. If you do not agree to the terms of this EULA, Tripp Lite is not willing to license the Software to you. In such event, do not use or install the Software. If you have purchased the Software, promptly return the Software and all accompanying materials with proof of purchase for a refund.
LIMITED WARRANTY Tripp Lite warrants the media containing the Software for a period of ninety (90) days from the date of original purchase from Tripp Lite or its authorized retailer. Proof of date of purchase will be required. Any updates to the Software provided by Tripp Lite (which may be provided by Tripp Lite at its sole discretion) shall be governed by the terms of this EULA.
REGARDING THE DEVICE OR THE SOFTWARE, THOSE WARRANTIES DO NOT ORIGINATE FROM, AND ARE NOT BINDING ON, TRIPP LITE. NO LIABILITY FOR CERTAIN DAMAGES. EXCEPT AS PROHIBITED BY LAW, TRIPP LITE SHALL HAVE NO LIABILITY FOR COSTS, LOSS, DAMAGES OR LOST OPPORTUNITY OF ANY TYPE...
GNU GENERAL PUBLIC LICENSE
3. You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following:
8. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical
Sun's rights in the Java Marks; and (c) assist Sun in protecting those rights, including assigning to Sun any rights acquired by Licensee in any Java Mark.
NO WARRANTY
SUN Java License
4. Third Party Code. Additional copyright notices and license terms applicable to portions of the Software are set forth in the THIRDPARTYLICENSEREADME.txt file.
Visit www.tripplite.com/warranty today to register the warranty for your new Tripp Lite product. You’ll be automatically entered into a drawing for a chance to win a FREE Tripp Lite product!* * No purchase necessary. Void where prohibited. Some restrictions apply. See website for details.
Tripp Lite World Headquarters 1111 W. 35th Street, Chicago, IL 60609 USA (773) 869-1234 (USA) • 773.869.1212 (International) www.tripplite.com 200903108 93-2879_EN...