USER MANUAL
LES1500, LES1600, LES1700 SERIES
LES SERIES CONSOLE SERVERS
24/7 TECHNICAL SUPPORT AT 1.877.877.2269 OR VISIT BLACKBOX.COM
NEED HELP? LEAVE THE TECH TO US LIVE 24/7 TECHNICAL SUPPORT 1.877.877.2269

TABLE OF CONTENTS
4. SYSTEM CONFIGURATION
4.1 Management Console Connection
4.1.1 Connected Computer Setup
4.1.2 Browser Connection
4.2 Administrator Setup
4.2.1 Change Default Root System Password
4.2.2 Set Up a New Administrator
4.2.3 Name the System
4.3 Network Configuration
...
5.1.8 NMEA Streaming
5.1.9 USB Ports
5.1.10 Link Layer Discovery Protocol (LLDP)
5.2 Add and Edit Users
5.2.1 Set Up New Groups
5.2.2 Set Up New Users
5.3 Authentication
5.4 Network Hosts
...
6.2.3 Set Up Windows XP or Later Client
6.2.4 Set Up Earlier Windows Clients
6.2.5 Set Up Linux Clients
6.3 Dial-out Access
6.3.1 Always-on Dial-out
6.3.2 Failover Dial-out
6.4 OOB Broadband Ethernet Access
...
7.8 Setting Up SDT for Remote Desktop Access
7.8.1 Enable Remote Desktop on the Target Windows Computer to be Accessed
7.8.2 Configure the Remote Desktop Connection Client
7.9 SDT SSH Tunnel for VNC
7.9.1 Install and Configure the VNC Server on the Computer to be Accessed
7.9.2 Install, Configure and Connect the VNC Viewer
...
8.6 Logging
8.6.1 Log Storage
8.6.2 Serial Port Logging
8.6.3 Network TCP and UDP Port Logging
8.6.4 Auto-Response Event Logging
8.6.5 Power Device Logging
9.
...
11. NAGIOS INTEGRATION
11.1 Nagios Overview
11.2 Configuring Nagios Distributed Monitoring
11.2.1 Enable Nagios on the Console Server
11.2.2 Enable NRPE Monitoring
...
15. CONFIGURATION FROM THE COMMAND LINE
15.1 Accessing Configuration from the Command Line
15.1.1 Serial Port Configuration
15.1.2 Adding and Removing Users
15.1.3 Adding and Removing User Groups
...
16.5.2 Check Firewall Rules
16.5.3 Enable SNMP Service
16.5.4 Adding Multiple Remote SNMP Managers
16.6 Secure Shell (SSH) Public Key Authentication
16.6.1 SSH Overview
...
APPENDIX B: REGULATORY INFORMATION
B.1 FCC Statement
B.2 NOM Statement
APPENDIX C: CONNECTIVITY, TCP PORTS AND SERIAL I/O
C.1 Serial Port Pinouts
...
REVISION HISTORY
RELEASE: V6.38
...
This console server device is not approved for use as a life-support or medical system. Any changes or modifications made to this console server device without the explicit approval and consent of Black Box will void Black ...
WHO SHOULD READ THIS USER MANUAL?
You should read this manual if you are responsible for evaluating, installing, operating, or managing a Black Box appliance. This manual assumes you are familiar with the internal network of your organization, and are familiar with the Internet, IP networks, HTTP, FTP and basic security operations.
MANAGEMENT CONSOLE
The features of your console server are configured and monitored using the Black Box Management Console. When you first browse to the Management Console, you can use the menu displayed on the left side to configure the console server. Once you have completed the initial configuration, you can continue to use the Management Console.
ABOUT THIS MANUAL
WHERE TO FIND ADDITIONAL INFORMATION
The Quick Start Guide that came with your console server.
...
CHAPTER 1: SPECIFICATIONS

SPECIFICATIONS: LES1500 SERIES CONSOLE SERVERS
Console Specifications
Console Ports: LES1516A: (16) RJ-45 RS-232 serial ports with Cisco pinouts; LES1532A: (32) RJ-45 RS-232 serial ports with Cisco pinouts; LES1548A: (48) RJ-45 RS-232 serial ports with Cisco pinouts
Interface
Ethernet Ports...

SPECIFICATIONS (CONTINUED): LES1500 SERIES CONSOLE SERVERS
Automation and Scalability
ZTP, Virtual Central Management System (VCMS); RESTful API, programmable and extensible; Auto-Response, SNMP, LLDP, NTP
Certifications
Emissions: FCC Part 15 Subpart B Class A;...

SPECIFICATIONS: LES1600 CONSOLE SERVERS
Console Specifications
Console Ports: LES1604A, LES1604A-V, LES1604A-T, LES1604A-R: (4) RJ-45 RS-232 Cisco straight pinout console ports; LES1608A: (8) RJ-45 RS-232 Cisco straight pinout console ports
Interface
Ethernet Ports: (2) 10-/100-/1000-Mbps Ethernet RJ-45 ports...

SPECIFICATIONS: LES1600 CONSOLE SERVERS (CONTINUED)
Automation and Scalability
ZTP, Virtual Central Management System (VCMS); RESTful API, programmable and extensible; Auto-Response, SNMP, LLDP, NTP
Certifications
Emissions: FCC Part 15 Subpart B:2015;...

SPECIFICATIONS: LES1700 SERIES CONSOLE SERVERS
Console Specifications
Console Ports: LES1708A: (8) RJ-45 RS-232 software-selectable console ports; LES1716A: (16) RJ-45 RS-232 software-selectable console ports; LES1732A: (32) RJ-45 RS-232 software-selectable console ports; LES1748A: (48) RJ-45 RS-232 software-selectable console ports
Interface
Ethernet Ports...

SPECIFICATIONS (CONTINUED): LES1700 SERIES CONSOLE SERVERS
Automation and Scalability
ZTP, Virtual Central Management System (VCMS); RESTful API, programmable and extensible; Auto-Response, SNMP, LLDP, NTP
Cellular Modules: Sierra Wireless
Certifications...
TABLE 2-1. AVAILABLE MODELS COMPARISON CHART INTERNAL SERIAL NETWORK PRODUCT CODE USB 2.0 USB 3.0 FLASH WIRELESS POWER RS-232 10/100/1000 MODEM — LES1516A — 32 MB 4 GB — Single AC — LES1532A — 32 MB 4 GB — Single AC —...
CHAPTER 2: OVERVIEW
2.2 WHAT'S INCLUDED
Your package should include the following items. If anything is missing or damaged, contact Black Box Technical Support at 877-877-2269 or info@blackbox.com.
2.2.1 LES1516A, LES1532A, LES1548A
• (1) Console Server
• ...
2.3 HARDWARE DESCRIPTION
While we cannot illustrate every possible model of the Console Server in this manual, Sections 2.3.1 through 2.3.3 show one model from each series.
2.3.2 LES1600 SERIES
Figures 2-3 and 2-4 show the front and back panels of the LES1604A. Table 2-4 describes its components.
FIGURE 2-3. LES1604A FRONT PANEL
FIGURE 2-4.
2.3.3 LES1700 SERIES
Figures 2-5 and 2-6 show the front and back panels of the LES1716A. Table 2-5 describes its components.
FIGURE 2-5.
All Black Box console servers ship with Ethernet ports. These ports are located on the rear panel of the rackmount LES1516A, LES1532A, LES1548A units, and on the front of the smaller LES1600 units. All physical connections are made using either industry standard CAT5 cabling and connectors or small form-factor pluggable transceivers (SFPs).
LES1600 models have four or eight serial ports presented as RJ-45 ports 1–x. By default, port 1 on all these models is configured in Local Console mode. Conventional CAT5 cabling with RJ-45 jacks is generally used for serial connections. Black Box supplies a range of cables and adapters that may be required to connect to the more popular servers and network appliances.
CHAPTER 3: INSTALLATION
3.3.2 CISCO RJ-45 PINOUT
The LES1600, LES1516A, LES1532A and LES1548A models have Cisco serial pinouts on their RJ-45 connectors. The LES1700 console servers can select this pinout (it is the default). This provides a straight-through RJ-45 cable connection to equipment such as Cisco, Juniper, Sun and many more:
TABLE 3-3.
3.4 USB PORT CONNECTION
Most console servers have external USB ports. LES1700 Series Console Servers have USB 3.0 ports. On other models, these ports are mostly USB 2.0. They can be used for:
• ...
3.5.2 ALL LES1700 MODELS
The LES1700 models have an internal 802.11 WiFi adapter and come with an external WiFi antenna. Before powering on the LES1700:
• ...
This chapter also discusses the communications software tools that the Administrator may use in accessing the console server, and the configuration of the additional LAN ports. NOTE: For guidance on configuring large numbers of Black Box appliances and/or automating provisioning, consult Section 4.7: Configuration over DHCP (ZTP) and Section 16.15: Bulk Provisioning.
CHAPTER 4: SYSTEM CONFIGURATION
If it is not convenient to change your computer’s network address, you can use the ARP-Ping command to reset the console server’s IP address. To do this from a computer running Windows:
• ...
4.1.2 BROWSER CONNECTION
• Launch or switch to your preferred browser on the connected computer and enter https://192.168.0.1.
NOTE: Console servers ship with a self-signed SSL certificate and are factory configured with HTTPS access enabled and HTTP access disabled.
• Enable IP masquerading for cellular connection (System/Firewall page, see Chapter 6).
After completing each of the above steps, return to the configuration list by clicking the Black Box logo in the top left corner of the page.
NOTE: If you are not able to connect to the Management Console at 192.168.0.1 or if the default Username and Password were not accepted, reset your console server (see Chapter 12).
Since the root password has changed, a new log-in prompt will be presented. This time, use the new password.
4.2.2 SET UP A NEW ADMINISTRATOR
A new Administrator user should be set up and this new user should be used for ongoing console server administration, rather than relying on the root user.
NOTE: The System Name can contain from 1 to 64 alphanumeric characters as well as the following special characters: . - _ There are no restrictions on the characters that can be used in the System Description, which can contain up to 254 characters.
• ...
For example: 192.168.1.1/24.
NOTE: If you changed the console server’s IP address, you may need to reconfigure your computer so it has an IP address that is in the same network range as this new address (as detailed earlier in this chapter).
4.3.2 DYNAMIC DNS (DDNS) CONFIGURATION
With Dynamic DNS (DDNS), a console server with its IP address dynamically assigned (and that may change from time to time) can be located using a fixed host or domain name.
• In DDNS Hostname, enter the fully qualified DNS hostname for your console server (for example, your-hostname.dyndns.org).
• Enter the DDNS Username and DDNS Password for the DDNS service provider account.
• ...
TFTP/FTP: If a USB flash card or internal flash is detected on a console server (for example, an LES1200, LES1508A, LES1600, LES1516A, LES1532A, LES1548A, LES1700 or LES1400) then checking Enable TFTP (FTP) service will enable this service and set up the default tftp and ftp server on the USB flash.
A number of other services can be enabled and configured indirectly from this menu by selecting Click here to configure:
• Nagios: Access to the Nagios NRPE monitoring daemons (see Chapter 11).
• ...
• Wi-Fi: 802.11 wireless.
• VPN: IPsec or OpenVPN connection over any network interface.
• Check or uncheck for each network which service access is to be enabled or disabled. In the example shown below, local administrators on the local Management LAN have telnet access direct to the console server (and attached serial ports), while remote administrators using Dial-In or Cellular have no telnet access (unless they set up a VPN).
60 seconds. Active Bans are also listed and may be refreshed by reloading the page. NOTE: When a Black Box device is running on an untrusted network, we recommend that you use a variety of strategies to lock down remote access.
4.5.1 SDT CONNECTOR
SDT Connector is a lightweight tool that enables Users and Administrators to securely access the console server, and the various computers, network devices and appliances that may be serially or network connected to the console server.
4.5.2 PUTTY
Communications packages like PuTTY can also be used to connect to the console server command line (and to connect serially attached devices as covered in Chapter 5). PuTTY is a freeware implementation of Telnet and SSH for Win32 and UNIX platforms. It runs as an executable application without needing to be installed onto your system.
4.6.1 ENABLE THE MANAGEMENT LAN
The LES1700, LES1516A, LES1532A, LES1548A, and LES1600 console servers can be configured so the second Ethernet port provides a management LAN gateway. The gateway has firewall, router and DHCP server features. You need to connect an external LAN switch to Network/LAN 2 to attach hosts to this management LAN.
FIGURE 4-18. MANAGEMENT LAN ENABLED
NOTE: The second Ethernet port (Network/LAN2) on the LES1700, LES1516A, LES1532A, LES1548A, or LES1600 can be configured as either a Management LAN gateway port or it can be configured as an OOB/Failover port. It cannot be both. Do not allocate Network/LAN 2 as the Failover Interface when you configured the principal Network connection on the System >...
FIGURE 4-19. CONFIGURE AS MANAGEMENT LAN OR OOB/FAILOVER PORT
Management LAN features are disabled by default.
• Click Apply.
The management gateway function is now enabled with default firewall and router rules. By default, these rules are configured so the Management LAN is accessible only by SSH port forwarding.
4.6.3 SELECT FAILOVER OR BROADBAND OOB
The LES1700, LES1516A, LES1532A, LES1548A, and LES1600 console servers provide a failover option, so if there is a problem using the main LAN connection for accessing the console server, an alternate access path is used.
NOTE: The failover method is not active until the external sites to be probed to trigger failover are specified and the failover ports themselves are set up. This is covered in Chapter 6.
NOTE: On the LES1700, LES1516A, LES1532A, LES1548A, and LES1600 models, the second Ethernet port can be configured as either a gateway port or as an OOB/Failover port, but not both.
4.6.5 WI-FI WIRELESS LAN
All LES1700 models have an internal 802.11 Wi-Fi adapter and come with an external Wi-Fi antenna. The Wi-Fi can be configured as a Wi-Fi Wireless Access Point (WAP) or as a Wi-Fi client.
The next step is to set up a DHCP server for the wireless clients. Click the link next to DHCP Server in the IP settings section, or go to System >...
4.6.6 STATIC ROUTES
Firmware 3.4 and later support static routes that provide a quick way to route data from one subnet to a different subnet. You can hard-code a path that specifies the console server or router to get to a certain subnet by using a certain path.
HTTP, FTP or TFTP.
NOTE: Only HTTPS can be used if the connection between the file server and a to-be-configured Black Box device travels over an untrusted network.
• Configure your DHCP server to include a vendor specific option for Black Box devices. (This will be done in a DHCP server-specific ...
"https://example.com/opg/${class}.opg";
4.7.3 SETUP WHEN THE LAN IS UNTRUSTED
If the connection between the file server and a to-be-configured Black Box device includes an untrusted network, a two-handed approach can mitigate the issue.
NOTE: This approach introduces two physical steps where trust can be difficult, if not impossible, to establish completely. First, the custody chain from the creation of the data-carrying USB flash drive to its deployment.
• udhcpc transmits a DHCP DISCOVER request to the primary Network Interface. This request includes a Vendor Class Identifier in the following form:
Black Box/model-name
For example:
Black Box/LES1203A-M
NOTE: In unconfigured console servers, the network interface mode is unset and the DHCP DISCOVER request, therefore, includes a parameter request for Vendor-Specific Information (option 43).
the DHCP server sends a DHCP OFFER in reply. The console server uses the information in the DHCP OFFER to assign itself the supplied IPv4 address.
• ...
runs /etc/scripts/backup-url to restore the backed-up configuration using the file declared in option 43, sub-option 1 of the DHCP OFFER. (The script’s name is historical: it is based on configuration backup and restore logic.)
4.7.7 THE URLS IN DHCP OFFER, OPTION 43, SUB-OPTION 1
URLs offered in DHCP OFFER, option 43, sub-option 1 are parsed by /etc/scripts/backup-url using substrings in the configuration backup’s filename to determine the choice order.
4.7.9 RUNNING A RESTORE OR UPDATE IN SECURE RECOVERY MODE
For a firmware update to run in secure mode (that is, to run over the HTTPS protocol), /etc/scripts/backup-url must find two certificate files in an attached USB storage device.
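Added example (not part of the Black Box manual or firmware): a Python check an administrator can run against captured DHCP option bytes to see which URLs option 43, sub-option 1 offers for ZTP, and to flag any that are not HTTPS when the path to the file server is untrusted. It assumes the standard RFC 2132 code/length/value encoding and that multiple URLs are separated by whitespace; the helper names and the sample DISCOVER and OFFER bytes are constructed for illustration.

```python
"""Audit the DHCP options a ZTP DHCP server hands to a console server.

Added example, not vendor code. Sample option bytes below are constructed.
"""
from urllib.parse import urlsplit

PAD, END = 0, 255
OPT_VENDOR_SPECIFIC = 43    # RFC 2132, section 8.4
OPT_VENDOR_CLASS_ID = 60    # RFC 2132, section 9.13
SUBOPT_URLS = 1             # sub-option 1, as named in section 4.7.7
KNOWN_SCHEMES = {"https", "http", "ftp", "tftp"}  # transports named in 4.7


def parse_tlv(data):
    """Walk code/length/value triples; raise ValueError on truncated input."""
    out, i = {}, 0
    while i < len(data):
        code = data[i]
        i += 1
        if code == PAD:
            continue
        if code == END:
            break
        if i >= len(data):
            raise ValueError(f"option {code}: missing length byte")
        length = data[i]
        i += 1
        if i + length > len(data):
            raise ValueError(f"option {code}: length {length} overruns buffer")
        # A code that appears more than once is concatenated (RFC 3396).
        out[code] = out.get(code, b"") + data[i:i + length]
        i += length
    return out


def vendor_class(options_field):
    """Return the Vendor Class Identifier (option 60) or None."""
    raw = parse_tlv(options_field).get(OPT_VENDOR_CLASS_ID)
    return raw.decode("ascii", errors="replace") if raw is not None else None


def ztp_urls(options_field):
    """Return the URLs carried in option 43, sub-option 1."""
    vendor = parse_tlv(options_field).get(OPT_VENDOR_SPECIFIC)
    if vendor is None:
        return []
    raw = parse_tlv(vendor).get(SUBOPT_URLS, b"")
    # ASSUMPTION: several URLs are separated by ASCII whitespace.
    return raw.decode("ascii", errors="replace").split()


def audit_offer(options_field, untrusted_path=True):
    """Return (url, reason) pairs for URLs that should not be offered."""
    findings = []
    for url in ztp_urls(options_field):
        scheme = urlsplit(url).scheme.lower()
        if scheme not in KNOWN_SCHEMES:
            findings.append((url, "unexpected scheme"))
        elif untrusted_path and scheme != "https":
            findings.append((url, "cleartext transport on untrusted path"))
    return findings


def tlv(code, value):
    """Encode one option; used only to build the constructed samples."""
    return bytes([code, len(value)]) + value


# Constructed DISCOVER options: message type 1, vendor class in the manual's
# "Black Box/model-name" form, parameter request list asking for option 43.
SAMPLE_DISCOVER = (tlv(53, b"\x01") + tlv(OPT_VENDOR_CLASS_ID, b"Black Box/LES1203A-M")
                   + tlv(55, bytes([OPT_VENDOR_SPECIFIC])) + bytes([END]))

# Constructed OFFER options: message type 2 and two candidate URLs.
SAMPLE_OFFER = (tlv(53, b"\x02")
                + tlv(OPT_VENDOR_SPECIFIC, tlv(
                    SUBOPT_URLS,
                    b"https://example.com/opg/config.opg tftp://192.0.2.10/config.opg"))
                + bytes([END]))

if __name__ == "__main__":
    print("vendor class:", vendor_class(SAMPLE_DISCOVER))
    for url, reason in audit_offer(SAMPLE_OFFER):
        print(f"FLAG {url}: {reason}")
```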
CHAPTER 5: SERIAL PORT, HOST DEVICE AND USER CONFIG
The console server enables access and control of serially-attached devices and network-attached devices (hosts). The Administrator must configure access privileges for each of these devices, and specify the services that can be used to control the devices.
5.1 CONFIGURE SERIAL PORTS
• The first step in configuring a serial port is to set the Common Settings such as the protocols and the RS-232 parameters that are to be used for the data connection to that port (for example, baud rate).
5.1.1 COMMON SETTINGS
There are a number of common settings that can be set for each serial port. These are independent of the mode in which the port is being used.
5.1.2 CONSOLE SERVER MODE
Select Console Server Mode to enable remote management access to the serial console that is attached to this serial port.
• ...
FIGURE 5-5. TURN WINDOWS FEATURES ON OR OFF
• If you are prompted for an administrator password or confirmation, type the password or provide confirmation.
• ...
FIGURE 5-6. PUTTY CONFIGURATION SCREEN
NOTE: PuTTY supports Telnet (and SSH).
• Enter the console server’s IP address as the Host Name (or IP address). Select Telnet as the protocol and set the TCP port to 2000 plus the physical serial port number (that is, a port between 2001 and 2048).
For example, if a User named fred wants to access serial port 2, when setting up SSHTerm or the PuTTY SSH client, instead of typing
username = fred
ssh port = 3002
type...
• For Unauthenticated Telnet the default port address is IP Address:Port 6000 + serial port # (that is, Port #s 6001 – 6048).
• ...
FIGURE 5-7.
• Set a custom Escape Character. This enables you to change the character used for sending escape characters. The default is ~.
• ...
5.1.4 DEVICE (RPC, UPS, EMD) MODE
This mode configures the selected serial port to communicate with a serial controlled Uninterruptible Power Supply (UPS), Remote Power Controller / Power Distribution Units (RPC) or Environmental Monitoring Device (EMD).
With serial bridging, the serial data on a nominated serial port on one console server is encapsulated into network packets and then transported over a network to a second console server where it is then represented as serial data.
5.1.7 SYSLOG
In addition to built-in logging and monitoring (which can be applied to serial-attached and network-attached management accesses, as covered in Chapter 8), the console server can also be configured to support the remote syslog protocol on a per serial port basis.
5.1.9 USB PORTS
Black Box LES1600, LES1516A, LES1532A, LES1548A and LES1700 family console servers running firmware 3.16.5 or later support USB console connections to devices from a wide range of vendors, including Cisco, HP, Dell and Brocade. Moreover, and aside from their utility as USB connections, all the USB ports on these console servers can function as plain RS-232 serial ports when a USB-to-serial adapter is connected.
Custom configuration files—which must have filenames ending with .conf—will be read and executed by lldpcli when the LLDP service starts. The /etc/ directory is read-only on Black Box hardware. Most default configuration files otherwise stored in /etc/ are, on Black Box hardware, in /etc/config/, which is writeable.
5.2 ADD AND EDIT USERS
The Administrator uses this menu selection to set up, edit and delete users and to define the access permissions for each of these users.
5.2.1 SET UP NEW GROUPS
To set up new Groups and new users, and to classify users as members of particular Groups:
• ...
• Specify which Group (or Groups) you wish the user to be a member of.
• Add a confirmed Password for each new user.
• ...
All network-connected Hosts that have been enabled for access are displayed, along with the related access TCP ports/services.
• Click Add Host to enable a new Host or select Edit to update an extant Host’s settings.
• ...
FIGURE 5-18. SERIAL & NETWORK: TRUSTED NETWORKS SCREEN, ADD RULE
NOTE: In the absence of Rules, there are no access limitations as to the IP address where Users or Administrators can be located.
• ...
Slave units and all the serial ports on the Slave units appear as if they are part of the Master. Black Box’s clustering connects each Slave to the Master with an SSH connection. This is done using public key authentication so the Master can access each Slave using the SSH key pair (rather than using passwords).
Generating each set of keys will require approximately two minutes and the new keys will destroy any old keys of that type that may previously have been uploaded.
• Browse again to the stored RSA (or DSA) Public Key and upload it to Slave’s SSH Authorized Key.
• Click Apply.
• ...
Once you have added all the slave console servers, the slave serial ports and the connected devices are configurable and accessible from the master’s Management Console menu and accessible through the Master’s IP address.
PortShare for Linux
The PortShare driver for Linux maps the console server serial port to a host tty port. Black Box has released the portshare-serial-client as an open source utility for Linux, AIX, HPUX, SCO, Solaris and UnixWare. This utility can be freely downloaded from the ftp site.
FIGURE 5-24. EDIT AN EXISTING DEVICE SCREEN
To add a new network connected Managed Device:
• The Administrator adds a new network connected Managed Device using Add Host on the Serial & Network > Network Host menu.
• ...
(https://shrew.net/) to remotely access the advanced console server and every machine on the Management LAN subnet at the remote location. Configuration of IPsec is quite complex so Black Box provides a simple GUI interface for basic set up as described below.
ENABLE THE VPN GATEWAY
• ...
FIGURE 5-25. ADD IPSEC TUNNEL SCREEN
• Enter the public IP or DNS address of this Black Box VPN gateway as the Left Address. You can leave this blank to use the interface of the default route.
• In Right Address, if the remote end has a static or dyndns address, enter the public IP or DNS address of the remote end of the tunnel.
OpenVPN tunnel may be established between a roaming Windows client and a Black Box advanced console server within a data center. Configuration of OpenVPN can be complex so Black Box provides a simple GUI interface for basic set up as described next.
5.10.1 ENABLE THE OPENVPN
• Select Serial &...
a Private Key for the server and each client. This Private Key File will be a *.key file type.
• ...
5.10.2 CONFIGURE AS SERVER OR CLIENT
• Complete the Client Details or Server Details depending on the Tunnel Mode selected.
• ...
FIGURE 5-30. SAVED FILES DISPLAYED ON SCREEN
• To enable OpenVPN, Edit the OpenVPN tunnel.
• Check the Enabled checkbox.
• ...
FIGURE 5-32. OPENVPN GUI ICON
• So once the OpenVPN client is installed, a configuration file will need to be created.
• ...
Page 95
dev tun
ca c:\\openvpnkeys\\ca.crt
cert c:\\openvpnkeys\\server.crt
key c:\\openvpnkeys\\server.key
dh c:\\openvpnkeys\\dh.pem
comp-lzo
verb 1
syslog LES1416A_OpenVPN_Server
The Windows client/server configuration file options are listed in the next table: TABLE 5-5.
TABLE 5-5 (CONTINUED). WINDOWS CLIENT/SERVER CONFIGURATION FILE OPTIONS
OPTION            DESCRIPTION
cert file-name    Enter the client’s or server’s certificate file name and location. Each client should have its own certificate and key files.
DSL links to their local ISP. To set up a PPTP connection from a remote Windows client to your Black Box appliance and local network: Enable and configure the PPTP VPN server on your Black Box appliance.
5.11.1 ENABLE THE PPTP VPN SERVER
Select PPTP VPN on the Serial & Networks menu. Click the Enable check box to enable the PPTP Server. ...
Ensure the remote VPN client PC has Internet connectivity. To create a VPN connection across the Internet, you must set up two networking connections. One connection is for the ISP, and the other connection is for the VPN tunnel to the Black Box appliance.
NOTE: To connect remote VPN clients to the local network, you need to know the user name and password for the PPTP account you added, as well as the Internet IP address of the Black Box appliance. If your ISP has not allocated you a static IP address, consider using a dynamic DNS service.
FIGURE 5-38. EDIT CONNECTION SCREEN
Enter the IP address or DNS name (for example, the dynamic DNS address) of the VCMS. ...
5.12.2 ACCEPT CALL HOME CANDIDATES AS MANAGED CONSOLES
This section gives an overview on configuring a VCMS to monitor console servers that Call Home. For more details, refer to the Virtual Central Management System (VCMS) User Manual.
5.13 IP PASSTHROUGH
IP Passthrough is used to make a modem connection (for example, the Black Box’s internal cellular modem) appear like a regular Ethernet connection to a third-party downstream router, allowing the downstream router to use the Black Box’s modem connection as a primary or backup WAN interface.
5.13.2 IP PASSTHROUGH PRE-REQUISITE PRE-CONFIGURATION STEPS
Configure the Network Interface and, where applicable, Management LAN interfaces with static network settings. ...
5.13.4 SERVICE INTERCEPTS
These allow the console server to continue to provide services for out-of-band management when in IP Passthrough mode. Connections to the modem address on the specified intercept port(s) will be handled by the console server, rather than being passed through to the downstream router.
Port tab under System > Dial as well as the Serial DB9 Port tab. The LES1516A, LES1532A, LES1548A, and LES1600 models also support external USB modems. The USB modem will be auto-detected and an External USB Modem Port tab will come up under System > Dial in addition to the Serial DB9 Port tab. All console server models support an external modem (any brand) attached via a serial cable to the console/modem port for OOB dial-in access.
By default, the modem port on all console servers is set with software flow control and the baud rate is set at: 115200 baud for external modems connected to the local console port on LES1516A, LES1532A, LES1548A, and LES1700 console servers.
CHAPTER 6: FIREWALL, FAILOVER AND OOB ACCESS
Select the Authentication Type required. Access is denied to remote users attempting to connect using an authentication scheme weaker than the selected scheme. The schemes, from strongest to weakest, are:
- Encrypted Authentication (MS-CHAP v2).
6.2.4 SET UP EARLIER WINDOWS CLIENTS
For Windows 2000, the PPP client set up procedure is the same as above, except you get to the Dial-Up Networking Folder by clicking Start and selecting Settings.
FIGURE 6-2. SYSTEM: DIAL SCREEN
Check the Enable Dial-Out to allow outgoing modem communications. Select the Baud Rate and Flow Control that will communicate with the modem. ...
6.3.2 FAILOVER DIAL-OUT
The LES1600, LES1516A, LES1532A, LES1548A, and LES1700 series of advanced console servers can be configured so a dial-out PPP connection is automatically set up in the event of a disruption in the principal management network.
FIGURE 6-3. SET UP DIAL-OUT PPP CONNECTION SCREEN
NOTE: With firmware v3.0.1 and earlier, only SSH access is enabled on the failover connection.
FIGURE 6-4.
Select the Baud Rate and Flow Control that will communicate with the modem. Check the Enable Dial-Out Access checkbox. ...
6.4 OOB BROADBAND ETHERNET ACCESS
The LES1600, LES1516A, LES1532A, LES1548A, and LES1700 family of advanced console servers have a second ethernet port that can be configured for alternate and OOB (out-of-band) broadband access.
TABLE 6-1. SECOND ETHERNET PORT TO CONFIGURE FOR OOB BROADBAND ACCESS...
6.5 BROADBAND ETHERNET FAILOVER
The second Ethernet port on the LES1600, LES1516A, LES1532A, LES1548A, and LES1700 family of advanced console servers can also be configured for failover to ensure transparent high availability. Navigate to System > IP > Network Interface.
FIGURE 6-7. SYSTEM IP: FAILOVER INTERFACE TAB
In this mode, the Management LAN Interface is available as the transparent back-up port to Network Interface for accessing the management network.
6.6 CELLULAR MODEM CONNECTION
The LES1600 family of advanced console servers support internal cellular modems. These modems first need to be installed (as documented in Sections 6.6.1 through 6.6.3) and then set up to validate they can connect to the carrier network (as documented in Sections 6.6.4 and 6.6.5).
FIGURE 6-8. INTERNAL CELLULAR MODEM TAB
Check the Enable Dial-Out radio button in the Internal Cellular Modem Dial Settings section. ...
Your carrier may have provided details for configuring the connection:
TABLE 6-2. CONFIGURATION DETAILS FROM CARRIER
VALUE DESCRIPTION Access Point name PIN Code If the carrier-provided SIM card is locked, a PIN Code may be required to unlock it.
6.6.2 CONNECTING TO A CDMA EV-DO CARRIER NETWORK
Console server models denoted with -V have an internal CDMA modem and will connect to the Verizon network in North America. After creating an account with the CDMA carrier, some carriers require an additional step to provision the Internal Cellular Modem, known as Provisioning.
These values are specific to your carrier and for manual activation, you will have to learn what values your carrier uses in each field. Verizon, for example, has been known to use an MSL of 000000 and the phone number assigned to the Black Box device as both the MDN and MSID with no spaces or hyphens.
If required by your account plan, enter the supplied Username and Password. Check the Enable check-box. Click Apply. ...
Enter the carrier’s APN. Example APNs include:
TABLE 6-5. EXAMPLE APNS
CARRIER                  APN
AT&T (USA)               i2gold
T-Mobile (USA)           epc.tmobile.com
Internode (Australia)    internode
Telstra (Australia)      telstra.internet...
Verify the Connection Status reads as Connected. To measure the received signal strength: Navigate to Status > Statistics. ...
6.6.5 CELLULAR MODEM WATCHDOG
With firmware V3.5.2u13 and later, when you check the Enable Dial-Out check-box at System > Dial, you will be given the option to configure a cellular modem watchdog service.
Multi-carrier capable models ship with cellular modem firmware for each supported carrier pre-loaded onto internal non-volatile or USB storage. Periodically, new cellular modem firmware becomes available and is published on the Black Box downloads site. NOTE: If your unit’s cellular connection is operating correctly, there is typically no need to upgrade its cellular firmware.
Optionally, expand the Advanced section. This section shows a full list of files to be downloaded or deleted, along with their SHA1 hashes. (Temporary files downloaded during the initial Check for Updates may be listed as simple files to copy into place, as they do not have to be re-downloaded.) ...
6.7.1 OOB ACCESS SETUP
In this mode, the dial-out connection to the carrier cellular network is always on, awaiting any incoming traffic. By default, the only traffic enabled is incoming SSH access to the console server and its serial ports, and incoming HTTPS access to the console server.
6.7.2 CELLULAR FAILOVER
In this mode, a dial-out cellular connection is only established if the main network is disrupted. The cellular connection normally remains idle and in a low power state.
FIGURE 6-17.
Note the Active Connection value. If the Main Connection is good, the Active Connection value will be Main. If the Main Connection is down, the Out-of-Band/Failover section displays information relating to a configured Out-of-Band/Failover interface and the status of that connection.
6.8 FIREWALLS AND FORWARDING
Console servers with firmware v3.3 and later have basic routing, NAT (Network Address Translation), packet filtering and port forwarding support on all network interfaces.
6.8.1 CONFIGURING NETWORK FORWARDING AND IP MASQUERADING
Using a console server as an Internet or external network gateway requires establishing an external network connection and then setting up forwarding and masquerading.
By default, IP Masquerading is disabled for all networks. To enable masquerading: Navigate to System > Firewall. Select the Forwarding & Masquerading tab. ...
Enter the Default Lease time in seconds. Enter the Maximum Lease time in seconds.
FIGURE 6-21.
Lease times are the number of seconds a dynamically assigned IP address is valid before the client must request it again. ...
6.8.3 PORT AND PROTOCOL FORWARDING
When using IP Masquerading, devices on the external network cannot initiate connections to devices on the internal network. To work around this, Port Forwards can be set up to allow external users to connect to a specific port, or range of ports on the external interface of the console server or cellular router.
For example, to forward port 8443 to an internal HTTPS server on 192.168.10.2, use the following settings:
TABLE 6-8. PORT/PROTOCOL FORWARDING EXAMPLE
FIELD DESCRIPTION Name...
TABLE 6-9 (CONTINUED). FIREWALL RULE FIELDS
FIELD                PURPOSE
Destination Range    Specify the destination IP address/address range to match. IP address ranges use the format ip/netmask (where netmask is in bits 1-32).
6.8.5 PACKET STATE MATCHING IN FIREWALL RULES
As of firmware 4.0.0, Firewall rules can include packet state matching. This is implemented using an iptables extension module and can be set as follows: ...
For example:
# iptables -I INPUT -p tcp --dport 23 -m state --state \
ESTABLISHED,RELATED -j ACCEPT
This tells the firewall to accept incoming Telnet traffic for previously established Telnet sessions. If the rule is created in IPv6 >...
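A state match of ESTABLISHED,RELATED only covers packets of sessions that already exist, so when reviewing a rule set it helps to see which rules can admit the first packet of a connection to the same port. The following shell functions are an added example, not code from the manual or the console server firmware: they classify ACCEPT rules for one TCP port from text in iptables -S format. The function names and the sample rule listing are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the manual): classify ACCEPT rules for one TCP port
# by whether they can admit the first packet of a new connection.
# Input: rule text in `iptables -S` format on stdin.
# Not handled: `-m multiport --dports` lists and jumps to user-defined chains.

# Constructed sample listing for illustration; not taken from a real device.
sample_rules() {
cat <<'EOF'
-P INPUT DROP
-A INPUT -p tcp -m tcp --dport 23 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.10.0/24 -p tcp -m tcp --dport 23 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 23 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8443 -m state ! --state INVALID -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5900:5910 -j ACCEPT
EOF
}

# classify_port_rules PORT
# Prints "<kind> <rule>" for every TCP ACCEPT rule whose --dport covers PORT.
#   existing-only : state match that cannot match the first packet of a connection
#   allows-new    : state match that includes NEW (directly or through negation)
#   stateless     : no state match, so every packet to the port is accepted
classify_port_rules() {
    awk -v port="$1" '
    $1 != "-A" { next }    # skip policy (-P) and chain (-N) lines
    {
        proto = ""; dport = ""; states = ""; target = ""; neg = 0
        for (i = 1; i < NF; i++) {
            if ($i == "-p") proto = $(i + 1)
            if ($i == "--dport") dport = $(i + 1)
            if ($i == "-j") target = $(i + 1)
            if ($i == "--state" || $i == "--ctstate") {
                states = $(i + 1)
                neg = (i > 1 && $(i - 1) == "!")
            }
        }
        if (proto != "tcp" || target != "ACCEPT" || dport == "") next

        # --dport is either a single port or a lo:hi range
        n = split(dport, r, ":")
        lo = r[1] + 0
        hi = (n == 2) ? r[2] + 0 : lo
        if (port + 0 < lo || port + 0 > hi) next

        if (states == "") {
            kind = "stateless"
        } else {
            has_new = (index("," states ",", ",NEW,") > 0)
            if (neg) has_new = !has_new    # "! --state X" matches every state except X
            kind = has_new ? "allows-new" : "existing-only"
        }
        print kind, $0
    }'
}

# count_class PORT KIND : number of rules of that kind for PORT (rules on stdin)
count_class() {
    classify_port_rules "$1" | awk -v k="$2" '$1 == k { n++ } END { print n + 0 }'
}

# Demo on the constructed listing: the Telnet port from the rule above.
sample_rules | classify_port_rules 23
```

On a live system the same functions can be fed from iptables -S INPUT; a stateless or allows-new rule for a port is what decides who may open a session, while the existing-only rule just keeps open sessions flowing.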
Each Black Box console server has an embedded SSH server and uses SSH tunneling so remote users can securely connect through the console server to Managed Devices using text-based console tools (such as SSH, telnet, SoL) or graphical tools (such as VNC, RDP, HTTPS, HTTP, X11, VMware, DRAC, iLO).
CHAPTER 7: SSH TUNNELS AND SDT CONNECTOR
The chapter then covers more advanced SDT Connector and SSH tunneling topics: Using SDT Connector for out-of-band access. Automatic importing and exporting of configurations. ...
7.2 SDT CONNECTOR CLIENT CONFIGURATION
The SDT Connector client works with all Black Box console servers. Each remote console server has an embedded OpenSSH based server which can be configured to port forward connections from the SDT Connector client to hosts on their local network (see Chapter 6).
NOTE: SDT Connector is a Java application. It must have a Java Runtime Environment (JRE) installed. It will install on Windows 2000 and later and on most Linux platforms.
Click OK. The new gateway will appear in the SDT Connector home page. NOTE: For an SDT Connector user to access a console server and then access specific hosts or serial devices connected to that console server, that user must first be set up on the console server, and must be authorized to access the specific ports on the specific hosts (see Chapter 6).
FIGURE 7-7. SERVICES SCREEN
NOTE: Retrieve Hosts auto-configures all classes of user whether they are members of user, admin, some other group, or no group. SDT Connector will not auto-configure the root.
LES1200 and LES1508A models each support at least 50 such concurrent connections. For a site with a LES1400 gateway you can have, at any time, up to 50 users securely controlling an unlimited number of network attached computers and appliances (servers, routers, etc.) at that site. LES1600, LES1700 and LES1516A, LES1532A, LES1548A support many hundreds of simultaneous client tunnels.
7.2.6 MANUALLY ADDING NEW SERVICES TO THE NEW HOSTS
To extend the range of services that can be used when accessing hosts with SDT Connector: ...
A service typically consists of a single SSH port redirection and a local client to access it. It may consist of several redirections, some or all of which may have clients associated with them.
7.2.7 ADDING A CLIENT PROGRAM TO BE STARTED FOR THE NEW SERVICE
Clients are local applications that may be launched when a related service is clicked. To add to the pool of client programs: ...
FIGURE 7-14. EDIT CLIENT SCREEN
Some clients, such as the Telnet client, are launched in a command line or terminal window. In this case, Path to client executable file is telnet and the Command line format for client executable is cmd /c start %path% %host% %port%.
FIGURE 7-15. EDIT SDT HOST SCREEN
Click SSH or Telnet to access the gateway’s command line console. To enable SDT access to the gateway console, you must configure the console server to allow port forwarded network access to itself.
7.4 SDT CONNECTOR: TELNET OR SSH CONNECT TO SERIALLY-ATTACHED DEVICES
SDT Connector can also be used to access text consoles on devices that are attached to the console server’s serial ports. For these connections, configure the SDT Connector client software with a Service that will access the target gateway serial port, and then set the gateway up as a host.
Click Add. Click Apply. By default, Administrators have gateway and serial port access privileges. For Users to access the gateway Management Console and the serial port, the required access privileges must be granted.
To stop a pre-configured dial-up connection under Windows, use the following Stop Command string:
cmd /c start "Stopping Out of Band Connection" /wait /min rasdial network_connection /disconnect
where network_connection is the name of the network connection as displayed in Control Panel >...
See Section 16.6 for details on generating and installing public/private key pairs. NOTE: You can use RSA or DSA. In this case, leave the passphrase field blank. ...
Click the Remote tab.
FIGURE 7-17. REMOTE TAB
Check the Allow users to connect remotely to this computer checkbox. ...
Double-click the User Accounts icon. Create new users as required. NOTE: When a remote user connects to the accessed computer via the root console, Remote Desktop automatically locks that computer (so no other user can access the applications and files).
Click Connect. On a Linux or UNIX client: Launch the open source rdesktop client from a shell. For example: ...
For example, to turn the VNC server on in CentOS 7: Navigate to Applications > System Tools > Settings. ...
FIGURE 7-20. VNC SERVER SCREEN 1 When the VNC viewer is connected directly to the console server (that is locally or remotely through a VPN or dial in connection) and the VNC server is serially connected to the console server, enter the IP address of the console server unit with the TCP port that the SDT tunnel will use.
FIGURE 7-22. ENTER PASSWORD
For background reading on Remote Desktop and VNC access, we recommend the following: The Microsoft Remote Desktop How-To: http://www.microsoft.com/windowsxp/using/mobility/getstarted/remoteintro.mspx. ...
FIGURE 7-23. NEW CONNECTION WIZARD SCREEN
Select the Set up an advanced connection radio button. Select Accept Incoming Connections in the Advanced Connection Options window. ...
Click OK. Another option is to use the console server’s default username and password to set up the Remote Desktop user and give this user permission to use the advanced connection to access the computer running Windows.
FIGURE 7-25. SDT SETTINGS SCREEN
NOTE: Enabling SDT overrides all other configuration protocols on this port. Enter a Username and User Password. ...
7.11 SSH TUNNELING USING OTHER SSH CLIENTS (FOR EXAMPLE, PUTTY)
SDT Connector, which is supplied with console servers, is Black Box’s recommended SSH client. There are other SSH client programs that can provide secure SSH connections to console servers and connected devices.
For example, if the Label you specified on the serial port on the console server is win2k3, then specify the remote host as:
win2k3:3389
Alternatively, set the Destination as:
portXX:3389...
CHAPTER 8: ALERTS, AUTO-RESPONSE AND LOGGING
This chapter describes the automated response, alert generation and logging features of the console server. The Auto-Response facility extends on the basic Alert facility available in earlier (pre V3.5) firmware revisions. With Auto-Response, the console server monitors selected serial ports, logins, the power status and environmental monitors and probes for Check Condition triggers.
FIGURE 8-2. AUTO RESPONSE SETTINGS PAGE
Enter a unique Name for the new Auto-Response. Specify the Reset Timeout for the time in seconds after resolution to delay before this Auto-Response can be triggered again. ...
8.2 CHECK CONDITIONS
To configure the condition that will trigger the Auto-Response: Click on the Check Condition type (for example, Environmental, UPS Status or ICMP ping) to be configured as the trigger for this ...
8.2.2 ALARMS AND DIGITAL INPUTS
To set the status of any attached Smoke or Water sensors or digital inputs as the trigger event: ...
Check Save Auto-Response. NOTE: Before configuring UPS checks in Auto-Response you first must configure the attached UPS.
8.2.4 UPS STATUS
To use the alert state of any attached UPS as the Auto-Response trigger event: ...
FIGURE 8-6.
NOTE: With Serial Pattern checks, you can nominate to Disconnect Immediately all users from the serial port being monitored in the event of a successful pattern match.
Set an Action Delay Time. By default, this is 0 seconds. Enter the specific details of the selected action. For example, the Send Email action requires a Recipient Email Address and allows ...
rm /etc/config/customscript.0
exit 7
touch /etc/config/customscript.0
exit 1
FIGURE 8-7.
Enter the Script Executable file name. For example /etc/config/test.sh. Set the Check Frequency. This is the time, in seconds, between re-running the script. ...
8.2.10 CLI SESSION EVENT
When the Check Condition is set to CLI Session Event, the triggers that cause the Auto-Response to run can be any or all of the following: ...
8.2.12 LOGIN AND LOGOUT CHECK
To configure Web Log In/Out as the trigger event: Select Web UI Authentication as the Check Condition. ...
This check may be configured with these parameters: The Black Box’s incoming Interface to monitor. An optional Source MAC address or source IP Address, to monitor traffic from a specific host (for example, the downstream router).
A message text can be sent with Email, SMS and Nagios actions. This configurable message can include selected values:
TABLE 8-1. MESSAGE TEXT
VALUE DESCRIPTION The trigger value for the check.
8.3.3 PERFORM RPC ACTION
Select Perform RPC Action as the Add Trigger Action. Enter a unique Action Name. ...
8.3.7 PERFORM INTERFACE ACTION
Select Perform Interface Action as the Add Trigger Action. Enter a unique Action Name. ...
NOTE: Some SMTP servers require a non-blank Subject field. Click Apply. SMTP is activated.
8.5.2 SEND SMS ALERTS
With any model console server, you can use email-to-SMS services to send SMS alert notifications to mobile devices. Almost all mobile phone carriers provide an SMS gateway service that forwards email to mobile phones on their networks.
FIGURE 8-12. SMS SETTINGS SCREEN
Select a Secure Connection (if applicable). Specify the SMTP port to be used. The default SMTP Port is 25. ...
You may need to enter the phone number of the carrier’s SMS Message Center. Only enter this if advised by your carrier or by Black Box Technical Support. Click Apply Settings. The SMS-SMTP connection is activated.
If required, configure SNMP v3. For SNMP v3 messages, the user’s details and security level must match what the receiving SNMP ...
If the SNMP service was enabled and an SNMP manager was configured before upgrading the firmware, the console server will be configured to use the legacy traps after upgrading. If the SNMP service was not enabled or no SNMP manager was configured before the upgrade, the console server will be configured to use the new SNMP traps after the upgrade.
Specify the Server Type to be used. Add the required server details to enable log server access. The Administrator can view serial, network, and power device logs stored in the console reserve memory (or on a USB-connected flash device) in Manage >...
FIGURE 8-17. CONSOLE SERVER SETTINGS SCREEN
8.6.3 IP SUBNET-BASED VLAN
The console server supports optional logging of access to and communications with network attached Hosts. For each Host, when you set up the Permitted Services that are authorized to be used, you also must set up the level of logging that is to be maintained for each service.
FIGURE 8-18.
To activate and set the desired levels of logging for UPS and PDU devices see Chapter 9.
Black Box console servers manage Remote Power Control devices (RPCs including PDUs and IPMI devices) and Uninterruptible Power Supplies (UPSes). They also monitor remote operating environments using Environmental Monitoring Devices (EMDs) and sensors, and can provide digital I/O control.
CHAPTER 9: POWER, ENVIRONMENT AND DIGITAL I/O
FIGURE 9-1.
See Section 6.4 for more on Network Hosts. Navigate to Serial & Network > RPC Connections. The RPC connections that have already been configured will present. ...
If you are connecting to the RPC by a serial port you will be presented with all the serial RPC types currently supported by the embedded PowerMan and Black Box’s power manager. Enter the Username and Password used to log in to the RPC.
NOTE: Black Box’s console servers support the majority of the popular network and serial PDUs. If your PDU is not on the default list then support can be added directly (see Chapter 16) or by having the PDU support added to either the Network UPS Tools or PowerMan open source projects.
9.1.2 RPC ACCESS PRIVILEGES AND ALERTS
Set PDU and IPMI alerts using Alerts & Logging > Alerts (see Chapter 8). Assign users to access and control outlets on each RPC via Serial &...
NOTE: Icons will present only for operations that are supported by the Target you have selected. Turn ON Turn OFF Cycle Status
FIGURE 9-8.
9.2 UNINTERRUPTIBLE POWER SUPPLY (UPS) CONTROL
Black Box console servers can be configured to manage locally and remotely connected UPS hardware using Network UPS Tools. Network UPS Tools (NUT) is a group of open source programs that provide a common interface for monitoring and administering UPS hardware and ensuring safe shutdowns of the systems that are connected.
FIGURE 9-12. (Diagram labels: Master; Serial, USB or network connections; Managed.)
Serial and network connected UPSes must first be connected to, and configured to communicate with, the console server. For serial UPSes, attach the UPS to the selected serial port on the console server: ...
For each network connected UPS: Navigate to Serial & Network > Network Hosts. Configure the UPS as a connected Host by specifying its Device Type as UPS. ...
FIGURE 9-15.
The shutdown script /etc/scripts/ups-shutdown can be customized so that, in the event of a critical power failure (when the UPS battery runs out), the console server performs last gasp actions before power is lost.
The upsc and upslog clients in the console server can be configured to monitor remote servers that are running Network UPS Tools managing their locally connected UPSes. These remote servers might be other Black Box console servers or generic Linux servers running NUT.
Optionally enter a Description. Enter the IP Address or DNS name of the remote console server that is managing the remote UPS. This may be another Black Box console server or it may be a generic Linux server running Network UPS Tools.
UPSMON.CONF PORTION   DESCRIPTION
manageup              The UPS Name of the managed UPS.
192.168.0.1           The IP address of the Black Box console server.
                      Indicates the server has a single power supply attached to this UPS.
username              The username of the managed UPS.
password              The password of the managed UPS.
9.2.5 UPS STATUS
You can monitor the current status of your network-connected, serially-connected or USB-connected Managed UPSes and any configured Remote UPSes. ...
(open source software from Livermore Labs that is also embedded in Black Box console servers). These NUT clients and servers are all embedded in each Black Box console server (with a Management Console presentation layer added). They also run remotely on distributed console servers and other remote NUT monitoring systems. This layered distributed NUT architecture enables: ...
Multiple architecture support. NUT can manage serial- and USB-connected UPS models with the same common interface. Network-connected USB and PDU equipment can also be monitored using SNMP. ...
9.3.2 DIGITAL I/O INPUT CONFIGURATION
When either of the two digital I/O (DIO1 & DIO2) outlets is configured as an Input on the System > I/O Ports, it can be used to monitor the current status of any attached sensor.
OG-STATUS-MIB::ogDioStatusState.3 = INTEGER: high(1)
OG-STATUS-MIB::ogDioStatusState.4 = INTEGER: high(1)
OG-STATUS-MIB::ogDioStatusCounter.1 = Counter64: 0
OG-STATUS-MIB::ogDioStatusCounter.2 = Counter64: 0
OG-STATUS-MIB::ogDioStatusCounter.3 = Counter64: 0
OG-STATUS-MIB::ogDioStatusCounter.4 = Counter64: 0
OG-STATUS-MIB::ogDioStatusTriggerMode.1 = INTEGER: risingFallingEdge(3)
OG-STATUS-MIB::ogDioStatusTriggerMode.2 = INTEGER: risingFallingEdge(3)
OG-STATUS-MIB::ogDioStatusTriggerMode.3 = INTEGER: risingFallingEdge(3)
CHAPTER 10: AUTHENTICATION
The console server platform is a dedicated Linux computer, and it embodies a myriad of popular and proven Linux software modules for networking, secure access (OpenSSH), secure communications (OpenSSL) and sophisticated user authentication (PAM, RADIUS, TACACS+, Kerberos and LDAP).
10.1.1 LOCAL AUTHENTICATION
Navigate to Serial and Network > Authentication. Check Local. Click Apply.
10.1.2 TACACS AUTHENTICATION
Perform the following procedure to configure the TACACS+ authentication method to be used whenever the console server or any of its serial ports or hosts is accessed.
If required, enter the TACACS Group Membership Attribute to be used to indicate group memberships (defaults to groupname#n). If required, specify TACACS Service to authenticate with. ...
A Black Box device may be configured to look up group information from an LDAP server for authentication and authorization. This group information is potentially stored in a number of different ways. Active Directory has one method; OpenLDAP has two others.
OpenLDAP/POSIX method 2
Each group entry in the group tree of objectClass posixGroup may have multiple memberUid attributes. These represent secondary groups (for example, mapping to the /etc/groups file). Each attribute would contain a username. To cater for all these possibilities, the pam_ldap module has been modified to do group lookups for each of these three styles.
Enter the Server Address (IP or host name) of the remote Authentication server. Multiple remote servers may be specified in a comma separated list. Each server is tried in succession. ...
EXAMPLE 2
User Ben is only defined on the TACACS server, which says he has access to ports 5 and 6. When he attempts to log in, a new user will be created for him, and he will be able to access ports 5 and 6.
FIGURE 10-5.
Select the relevant Authentication Method. Check the Use Remote Groups checkbox.
10.1.7 REMOTE GROUPS WITH RADIUS AUTHENTICATION
Enter the RADIUS Authentication and Authorization Server Address and Server Password. ...
FIGURE 10-6.
When setting the Framed-Filter-Id, the system may also remove the leading colon for an empty field. To work around this, add some dummy text to the start of the string. For example:
dummy:group_name=testgroup1,users:
If no group is specified for a user (for example, AmandaJones), the user will have limited console access, with no user interface or serial port access.
For example, in an existing Active Directory setup, a group of users may be part of the UPS Admin and Router Admin groups. On the console server, these users will be required to have access to a group Router_Admin, with access to port 1 (connected to the router), and another group, UPS_Admin, with access to port 2 (connected to the UPS).
NOTE: When you are using remote groups with LDAP remote auth, you need to have corresponding local groups on the console server. Where the LDAP group names can contain upper case and space characters, the local group name on the console server must be all lower case and the spaces replaced with underscores.
Set a CLI Management Session Timeout in minutes. This specifies the SSH console session idle timeout. The default setting is to never expire. ...
account will be created. This account will have no rights, and no password set. They will not appear in the Black Box configuration tools. Automatically added accounts will not be able to log in if the remote servers are unavailable.
Service-Type = Framed-User, Fall-Through = No, Framed-Filter-Id = ":group_name=admin:"
The list of groups may include any number of entries separated by a comma. If the admin group is included, the user will be made an Administrator.
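The Framed-Filter-Id format shown above and the LDAP group-naming rule from the earlier note can be checked before an entry reaches the RADIUS or LDAP server. The following is an added example, not code from the manual or from Black Box; it assumes the attribute is colon-delimited as in the manual's two samples, and the function names and the users other than AmandaJones are hypothetical.

```python
# Added example: review RADIUS Framed-Filter-Id values and LDAP group names.
# Assumption (from the manual's two samples only): the attribute is a
# colon-delimited string with one field of the form group_name=<g1>,<g2>,...

ADMIN_GROUP = "admin"  # the manual: listing this group makes the user an Administrator
PREFIX = "group_name="


def parse_filter_id(value):
    """Return the group names carried in a Framed-Filter-Id string."""
    for field in value.split(":"):
        if field.startswith(PREFIX):
            return [g.strip() for g in field[len(PREFIX):].split(",") if g.strip()]
    return []


def local_group_name(remote_name):
    """LDAP rule from the manual: all lower case, spaces become underscores."""
    return remote_name.strip().lower().replace(" ", "_")


def review_filter_id(user, value):
    """Return a list of findings for one user's Framed-Filter-Id value."""
    findings = []
    groups = parse_filter_id(value)
    if not groups:
        findings.append(f"{user}: no group listed, limited console access only")
    if ADMIN_GROUP in groups:
        findings.append(f"{user}: listed in '{ADMIN_GROUP}', becomes an Administrator")
    if value.startswith(":"):
        # Empty first field: the manual warns the leading colon may be removed
        # and suggests dummy text at the start of the string.
        findings.append(f"{user}: empty first field, add dummy text before the first colon")
    if groups and not value.endswith(":"):
        findings.append(f"{user}: no closing colon, unlike the manual's samples")
    return findings


def missing_local_groups(remote_groups, local_groups):
    """Remote LDAP groups that have no correspondingly named local group."""
    local = set(local_groups)
    return [g for g in remote_groups if local_group_name(g) not in local]


# Constructed sample data (user names other than AmandaJones are hypothetical).
SAMPLE_USERS = {
    "fred": ":group_name=admin:",
    "tim": "dummy:group_name=testgroup1,users:",
    "AmandaJones": "",
}

if __name__ == "__main__":
    for user, value in SAMPLE_USERS.items():
        for finding in review_filter_id(user, value):
            print(finding)
    # Constructed check: only ups_admin exists locally on the console server.
    print(missing_local_groups(["UPS Admin", "Router Admin"], ["ups_admin"]))
```

Reviewing every entry that lists the admin group is the useful part in practice, since that one string grants Administrator rights on the console server.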
Confirm Challenge Password: confirmation of the Challenge Password. Key length: this is the length of the generated key in bits. 1024 Bits are supposed to be sufficient for most cases. Longer keys may result in slower response time of the console server during connection establishment.
CHAPTER 11: NAGIOS INTEGRATION
Nagios is a powerful, highly extensible open source tool for monitoring network hosts and services. The core Nagios software package will typically be installed on a server or virtual server, the central Nagios server. Console servers operate in conjunction with a central/upstream Nagios server to provide distributed monitoring of attached network hosts and serial devices.
11.2.1 ENABLE NAGIOS ON THE CONSOLE SERVER
Navigate to System > Nagios.
FIGURE 11-1.
Check Enabled. Enter the Nagios Host Name by which the console server will be referred to in the Nagios server. ...
FIGURE 11-2.
Check NRPE Enabled. Enter the details of the user connection to the upstream Nagios monitoring server. Refer to the sample Nagios configuration example for details of configuring specific NRPE checks. By default, the console server will accept a connection between the upstream Nagios monitoring server and the NRPE server with SSL encryption, without SSL, or tunneled through SSH.
FIGURE 11-4.
For more on configuring specific NSCA checks, see the sample Nagios configuration described next.
11.2.4 CONFIGURE SELECTED SERIAL PORTS FOR NAGIOS MONITORING
The individual serial ports connected to the console server to be monitored must be configured for Nagios checks.
11.2.5 CONFIGURE SELECTED NETWORK PORTS FOR NAGIOS MONITORING
The individual network hosts connected to the console server to be monitored must also be configured for Nagios checks. ...
In practice, these would be combined into a single check which used NSCA as a primary method, falling back to NRPE if a check was late. For details, see the Nagios documentation on Service and Host Freshness Checks at https://nagios.org/documentation/.
; Host definitions
; Black Box console server
define host {
    use generic-host
    host_name...
    command_line $USER1$/check_nrpe -H \
    192.168.254.147 -p 5666
}
define service {
    service_description NRPE Daemon
    host_name Black Box
    use generic-service
    check_command check_nrpe_daemon
}
; Serial Status
define command {
    command_name check_serial_status
    command_line $USER1$/check_nrpe -H \
    192.168.254.147 -p 5666 -c \...
{
    name Black Box_nrpe_daemon_dep
    host_name Black Box
    dependent_host_name server
    dependent_service_description Port Log
    service_description NRPE Daemon
    execution_failure_criteria w,u,c
}
; Ping
define command {
    command_name check_ping_via_Black Box
    command_line $USER1$/check_nrpe -H \
    192.168.254.147 -p 5666 -c \...
    Box
    active_checks_enabled
    passive_checks_enabled
}
define servicedependency {
    name Black Box_nrpe_daemon_dep
    host_name Black Box
    dependent_host_name server
    dependent_service_description Host Ping
    service_description NRPE Daemon
    execution_failure_criteria w,u,c
}
; SSH Port
define command {
    command_name check_conn_via_Black Box
    command_line $USER1$/check_nrpe -H \
    192.168.254.147 -p 5666 -c \...
                       Used to check network host availability.
check_nrpe             Used to execute arbitrary plug-ins in other devices.
check_serial_signals   Used to monitor handshaking lines on serial ports. Black Box-specific.
check_port_log         Used to monitor the data logged for a serial port. Black Box-specific.
To get these plug-ins from the Nagios plug-ins package, contact Black Box Technical Support at 877-877-2269 or info@blackbox.com. To configure additional checks, the downloaded plug-in program must be saved in the tftp addins directory on the USB flash drive and the downloaded text plug-in file saved in /etc/config/.
11.3.4 NUMBER OF SUPPORTED DEVICES
Ultimately the number of devices that can be supported by any particular console server is a function of the number of checks being made, and how often they are performed.
11.3.5 DISTRIBUTED MONITORING USAGE SCENARIOS
Below are a number of distributed Nagios monitoring scenarios.
LOCAL OFFICE
In this scenario, the console server is set up to monitor the console of each managed device. It can be configured to make a number of checks, either actively at the Nagios server’s request, or passively at preset intervals, and submit the results to the Nagios server in a batch.
REMOTE SITE WITH RESTRICTIVE FIREWALL
In this scenario, the role of the console server will vary. One aspect may be to upload check results through NSCA.
Diagram labels: NAGIOS SSH travel initiated for remote site NRPE Server at branch server's request...
CHAPTER 12: SYSTEM MANAGEMENT
This chapter documents how the Administrator can perform a range of general console server system administration and configuration tasks such as: Applying Soft and Hard Resets to the console server. ...
The Black Box device will undertake a soft reboot and commence upgrading the firmware. This process will take several minutes. After the firmware upgrade has completed, click here to return to the Management Console. Your Black Box device will have retained ...
12.3 DATE AND TIME CONFIGURATION Set the local Date and Time in your Black Box appliance as soon as it is configured. Features such as Syslog and NFS logging use the system time for time-stamping log entries, while certificate generation depends on a correct Timestamp to check the validity period of the certificate.
With the NTP peering model, console servers can share time information with other connected devices, so all devices can be time synchronized. To do this, tick Enable NTP on the Time and Date page, and ensure the appropriate networks are selected on the Service Access page.
Click Save Backup in the Remote Backup section. The config backup file (system-name_date_config.opg) will be downloaded to your PC and saved in the location you select. To restore a remote backup: ...
To set an alternate default configuration: Check Load On Erase. Click Apply.
NOTE: Before selecting Load On Erase, ensure you have tested your alternate default configuration by clicking Restore. If your alternate default configuration causes the console server to become unbootable, recover your unit to factory settings.
The Commit Config icon is displayed in the top right-hand corner of the screen between the Backup and Log Out icons.
FIGURE 12-9.
To queue, then run, configuration changes: ...
12.6 FIPS MODE The LES1600, LES1508A, LES1200, LES1516A, LES1532A, LES1548A, LES1700 and LES1400 family of advanced console servers all use a FIPS 140-2 validated embedded cryptographic module. NOTE: The US National Institute of Standards and Technology (NIST) publishes the FIPS (Federal Information Processing Standard) standards.
To enable FIPS mode from the command line, log in and run these commands:
config -s config.system.fips=on
touch /etc/config/FIPS
chmod 444 /etc/config/FIPS
flatfsd -b
The final command saves to flash and reboots the unit. The unit will take a few minutes to boot into FIPS mode. To disable FIPS mode from the shell, run these commands:
config -d config.system.fips
rm /etc/config/FIPS...
CHAPTER 13: STATUS REPORTS
This chapter documents the Dashboard feature and the status reports that are available: Port Access and Active Users Statistics. Support Reports. ...
After the buttons have been pressed, the selected sessions will be disconnected, and the number of disconnected sessions will be displayed to the user. To allow more detailed control of whom to disconnect, there is a table at the bottom of the page with drop-down lists for all connected users and all connected ports that allow the user to choose whom to disconnect.
13.3 SUPPORT REPORTS The Support Report provides status information that assists the Black Box technical support team to solve any problems you may experience with your console server. With email support requests, generate a Support Report when the issue is occurring, and attach it as text.
FIGURE 13-5.
To find specific information in the local Syslog file, a pattern matching filter tool is provided. Specify the Match Pattern that is to be searched for ...
You can configure a custom dashboard for any admin user or for the admin group or you can reconfigure the default dashboard. The Status > Dashboard screen is the first screen displayed when admin users (other than root) log into the console manager. If you log in as john, and john is a member of the admin group and there is a dashboard layout configured for john, then you will see the dashboard for john on log-in and each time you click on the Status >...
CHAPTER 14: MANAGEMENT
The console server has a small number of Manage reports and tools that are available to both Administrators and Users to: Access and control authorized devices. ...
NOTE: Any communication using the Web Terminal service using HTTP is unencrypted and not secure. The Web Terminal connects to the command line or serial device using the same protocol that is being used to browse to the Black Box Management Console.
To enable the Web Terminal service for the console server: Select System > Firewall. Check Enable Web Terminal.
FIGURE 14-3.
Click Apply. ...
Administrators and Users can communicate directly with serial port attached devices from their browser: Select Manage > Devices. Select the Serial tab. ...
This activates the SDT Connector client on the computer you are browsing and loads your local telnet client to connect to the command line or serial port using SSH.
NOTE: SDT Connector must be installed on the computer you are browsing from and the console server must be added as a gateway, as detailed in Chapter 7.
Without care, these configurations may not withstand a power-cycle-reset or reconfigure. Black Box provides a number of custom command line utilities and scripts to make it simple to configure the console server and ensure the changes are stored in the console server's flash memory etc.
CHAPTER 15: CONFIGURATION FROM THE COMMAND LINE
The custom user configuration is saved in the /etc/config/config.xml file. This file is transparently accessed and edited when configuring the device using the Management Console browser GUI. Only the root user can configure from the shell. By default, the config elements are separated by a .
There are three ways to delete a config element value. The simplest way is to use the delete-node script detailed later in Chapter 16. You can also assign the config element to ""...
TABLE 15-2. SUPPORTED PROPERTIES
PROPERTY        SUPPORTED VALUES
baud rate       50, 75, 110, 124, 200, 300, 600, 1200, 1800, 2400, 4800, 9600, 19200, 38400, 57600, 115200, 230400
parity values   None, Odd, Even, Mark, Space
data bits...
# config -s config.ports.port5.ssh=on
# config -s config.ports.port5.tcp=on
# config -d config.ports.port5.telnet
# config -d config.ports.port5.unauthtel
DEVICE MODE
For a device mode port, set the port type to either ups, rpc, or enviro:
# config -s config.ports.port5.device.type=[ups | rpc | enviro]
For port 5 as a UPS port:
# config -s config.ports.port5.mode=reserved...
To enable RFC-2217 access:
# config -s config.ports.port5.bridge.rfc2217=on
To redirect the serial bridge over an SSH tunnel to the server:
# config -s config.ports.port5.bridge.ssh.enabled=on
SYSLOG SETTINGS
Additionally, the global system log settings can be set for any specific port, in any mode:
# config -s config.ports.port#.syslog.facility='facility'...
To give this user access to a specific port:
# config -s config.users.user2.port1=on
# config -s config.users.user2.port2=on
# config -s config.users.user2.port5=on
# [etc...]
To remove port access:
# config -s config.users.user2.port1=''...
# config -s config.groups.group7.description=MyGroup
# config -s config.groups.total=7
# config -s config.groups.group7.port1=on
# config -s config.groups.group7.port5=on
Assume we have an RPC device connected to port 1 on the console server, and the RPC is configured. To give this group access to RPC outlet number 3 on the RPC device, run the two commands below:
# config -s config.ports.port1.power.outlet3.groups.group1=Group7
# config -s config.ports.port1.power.outlet3.groups.total=1...
RADIUSDownLocal
LocalLDAP
LDAP
LDAPLocal
LDAPDownLocal
To configure TACACS authentication:
# config -s config.auth.tacacs.auth_server='comma-separated-list'
comma-separated-list is a list of remote authentication and authorization servers.
# config -s config.auth.tacacs.acct_server='comma-separated-list'
# config -s config.auth.tacacs.password='password'
comma-separated-list is a list of remote accounting servers.
ADD POWER DEVICE HOST
To add a UPS/RPC network host with the following details:
TABLE 15-4. UPS/RPC NETWORK HOST DETAILS
SETTING                  VALUE
IP address or DNS name   192.168.2.5...
Issue the commands below. If the Host is not a PDU or UPS power device or a server with IPMI power control then leave the device type blank:
# config -s config.sdt.hosts.host4.address=192.168.3.10
# config -s config.sdt.hosts.host4.description=MyPC...
# config -s config.portaccess.rule2.netmask=255.255.255.0
# config -s config.portaccess.rule2.port5=on
# config -s config.portaccess.total=2
The following command will synchronize the live system with the new configuration:
# config -r serialconfig
15.1.7 CASCADED PORTS
To add a new slave device with the following settings:...
To add a managed UPS with the following values:
TABLE 15-7. MANAGED UPSES
SETTING         VALUE
Connected via   Port 1
UPS name        My UPS
Description     Room 5 UPS...
Assuming there are already 2 managed devices configured, the 5 commands below will add the UPS to Managed Devices.
# config -s \
"config.devices.device3.connections.connection1.name=My UPS"...
15.1.9 RPC CONNECTIONS
You can add an RPC connection from the command line but it is not recommended because of dependency issues. Before adding an RPC, the Management Console GUI code makes sure that at least 1 port has been configured to run in device mode, and that the device is set to rpc.
# config -s "config.devices.device3.description=Room 5 RPC"
# config -s config.devices.total=3
The following command will synchronize the live system with the new configuration:
# config -a
15.1.10 MANAGED DEVICES
To add a managed device (see Chapter 9 for more information):...
You can add an email, SNMP or NAGIOS alert by following the steps below.
THE GENERAL SETTING FOR ALL ALERTS
Assume this is our second alert, and we want to send email alerts to john@Black Box.com and SMS alerts to peter@Black Box.com:
# config -s config.alerts.alert2.description=MySecondAlert...
SIGNAL ALERT
To trigger an alert when a signal changes state on port 1:
# config -s config.alerts.alert2.port1=on
# config -s config.alerts.alert2.sensor=temp
# config -s config.alerts.alert2.signal=[DSR | DCD | CTS]
# config -s config.alerts.alert2.type=signal
PATTERN MATCH ALERT...
15.1.13 SMTP AND SMS
To set up an SMTP mail or SMS server with the following details:
TABLE 15-11. SMTP OR SMS SETTINGS
SMTP OR SMS SERVER SETTING   VALUE
Outgoing server address      mail.Black Box.com
Secure connection type
Sender                       john@Black Box.com
Server username              john
Server password              A-little-secret-for-2.
Run the following commands:
# config -s config.system.smtp.server=mail.Black Box.com
# config -s config.system.smtp.encryption=SSL
# config -s config.system.smtp.sender=John@Black Box.com
# config -s config.system.smtp.username=john
# config -s config.system.smtp.password=A-little-secret-for-2.
# config -s config.system.smtp.subject=SMTP alerts
To set up an SMTP SMS server with the same details as above:
# config -s config.system.smtp.server2=mail.Black Box.com...
15.1.15 ADMINISTRATION
To change the administration settings to:
TABLE 15-12. ADMINISTRATION SETTINGS
SYSTEM SETTING                            VALUE
System name                               og.example.com
System password (root account password)   A-simple-little-secret-for-2.
# config -s config.interfaces.wan.address=192.168.0.23
# config -s config.interfaces.wan.netmask=255.255.255.0
# config -s config.interfaces.wan.gateway=192.168.0.1
# config -s config.interfaces.wan.dns1=192.168.0.1
# config -s config.interfaces.wan.dns2=192.168.0.2
# config -s config.interfaces.wan.mode=static
# config -s config.interfaces.wan.media=<value>...
Page 276
NEED HELP? LEAVE THE TECH TO US LIVE 24/7 CHAPTER 15: CONFIGURATION FROM THE COMMAND LINE TECHNICAL SUPPORT 1.877.877.2269 The first command sets a new system time. NOTE: The date command uses a US-style order with month (MM) listed before day (DD). Also, although the thousands and hundreds column in the Gregorian Year are theoretically optional, it is strongly recommended that these values be set explicitly.
NEED HELP? LEAVE THE TECH TO US LIVE 24/7 CHAPTER 15: CONFIGURATION FROM THE COMMAND LINE TECHNICAL SUPPORT 1.877.877.2269 15.1.18 DIAL-IN SETTINGS To enable dial-in access on the DB9 serial port from the command line with the following attributes: TABLE 15-14. DIAL-IN SETTINGS SETTING VALUE Local IP address...
NEED HELP? LEAVE THE TECH TO US LIVE 24/7 CHAPTER 15: CONFIGURATION FROM THE COMMAND LINE TECHNICAL SUPPORT 1.877.877.2269 Supported values for settings that are not fixed or user-created are as follows: TABLE 15-15. SUPPORTED VALUES SETTING SUPPORTED VALUE Authentication type None, PAP, CHAP, and MSCHAPv2.
NEED HELP? LEAVE THE TECH TO US LIVE 24/7 CHAPTER 15: CONFIGURATION FROM THE COMMAND LINE TECHNICAL SUPPORT 1.877.877.2269 Run the following commands: # config -s config.interfaces.lan.dhcpd.enabled=on # config -s config.interfaces.lan.dhcpd.defaultlease=200000 # config -s config.interfaces.lan.dhcpd.maxlease=300000 # config -s config.interfaces.lan.dhcpd.dns1=192.168.2.3 # config -s config.interfaces.lan.dhcpd.dns2=192.168.2.4 # config -s config.interfaces.lan.dhcpd.domain=company.com # config -s config.interfaces.lan.dhcpd.gateway=192.168.0.1 # config -s \...
Run the following commands:
# config -s config.services.http.enabled=on
# config -d config.services.https.enabled
# config -d config.services.telnet.enabled
# config -s config.services.ssh.enabled=on
# config -d config.services.snmp.enabled
# config -d config.services.pingreply.enabled
# config -s config.services.tftp.enabled=on
These services run on default port numbers as follows:...
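As an added example (not from the Black Box manual), the shell functions below audit a pasted list of config -s / config -d commands like the one above and report which services it leaves enabled over cleartext protocols (HTTP, Telnet, TFTP). They assume that deleting a config.services.<name>.enabled node disables the service and that a leading # is the root prompt; the function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the manual. Function names are hypothetical.

# Constructed sample input, modelled on the command list above.
SAMPLE_CMDS='# config -s config.services.http.enabled=on
# config -d config.services.https.enabled
# config -d config.services.telnet.enabled
# config -s config.services.ssh.enabled=on
# config -d config.services.snmp.enabled
# config -d config.services.pingreply.enabled
# config -s config.services.tftp.enabled=on'

# audit_services: read config commands on stdin and print one line per
# service in first-seen order: "<service> <on|off> <ok|cleartext>".
# The last command that touches a service decides its final state.
audit_services() {
    awk '
    BEGIN {
        # Services on this page whose protocol sends data unencrypted.
        plain["http"] = 1; plain["telnet"] = 1; plain["tftp"] = 1
    }
    {
        line = $0
        # Drop leading blanks and a pasted "#" or "$" shell prompt.
        sub(/^[ \t]*([#$][ \t]*)?/, "", line)
        n = split(line, f, /[ \t]+/)
        if (n < 3 || f[1] != "config") next
        if (f[2] != "-s" && f[2] != "-d") next

        key = f[3]; val = ""
        if (f[2] == "-s") {
            eq = index(key, "=")
            if (eq == 0) next            # e.g. a "\" line continuation
            val = substr(key, eq + 1)
            key = substr(key, 1, eq - 1)
        }
        if (key !~ /^config\.services\.[A-Za-z0-9_-]+\.enabled$/) next

        split(key, part, ".")
        svc = part[3]
        if (!(svc in state)) order[++count] = svc
        # Assumption: "-d" on the .enabled node means the service is off.
        state[svc] = (f[2] == "-s" && val == "on") ? "on" : "off"
    }
    END {
        for (i = 1; i <= count; i++) {
            svc = order[i]
            verdict = "ok"
            if (state[svc] == "on" && (svc in plain)) verdict = "cleartext"
            print svc, state[svc], verdict
        }
    }'
}

# cleartext_enabled: print the enabled cleartext services on one line.
cleartext_enabled() {
    audit_services | awk '
        $3 == "cleartext" { printf "%s%s", sep, $1; sep = " " }
        END { print "" }'
}

# web_ui_http_only: succeed (exit 0) when the web UI is reachable over
# HTTP while HTTPS is not enabled, i.e. logins would cross the wire in clear.
web_ui_http_only() {
    audit_services | awk '
        $1 == "http"  { http = $2 }
        $1 == "https" { https = $2 }
        END { exit !(http == "on" && https != "on") }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_CMDS" | audit_services
```

Running the same check over a provisioning script before it is applied shows whether the final state still exposes HTTP, Telnet or TFTP on the management interface.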
15.1.21 NAGIOS
To configure NAGIOS with the following settings:
TABLE 15-19. NAGIOS SETTINGS
SETTING | VALUE | NOTES
NAGIOS host name | LES1716A | Name of this system
NAGIOS host address | 192.168.0.1 | Address of this system...
To configure NSCA with the following settings:
TABLE 15-21. NSCA SETTINGS
SETTING | VALUE | NOTES
NSCA encryption | BLOWFISH | can be None, XOR, DES, TRPLEDES, CAST-256, BLOWFISH, TWOFISH, RIJNDAEL-256, SERPENT, GOST...
Black Box console servers run the embedded Linux operating system. Administrator class users can configure the console server and monitor and manage attached serial console and host devices from the command line using Linux commands and the config utility (as described in Chapter 15).
CHAPTER 16: ADVANCED CONFIGURATION
16.1.2 RUNNING CUSTOM SCRIPTS WHEN ALERTS ARE TRIGGERED
Whenever an alert gets triggered, specific scripts get called. These scripts all reside in /etc/scripts/. Below is a list of the default scripts that get run for each applicable alert.
The next step is to edit the new script file. Open the file /etc/config/scripts/portmanager-pattern-alert using vi (or other text editor). Remove the lines that check for a custom script (the code from above). ...
These two lines assign a new email address to TOADDR and invoke the alert-email script in the background.
16.1.5 DELETING CONFIGURATION VALUES FROM THE CLI
The delete-node script is provided to help with deleting nodes from the command line.
exit 0
# LASTFIELD: last field in the node path. eg "user1"
# ROOTNODE: upper level of the node. eg "config.users"
# NUMBER: integer value extracted from LASTFIELD e.g. "1"
# TOTALNODE: node name for the total e.g.
# by shifting the users into the gap one at a time...
echo "Deleting $1"
LASTFIELDTEXT=`echo $LASTFIELD | sed 's/[0-9]//g'`
CHECKTOTAL=`config -g $ROOTNODE.$LASTFIELDTEXT$TOTAL`
if [ -z "$CHECKTOTAL" ]
then
echo "WARNING: "$TOTALNODE"...
16.1.6 POWER CYCLE ANY DEVICE UPON A PING REQUEST FAILURE
The ping-detect script is designed to run specified commands when a monitored host stops responding to ping requests. The first parameter taken by the ping-detect script is the hostname or IP address of the device to ping.
# loop indefinitely:
while true
do
# ping the device 10 times
PINGREP=`ping -c 10 -i 1 "$TARGET" `
# get the packet loss percentage
LOSS=`echo "$PINGREP"...
To create an alerts custom script:
# cd /etc/config/scripts
# touch config-post-alerts
# vi config-post-alerts
This script could be used to recover a specific backup config, overwrite a config, or make copies of config files.
16.1.8 BACKING-UP THE CONFIGURATION AND RESTORING USING A LOCAL USB STICK
The /etc/scripts/backup-usb script has been written to save and load custom configuration using a USB flash disk.
To load this default:
# /etc/scripts/backup-usb load-default
To load any other config file:
# /etc/scripts/backup-usb load {filename}
The /etc/scripts/backup-usb script can be executed directly with various commands or called from other custom scripts you may create.
16.2 ADVANCED PORTMANAGER
Black Box’s portmanager manages console server serial ports. It routes network connections to serial ports, checks permissions, and monitors and logs all data flowing to and from ports.
16.2.1 PORTMANAGER COMMANDS
pmshell
The pmshell command behaves similarly to standard tip or cu commands, but all serial port access is directed via the portmanager.
TABLE 16-3. HELPER SCRIPT PER PORT CONTROL COMMAND CONFIG PARAMETERS NOTES
config.ports.portX.ctrlcode.break | Generates a BREAK.
config.ports.portX.ctrlcode.portlog | View history
config.ports.portX.ctrlcode.power | open power menu
config.ports.portX.ctrlcode.chooser | connect to port menu
config.ports.portX.ctrlcode.quit | exit pmshell
config.ports.portX.ctrlcode.help...
pmchat
The pmchat command is similar to the standard chat command, but all serial port access is directed via the portmanager. For example, to run a chat script via the portmanager:
# pmchat -v -f /etc/config/scripts/port08.chat <...
# pmusers --disconnect -u robertw
Disconnect user robertw from all ports? (y/n)
1 session was disconnected
# pmusers --disconnect -u robertw -n 5
Disconnect user robertw from port 5 (BranchRouter01)? (y/n)
No sessions were disconnected
# pmusers --disconnect -n 5
Disconnect all users from port 5 (BranchRouter01)? (y/n)
16.2.2 EXTERNAL SCRIPTS AND ALERTS
The portmanager has the ability to execute external scripts on certain events.
When a port is opened by the portmanager
When portmanager opens a port, it attempts to execute /etc/config/scripts/portXX.init (where XX is the number of the port, for example 08).
else
echo "Welcome $USER, you are connected to Port $PORT ($LABEL)"
</etc/config/pmshell-start.sh>
16.3 RAW ACCESS TO SERIAL PORTS
16.3.1 ACCESS TO SERIAL PORTS
You can use tip and stty to completely bypass the portmanager and have raw access to the serial ports. When you run tip on a portmanager-controlled port, portmanager closes that port, and stops monitoring it until tip releases control of it.
16.4 IP FILTERING
The console server uses the iptables utility to provide a stateful firewall of LAN traffic. By default, rules are automatically inserted to allow access to enabled services, and serial port access via enabled protocols. The commands which add these rules are in configuration files:
/etc/config/fw.rules
This is an executable shell script which is run whenever the LAN interface is brought up and whenever modifications are made to...
The MIBs in your console server are located in /etc/snmp/mibs. They include:
TABLE 16-6. MIBS NOTES
OG-STATUS-MIB | Contains serial and connected device status information for snmpstatusd and snmpalertd.
OG-STATUSv2-MIB | This MIB contains extended status and alerts.
Complete the Location and Contact fields. The Location field should describe the physical location of the Black Box and will be used in response to requests for the SNMPv2-MIB::sysLocation.0 of the device. The Contact field refers to the person responsible for the Black Box such as the System Administrator and will be used in response to requests as follows: SNMPv2-MIB::sysContact.0.
Enter an Engine ID if required. Engine ID is used to localize the SNMPv3 user. It will be automatically generated from a Network Interface (eth0) hardware address, if left blank, or must be entered as a hex value (for example, 0x01020304).
DES or AES privacy password
A MIB browser can explore the Black Box enterprise MIB structure.
16.5.4 ADDING MULTIPLE REMOTE SNMP MANAGERS
You can add multiple SNMP servers for alert traps. Add the first and second SNMP servers using the Management Console (see Chapter 8) or the command line config tool.
Tatu Ylonen’s sample implementation with all patent-encumbered algorithms removed (to external libraries), all known security bugs fixed, new features reintroduced and many other clean-ups. The only changes in the Black Box SSH implementation are: PAM support. ...
The key fingerprint is:
28:aa:29:38:ba:40:f4:11:5e:3f:d4:fa:e5:36:14:d6 user@server
There must be no password associated with the keys. If there is a password, Black Box devices will have no way to supply it at runtime. Full documentation for the ssh-keygen command can be found at http://man.openbsd.org/OpenBSD-current/man1/ssh-keygen.1.
16.6.3 INSTALLING THE SSH PUBLIC & PRIVATE KEYS (CLUSTERING)
For console servers the keys can be uploaded through the web interface, on the System > Administration page.
FIGURE 16-3.
This procedure also requires that the current version of WinSCP (a Windows equivalent of the scp utility) be installed. WinSCP is available for download from https://winscp.net/. Create a new user from the Black Box Management Console. The following example uses a user called testuser. This user must be a member of the users group.
Copy authorized_keys to the user’s home directory on the console server which will be the SSH server. For example, if the user’s username is testuser, copy the file to /etc/config/users/testuser/.ssh/authorized_keys ...
16.6.7 INSTALLING THE SSH PUBLIC & PRIVATE KEYS (CLUSTERING)
You can apply SSH tunneling when two Black Box console servers are configured for serial bridging.
[Figure: Local Ethernet LAN; serially connected device (e.g., security appliance)]
FIGURE 16-5.
Set up SSH keys for each end of the tunnel and upload these keys to the Server and Client console servers. ...
Your public key has been saved in ~/keys/control_room.pub.
The key fingerprint is:
28:aa:29:38:ba:40:f4:11:5e:3f:d4:fa:e5:36:14:d6 user@server
There must be no password associated with the keys. If there is a password, Black Box devices will have no way to supply it at runtime.
Authorized keys
If the console server selected to be the server has only one client device, the authorized_keys file is simply a copy of the public key for that device.
plant_entrance.pub
$ cat ~/keys/control_room.pub ~/keys/plant_entrance.pub > ~/keys/authorized_keys_bridge_server
Uploading keys
The keys for the server can be uploaded through the web interface, on the System > Administration page as detailed earlier. If only one client will be connecting, then simply upload the appropriate public key as the authorized keys file.
You will be prompted to enter a lot of information. Most of it doesn't matter, but the Common Name should be the domain name of your computer (for example, test.Black Box.com). When you have entered everything, the certificate will be created in a file called ssl_cert.pem.
PowerMan provides power management in a data center or compute cluster environment. It performs operations such as power on, power off, and power cycle via remote power controller (RPC) devices. The powerman man page is not shipped with Black Box hardware. It is reproduced below.
Synopsis
powerman | pm [-options][targets]
TABLE 16-9. POWERMAN OPTIONS
OPTION NOTES ABOUT TARGETS
-1 --on | power on targets
-0 --off | power off targets
-c --cycle | Power cycle targets
-r --reset | Assert hardware reset for targets (if implemented by RPC)
-f --flash | Turn beacon on for targets (if implemented by RPC)
The PDU, UPS and IPMI power devices are variously controlled using the open source PowerMan, IPMItool or Network UPS Tools, and Black Box’s pmpower utility arches over these tools so the devices can be controlled through the...
Network UPS Tools (NUT) project has moved on from its UPS management origins to also cover SNMP PDUs (and embrace PowerMan). Black Box progressively includes the updated PowerMan and NUT build into the console server firmware releases. The second path is to directly add support for the new RPC devices (or to customize the existing RPC device support) on your particular console server.
(SDR) and print sensor values, display the contents of the System Event Log (SEL), print Field Replaceable Unit (FRU) inventory information, read and set LAN configuration parameters, and perform remote chassis power control. The ipmitools man page is not shipped with Black Box hardware. It is reproduced below.
Synopsis
ipmitool [-c|-h|-v|-V] -I open <command>...
Options
TABLE 16-11. IPMITOOL OPTIONS
OPTION | VARIABLE | NOTES
Prompt for the remote server password <authtype> Present output in CSV (comma separated variable) format. This is not available with all commands. The remote server authentication, integrity, and encryption algorithms to use for IPMIv2 lanplus connections.
When an IPMI password is changed on a remote machine with the IPMIv1.5 lan interface the new password is sent across the network as clear text. This could be observed and then used to attack the remote system. It is thus recommended that IPMI password management only be done over IPMIv2.0 lanplus interface or the system interface on the local station.
As detailed in this manual, customers can copy scripts, binaries and configuration files directly to the console server. Black Box also freely provides a development kit which allows changes to be made to the software in the console server firmware image. The customer can use the CDK to: ...
For more information see http://smstools3.kekekasvi.com/
16.14 MULTICAST
By default, all Black Box console servers come with Multicasting enabled. Multicasting provides Black Box products with the ability to simultaneously transmit information from a single device to a select group of hosts.
configuration) and/or prepare the configuration for automated VCMS enrollment. See Section 16.15. Save the configuration as a Black Box backup (.opg) file under System > Configuration Backup in the web UI, or via config -e in the ...
16.16.3 SETUP FOR AN UNTRUSTED LAN
If network security is a concern and a user can insert a trusted USB flash drive into the Black Box device during provisioning, then follow the steps listed next for deploying configuration in an untrusted network: ...
On receipt of a DHCP OFFER, the device will use the information in the offer to assign an IPv4 address to its primary Network ...
16.17.1 FILESYSTEM LOCATION OF FTP AND TFTP DIRECTORY
TABLE 16-15. FTP AND TFTP DIRECTORY
PRODUCT | PREFERRED STORAGE | DIRECTORY
LES1600 | internal flash | /var/mnt/storage.nvlog/tftpboot/
LES1516A, LES1532A, LES1548A | internal USB flash | /var/mnt/storage.usb/tftpboot/
LES1700 | internal USB flash | /var/mnt/storage.usb/tftpboot/
Other products with USB | first-attached USB storage | /var/mnt/storage.usb/tftpboot/...
16.17.3 CONFIGURING FTP AND TFTP DIRECTORY
The FTP or TFTP services can be configured to serve different directories via the command line. For example:
config -s config.services.ftp.directory=/var/mnt/storage.usb/\
my-ftp-dir
config -r services...
Black Box console servers are built on the uCLinux distribution as developed by the uCLinux project. This is GPL code and the source can be found at http://uclinux.org/pub/uClinux/dist/.
APPENDIX A: COMMANDS AND SOURCE CODE
TABLE A-1 (CONTINUED). COMMANDS
COMMAND | DESCRIPTION
dmesg | Print or control the kernel ring buffer
echo | Print the specified ARGs to stdout
erase | Tool for erasing MTD partitions
eraseall | Tool for erasing entire MTD partitions...
TABLE A-1 (CONTINUED). COMMANDS
COMMAND | DESCRIPTION
loopback16 | Loopback diagnostic command
loopback48 | Loopback diagnostic command
List directory contents
mail | Send and receive mail
mkdir | Make directories
mkfs.jffs2...
TABLE A-1 (CONTINUED). COMMANDS
COMMAND | DESCRIPTION
rtacct | network statistics tool
rtmon | RTnetlink listener
Secure copy (remote file copy program)
Stream text editor
setmac | Sets the MAC address
setserial...
Nagios is a popular, enterprise-class management tool that provides central monitoring of the hosts and services in distributed networks. For CLI details see http://nagios.org/. The console server also supports GNU bash shell scripts, enabling the Administrator to run custom scripts. GNU bash, version 2.05.0(1)-release (arm-Black Box-linux-gnu) offers the following shell commands.
TABLE A-2. SHELL COMMANDS
COMMAND | ARGUMENTS
alias | [-p] [name[=value] …]
[jobspec …]
bind | [-lpvsPVS] [-m keymap] [-f fi
break | [n]
case | word in [ [(] pattern [| pattern]…) command-list ;;]… esac
[-L|[-P [-e]] [-@] [directory]
command | [-pVv] command [arguments …]...
General Public License is included in Appendix 6: End-user license agreements. A copy is also available at http://gnu.org/licenses/old-licenses/gpl-2.0.html. Black Box will provide source code for any of the components of the software licensed under the GNU General Public License upon request.
The console server BIOS (boot loader code) is a port of uboot which is also a GPL package with source code openly available from http://denx.de/wiki/U-Boot/. The console server CGIs (the html code, xml code and web config tools for the Management Console) are proprietary to Black Box. The code will be provided to customers, under NDA.
APPENDIX B: REGULATORY INFORMATION
B.1 FCC STATEMENT
This equipment has been found to comply with the limits for a Class A digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment.
B.2 NOM STATEMENT
1. All safety and operating instructions must be read before the electrical apparatus is operated.
2. The safety and operating instructions must be kept for future reference.
3.
Console servers come with one to ninety-six serial connectors (notated SERIAL or SERIAL PORTS) for the RS-232 serial ports. The RJ-45 serial ports are located on the rear panel of the rack-mount LES1700 series and LES1516A, LES1532A, LES1548A series.
To connect to the LOCAL modem/console port on the console servers from a computer or terminal device, use adapters with standard UTP CAT5 cable. Contact Black Box Technical Support at 877-877-2269 or info@blackbox.com for compatible adapters. To connect the LOCAL console ports to modems (for out of band access), use an adapter with standard UTP CAT5 cable. Contact Black Box Technical Support at 877-877-2269 or info@blackbox.com for compatible adapters.
C.4 CONSOLE SERVER CONNECTOR WIRING
The LES1516A, LES1532A, LES1548A and LES1700 families have the Cisco pinout by default and ship with cross-over/straight RJ-45-DB9 connectors.
DB9 TO RJ-45 STRAIGHT CONNECTOR
Straight through RJ-45 cable to equipment such as Cisco, Juniper, SUN, and more.
APPENDIX C: CONNECTIVITY, TCP PORTS AND SERIAL I/O
TABLE C-5 (CONTINUED). TCP AND UDP PORT NUMBERS
PORT NUMBER | PROTOCOL | TCP/UDP
BootP server BootP client TFTP Gopher TCP. Finger HTTP POP3 NNTP (Network News Transfer Protocol)
APPENDIX D: GLOSSARY
TABLE D-1. TERMINOLOGY
TERM | MEANING
Third-generation cellular technology. The standards that determine 3G call for greater bandwidth and higher speeds for cellular networks.
The Advanced Encryption Standard (AES) is a new block cipher standard to replace DES, developed by NIST, the US National Institute of Standards and Technology.
TABLE D-1 (CONTINUED). TERMINOLOGY
TERM | MEANING
Gateway | A machine that provides a route (or pathway) to the outside world.
A network device that allows more than one computer to be connected as a LAN, usually using UTP cabling.
Internet | A worldwide system of computer networks - a public, cooperative, and self-sustaining network of networks accessible to hundreds of millions of people worldwide.
TABLE D-1 (CONTINUED). TERMINOLOGY
TERM | MEANING
The Remote Authentication Dial-In User Service (RADIUS) protocol was developed by Livingston Enterprises as an access server authentication and accounting protocol. The RADIUS server can support a variety of RADIUS methods to authenticate a user.
E.1 DISCLAIMER
Black Box Corporation shall not be liable for damages of any kind, including, but not limited to, punitive, consequential or cost of cover damages, resulting from any errors in the product information or specifications set forth in this document and Black Box Corporation may revise this document at any time without notice.