ADDERLink Digital ipeps Manual
Serial port configuration

This page allows you to configure the baud rate of the Digital iPEPS serial port that is used to control power switch devices. A full range of standard baud rates are available.

To get here
1 Using VNC viewer or a browser, log on as the ‘admin’ user.
2 Click the ‘Configure’ button in the top right corner.
3 Click the ‘Serial port Configuration’ option.

Baud Rate
Determines the communication speed of the OPTIONS port when the above setting is configured to ‘Power Control’. The other communication settings are fixed as: No parity, 8 bit word, 1 stop bit.
Host configuration

This page provides the opportunity to configure various details for each of the host systems that may be connected to the Digital iPEPS. Each entry can be configured with a name, the permitted users, the hot key combinations required to switch to it and, if required, appropriate power control commands.

To create a new host entry
1 Click one of the host entries to reveal a Host configuration dialogue.

Name
Enter the name that will be displayed in the viewer window when you click the Host button.

Users
Select the users that will be permitted to connect to this host. Either enter * to allow all users or a list of users separated by commas.

KVM Switch Macro
Declare the hot key sequence, or Adder Port Direct address that will cause the KVM switch to link with the required host system. Adder Port Direct addresses must be entered within square brackets. See Appendix 10 - Hotkey sequences and Adder Port Direct for details.

Hotkey Host Number
Declare the numeric sequence that is pressed together with the VNC viewer hotkeys (usually Ctrl + Alt) to select this host system, which is the same value as the KVM port number.

Power On
Enter the code required to make an attached power control unit apply power to the host. See Power switching configuration for details.

Power Off
Enter the code required to make an attached power control unit remove power from the selected host.

Reboot
Enter the code required to make an attached power control unit remove power and then re-apply it a few seconds later.

2 Enter the required information in each field.
3 Click the OK button.

To get here
1 Using VNC viewer or a browser, log on as the ‘admin’ user.
2 Click the ‘Configure’ button in the top right corner.
3 Click the ‘Host Configuration’ option.

Add entry for unrecognised host
When selected, any systems visited that are not specified in the Hosts list, will be added to the list.

Sort
Allows you to reorder the list of hosts either alphabetically or by entry number.

Erase Host Configuration
Removes all hosts from the list.
Power switching configuration

Power switch configuration comprises two main steps:
• Configure the OPTIONS serial port to the same speed as used by the power switch box(es), using the Serial port configuration menu.
• Configure power ON and OFF strings for each relevant host computer.

For each power port there needs to be a valid ‘Power ON string’ and similarly an appropriate ‘Power OFF string’. In each case, the strings are a short sequence of characters that combine a port address and a power on or off value.

If a particular computer has more than one power input (and thus requires an equivalent number of power ports to control them), collections of strings can be combined to switch all of the required ports together as a group.

To configure the power sequences for each host computer
1 Using VNC viewer or a browser, log on as the ‘admin’ user.
2 Click the ‘Configure’ button in the top right corner.
3 Click the ‘Host configuration’ option.
4 Click a host entry to display a Host configuration dialogue.
5 If necessary, configure other parameters (Name, Users, Hot Keys - MORE).

Power control sequences
Notes: The settings given below are for Adder power switches model numbers PSU-8SLAVE and PSU-1GUARD - other power switches may require different settings. Please refer to your power switch documentation for details about codes required by other power switches.

The structure of each power sequence (OFF, ON or Reboot) is as follows:

/Pxy=z\0D

Where:
x is the switch box number,
y is the power port number,
z is ‘0’ for OFF or ‘1’ for ON
r is for Reboot, and
\0D represents Enter (or Carriage return).

Example 1
To switch ON port 5 of switch box 2, the code would be as follows:
• Power sequence: P25=1\0D

Example 2
To switch OFF port 8 of switch box 3, the code would be as follows:
• Power sequence: P38=0\0D

For details about operating this feature, see Power switching control within the Operation chapter.

To control two or more ports simultaneously
You can control up to four power ports using a single sequence. This is done using the same command structure as shown above, plus a delay command, for each port. Immediately following a port command, insert the characters ‘\*’ before the next port command, and so on up to four ports. For instance, to switch on ports 1 and 2 in the first power switch, the command line would be:

P11=1\0D\*P12=1\0D

6 Enter the Power control sequences in the Power On, Power Off and Reboot fields.
7 Click OK to close the dialogue and then click the Save button in the main Host Configuration window to store the details.
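The sequence format described above can be checked before it is typed into the Power On and Power Off fields, so that a mistyped box or port digit is caught before it switches the wrong outlet. The following is an added example, not code from Adder or from the original manual. The function names are hypothetical, box and port numbers are assumed to be single digits as in the page's examples, the leading "/" is treated as optional, and the Reboot value is not modelled because the page gives no worked example of it.

```python
import re

ENTER = r"\0D"   # the page's notation for Enter (carriage return)
DELAY = r"\*"    # the page's delay command placed between port commands
MAX_PORTS = 4    # the page allows up to four power ports per sequence

# Assumption: box and port numbers are single decimal digits, as in the
# page's examples (P25, P38, P11). The leading "/" from the structure line
# is accepted but not required, because the worked examples omit it.
_COMMAND = re.compile(r"/?P([0-9])([0-9])=([01])")


def port_command(box, port, on):
    """Return one port command such as P25=1\\0D."""
    for name, value in (("box", box), ("port", port)):
        if not isinstance(value, int) or not 0 <= value <= 9:
            raise ValueError(f"{name} must be a single digit, got {value!r}")
    return f"P{box}{port}={'1' if on else '0'}{ENTER}"


def build_sequence(targets, on):
    """Join commands for 1 to 4 (box, port) pairs with the delay command."""
    if not 1 <= len(targets) <= MAX_PORTS:
        raise ValueError("a sequence controls between one and four ports")
    return DELAY.join(port_command(box, port, on) for box, port in targets)


def parse_sequence(text):
    """Validate a stored sequence and return [(box, port, on), ...]."""
    parts = text.split(DELAY)
    if len(parts) > MAX_PORTS:
        raise ValueError("more than four port commands in one sequence")
    result = []
    for part in parts:
        if not part.endswith(ENTER):
            raise ValueError(f"command {part!r} does not end with {ENTER}")
        match = _COMMAND.fullmatch(part[: -len(ENTER)])
        if match is None:
            raise ValueError(f"malformed port command {part!r}")
        box, port, value = match.groups()
        result.append((int(box), int(port), value == "1"))
    return result


if __name__ == "__main__":
    # Constructed inputs taken from the page's own examples.
    print(build_sequence([(1, 1), (1, 2)], on=True))
    print(parse_sequence(r"P38=0\0D"))
```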
Logging and status

This screen provides various details about the user activity on the Digital iPEPS unit.

To get here
1 Using VNC viewer or a browser, log on as the ‘admin’ user.
2 Click the ‘Configure’ button in the top right corner.
3 Click the ‘Logging and Status’ option.

To copy and paste the log
You can copy the information listed within the log and paste it into another application.
1 While viewing the log screen, press Ctrl and C, to copy the data into the clipboard.
2 In a text application (i.e. Word, WordPad, Notepad) press Ctrl and V, or right mouse click and ‘Paste’.

Log screen callouts:
• Date and time the event occurred
• Type of event, user name and access method or remote IP address
• Click to clear all log entries
• Click to refresh the list
• Click to return to the main menu
• Optionally enter an IP address to which the status log should be sent

Syslog Server IP Address
Logging information can optionally be sent, as it occurs, to a separate system using the standard Syslog protocol. Enter the IP address of a suitable system in the field provided.

For further details
• For details of the Syslog protocol (RFC number: 3164) http://www.ietf.org/rfc.html
LDAP configuration

The Digital iPEPS can optionally use the industry standard LDAP (Lightweight Directory Access Protocol) to allow user authentication to occur in conjunction with an externally held database. This screen allows you to configure details related to the creation of an LDAP link to an external directory service, such as an Active Directory server.

To get here
1 Using VNC viewer or a browser, log on as the ‘admin’ user.
2 Click the ‘Configure’ button in the top right corner.
3 Click the ‘LDAP Configuration’ option.

Use LDAP
Tick this option to enable the Lightweight Directory Access Protocol features of the unit.

Host Address
Enter the IP address of the LDAP server that holds the required directory service.

Host Port
The standard port address for LDAP links is 389 and this should not need to be changed unless special circumstances exist.

Base DN
This field allows you to enter the top level of the LDAP directory tree at which to start an LDAP search. An example Base DN value might be: “dc=catxip1000,dc=com”

User field
Enter the LDAP database field that will be used to match each user name against. The details entered here will depend on the specific LDAP database being used - ‘uid’ or ‘cn’ are commonly used values.

Anonymous Bind
If left unchecked then bind requests are sent with username (Base DN) and password (more suitable for Active Directory applications). If checked, bind requests are anonymous (more suitable for Linux LDAP implementations).

Admin Password and LDAP Support
Even if LDAP authentication is enabled, the ‘admin’ user is still authenticated locally, using the traditional authentication technique of matching to a locally stored password.

Active Directory authentication process
Typically, Active Directory deployments are not configured for anonymous binding. Hence, in our implementation of LDAP and Active Directory support for the Digital iPEPS we have opted to have a single username and password to bind to the directory and authenticate.

In order to use the ARQ3 LDAP with Active Directory ensure that “Anonymous bind” is not checked in the LDAP configuration menu.

The process of authentication and associated LDAP transactions are as follows. A user enters the username and password in the VNC viewer authentication dialogue. This username and password are used as the “binddn” and “bindpw” in the “simple bind request” sent to the Active Directory server. Upon binding to the directory successfully, an LDAP search is performed for the same username under the specified User Field in the specified Base DN. If the search is successful then the authentication is performed using the password entered by the user. If the password is accepted by the Active Directory server, then the process of authentication is completed and the user is unbound from the directory.

Linux LDAP authentication process
In order to use the Digital iPEPS LDAP with Linux LDAP ensure that “Anonymous bind” is checked in the LDAP configuration menu.

The process of authentication and associated LDAP transactions are as follows. A user enters the username and password in the VNC viewer authentication dialogue. An anonymous “simple bind request” is then sent to the LDAP server. No username or password is sent at this stage. On binding to the directory successfully, an LDAP search is performed for the username, under the specified User Field and in the specified Base DN. If the search is successful then the authentication is performed using the password entered by the user. If the password is accepted by the LDAP server, then the process of authentication is completed and the user is unbound from the directory.
Appendix 5 - Networking issues

Thanks to its robust security the Digital iPEPS offers you great flexibility in how it integrates into an existing network structure. The Digital iPEPS is designed to reside either on an internal network, behind a firewall/router or alternatively with its own direct Internet connection.

Positioning Digital iPEPS in the network
Every network setup is different and great care needs to be taken when introducing a powerful device such as the Digital iPEPS into an existing configuration. A common cause of potential problems can be in clashes with firewall configurations. For this reason the Digital iPEPS is designed to be intelligent, flexible and secure. With the minimum of effort the Digital iPEPS can reside either behind the firewall or alongside with its own separate Internet connection.

Placing Digital iPEPS behind a router or firewall
A possible point of contention between the Digital iPEPS and a firewall can occasionally arise over the use of IP ports. Every port through the firewall represents a potential point of attack from outside and so it is advisable to minimise the number of open ports. The Digital iPEPS usually uses two separate port numbers, however, these are easily changeable and can even be combined into a single port.

IMPORTANT: The correct configuration of routers and firewalls requires advanced networking skills and intimate knowledge of the particular network. Adder Technology cannot provide specific advice on how to configure your network devices and strongly recommend that such tasks are carried out by a qualified professional.

Port settings
As standard, the Digital iPEPS uses two ports to support its two types of viewer:
• Port 80 for users making contact with a web browser, and
• Port 5900 for those using the VNC viewer.

When these port numbers are used, VNC viewers and web browsers will locate the Digital iPEPS correctly using only its network address. The firewall/router must be informed to transfer traffic, requesting these port numbers, through to the Digital iPEPS.

When a web server is also on the local network
Port 80 is the standard port used by web (HTTP) servers. If the Digital iPEPS is situated within a local network that also includes a web server or any other device serving port 80 then, if you want to use the web browser interface from outside the local network environment, the HTTP port number of the Digital iPEPS must be changed.

When you change the HTTP port to anything other than 80, then each remote browser user will need to specify the port address as well as the IP address. For instance, if you set the HTTP port to ‘8000’ and the IP address is ‘192.168.47.10’ then browser users will need to enter:

http://192.168.47.10:8000

(Note the single colon that separates the IP address and the port number).

The firewall/router would also need to be informed to transfer all traffic to the new port number through to the Digital iPEPS.

If you need to change the VNC port number
If you change the VNC port to anything other than 5900, then each VNC viewer user will need to specify the port address as well as the IP address. For instance, if you set the VNC port to ‘11590’ and the IP address is ‘192.168.47.10’ then VNC viewer users will need to enter:

192.168.47.10::11590

(Note the double colons that separate the IP address and port number).

The firewall/router would also need to be informed to transfer all traffic to the new port number through to the Digital iPEPS.

[Diagrams: Digital iPEPS situated behind the firewall; Digital iPEPS situated alongside the firewall. Each shows the Internet, the firewall/router, the local network connection and the KVM link to the host system.]

IMPORTANT: When the Digital iPEPS is accessible from the public Internet or dial up connection, you must ensure that sufficient security measures are employed.
Addressing

When the Digital iPEPS is situated within the local network, you will need to give it an appropriate local IP address and IP network mask. This is achieved most easily using the DHCP server option which will apply these details automatically. If a DHCP server is not available on the network, then these details need to be applied manually in accordance with the network administrator.

The firewall/router must then be informed to route incoming requests to port 5900 or port 80 (if available) through to the local address being used by the Digital iPEPS.

To discover a DHCP-allocated IP address
Once a DHCP server has allocated an IP address, you will need to know it in order to access the Digital iPEPS via a network connection. To discover the allocated IP address:
1 Within Network configuration, set the ‘Use DHCP’ option to ‘Yes’ and select ‘Save’. Once the page is saved, the Digital iPEPS will contact the DHCP server and obtain a new address.
2 Re-enter the same ‘Network configuration’ screen where the new IP address and network mask should be displayed.

DNS addressing
As with any other network device, you can arrange for your Digital iPEPS to be accessible using a name, rather than an IP address. This can be achieved in two main ways:
• For small networks that do not have a DNS (Domain Name System) server, edit the ‘hosts’ files on the appropriate remote systems. Using the hosts file, you can manually link the Digital iPEPS address to the required name.
• For larger networks, declare the IP address and required name to the DNS server of your local network.

The actual steps required to achieve either of these options are beyond the scope of this document.

Diagram callouts:
• Digital iPEPS has a local address and net mask, i.e. IP address: 192.168.0.3 Net mask: 255.255.255.0
• Remote user with VNC viewer accesses IP address: 129.7.1.10 and automatically uses port 5900.
• Firewall/router address: 129.7.1.10
• The firewall routes the request from the VNC viewer on port 5900 through to the Digital iPEPS at local address 192.168.0.3
Placing Digital iPEPS alongside the firewall

Digital iPEPS is built from the ground-up to be secure. It employs a sophisticated 128bit public/private key system that has been rigorously analysed and found to be highly secure (a security white paper is available upon request from Adder Technology Ltd). Therefore, you can position the Digital iPEPS alongside the firewall and control a computer that is also IP connected within the local network.

IMPORTANT: If you make the Digital iPEPS accessible from the public Internet, care should be taken to ensure that the maximum security available is activated. You are strongly advised to enable encryption and use a strong password. Security may be further improved by restricting client IP addresses, using a non-standard port number for access.

Ensuring sufficient security
The security capabilities offered by the Digital iPEPS are only truly effective when they are correctly used. An open or weak password or unencrypted link can cause security loopholes and opportunities for potential intruders. For network links in general and direct Internet connections in particular, you should carefully consider and implement the following:
• Ensure that encryption is enabled.
• Ensure that you have selected secure passwords with at least 8 characters and a mixture of upper and lower case and numeric characters.
• Reserve the admin password for administration use only and use a non-admin user profile for day-to-day access.
• Use the latest Secure VNC viewer (this has more in-built security than is available with the Java viewer).
• Use non-standard port numbers.
• Restrict the range of IP addresses that are allowed to access the Digital iPEPS to only those that you will need to use. To restrict IP access.
• Do NOT Force VNC protocol 3.3.
• Ensure that the computer accessing the Digital iPEPS is clean of viruses and spyware and has up-to-date firewall and anti-virus software loaded that is appropriately configured.
• Avoid accessing the Digital iPEPS from public computers.

Security can be further improved by using the following suggestions:
• Place the Digital iPEPS behind a firewall and use the port numbers to route the VNC network traffic to an internal IP address.
• Review the activity log from time to time to check for unauthorised use.
• Lock your server consoles after they have been used.

A security white paper that gives further details is available upon request from Adder Technology Limited.

Ports
In this configuration there should be no constraints on the port numbers because the Digital iPEPS will probably be the only device at that IP address. Therefore, maintain the HTTP port as 80 and the VNC port as 5900.

Addressing
When the Digital iPEPS is situated alongside the firewall, it will require a public static IP address (i.e. one provided by your Internet service provider).

More addressing information:
• Discover DHCP-allocated addresses
• DNS addressing
Appendix 6 - An introduction to IPv6

During the initial design of the Internet, 4.3 billion seemed like an impossibly large number of device addresses, possibly more than would ever be needed. It took nearly forty years, but finally the last remaining vacant address blocks within the current Internet Protocol scheme (called IPv4) were assigned in February 2011.

The Internet Protocol is a crucial element of Internet operation and the eventual exhaustion of unique addresses was predicted and acted upon many years ago. The replacement for IPv4 is known as IPv6 and was defined in December 1998. Since then its uptake has been slow (reportedly used for less than 1% of Internet traffic in 2008) although this will increase rapidly as places within the incumbent system are exhausted.

Vastly increased address space
The most notable feature of IPv6 is the size of its address space, put simply: It’s massive. By using 128 bits to define each IPv6 address (rather than the 32 bits used in IPv4), there are now 340 x 10^36 unique addresses (that’s 340 trillion trillion trillion or as it is correctly known, 340 undecillion).

The larger address size of IPv6 requires a different manner of notation. Instead of the four decimal numbers separated by dots used for IPv4 (e.g. 192.168.0.1), IPv6 addresses consist of eight groups of four hexadecimal digits that are separated by colons (e.g. 2002:00a2:67be:0000:0000:0e82:8723:a144) – each group of four digits represents 16 bits of the address. By necessity, IPv6 addresses are quite long and so there are a couple of techniques to help reduce this in certain cases:
• Where a group has one or more leading zeroes, these can be omitted. In the above example 00a2 and 0e82 can be written a2 and e82, respectively.
• Where one or more consecutive groups consist solely of zeroes, they can be replaced with a double colon (::). In the above example, the fourth and fifth groups could be replaced with the double colon, so that the whole line could be reduced to: 2002:a2:67be::e82:8723:a144. It is easy to return any such shortened address to the full version by replacing the double colons with sufficient groups of zeroes until the total number of groups is returned to eight. For this to work it is essential that only one set of consecutive zero groups within an address are replaced with a double colon.

Standard subnet size
Thanks to the new huge address space, IPv6 does not need to wring every last drop out of each address range and so it handles address allocation in a different manner than its predecessor. Whereas IPv4 uses subnets of varying sizes (using the Subnet Mask entry to define the size of each subnet), IPv6 subnets are (almost) all set to a standard size. A full 64 bits are used to define each subnet, which means that every standard IPv6 subnet has use of an address space that is the square of the entire IPv4 address space (that’s 1.8 x 10^19 addresses per subnet). In those subnets, all addresses are valid host locations; gone are special address formats for particular uses, such as broadcast traffic. Also, now that all standard subnets are the same size, the subnet mask is another item that is made redundant under IPv6.

Address allocation
Every device attached to an IPv6 network usually has more than one address type. The two most common types are called a link-local address and a global address and these can be assigned in a number of ways.

In IPv4, device addresses are most commonly assigned either manually or by using a Dynamic Host Configuration Protocol server (DHCP). IPv6 also offers manual addressing and DHCP (now called DHCPv6 and fully supported by the Digital iPEPS unit), but also allows devices to automatically configure their own addresses using a series of steps defined as StateLess Address AutoConfiguration (or SLAAC). The key parts of the SLAAC procedure occur roughly as follows:
• The IPv6 compliant device creates a tentative local identifier which is usually derived from its fixed unique hardware identifier (or MAC address). The local identifier is 64 bits in length (the lower half of the full 128 bit address) and this is one of the advantages of having a fixed subnet size; it is very straightforward to automatically figure out the boundaries and contents of the local network. This is exactly what the device does next with its tentative local identifier.
• The device uses the Neighbor Discovery Protocol (part of the Internet Control Message Protocol suite – ICMPv6) to check within the local network whether its tentative local identifier is being used by any other device. If it is, then the device will create a new one and start the process again. If the local identifier is unique within the local network, it is then combined with the standard link-local prefix (fe80::) to form a valid link-local address. At this stage the address is valid only for communication within the local network. The next stage is to replace the link-local prefix with a global prefix and then carry out a similar procedure in order to prevent address duplication, resulting in a validated global address.
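The derivation of the 64-bit local identifier from a MAC address can be made concrete. It also shows why the same device is recognisable under its link-local and its global address, which is useful when matching log entries to hardware. The following is an added example, not code from the original manual. It assumes the modified EUI-64 mapping of RFC 4291 (the manual does not say which derivation the Digital iPEPS uses), and the MAC address, the global prefix and the function names are constructed for illustration.

```python
import ipaddress

LINK_LOCAL = "fe80::/64"          # standard link-local prefix named on the page
LOW_64 = (1 << 64) - 1


def eui64_interface_id(mac):
    """Build the 64-bit local identifier from a 48-bit MAC (modified EUI-64)."""
    octets = bytes(int(part, 16) for part in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError("a MAC address has six octets")
    # Insert ff:fe between the two halves and flip the universal/local bit.
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02
    return int.from_bytes(eui, "big")


def slaac_address(prefix, mac):
    """Combine a /64 prefix with the identifier derived from the MAC."""
    network = ipaddress.IPv6Network(prefix)
    if network.prefixlen != 64:
        raise ValueError("SLAAC as described on the page uses 64-bit subnets")
    return ipaddress.IPv6Address(
        int(network.network_address) | eui64_interface_id(mac)
    )


def mac_from_address(address):
    """Recover the MAC if the identifier is EUI-64 derived, otherwise None."""
    identifier = int(ipaddress.IPv6Address(address)) & LOW_64
    raw = identifier.to_bytes(8, "big")
    if raw[3:5] != b"\xff\xfe":
        return None   # manually assigned, DHCPv6 or randomised identifier
    mac = bytes([raw[0] ^ 0x02]) + raw[1:3] + raw[5:8]
    return ":".join(f"{octet:02x}" for octet in mac)


if __name__ == "__main__":
    mac = "00:11:22:33:44:55"                  # constructed sample MAC
    print(slaac_address(LINK_LOCAL, mac))       # link-local address
    print(slaac_address("2001:db8:1:2::/64", mac))  # documentation prefix
    print(mac_from_address("2001:db8:1:2:211:22ff:fe33:4455"))
```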
Mixing IPv4 and IPv6

Although IPv6 is based upon, and shares a number of similarities with IPv4, there are great differences in their address spaces and other key details which mean that they are not directly compatible. This means that while computers and their operating systems can support both types, IPv4 and IPv6 networks exist essentially as two parallel, independent entities with numerous cross over points (known as relay routers). For the foreseeable future, while both versions coexist, exchanging traffic between them will require many relay routers and various transition techniques.

One such technique involves IPv4-mapped IPv6 addresses. These are used in operating systems and applications that transparently support both IP formats. In such cases IPv6 will be the native format with IPv4 fully supported whenever necessary. When an IPv4 address must be incorporated, it is placed into a special IPv6 address that has its first 80 bits set to zero and the next 16 bits set to one. The remaining 32 bits are where the IPv4 address is embedded. When written, the address is an amalgam of the two network types - ::ffff:192.0.2.128
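The shortening rules from the IPv6 introduction and the IPv4-mapped layout described above both matter when client IP addresses are restricted. One client can appear in several textual forms, so an allowlist comparison should be made on the normalised address. The following is an added example, not code from the original manual and not a description of how the Digital iPEPS itself checks addresses. The function names and the allowlist contents are constructed, and `expand` handles hexadecimal groups only.

```python
import ipaddress
import string


def expand(text):
    """Return the full eight-group form of a shortened IPv6 address."""
    if text.count("::") > 1:
        # The page's rule: only one run of zero groups may be replaced.
        raise ValueError("'::' may appear only once in an address")
    if "::" in text:
        head, tail = text.split("::")
        left = head.split(":") if head else []
        right = tail.split(":") if tail else []
        missing = 8 - len(left) - len(right)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero group")
        groups = left + ["0"] * missing + right
    else:
        groups = text.split(":")
    if len(groups) != 8:
        raise ValueError("an IPv6 address has eight groups")
    for group in groups:
        if not 1 <= len(group) <= 4 or any(c not in string.hexdigits for c in group):
            raise ValueError(f"bad group {group!r}")
    return ":".join(group.zfill(4).lower() for group in groups)


def ipv4_mapped(ipv4):
    """80 zero bits, 16 one bits, then the 32-bit IPv4 address."""
    return ipaddress.IPv6Address((0xFFFF << 32) | int(ipaddress.IPv4Address(ipv4)))


def normalise(client):
    """Unwrap an IPv4-mapped IPv6 address to the IPv4 address it carries."""
    address = ipaddress.ip_address(client)
    if address.version == 6 and address.ipv4_mapped is not None:
        return address.ipv4_mapped
    return address


def client_allowed(client, allowed_networks):
    """True if the normalised client address falls inside any allowed network."""
    address = normalise(client)
    networks = [ipaddress.ip_network(n) for n in allowed_networks]
    return any(address.version == n.version and address in n for n in networks)


if __name__ == "__main__":
    allowlist = ["192.168.47.0/24", "2001:db8:1:2::/64"]   # constructed values
    print(expand("2002:a2:67be::e82:8723:a144"))
    print(client_allowed("::ffff:192.168.47.20", allowlist))  # same host as 192.168.47.20
    print(client_allowed("::ffff:10.0.0.5", allowlist))
```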