Tripp Lite 0 Idades Manual
Chapter 6: Secure SSH Tunneling & SDT Connector

6.1 Configuring for SDT Tunneling to Hosts

To set up the Console Server for SDT access to a network-attached host, the host and the permitted services that are to be used in accessing that host need to be configured on the gateway, and User access privileges need to be specified:

• Add the new host and the permitted services using the Serial & Network: Network Hosts menu as detailed in Network Hosts (Chapter 4.4). Only these permitted services will be forwarded by SDT to the host. All other services (TCP/UDP ports) will be blocked.

Note: Following are some of the TCP Ports used by SDT in the Console Server:
  22    SSH (all SDT tunneled connections)
  23    Telnet on local LAN (forwarded inside tunnel)
  80    HTTP on local LAN (forwarded inside tunnel)
  3389  RDP on local LAN (forwarded inside tunnel)
  5900  VNC on local LAN (forwarded inside tunnel)
  73XX  RDP over serial from local LAN, where XX is the serial port number (i.e. 7301 to 7348)
  79XX  VNC over serial from local LAN, where XX is the serial port number

• Add the new Users using the Serial & Network: Users & Groups menu as detailed in Network Hosts (Chapter 4.4). Users can be authorized to access the Console Server ports and specified network-attached hosts. To simplify configuration, the Administrator can first set up Groups with group access permissions, then Users can be classified as members of particular Groups.
6.2 SDT Connector Configuration

The SDT Connector client works with all Console Servers. Each of these remote Console Servers has an embedded OpenSSH based server. This server can be configured to port forward connections from the SDT Connector client to hosts on their local network, as detailed in the previous chapter. The SDT Connector can also be pre-configured with the access tools and applications that will be available when access to a particular host has been established.

SDT Connector can connect to the Console Server using an alternate OoB access. It can also be configured to access the Console Server itself and to access devices connected to serial ports on the Console Server.

6.2.1 SDT Connector client installation

• The SDT Connector set-up program (SDTConnectorSetup-1.n.exe or sdtcon-1.n.tar.gz) is included on the CD supplied with your Console Server
• Run the set-up program:

Note: For Windows clients, the SDTConnectorSetup-1.n.exe application will install the SDT Connector 1.n.exe and the config file defaults.xml. If a config file already exists on the Windows computer, then it will not be overwritten. To remove an earlier config file, run the regedit command, search for "SDT Connector" and then remove the directory with this name. For Linux and other Unix clients, the SDTConnector.tar.gz application will install the sdtcon-1.n.jar and the config file defaults.xml.

Once the installer completes, you will have a working SDT Connector client installed on your machine and an icon on your desktop:

• Click the SDT Connector icon on your desktop to start the client

Note: SDT Connector is a Java application so it must have a Java Runtime Environment (JRE) installed. This can be freely downloaded from http://java.sun.com/j2se/ . It will install on Windows 2000, XP, 2003, Vista computers and on most Linux platforms. Solaris platforms are also supported, however they must have Firefox installed.
SDT Connector can run on any system with Java 1.4.2 and above installed, but it assumes the web browser is Firefox, and that xterm -e Telnet opens a Telnet window.

To operate SDT Connector, add the new gateways to the client software by entering the access details for each Console Server (refer to Section 6.2.2). Then let the client auto-configure with all host and serial port connections from each Console Server (refer to Section 6.2.3). Now point-and-click to connect to the Hosts and serial devices (refer to Section 6.2.4).

Alternately you can manually add network connected hosts (refer to Section 6.2.5) as well as manually configure new services to be used when accessing the Console Server and the hosts (refer to Section 6.2.6). Manually configure clients to run on the computer that will use the service to connect to the hosts and serial port devices (refer to Sections 6.2.7 and 6.2.9). SDT Connector can also be set up to make an out-of-band connection to the Console Server (refer to Section 6.2.9).
6.2.2 Configuring a new gateway in the SDT Connector client

To create a secure SSH tunnel to a new Console Server:

• Click the New Gateway icon or select the File: New Gateway menu option
• Enter the IP or DNS Address of the Console Server and the SSH port that will be used (typically 22)

Note: If SDT Connector is connecting to a remote Console Server through the public Internet or routed network, you will need to:
  • Determine the public IP address of the Console Server (or of the router/firewall that connects the Console Server to the Internet) as assigned by the ISP. One way to find the public IP address is to access http://checkip.dyndns.org/ or http://www.whatismyip.com/ from a computer on the same network as the Console Server and note the reported IP address
  • Set port forwarding for TCP port 22 through any firewall/NAT/router that is located between SDT Connector and the Console Server so that it points to the Console Server. http://www.portforward.com has port forwarding instructions for a range of routers. Also you can use the Open Port Check tool from http://www.canyouseeme.org to check if port forwarding through local firewall/NAT/router devices has been properly configured

• Enter the Username and Password of a user on the gateway that has been enabled to connect via SSH and/or create SSH port redirections
• Optionally, you can enter a Descriptive Name to display instead of the IP or DNS address, and any Notes or a Description of this gateway (such as its firmware version, site location or anything special about its network configuration)
• Click OK and an icon for the new gateway will now appear in the SDT Connector home page

Note: For an SDT Connector user to access a Console Server (and then access specific hosts or serial devices connected to that Console Server), that user must first be set up on the Console Server, and must be authorized to access the specific ports/hosts (refer to Chapter 5).
6.2.3 Auto-configure SDT Connector client with the user's access privileges

Each user on the Console Server has an access profile. This has been configured with the specific connected hosts and serial port devices the user has authority to access, and a specific set of the enabled services for each of them. This configuration can be auto-uploaded into the SDT Connector client:

• Click on the new gateway icon and select Retrieve Hosts. This will:
  o configure access to network-connected Hosts that the user is authorized to access and set up (for each of these Hosts) the services (e.g. HTTPS, IPMI2.0) and the related IP ports being redirected
  o configure access to the Console Server itself (this is shown as a Local Services host)
  o configure access with the enabled services for the serial port devices connected to the Console Server

Note: The Retrieve Hosts function will auto-configure all classes of user (i.e. they can be members of user or admin or some other group or no group). SDT Connector will, however, not auto-configure the root (and it is recommended that this account is only used for initial config and for adding an initial admin account to the Console Server).
6.2.4 Make an SDT connection through the gateway to a host

• Simply point at the host to be accessed and click on the service to be used in accessing that host. The SSH tunnel to the gateway is then automatically established, the appropriate ports redirected through to the host, and the appropriate local client application is launched pointing at the local endpoint of the redirection:

Note: The SDT Connector client can be configured with an unlimited number of Gateways. Each Gateway can be configured to port forward to an unlimited number of locally networked Hosts. Similarly there is no limit on the number of SDT Connector clients who can be configured to access the one Gateway. There are also no limits on the number of Host connections that an SDT Connector client can concurrently have open through the one Gateway tunnel.

However, there is a limit on the number of SDT Connector SSH tunnels that can be open at one time on a particular Gateway. The B096-016 / B096-032 / B096-048 Console Server Management Switch and B092-016 Console Server with PowerAlert each support at least 50 such concurrent connections. So for a site with a B096-016 gateway you can have, at any time, up to 50 users securely controlling an unlimited number of network attached computers, power devices and other appliances (routers, etc.) at that site.
6.2.5 Manually adding hosts to the SDT Connector gateway

For each gateway, you can manually specify the network connected hosts that will be accessed through that Console Server; and for each host, specify the services that will be used in communicating with the host:

• Select the newly added gateway and click the Host icon to create a host that will be accessible via this gateway. (Alternatively select File: New Host)
• Enter the IP or DNS Host Address of the host (if this is a DNS address, it must be resolvable by the gateway)
• Select which Services are to be used when accessing the new host. A range of service options are pre-configured in the default SDT Connector client (RDP, VNC, HTTP, HTTPS, Dell RAC, VMWare etc). However if you wish to add new services to the range then proceed to the next section (Adding a new service) then return here
• Optionally, you can enter a Descriptive Name for the host to be displayed instead of the IP or DNS address, as well as any Notes or a Description of this host (such as its operating system/release, or anything special about its configuration)
• Click OK
6.2.6 Manually adding new services to the new hosts

To extend the range of services that can be used when accessing hosts with SDT Connector:

• Select Edit: Preferences and click the Services tab. Click Add
• Enter a Service Name and click Add
• Under the General tab, enter the TCP Port that this service runs on (e.g. 80 for HTTP). Optionally, select the client to be used to access the local endpoint of the redirection
• Select which Client application is associated with the new service. A range of client application options are pre-configured in the default SDT Connector (RDP client, VNC client, HTTP browser, HTTPS browser, Telnet client etc). However if you wish to add new client applications to this range, then proceed to the next section (Adding a new client) and then return here
• Click OK, then Close

A service typically consists of a single SSH port redirection and a local client to access it. However it may consist of several redirections; some or all of which may have clients associated with them. An example is the Dell RAC service. The first redirection is for the HTTPS connection to the RAC server: it has a client associated with it (web browser) that is launched immediately upon clicking the button for this service. The second redirection is for the VNC service that the user may choose to launch later from the RAC web console. It automatically loads in a Java client served through the web browser, so it does not need a local client associated with it.
• On the Add Service screen, you can click Add as many times as needed to add multiple new port redirections and associated clients

You may also specify Advanced port redirection options:

• Enter the local address to bind to when creating the local endpoint of the redirection. It is not usually necessary to change this from "localhost".
• Enter a local TCP port to bind to when creating the local endpoint of the redirection. If this is left blank, a random port will be selected.

Note: SDT Connector can also tunnel UDP services. SDT Connector tunnels the UDP traffic through the TCP SSH redirection, so in effect it is a tunnel within a tunnel. Enter the UDP port on which the service is running on the host. This will also be the local UDP port that SDT Connector binds as the local endpoint of the tunnel. Note that for UDP services, you still need to specify a TCP port under General. This will be an arbitrary TCP port that is not in use on the gateway. An example of this is the SOL Proxy service. It redirects local UDP port 623 to remote UDP port 623 over the arbitrary TCP port 6667.
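The "tunnel within a tunnel" above works because each UDP datagram is wrapped for transport over the TCP SSH redirection; the added example below (not SDT Connector's own code) shows why that wrapping is needed and how a receiver recovers datagram boundaries from a TCP stream that may split or merge them. The 2-byte length prefix and the socketpair standing in for the SSH tunnel are assumptions; the page does not describe SDT Connector's real wire format.

```python
# Added example, not SDT Connector code: a UDP service (e.g. SOL Proxy, UDP 623)
# carried over a TCP redirection (e.g. TCP 6667). TCP drops datagram boundaries,
# so each datagram is framed with an assumed 2-byte big-endian length prefix.
import socket
import struct

MAX_DATAGRAM = 65535          # largest length a 2-byte prefix can express

def frame(datagram):
    """Prefix one UDP payload with its length so it survives TCP coalescing."""
    if len(datagram) > MAX_DATAGRAM:
        raise ValueError("datagram too large to frame")
    return struct.pack("!H", len(datagram)) + datagram

class Deframer:
    """Rebuilds whole datagrams from arbitrary TCP chunks (split or merged)."""
    def __init__(self):
        self.buf = b""

    def feed(self, chunk):
        self.buf += chunk
        out = []
        while len(self.buf) >= 2:
            n = struct.unpack("!H", self.buf[:2])[0]
            if len(self.buf) < 2 + n:
                break                      # wait for the rest of this datagram
            out.append(self.buf[2:2 + n])
            self.buf = self.buf[2 + n:]
        return out

def tunnel_datagrams(datagrams, chunk_size):
    """Push framed datagrams through a socketpair (stand-in for the SSH tunnel)
    and read them back in `chunk_size` pieces, as the far end would."""
    sender, receiver = socket.socketpair()
    for d in datagrams:
        sender.sendall(frame(d))           # local endpoint: UDP in, framed TCP out
    sender.close()
    deframer, received = Deframer(), []
    while True:
        chunk = receiver.recv(chunk_size)  # remote endpoint: TCP in, UDP out
        if not chunk:
            break
        received.extend(deframer.feed(chunk))
    receiver.close()
    return received
```

Running `tunnel_datagrams` with a small `chunk_size` reproduces the worst case, where one datagram arrives over several TCP reads and several datagrams arrive in one.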
6.2.7 Adding a client program to be started for the new service

Clients are local applications that may be launched when a related service is clicked. To add to the pool of client programs:

• Select Edit: Preferences and click the Client tab. Click Add
• Enter a Name for the client. Enter the Path to the executable file for the client (or click Browse to locate the executable)
• Enter a Command Line associated with launching the client application. SDT Connector typically launches a client using command line arguments to point it to the local endpoint of the redirection. There are three special keywords for specifying the command line format. When launching the client, SDT Connector substitutes these keywords with the appropriate values:
  %path% is the path to the executable file, i.e. the previous field.
  %host% is the local address to which the local endpoint of the redirection is bound, i.e. the Local Address field for the Service redirection Advanced options.
  %port% is the local port to which the local endpoint of the redirection is bound, i.e. the Local TCP Port field for the Service redirection Advanced options. If this port is unspecified (i.e. "Any"), the appropriate randomly selected port will be substituted.

For example, SDT Connector is preconfigured for Windows installations with a HTTP service client that will connect with whichever local browser the local Windows user has configured as the default. Otherwise the default browser used is Firefox:
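The keyword substitution described above, as an added example that is not SDT Connector's own code: it expands %path%, %host% and %port% in a client Command Line, picks a free local port when the Local TCP Port is "Any", and launches the client from an argument list rather than a shell string so the substituted values are never re-parsed. Per-token expansion with shlex is an assumption about how to do this, not the documented behaviour of SDT Connector.

```python
# Added example, not SDT Connector code. Expands the %path%, %host% and %port%
# keywords of a client Command Line and launches the client without a shell.
import shlex
import socket
import subprocess

def pick_free_port(bind_addr="localhost"):
    """Ask the OS for an unused TCP port, as the "Any" setting does."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((bind_addr, 0))
        return s.getsockname()[1]

def build_client_argv(command_line, path, host, port=None):
    """Substitute the three keywords inside each token of the Command Line.

    Tokenising first (shlex, an assumption) keeps quoted arguments such as
    "http://%host%:%port%/" as one argv item after substitution.
    """
    if port in (None, "", "Any"):
        port = pick_free_port(host)      # random local port, as for "Any"
    values = {"%path%": path, "%host%": host, "%port%": str(port)}
    argv = []
    for token in shlex.split(command_line):
        for keyword, value in values.items():
            token = token.replace(keyword, value)
        argv.append(token)
    return argv

def launch_client(command_line, path, host, port=None):
    """Start the client from an argv list; no shell sees the substituted values."""
    argv = build_client_argv(command_line, path, host, port)
    return subprocess.Popen(argv)
```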
Also some clients are launched in a command line or terminal window. The Telnet client is an example of this:

• Click OK

6.2.8 Dial-in configuration

If the client computer is dialing into the Local/Console port on the Console Server, you will need to set up a dial-in PPP link:

• Configure the Console Server for dial-in access (following the steps in the Configuring for Dial-In PPP Access section in Chapter 5, Configuring Dial In Access)
• Set up the PPP client software at the remote User computer (following the Set up the remote Client section in Chapter 5)

Once you have a dial-in PPP connection established, you can then set up the secure SSH tunnel from the remote Client computer to the Console Server.