Tripp Lite 0 Idades Manual

							101
Chapter 6: Secure SSH Tunneling & SDT Connector
6.3 SDT Connector to Management Console 
SDT Connector can also be configured for browser access to the gateway’s Manageme\
nt Console – and for Telnet or SSH 
access to the gateway command line. For these connections to the gateway itself, you must configure SDT Connector to 
access the gateway (itself) by setting the Console Server up as a host, and then configuring the appropriate services:
• Launch SDT Connector on your computer. Assuming you have already set up the Console Server as a Gateway in your SDT 
Connector client (with username/ password etc), select this newly added Gateway and click the Host icon to create a host. 
Alternatively, select File: New Host
•  Enter 127.0.0.1 as the Host Address and give some details in Descriptive Name/Notes. Click OK
 
•  Click the HTTP or HTTPS Services icon to access the gateway's Management Console, and/or click \
SSH or Telnet to access 
the gateway command line console
Note: To enable SDT access to the gateway console, you must now configure the\
 Console Server to allow port forwarded 
network access to itself:  
• Browse to the Console Server and select Network Hosts from Serial & Network. Click Add Host and in the IP Address/
DNS Name field enter 127.0.0.1 (this is the Console Server's network loopback\
 address). Then enter Loopback in 
Description  
• Remove all entries under Permitted Services except for those that will be used in accessing the Management Console (\
80/
http or 443/https) or the command line (22/ssh or 23/Telnet). Scroll to the bottom and click Apply
• Administrators by default have gateway access privileges. However for Us\
ers to access the gateway Management Console, 
you will need to give those Users the required access privileges. Select\
 Users & Groups from Serial & Network. Click Add 
User. Enter a Username, Description and Password/Confirm. Select 127.0.0.1 from Accessible Host(s) and click Apply  
						

							102
6.4 SDT Connector - Telnet or SSH Serial Device Connection
SDT Connector can also be used to access text consoles on devices that are attached t\
o the Console Server’s serial ports. For 
these connections, you must configure the SDT Connector client software with a Service that will access the target gateway 
serial port, and then set the gateway up as a host: 
• Launch SDT Connector on your computer. Select Edit: Preferences and click the Services tab. Click Add  
• Enter “Serial Port 2” in Service Name and click Add  
• Select Telnet client as the Client. Enter 2002 in TCP Port. Click OK, then Close and Close again
 
Chapter 6: Secure SSH Tunneling & SDT Connector
•  Assuming you have already set up the target Console Server as a gateway \
in your SDT Connector client (with username/ 
password etc), select this gateway and click the Host icon to create a host. Alternatively, select File: New Host. 
•  Enter 127.0.0.1 as the Host Address and select Serial Port 2 for Service. In Descriptive Name, enter something along 
the lines of Loopback ports, or Local serial ports. Click OK.
• Click Serial Port 2 icon for Telnet access to the serial console on the device attached to serial port\
 #2 on the gateway 
To enable SDT Connector to access to devices connected to the gateway’s serial ports, you mu\
st also configure the Console 
Server itself to allow port forwarded network access to itself, and enable access to the nominated serial port:  
•  Browse to the Console Server and select Serial Port from Serial & Network
• Click Edit to selected Port # (e.g. Port 2 if the target device is attached to the second serial port). Ensu\
re the port’s serial 
configuration is appropriate for the attached device
•  Scroll down to Console Server Setting and select Console Server Mode. Check Telnet (or SSH) and scroll to the bottom 
and click Apply
• Select Network Hosts from Serial & Network and click Add Host
•  In the IP Address/DNS Name field, enter 127.0.0.1 (this is the Console Server’s network loopback address) and enter 
Loopback in Description 
•  Remove all entries under Permitted Services and select TCP and enter 200n in Port. (This configures the Telnet port 
enabled in the previous step, so for Port 2 you would enter 2002)
• Click Add then scroll to the bottom and click Apply
•  Administrators by default have gateway and serial port access privileges\
; however for Users to access the gateway and the 
serial port, you will need to give those Users the required access privi\
leges. Select Users & Groups from Serial & Network. 
Click Add User. Enter a Username, Description and Password/Confirm. Select 127.0.0.1 from Accessible Host(s) and 
select Port 2 from Accessible Port(s). Click Apply.  
						

							103
Chapter 6: Secure SSH Tunneling & SDT Connector
6.5 SDT Connector OoB Connection 
SDT Connector can also be set up to connect to the Console Server via out-of-band (OoB). OoB access uses an alternate path 
for connecting to the Console Server (i.e. not the one used for regular\
 data traffic). OoB access is useful when the primary link 
into the gateway is unavailable or unreliable.
Typically a Console Server's primary link is a broadband Internet connect\
ion or Internet connection via a LAN or VPN, and the 
secondary out-of-band connectivity is provided by a dial-up or wireless modem directly a\
ttached to the gateway. So out-of-
band access enables you to access the hosts and serial devices on the ne\
twork, diagnose any connectivity issues, and restore 
the gateway's primary link.
In SDT Connector, OoB access is configured by providing the secondary IP address of th\
e gateway, and telling SDT Connector 
how to start and stop the OoB connection. Starting an OoB connection may\
 be achieved by initiating a dial-up connection, or 
adding an alternate route to the gateway. SDT Connector allows for maximum flexibility by allowing you to provide your own 
scripts or commands for starting and stopping the OoB connection.
 
To configure SDT Connector for OoB access:
•  When adding a new gateway or editing an existing gateway, select the Out Of Band tab  
•  Enter the secondary OoB IP address for the gateway (e.g. the IP address\
 to be used when dialing in directly). You may also 
modify the gateway's SSH port if it's not using the default of 22
•  Enter the command or path to a script to start the OoB connection in Start Command
  o To initiate a pre-configured dial-up connection under Windows, use the following Start Command:
  cmd /c start "Starting Out of Band Connection" /wait /min rasdial networ\
k_connection login password
   The network_connection in the above is the name of the network connection as displayed in Control Panel ->  
    Network Connections. Login is the dial-in username, and password is the dial-in password for the connection.
 o To initiate a pre-configured dial-up connection under Linux, use the fo\
llowing Start Command:
    pon network_connection
   The network_connection in the above is the name of the connection. 
•  Enter the command or path to a script to stop the OoB connection in Stop Command  
  o To stop a pre-configured dial-up connection under Windows, use the following Stop Command:
  cmd /c start "Stopping Out of Band Connection" /wait /min rasdial networ\
k_connection /disconnect
  The network_connection in the above is the name of the network connection as displayed in Control Panel ->    
    Network Connections.
 o To stop a pre-configured dial-up connection under Linux, use the follow\
ing Stop Command:
  poff network_connection  
						

							104
Chapter 6: Secure SSH Tunneling & SDT Connector
To make the OoB connection using SDT Connector:
• Select the gateway and click Out Of Band. The status bar will change col\
or to indicate this gateway is now being access using 
the OoB link rather than the primary link
 
When you connect to a service on a host behind the gateway, or to the Console Server gateway itself, SDT Connector will 
initiate the OoB connection using the provided Start Command. The OoB co\
nnection isn't stopped (using the provided Stop 
Command) until Out Of Band under Gateway Actions is clicked off, at which point the status bar will return to its normal color.
6.6  Importing (and Exporting) Preferences 
To enable the distribution of pre-configured client config files, SDT Connector has an Export/Import facility:
 
•  To save a configuration .xml file (for backup or for importing into \
other SDT Connector clients), select File: Export 
Preferences and select the location to save the configuration file
•  To import a configuration, select File: Import Preferences and select the .xml configuration file to be installed   
						

							105
Chapter 6: Secure SSH Tunneling & SDT Connector
6.7 SDT Connector Public Key Authentication
SDT Connector can authenticate against an SSH gateway using your SSH key pair rather than requiring your to enter your 
password. This is known as public key authentication.
To use public key authentication with SDT Connector, you must first add the public part of your SSH key pair to your SSH 
gateway:
•  Ensure the SSH gateway allows public key authentication. This is typically the defau\
lt behavior
•  If you do not already have a public/private key pair for your client com\
puter (the one which the  SDT Connector is running) 
generate them now using ssh-keygen, PuTTYgen or a similar tool. You may use RSA or DSA, however it is important that 
you leave the passphrase field blank:
  o PuTTYgen: http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
 o OpenSSH:   http://www.openssh.org/
  o OpenSSH (Windows):  http://sshwindows.sourceforge.net/download/
•  Upload the public part of your SSH key pair (this file is typically named id_rsa.pub or id_dsa.pub) to the SSH gateway, or 
add it to the .ssh/authorized keys in your home directory on the SSH gateway
•  Next, add the private part of your SSH key pair (this file is typically named id_rsa or id_dsa) to SDT Connector. 
Click Edit: Preferences: Private Keys: Add, locate the private key file and click OK
You do not have to add the public part of your SSH key pair; it is calculated using the private key.
SDT Connector will now use public key authentication when connecting thr\
ough the SSH gateway (Console Server). You may 
have to restart SDT Connector to shut down any existing tunnels that wer\
e established using password authentication.
If you have a host behind the Console Server that you connect to by clic\
king the SSH button in SDT Connector, you may also 
wish to configure access to it for public key authentication as well. \
This configuration is entirely independent of SDT Connector 
and the SSH gateway. You must configure the SSH client that SDT Connector launches (e.g. Putty, OpenSSH) and the host's 
SSH server for public key authentication. Essentially, what you are using is SSH over SSH, and the two SSH connections are 
entirely separate.  
						

							106
Chapter 6: Secure SSH Tunneling & SDT Connector
6.8 Setting up SDT for Remote Desktop Access
Microsoft’s Remote Desktop Protocol (RDP) enables the system manage\
r securely to access and manage remote Windows 
computers: to reconfigure applications and user profiles, upgrade th\
e server’s operating system, reboot the machine, etc. 
Secure Tunneling uses SSH tunneling, so this RDP traffic is securely transferred through an a\
uthenticated and encrypted 
tunnel. 
SDT with RDP also allows remote Users to connect to Windows XP, Vista, Windows 2003 computers and to Windows 2000 
Terminal Servers, and to have access to all of the applications, files,\
 and network resources (with full graphical interface just 
as though they were in front of the computer screen itself). To set up a secure Remote Desktop connection, you must enable 
Remote Desktop on the target Windows computer that is to be accessed and configure the RPD client so\
ftware on the client 
computer.
6.8.1   Enable Remote Desktop on the target Windows computer to be accessed
To enable Remote Desktop on the Windows computer being accessed:
• Open System in the Control Panel and click the Remote tab
 
• Check Allow users to connect remotely to this computer 
• Click Select Remote Users   
						

							107
Chapter 6: Secure SSH Tunneling & SDT Connector
 
•  To set the user(s) who can remotely access the system with RDP, click Add on the Remote Desktop Users dialog box 
Note: If you need to set up new users for Remote Desktop access, open User Accounts in the Control Panel and proceed 
through the steps to nominate the new user’s name, password and accou\
nt type (Administrator or Limited)
Note: With Windows XP Professional and Vista, you have only one Remote Desktop sessi\
on and it connects directly to the 
Windows root console. With Windows Server 2008 you can have multiple sessions, and with Server 2003 \
you have three 
sessions (the console session and two other general sessions). Therefo\
re, more than one user can have an active session on 
a single computer. 
When the remote user connects to the accessed computer on the console se\
ssion, Remote Desktop automatically locks that 
computer (so no other user can access the applications and files). W\
hen you come back to the computer, you can unlock it by 
typing CTRL+ALT+DEL.
6.8.2   Configure the Remote Desktop Connection client 
Now that you have the Client computer securely connected to the Console \
Server (either locally, or remotely, thru the 
enterprise VPN, or a secure SSH internet tunnel or a dial-in SSH tunnel), you are ready to establish the Remote Desktop 
connection from the Client. To do this you simply enable the Remote Desktop Connection on the remote \
client computer then 
point it to the SDT Secure Tunnel port in the Console Server:
A. On a Windows client computer
• Click Start. Point to Programs, then to Accessories, then Communications, and click Remote Desktop Connection 
 
• In Computer, enter the appropriate IP Address and Port Number: 
  o Where there is a direct local or enterprise VPN connection, enter the IP\
 Address of the Console Server, and  
    the Port Number of the SDT Secure Tunnel for the Console Server’s serial port (the one that is attached\
 to the  
   Windows computer to be controlled). For example, if the Windows computer is connected to serial Port 3 on a  
   Console Server located at 192.168.0.50 then you would enter 192.168.0.50:7303.
 o Where there is an SSH tunnel (over a dial-up PPP connection or over a public internet conn\
ection or private  
    network connection), simply enter the localhost as the IP address, i.e. 127.0.0.1. For Port Number, enter the  
  source port you created when setting SSH tunneling/port forwarding (in Section 6.1.6) e.g.:1234.
• Click Option. In the Display section, specify an appropriate color depth (e.g. for a modem connecti\
on it is recommended 
you not use over 256 colors). In Local Resources, specify the peripherals on the remote Windows computer that are to 
be controlled (printer, serial port, etc.)  
						

							108
Chapter 6: Secure SSH Tunneling & SDT ConnectorChapter 6: Secure SSH Tunneling & SDT Connector
 
•  Click Connect 
Note: The Remote Desktop Connection software is pre-installed on Windows XP. However, for earlier Windows computers, you 
will need to download the RDP client:
•  Go to the Microsoft Download Center site   http://www.microsoft.com/downloads/details.aspx?familyid=80111F21-D48D-
426E-96C2-08AA2BD23A49&displaylang=en and click the Download button
This software package will install the client portion of Remote Desktop \
on Windows 95, Windows 98 and 98 Second Edition, 
Windows Me, Windows NT 4.0, Windows 2000, and Windows 2003. When run, this software allows these older Windows 
platforms to remotely connect to a computer running Windows XP Professional or Windows 2003 Server
B. On a Linux or UNIX client computer:
•  Launch the open source rdesktop client: 
rdesktop -u windows-user-id -p windows-password -g 1200x950 ms-windows-terminal-server-host-name
optiondescription
-aColor depth: 8, 16, 24
-rDevice redirection. i.e. Redirect sound on remote machine to local devic\
e  i.e. -0 -r sound (MS/Windows 2003)
-gGeometry: widthxheight or 70% screen percentage.
-pUse -p - to receive password prompt.
•  You can use GUI front end tools like the GNOME Terminal Services Client  tsclient to configure and launch the rdesktop 
client. (Using tsclient also enables you to store multiple configurations of rdesktop for connection to many servers.)  
						

							109
Chapter 6: Secure SSH Tunneling & SDT ConnectorChapter 6: Secure SSH Tunneling & SDT Connector
 
Note: The rdesktop client is supplied with Red Hat 9.0:
•  rpm -ivh rdesktop-1.2.0-1.i386.rpm 
For Red Hat 8.0 or other distributions of Linux; download source, untar, configure, make, make then install.
rdesktop currently runs on most UNIX based platforms with the X Window System and can be downloaded from http://www.
rdesktop.org/  
C. On a Macintosh client:
•  Download Microsoft's free Remote Desktop Connection client for Mac OS X \
http://www.microsoft.com/mac/otherproducts/
otherproducts.aspx?pid=remotedesktopclient  
						

							110
Chapter 6: Secure SSH Tunneling & SDT Connector
6.9 SDT SSH Tunnel for VNC 
Alternately, with SDT and Virtual Network Computing (VNC), Users and Administrato\
rs can securely access and control 
Windows 98/NT/2000/XP/2003, Linux, Macintosh, Solaris and UNIX computers.\
 There’s a range of popular VNC software 
available (UltraVNC, RealVNC, TightVNC) freely and commercially. To set up a secure VNC connection, install and configure 
the VNC Server software on the computer to be accessed. Then install and\
 configure the VNC Viewer software on the Viewer 
computer. 
6.9.1  Install and configure the VNC Server on the computer to be accessed
Virtual Network Computing (VNC) software enables users to remotely acc\
ess computers running Linux, Macintosh, Solaris, 
UNIX, all versions of Windows and most other operating systems.
A. For Microsoft Windows servers (and clients):
Windows does not include VNC software, so you will need to download, inst\
all and activate a third party VNC Server software 
package: 
RealVNC http://www.realvnc.com is fully cross-platform, so a desktop running on a Linux ma\
chine may 
be displayed on a Windows computer, on a Solaris machine, or on any number of other architectures. 
There is a Windows server, allowing you to view the desktop of a remote Windows machine on any of 
these platforms using exactly the same viewer. RealVNC was founded by members of the AT&T team who 
originally developed VNC. 
 
TightVNC http://www.tightvnc.com is an enhanced version of VNC. It has added features such \
as file 
transfer, performance improvements and read-only password support. They have jus\
t recently included 
a video drive much like UltraVNC. TightVNC is still free, cross-platform\
 (Windows Unix and Linux) and 
compatible with the standard (Real) VNC.
 
UltraVNC http://ultravnc.com is easy to use, fast and free VNC software \
that has pioneered and perfected 
features that the other flavors have consistently refused or been very\
 slow to implement for cross platform 
and minimalist reasons. UltraVNC runs under Windows operating systems (95, 98, Me, NT4, 2000, XP, 
2003) Download UltraVNC from Sourceforge's UltraVNC file list 
B. For Linux servers (and clients):
Most Linux distributions now include VNC Servers and Viewers. They are g\
enerally launched from the (Gnome/KDE etc) front 
end. For example, there’s VNC Server software with Red Hat Enterprise Linux\
 4 and a choice of Viewer client software. To 
launch:
•  Select the Remote Desktop entry in the Main Menu: Preferences menu
•  Click the Allow other users checkbox to allow remote users to view and control your desktop