Tripp Lite 0 Idades Manual
Chapter 3: Initial System Configuration

A Welcome screen, which lists initial installation configuration steps, will be displayed. These steps are:
• Change default administration password (System/Administration page. Refer to Chapter 3.2)
• Configure the local network settings (System/IP page. Refer to Chapter 3.3)

To configure Console Server features:
• Configure serial ports settings (Serial & Network/Serial Port page. Refer to Chapter 4)
• Configure user port access (Serial & Network/Users page. Refer to Chapter 4)

After completing each of the above steps, you can return to the configuration list by clicking the Tripp Lite logo in the top left corner of the screen.

• At the Management Console menu select System: Administration

Note: If you are not able to connect to the Management Console at 192.168.0.1 or if the default Username / Password were not accepted then reset your Console Server (refer to Chapter 10)

3.1.3 Initial B092-016 connection

You can configure the B092-016 Console Server using a connected computer and browser connection as described in the two sections above, or you can configure it directly. To do this you will need to connect a console (keyboard, mouse and display) or a KVM switch directly to its mouse, keyboard and VGA ports. When you initially power on the B092-016, you will be prompted on your directly connected video console to log in.
• Enter the default administration username and password (Username: root Password: default). The B092-016 control panel will be displayed
• Click the Configure button on the control panel. This will load the Firefox browser and open the B092-016 Management Console
3.2 Administrator Password

For security reasons, only the administration user named root can initially log into your Console Server. Only those people who know the root password can access and reconfigure the Console Server itself. However, anyone who correctly guesses the root password could gain access (and the default root password is default). It is therefore essential that you enter and confirm a new root password before giving the Console Server any access to, or control of, your computers and network appliances.
• Select Change default administration password from the Welcome page, which will take you to Serial & Network: Users & Groups
• Select Edit for the user root
• Add a new Password and then re-enter it in Confirm. This is the new password for root, the main administrative user account, so it is important that you choose a complex password, and keep it safe

Note: There are no restrictions on the characters that can be used in the System Password (which can contain up to 254 characters). However, only the first eight Password characters are used to make the password hash.

• Click Apply

Note: If the Console Server has flash memory you will be given the option to Save Password across firmware erases. Checking this will save the password hash in the non-volatile configuration partition, which does not get erased on firmware reset. However, take care: if this password is lost, the device will need to be firmware recovered.

• Select System: Administration
• You may now wish to enter a System Name and System Description for the Console Server to give it a unique ID and make it simple to identify

Note: The System Name can contain from 1 to 64 alphanumeric characters (however you can also use the special characters “-”, “_” and “.”). There are no restrictions on the characters that can be used in the System Description (which can contain up to 254 characters).

• The MOTD Banner can be used to display a “message of the day” text to authenticating users when they access the Console Server over ssh, ftp or web
• Click Apply. As you have changed the password you will be prompted to log in again. This time use the new password

Note: If you are not confident your Console Server has been supplied with the current release of firmware, you can upgrade. Refer to Upgrade Firmware - Chapter 10

3.2.1 Set up new administrator

It is also recommended that you set up a new Administrator user as soon as convenient and log in as this new user for all ongoing administration functions (rather than root). This Administrator can be configured in the admin group with full access privileges through the Serial & Network: Users & Groups menu (refer to Chapter 4 for details)
3.3 Network IP Address

It is time to enter an IP address for the principal 10/100 LAN port on the Console Server, or enable its DHCP client so that it automatically obtains an IP address from a DHCP server on the network to which it is to be connected.
• On the System: IP menu select the Network Interface page then check DHCP or Static for the Configuration Method
• If you select Static you must manually enter the new IP Address, Subnet Mask, Gateway and DNS server details. This selection automatically disables the DHCP client
• If you selected DHCP the Console Server will look for configuration details from a DHCP server on your management LAN. This selection automatically disables any static address. The Console Server MAC address can be found on a label on the base plate

Note: In its factory default state (with no Configuration Method selected) the Console Server has its DHCP client enabled, so it automatically accepts any network IP address assigned by a DHCP server on your network. In this initial state, the Console Server will then respond to both its Static address (192.168.0.1) and its newly assigned DHCP address

• By default the Console Server LAN port auto detects the Ethernet connection speed. However you can use the Media menu to lock the Ethernet to 10 Mb/s or 100 Mb/s and to Full Duplex (FD) or Half Duplex (HD)

Note: If you have changed the Console Server IP address, you may need to reconfigure your PC/workstation so it has an IP address that is in the same network range as this new address (as detailed in an earlier note in this chapter)

• Click Apply
• You will need to reconnect the browser on the PC/workstation that is connected to the Console Server by entering http://new IP address
3.3.1 IPv6 configuration

By default, the Console Server Ethernet interfaces support IPv4. However, they can also be configured for IPv6 operation:
• On the System: IP menu select General Settings page and check Enable IPv6
• You will then need to configure the IPv6 parameters on each network interface page
3.3.2 Dynamic DNS (DDNS) configuration

Dynamic DNS (DDNS) enables a Console Server with a dynamically assigned IP address (that may change from time to time) to be located using a fixed host or domain name.
• The first step in enabling DDNS is to create an account with the supported DDNS service provider of your choice. Supported DDNS providers include:
  o DyNS www.dyns.cx
  o dyndns.org www.dyndns.org
  o GNUDip gnudip.cheapnet.net
  o ODS www.ods.org
  o TZO www.tzo.com
  o 3322.org (Chinese provider) www.3322.org

Upon registering with the DDNS service provider, you will select a username and password, as well as a hostname that you will use as the DNS name (to allow external access to your machine using a URL). The Dynamic DNS service providers allow the user to choose a hostname URL and set an initial IP address to correspond to that hostname URL. Many Dynamic DNS providers offer a selection of URL hostnames available for free use with their service. However, with a paid plan, any URL hostname (including your own registered domain name) can be used.

You can now enable and configure DDNS on any of the Ethernet or cellular network connections on the Console Server (by default DDNS is disabled on all ports):
• Select the DDNS service provider from the drop down Dynamic DNS list on the System:IP or System:Dial menu
• In DDNS Hostname enter the fully qualified DNS hostname for your console server e.g. your-hostname.dyndns.org
• Enter the DDNS Username and DDNS Password for the DDNS service provider account
• Specify the Maximum interval between updates - in days. A DDNS update will be sent even if the address has not changed
• Specify the Minimum interval between checks for changed addresses - in seconds. Updates will still only be sent if the address has changed
• Specify the Maximum attempts per update i.e. the number of times to attempt an update before giving up (defaults to 3)
3.4 System Services and Service Access

Service Access specifies which access protocols/services can be used to access the Console Server (and connected serial ports).

The Administrator can access and configure the Console Server (and connected devices) using a range of access protocols/services – and for each such access, the particular service must be running with access through the firewall enabled.

By default HTTP, HTTPS, Telnet and SSH services are running, and these services are enabled on all network interfaces. However, again by default, only HTTPS and SSH access to the Console Server is enabled, while HTTP and Telnet access is disabled.

For other services, such as SNMP/Nagios NRPE/NUT, the service must first be started on the relevant network interface using Service Settings. Then the Service Access can be set to allow or block access.

To enable and configure a service:
• Select the Service Settings tab on the System: Services page and enable required services

To change the access settings:
• Select the Service Access tab on the System: Services page. This will display the service currently enabled for the Console Server’s network interfaces.
  o Network interface (for the principal Ethernet connection)
  o Dial out (V90 and cellular modem)
  o Dial in (internal or external V90 modem)
  o WiFi (802.11 wireless)
  o OoB Failover (second Ethernet connections)
  o VPN (IPSec or Open VPN connection over any network interface)
• Check/uncheck for each network which service access is to be enabled/disabled

In the example shown below local Administrators on local Network Interface LAN do not have Telnet access to the Console Server itself (only SSH and HTTPS access) but they do have Telnet access to the serial console devices attached to the Console Server.
The Services Access settings specify which services the Administrator can use over which network interface to access the console server. It also nominates the enabled services that the Administrator and the User can use to connect through the Console Server to attached serial and network connected devices.

• The following general service access options can be specified:

HTTPS: This ensures the Administrator has secure browser access to all the Management Console menus on the Console Server. It also allows appropriately configured Users secure browser access to selected Manage menus. For information on certificate and user client software configuration refer to Chapter 9 - Authentication. By default HTTPS is enabled, and it is recommended that only HTTPS access be used if the Console Server is to be managed over any public network (e.g. the Internet).

HTTP: The HTTP service allows the Administrator basic browser access to the Management Console. It is recommended the HTTP service be disabled if the Console Server is to be remotely accessed over the Internet.

Telnet: This gives the Administrator telnet access to the system command line shell (Linux commands). While this may be suitable for a local direct connection over a management LAN, it is recommended this service be disabled if the Console Server is to be remotely administered. This service may also be useful for local Administrator and User access to selected serial consoles.

SSH: This service provides secure SSH access. It is recommended you choose SSH as the protocol where the Administrator connects to the Console Server over the Internet or any other public network. This will provide authenticated communications between the SSH client program on the remote PC/workstation and the SSH server in the Console Server. For more information on SSH configuration refer to Chapter 9 - Authentication.
• There are also a number of related service options that can be configured at this stage:

SNMP: This will enable netsnmp in the Console Server, which will keep a remote log of all posted information. SNMP is disabled by default. To modify the default SNMP settings, the Administrator must make the edits at the command line as described in Chapter 15 – Advanced Configuration

TFTP/FTP: If a USB flash card or internal flash is detected on the Console Server, then enabling this service will set up default tftp and ftp servers on the USB flash. These servers are used to store config files, maintain access and transaction logs etc. Files transferred using tftp will be stored under /var/tmp/usbdisk/tftpboot

Ping: This allows the Console Server to respond to incoming ICMP echo requests. Ping is enabled by default, however for security reasons this service should generally be disabled post initial configuration

Nagios: Access to the NUT UPS monitoring and Nagios NRPE monitoring daemons

NUT: Access to the NUT UPS monitoring and Nagios NRPE monitoring daemons

• And there are some serial port access parameters that can be configured on this menu:

Base: The Console Server uses specific default ranges for the TCP/IP ports for the various access services that Users and Administrators can use to access devices attached to serial ports (as covered in Chapter 4 – Configuring Serial Ports). The Administrator can also set alternate ranges for these services, and these secondary ports will then be used in addition to the defaults. The default TCP/IP base port address for telnet access is 2000, and the range for telnet is IP Address: Port (2000 + serial port #) i.e. 2001 – 2048. So if the Administrator were to set 8000 as a secondary base for telnet then serial port #2 on the Console Server can be telnet accessed at IP Address:2002 and at IP Address:8002.
The default base for SSH is 3000; for Raw TCP is 4000; and for RFC2217 it is 5000

RAW/Direct: You can also specify that serial port devices can be accessed from nominated network interfaces using Raw TCP, direct Telnet/SSH, unauthenticated Telnet services etc

• Click Apply. As you apply your services selections, the screen will be updated with a confirmation message: Message Changes to configuration succeeded
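The base-port scheme described above can be turned into an audit check for your own appliance: given the TCP ports found listening on it, work out which serial port and service each one reaches and which of them carry traffic unencrypted. This is an added example, not code from the manual or from Tripp Lite. It assumes the standard ports 22, 23, 80 and 443 for the appliance's own services, assumes the 48-port span given for Telnet also applies to the other bases, and uses a constructed list of open ports.

```python
# Default bases from the manual; TCP port = base + serial port number.
SERIAL_BASES = {"Telnet": 2000, "SSH": 3000, "Raw TCP": 4000, "RFC2217": 5000}
# Services on the appliance itself. 5900/5800 are named in this chapter;
# 22/23/80/443 are the standard ports for those protocols (assumed here).
APPLIANCE = {22: "SSH", 23: "Telnet", 80: "HTTP", 443: "HTTPS",
             5900: "VNC", 5800: "Secure VNC"}
ENCRYPTED = {"SSH", "HTTPS", "Secure VNC"}
MAX_SERIAL_PORTS = 48  # manual gives 2001-2048 for Telnet; assumed for the others


def classify(port, secondary_bases=None):
    """Return (target, service, encrypted) for a TCP port, or None if unknown.

    secondary_bases: optional {service: base} for alternate ranges set by
    the Administrator, which are used in addition to the defaults.
    """
    if port in APPLIANCE:
        svc = APPLIANCE[port]
        return ("console server", svc, svc in ENCRYPTED)
    candidates = list(SERIAL_BASES.items()) + list((secondary_bases or {}).items())
    for svc, base in candidates:
        n = port - base
        if 1 <= n <= MAX_SERIAL_PORTS:
            return (f"serial port #{n}", svc, svc in ENCRYPTED)
    return None


def cleartext_exposure(open_ports, secondary_bases=None):
    """List open ports that carry console traffic or credentials unencrypted."""
    findings = []
    for port in sorted(open_ports):
        hit = classify(port, secondary_bases)
        if hit and not hit[2]:
            findings.append((port, hit[0], hit[1]))
    return findings


# Constructed list of listening ports for one appliance (not real data).
SAMPLE_OPEN_PORTS = [22, 443, 2002, 3002, 4010, 8002, 5900]

if __name__ == "__main__":
    # Secondary Telnet base 8000, as in the manual's example.
    for port, target, svc in cleartext_exposure(SAMPLE_OPEN_PORTS, {"Telnet": 8000}):
        print(f"{port:>5}  {svc:<8} -> {target}")
```

Any port this reports on an interface that faces an untrusted network is a candidate for unchecking on the Service Access tab.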
• The B092-016 Console Server with PowerAlert also presents some additional service and configuration options:

VNC: The B092-016 Console Server has an internal VNC server. When enabled, it allows remote users to connect to the Console Server and run the PowerAlert software and any other embedded thin client programs as if they were plugged in locally to the KVM connectors on the B092-016 (refer to Chapter 16 for more details). Users connect using port 5900 and need to run a VNC client applet

Secure VNC: This enables a secure encrypted remote connection using VNC over SSL on port 5800 to the B092-016 Console Server (refer to Chapter 16)

PowerAlert: This configuration option will automatically start the PowerAlert application on the B092-016 and display the console as soon as you log into the local display or VNC session (refer to Chapter 16). The complete PowerAlert manual can be downloaded at www.tripplite.com/EN/support/PowerAlert/Downloads.cfm
3.4.1 Brute force protection

Brute force protection (Micro Fail2ban) temporarily blocks source IPs that show malicious signs, such as too many password failures. This may help mitigate scenarios where the appliance’s network services are exposed to an untrusted network such as the public WAN, and scripted attacks or software worms are attempting to guess (brute force) user credentials and gain unauthorized access.

Brute Force Protection may be enabled for the listed services. Once protection is enabled, 3 or more failed connection attempts within 60 seconds from a specific source IP trigger it to be banned from connecting for the next 60 seconds. Active Bans are also listed and may be refreshed by reloading the page.

Note: When an appliance is running on an untrusted network, it is recommended that a variety of strategies are used to lock down remote access. This includes strong passwords (or even better, SSH public key authentication), VPN, and using Firewall Rules to whitelist remote access from trusted source networks only.
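The ban policy described above (3 failures within 60 seconds, then a 60-second ban) can be replayed over authentication events to see which sources it would block and when. This is an added example, not the appliance's own Micro Fail2ban code. The log format, the sample lines, the treatment of the window boundary and the reset of the failure counter after a ban are assumptions made for the illustration.

```python
from collections import defaultdict, deque

MAX_FAILURES = 3      # "3 or more failed connection attempts"
WINDOW_SECONDS = 60   # "within 60 seconds"
BAN_SECONDS = 60      # "banned from connecting for the next 60 seconds"

# Constructed log lines in an assumed "<epoch> <source-ip> <service> FAIL|OK"
# format; the addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
1000 203.0.113.7 ssh FAIL
1010 203.0.113.7 ssh FAIL
1015 198.51.100.4 https FAIL
1020 203.0.113.7 ssh FAIL
1030 203.0.113.7 ssh FAIL
1085 203.0.113.7 ssh FAIL
1100 198.51.100.4 https OK
"""


def replay(log_text):
    """Return (bans, rejected): ban intervals and attempts dropped while banned."""
    failures = defaultdict(deque)   # ip -> timestamps of recent failures
    banned_until = {}               # ip -> time at which the ban expires
    bans, rejected = [], []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4 or not fields[0].isdigit():
            continue                # skip malformed lines rather than guess
        ts, ip, service, result = int(fields[0]), fields[1], fields[2], fields[3]
        if ts < banned_until.get(ip, 0):
            rejected.append((ts, ip, service))  # blocked before authentication
            continue
        if result != "FAIL":
            continue
        recent = failures[ip]
        recent.append(ts)
        while ts - recent[0] >= WINDOW_SECONDS:
            recent.popleft()        # forget failures that left the window
        if len(recent) >= MAX_FAILURES:
            banned_until[ip] = ts + BAN_SECONDS
            bans.append((ip, ts, ts + BAN_SECONDS))
            recent.clear()          # assumed: counting restarts after a ban
    return bans, rejected


if __name__ == "__main__":
    bans, rejected = replay(SAMPLE_LOG)
    for ip, start, end in bans:
        print(f"ban {ip} from t={start} until t={end}")
    for ts, ip, service in rejected:
        print(f"rejected {ip} on {service} at t={ts}")
```

In the sample, the source is banned at its third failure and reconnects as soon as the 60 seconds expire, which is why the note above recommends combining this protection with key-based authentication, VPN and firewall rules.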