Tripp Lite 0 Idades Manual
41 Chapter 4: Serial Port, Device and User Configuration

Note: In Console Server mode, Users and Administrators can use SDT Connector to set up secure Telnet connections that are SSH tunneled from their client computers to the serial port on the Console Server with a simple point-and-click. To use SDT Connector to access consoles on the Console Server serial ports, configure the SDT Connector with the Console Server as a gateway, then as a host, and enable the Telnet service on Port (2000 + serial port #), i.e. 2001–2048. Refer to Chapter 6 for more details on using SDT Connector for Telnet and SSH access to devices attached to the Console Server serial ports.

You can also use standard communications packages like PuTTY to set up a direct Telnet (or SSH) connection to the serial ports (refer to the Note below). Bear in mind that a direct Telnet connection, unlike the SDT Connector tunnel, carries the login credentials and the whole console session in cleartext, so use it only on a network you trust.

Note: PuTTY supports both Telnet and SSH. The procedure to set up a Telnet session is simple:
• Enter the Console Server’s IP address as the ‘Host Name (or IP address)’.
• Select ‘Telnet’ as the protocol and set the ‘TCP port’ to 2000 plus the physical serial port number (i.e. 2001 to 2048).
• Click the ‘Open’ button. If you chose SSH rather than Telnet, you may receive a ‘Security Alert’ that the host’s key is not cached (Telnet has no host key); check the fingerprint against the Console Server’s key before choosing ‘yes’ to continue.
• You will then be presented with the login prompt of the remote system connected to the serial port chosen on the Console Server. You can log in as normal and use the host serial console screen.
PuTTY can be downloaded at http://www.tucows.com/preview/195286.html
SSH

It is recommended that the User or Administrator uses SSH as the protocol for connecting to serial consoles attached to the Console Server when communicating over the Internet or any other public network. This provides an authenticated, encrypted connection between the SSH client program on the remote user’s computer and the Console Server, so the user’s communication with the serial device attached to the Console Server is protected across the network. (The last hop, from the Console Server to the device over the serial cable, is outside that protection.)

It is recommended for Users and Administrators to use SDT Connector when making an SSH connection to the consoles on devices attached to the Console Server’s serial ports. Configure the SDT Connector with the Console Server as a gateway, then as a host, and enable the SSH service on Port (3000 + serial port #), i.e. 3001–3048 (refer to Chapter 6).

You can also use common communications packages, like PuTTY or SSHTerm, to SSH connect directly to IP Address:Port (3000 + serial port #), i.e. 3001–3048.

Alternately, SSH connections can be configured using the standard SSH port 22. The serial port being accessed is then identified by appending a descriptor to the username. The descriptor forms shown in the following examples are the port number (portNN), the ttyS device (ttySN) and the keyword serial. So for a user named 'fred' to access serial port 2, when setting up the SSHTerm or PuTTY SSH client, instead of typing username = fred and ssh port = 3002, the alternative is to type username = fred:port02 (or username = fred:ttyS1; ttyS numbering starts at 0, so ttyS1 is serial port 2) and ssh port = 22. Or, by typing username = fred:serial and ssh port = 22, the user is presented with a port selection option. This syntax enables users to set up SSH tunnels to all serial ports with only a single IP port (22) having to be opened in their firewall/gateway.

TCP

RAW TCP allows connections directly to a TCP socket. Communications programs such as PuTTY also support RAW TCP; however, this protocol would usually be used by a custom application.
For RAW TCP, the default port address is IP Address:Port (4000 + serial port #), i.e. 4001–4048. RAW TCP also enables the serial port to be tunneled to a remote Console Server, so two serial port devices can be transparently interconnected over a network (see Chapter 4.1.6 – Serial Bridging). RAW TCP and RFC2217 carry the serial data without encryption, so restrict them to trusted networks or wrap them in SSH as described under Serial Bridging.

RFC2217

Selecting RFC2217 enables serial port redirection on that port. For RFC2217, the default port address is IP Address:Port (5000 + serial port #), i.e. 5001–5048. You will also need to run serial port redirector software on your desktop computer. This software, which supports RFC2217 virtual COM ports, is available commercially and as freeware for Windows, UNIX and Linux, and it allows you to use a serial device connected to the remote Console Server as if it were connected to your local serial port.
Unauthenticated Telnet

Selecting Unauthenticated Telnet enables Telnet access to the serial port without requiring the user to provide credentials. When a user accesses the Console Server to Telnet to a serial port they are normally given a login prompt. With unauthenticated Telnet, however, they connect straight through to the port without any Console Server login at all. This mode is mainly used when you have an external system (such as conserver) managing user authentication and access privileges at the serial device level. Because anyone who can reach the TCP port gets the console, enable it only behind such a system and only on a network you trust. For Unauthenticated Telnet, the default port address is IP Address:Port (6000 + serial port #), i.e. 6001–6048.

IP Alias

Enable access to the serial port using a specific IP address, specified in CIDR format. Each serial port can have one or more IP aliases configured on a per-interface basis. These IP addresses can only be used to access the specific serial port, accessible using the standard protocol TCP port numbers of the console server services. For example, SSH on serial port 3 would be accessible on port 22 of that serial port’s IP alias (whereas on the console server’s primary address it is available on port 3003).

This feature can also be configured via the multiple port edit page. In this case the IP addresses are applied sequentially, with the first selected port getting the IP entered and subsequent ones getting incremented, with numbers being skipped for any unselected ports. For example, if ports 2, 3 and 5 are selected and the IP alias 10.0.0.1/24 is entered for the Network Interface, the following addresses will be assigned:
Port 2: 10.0.0.1/24
Port 3: 10.0.0.2/24
Port 5: 10.0.0.4/24

Web Terminal

Selecting Web Terminal enables web browser access to the serial port via Manage: Devices: Serial using the Management Console's built-in AJAX terminal. Web Terminal connects as the currently authenticated Management Console user and does not re-authenticate.
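The Telnet, SSH, RAW TCP, RFC2217, Unauthenticated Telnet and IP Alias settings above together define which TCP listeners a console server exposes for each serial port. The following is an added example, not code from the Tripp Lite manual: it expands a per-port service configuration into the listener list a reviewer would want to see, applies the sequential IP-alias rule, and flags the listeners that carry the console in cleartext or without any login. The port bases and the alias rule are taken from the manual; the sample configuration, the record field names and the primary address 192.0.2.10 are constructed for the example, and the alias ports for services other than SSH and Telnet are not stated on the page and so are left out.

```python
"""Added example (not from the Tripp Lite manual): enumerate the TCP listeners
the per-port services expose for each serial port and flag the risky ones.
Port bases (2000/3000/4000/5000/6000 + serial port number) and the sequential
IP-alias rule come from the manual; the sample configuration is constructed."""
import ipaddress

# TCP port base per service on the console server's primary address;
# the listener for serial port n is base + n (manual: 2001-2048 etc.).
SERVICE_BASE = {
    "telnet": 2000,
    "ssh": 3000,
    "raw": 4000,
    "rfc2217": 5000,
    "unauth_telnet": 6000,
}

# Only SSH encrypts the session; the rest are cleartext on the wire.
CLEARTEXT = {"telnet", "raw", "rfc2217", "unauth_telnet"}
# Unauthenticated Telnet hands out the console with no console server login.
NO_LOGIN = {"unauth_telnet"}

# On a per-port IP alias a service listens on its standard port.  The manual
# states this generally; these two are the IANA ports, the others are not
# given on the page, so alias listeners for them are not generated here.
ALIAS_PORT = {"ssh": 22, "telnet": 23}


def primary_port(service, serial_port, max_ports=48):
    """TCP port of `service` for physical serial port `serial_port` (1-based)."""
    if service not in SERVICE_BASE:
        raise ValueError(f"unknown service {service!r}")
    if not 1 <= serial_port <= max_ports:
        raise ValueError(f"serial port {serial_port} out of range 1..{max_ports}")
    return SERVICE_BASE[service] + serial_port


def assign_aliases(selected_ports, cidr):
    """Multiple-port-edit alias rule: the first selected port gets the entered
    address, later ones get it incremented by their distance from the first,
    so numbers are skipped for unselected ports (2,3,5 -> .1, .2, .4)."""
    ports = sorted(set(selected_ports))
    if not ports:
        return {}
    first = ipaddress.ip_interface(cidr)
    assigned = {}
    for port in ports:
        addr = first.ip + (port - ports[0])
        if addr not in first.network:
            raise ValueError(f"alias for port {port} ({addr}) leaves {first.network}")
        assigned[port] = f"{addr}/{first.network.prefixlen}"
    return assigned


def listeners(primary_ip, port_config):
    """Expand {serial_port: {"services": [...], "aliases": [...]}} into one
    record per (address, tcp_port) that will accept connections."""
    rows = []
    for serial_port, cfg in sorted(port_config.items()):
        for service in cfg.get("services", []):
            rows.append({"address": primary_ip,
                         "tcp_port": primary_port(service, serial_port),
                         "serial_port": serial_port, "service": service})
            for alias in cfg.get("aliases", []):
                if service in ALIAS_PORT:
                    rows.append({"address": str(ipaddress.ip_interface(alias).ip),
                                 "tcp_port": ALIAS_PORT[service],
                                 "serial_port": serial_port, "service": service})
    return rows


def risky_listeners(primary_ip, port_config):
    """Listeners a reviewer should question: cleartext, and worse, no login."""
    out = []
    for row in listeners(primary_ip, port_config):
        if row["service"] in CLEARTEXT:
            out.append(dict(row, no_login=row["service"] in NO_LOGIN))
    return out


# Constructed sample of what Serial & Network: Serial Port might contain.
SAMPLE_CONFIG = {
    1: {"services": ["ssh"]},
    2: {"services": ["ssh", "telnet"], "aliases": ["10.0.0.1/24"]},
    3: {"services": ["ssh", "rfc2217"], "aliases": ["10.0.0.2/24"]},
    5: {"services": ["unauth_telnet"]},
}

if __name__ == "__main__":
    for row in risky_listeners("192.0.2.10", SAMPLE_CONFIG):
        flag = "NO LOGIN" if row["no_login"] else "cleartext"
        print(f"{row['address']}:{row['tcp_port']}  serial port {row['serial_port']}  "
              f"{row['service']:<14} {flag}")
```

Run as a script it lists four listeners to question for the sample: Telnet on 192.0.2.10:2002 and on the alias 10.0.0.1:23, RFC2217 on 192.0.2.10:5003, and Unauthenticated Telnet on 192.0.2.10:6005. The same listener table is what you would compare against a port scan of the console server and against the Trusted Networks rules.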
See section 13.3 for more details.

Accumulation Period

By default, once a connection has been established for a particular serial port (such as an RFC2217 redirection or Telnet connection to a remote computer), any incoming characters on that port are forwarded over the network on a character-by-character basis. The accumulation period changes this by specifying a period of time for which incoming characters will be collected before being sent as a single packet over the network.

Escape Character

This enables you to change the character used for sending escape sequences. The default is ~.

Power Menu

This setting enables the shell power command so a user can control the power connection to a Managed Device from the command line when they are Telnet or SSH connected to the device. For this to operate, the Managed Device must be set up with both its Serial port connection and Power connection configured. The command to bring up the power menu is ~p.
Single Connection

This setting limits the port to a single connection, so if multiple users have access privileges for a particular port, only one user at a time can be accessing that port (i.e. port “snooping” is not permitted).

4.1.3 SDT Mode

This setting allows port forwarding of LAN protocols such as RDP, VNC, HTTP, HTTPS, SSH and Telnet through to computers which are connected locally to the Console Server by their serial COM port. Such port forwarding requires a PPP link to be set up over this serial port. Refer to Chapter 6.6 - Using SDT Connector to Telnet or SSH connect to devices that are serially attached to the Console Server for configuration details.

4.1.4 Device (RPC, UPS, EMD) Mode

This mode configures the selected serial port to communicate with a serial controlled Uninterruptible Power Supply (UPS), serial Remote Power Controller/Power Distribution Unit (RPC) or Environmental Monitoring Device (EMD):
• Select the desired Device Type (UPS, RPC or EMD)
• Proceed to the appropriate device configuration page (Serial & Network: UPS Connections, RPC Connection or Environmental) as detailed in Chapter 8 - Power & Environmental Management.
The B092-016 Console Server also allows you to configure ports as UPS devices that PowerAlert will manage. PowerAlert will discover the attached UPS device and auto-configure. See www.tripplite.com/EN/support/PowerAlert/Downloads.cfm for a complete PowerAlert manual.

4.1.5 Terminal Server Mode

• Select Terminal Server Mode and the Terminal Type (vt220, vt102, vt100, Linux or ANSI) to enable a getty on the selected serial port.
The getty will then configure the port and wait for a connection to be made. An active connection on a serial device is usually indicated by the Data Carrier Detect (DCD) pin on the serial device being raised. When a connection is detected, the getty program issues a login: prompt, and then invokes the login program to handle the actual system login.

Note: Selecting Terminal Server mode will disable Port Manager for that serial port, so data is no longer logged for alerts etc.
4.1.6 Serial Bridging Mode

With serial bridging, the serial data on a nominated serial port on one Console Server is encapsulated into network packets and then transported over a network to a second Console Server, where it is then presented again as serial data. So the two Console Servers effectively act as a virtual serial cable over an IP network. One Console Server is configured to be the Server. The Server serial port to be bridged is set in Console Server mode with either RFC2217 or RAW enabled (as described in Chapter 4.1.2 – Console Server Mode). For the Client Console Server, the serial port to be bridged must be set in Bridging Mode:
• Select Serial Bridging Mode and specify the IP address of the Server Console Server and the TCP port address of the remote serial port (for RFC2217 bridging this will be 5001–5048)
• By default the bridging client will use RAW TCP, so you must select RFC2217 if this is the Console Server mode you have specified on the server Console Server
• You may secure the communications over the local Ethernet by enabling SSH; however, you will need to generate and upload keys (refer to Chapter 14 – Advanced Configuration). Without SSH the bridged serial data crosses the network unencrypted, so enable it whenever the two Console Servers do not share a trusted segment.

4.1.7 Syslog

In addition to inbuilt logging and monitoring (which can be applied to serial-attached and network-attached management accesses, as covered in Chapter 7 - Alerts and Logging), the Console Server can also be configured to support the remote syslog protocol on a per serial port basis:
• Select the Syslog Facility/Priority fields to enable logging of traffic on the selected serial port to a syslog server, and to appropriately sort and action those logged messages (i.e. redirect them, send alert email etc.)
For example, if the computer attached to serial port 3 should never send anything out on its serial console port, the Administrator can set the Facility for that port to local0 (local0 .. local7 are meant for site-local values) and the Priority to critical. At this priority, if the syslog server does receive a message from that port, it will automatically raise an alert. Refer to Chapter 7 - Alerts & Logging.
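The local0/critical example above only becomes an alert if the receiving syslog server actually acts on that facility and priority. The following is an added example, not code from the Tripp Lite manual: the rule as it would run on the receiving side, decoding the RFC 3164 PRI prefix (PRI = facility × 8 + severity, so local0 is facility 16, critical is severity 2 and local0.crit arrives as <130>) and reporting any message on that facility at or above the chosen severity. The sample log lines and the message layout after the PRI are constructed for the example; the console server's real message text may differ.

```python
"""Added example (not from the Tripp Lite manual): detect messages from a
serial port whose syslog Facility/Priority was set to local0/critical,
i.e. a port that should never speak.  PRI decoding follows RFC 3164; the
line layout after the PRI and the sample lines are constructed."""
import re

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "solaris-cron"] + [f"local{i}" for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>, RFC 3164 timestamp, hostname, rest of message (constructed layout)
LINE_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) "
                     r"(?P<host>\S+) (?P<msg>.*)$")


def decode_pri(pri):
    """Split a PRI value into (facility name, severity name)."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI {pri} out of range")
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]


def parse_line(line):
    """Return a record for a well-formed line, or None.  Unparsable input is
    counted by the caller rather than dropped, so a sender that changes its
    format does not silently blind the rule."""
    m = LINE_RE.match(line)
    if not m:
        return None
    facility, severity = decode_pri(int(m["pri"]))
    return {"facility": facility, "severity": severity, "timestamp": m["ts"],
            "host": m["host"], "message": m["msg"]}


def alerts(lines, facility="local0", max_severity="crit"):
    """(hits, unparsed_count): messages on `facility` at `max_severity` or
    more severe.  For a port configured local0/critical every hit is an alert,
    because nothing is supposed to arrive from it at all."""
    threshold = SEVERITIES.index(max_severity)
    hits, unparsed = [], 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        if rec["facility"] == facility and SEVERITIES.index(rec["severity"]) <= threshold:
            hits.append(rec)
    return hits, unparsed


# Constructed sample: a routine local0.info line from port 2, one message
# from the "silent" port 3 (local0.crit), a daemon.crit line, and junk.
SAMPLE_LINES = [
    "<134>Mar  4 09:12:01 cs01 port02: login: root",
    "<130>Mar  4 09:12:07 cs01 port03: rx 'GRUB loading.'",
    "<26>Mar  4 09:12:09 cs01 pppd[412]: LCP terminated by peer",
    "not a syslog line at all",
]

if __name__ == "__main__":
    hits, unparsed = alerts(SAMPLE_LINES)
    for rec in hits:
        print(f"ALERT {rec['timestamp']} {rec['host']} "
              f"{rec['facility']}.{rec['severity']}: {rec['message']}")
    print(f"{unparsed} line(s) could not be parsed")
```

On the sample only the <130> line from port03 fires; the port02 line is local0 but only at info, and the pppd line is critical but on the daemon facility. Keep the unparsed count in view: if it climbs, the sender's format has changed and the rule is no longer seeing what it should.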
4.2 Add/Edit Users

The Administrator uses this menu selection to set up, edit and delete users and to define the access permissions for each of these users. Users can be authorized to access specified Console Server serial ports and specified network-attached hosts. These users can also be given full Administrator status (with full configuration, management and access privileges). To simplify user set up, they can be configured as members of Groups. There are two Groups set up by default (admin and user):

1. Membership of the admin group provides the user with full Administrator privileges. The admin user (Administrator) can access the Console Server using any of the services which have been enabled in System: Services, e.g. if only HTTPS has been enabled then the Administrator can only access the Console Server using HTTPS. However, once logged in they can reconfigure the Console Server settings (e.g. to enable HTTP/Telnet for future access). They can also access any of the connected Hosts or serial port devices using any of the services that have been enabled for these connections. But again, the Administrator can reconfigure the access services for any Host or serial port. So only trusted users should have Administrator access; disabling services is not a substitute for keeping admin group membership small.

Note: For convenience the SDT Connector “Retrieve Hosts” function retrieves and auto-configures checked serial ports and checked hosts only, even for admin group users.

2. Membership of the user group provides the user with limited access to the Console Server and connected Hosts and serial devices. These Users can access only the Management section of the Management Console menu and they have no command line access to the Console Server. They also can only access those Hosts and serial devices that have been checked for them, using services that have been enabled.

3. With firmware V3.8.1 and later, there are six Groups set up by default (where earlier versions only had admin and user by default):
admin: Provides users with unlimited configuration and management privileges
pptpd: Group to allow access to the PPTP VPN server. Users in this group will have their password stored in clear text.
dialin: Group to allow dialin access via modems. Users in this group will have their password stored in clear text.
ftp: Group to allow ftp access and file access to storage devices
pmshell: Group to set default shell to pmshell
users: Provides users with basic management privileges
If a user is set up with pptpd, dialin, ftp or pmshell group membership they will have restricted user shell access to the nominated managed devices, but they will not have any direct access to the console server itself. To add this, the users must also be a member of the “users” or “admin” groups. Because pptpd and dialin membership stores the password in clear text on the Console Server, do not put Administrator accounts in those groups; give VPN or dialin users a separate account with its own password.

4. The Administrator can also set up additional Groups with specific serial port and host access permissions (same as Users). However, users in these additional groups don’t have any access to the Management Console menu, nor do they have any command line access to the Console Server itself. Lastly, the Administrator can also set up users who are not a member of any Groups, and they will have the same access as users in the additional groups.
To set up new Groups and new users, and to classify users as members of particular Groups:
• Select Serial & Network: Users & Groups to display the configured Groups and Users
• Click Add Group to add a new Group
• Add a Group name and Description for each new Group, then nominate the Accessible Hosts, Accessible Ports and Accessible RPC Outlet(s) that you wish any users in this new Group to be able to access
• Click Apply
• Click Add User to add a new user
• Add a Username and a confirmed Password for each new user. You may also include information related to the user (e.g. contact details) in the Description field

Note: The User Name can contain from 1 to 127 alphanumeric characters (you can also use the special characters "-", "_" and "."). There are no restrictions on the characters that can be used in the user Password (which can contain up to 254 characters). However, only the first eight Password characters are used to make the password hash. Characters beyond the eighth add no strength, and any two passwords that share their first eight characters are interchangeable at login, so make sure the first eight characters are themselves strong.

• Specify which Group (or Groups) you wish the user to be a member of
• Check specific Accessible Hosts and/or Accessible Ports to nominate the serial ports and network connected hosts you wish the user to have access privileges to
• If there are configured RPCs you can check Accessible RPC Outlets to specify which outlets the user is able to control (i.e. Power On/Off)
• Click Apply. The new user will now be able to access the Network Devices, Ports and RPC Outlets you nominated as accessible, plus, if the user is a Group member, they can also access any other device/port/outlet that was set up as accessible to the Group

Note: There are no specific limits on the number of users you can set up, nor on the number of users per serial port or host. So multiple users (Users and Administrators) can control/monitor the one port or host. Similarly there are no specific limits on the number of Groups, and each user can be a member of a number of Groups (in which case they take on the cumulative access privileges of each of those Groups). A user does not have to be a member of any Groups (but if the User is not even a member of the default user group then they will not be able to use the Management Console to manage ports). However, while there are no specific limits, the time to re-configure does increase as the number and complexity increases, so we recommend the aggregate number of users and groups be kept under 250 (1000 for B092-016).

The Administrator can also edit the access settings for any existing users:
• Select Serial & Network: Users & Groups and click Edit for the User to be modified

Note: For more information on enabling the SDT Connector so each user has secure tunneled remote RDP/VNC/Telnet/HTTP/HTTPS/SoL access to the network connected hosts, refer to Chapter 6.
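Section 4.2 describes a cumulative model: a user's own checked ports, hosts and outlets, plus everything granted to each group they belong to, with admin membership meaning everything, Management Console access only for members of users or admin, and the pptpd/dialin/ftp/pmshell groups adding no direct console server access on their own. The following is an added example, not code from the Tripp Lite manual: a resolver that computes a user's effective access from that model and an audit pass that lists the cases a reviewer would question. The user and group records, their field names and the sample inventory are constructed for the example, not an export format of the console server.

```python
"""Added example (not from the Tripp Lite manual): resolve effective access
from the section 4.2 user/group model and audit the user list.  Record
layouts and sample data are constructed for this example."""

DEFAULT_GROUPS = {"admin", "users", "pptpd", "dialin", "ftp", "pmshell"}
CONSOLE_GROUPS = {"admin", "users"}              # only these reach the Management Console
CLEARTEXT_PASSWORD_GROUPS = {"pptpd", "dialin"}  # password stored in clear text


def _normalise(group):
    """Firmware V3.8.1+ calls the basic group "users"; earlier versions "user"."""
    return "users" if group == "user" else group


def effective_access(user, groups, inventory):
    """`user`: {"name", "groups", "ports", "hosts", "outlets"}.
    `groups`: {name: {"ports", "hosts", "outlets"}} for the additional groups.
    `inventory`: every port/host/outlet that exists, used to expand an
    admin's unlimited access into a concrete set."""
    member_of = {_normalise(g) for g in user.get("groups", [])}
    unknown = member_of - DEFAULT_GROUPS - set(groups)
    if unknown:
        raise ValueError(f"{user['name']}: unknown group(s) {sorted(unknown)}")

    access = {
        "admin": "admin" in member_of,
        "management_console": bool(member_of & CONSOLE_GROUPS),
        "cleartext_password": bool(member_of & CLEARTEXT_PASSWORD_GROUPS),
    }
    # Cumulative grants: the user's own checks plus every group's checks.
    for kind in ("ports", "hosts", "outlets"):
        granted = set(user.get(kind, []))
        for g in member_of:
            granted |= set(groups.get(g, {}).get(kind, []))
        access[kind] = set(inventory[kind]) if access["admin"] else granted
    return access


def audit(users, groups, inventory):
    """Findings worth a second look, one string each."""
    findings = []
    for u in users:
        a = effective_access(u, groups, inventory)
        name = u["name"]
        if a["admin"]:
            findings.append(f"{name}: full Administrator, can re-enable any service; "
                            f"confirm this is still required")
            if a["cleartext_password"]:
                findings.append(f"{name}: Administrator password stored in clear text "
                                f"through pptpd/dialin membership")
        elif not (a["ports"] or a["hosts"] or a["outlets"]):
            findings.append(f"{name}: no effective access to any port, host or outlet; "
                            f"remove the account or grant what it needs")
    return findings


# Constructed sample data.
INVENTORY = {"ports": {1, 2, 3, 4, 5}, "hosts": {"db01", "sw01"}, "outlets": {"pdu1:3"}}
GROUPS = {"netops": {"ports": {3, 5}, "hosts": {"sw01"}, "outlets": set()}}
USERS = [
    {"name": "fred", "groups": ["users", "netops"], "ports": [2]},
    {"name": "alice", "groups": ["admin", "dialin"]},
    {"name": "bob", "groups": ["dialin"]},
    {"name": "carol", "groups": ["netops"], "hosts": ["db01"]},
]

if __name__ == "__main__":
    for u in USERS:
        print(u["name"], effective_access(u, GROUPS, INVENTORY))
    print(*audit(USERS, GROUPS, INVENTORY), sep="\n")
```

In the sample, fred ends up with ports {2, 3, 5} and host sw01 and can use the Management Console; carol gets the same kind of grants through netops but, being in no default group, has no Management Console access and must connect through SSH, Telnet or SDT Connector; alice is flagged twice (administrator, and administrator with a clear-text password); bob is in dialin only with nothing checked and so has no access at all.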
4.3 Authentication

Refer to Chapter 9.1 - Remote Authentication Configuration for authentication configuration details.

4.4 Network Hosts

To access a locally networked computer or device (referred to as a Host) you must identify the Host and specify the TCP or UDP ports/services that will be used to control that Host:
• Selecting Serial & Network: Network Hosts presents all the network connected Hosts that have been enabled for access, and the related access TCP ports/services
• Click Add Host to enable access to a new Host (or select Edit to update the settings for an existing Host)
• Enter the IP Address or DNS Name and a Host Name (up to 254 alphanumeric characters) for the new network connected Host (and optionally enter a Description - up to characters)
• Add or edit the Permitted Services (or TCP/UDP port numbers) that are authorized to be used in controlling this host. Only these permitted services will be forwarded through by SDT to the Host. All other services (TCP/UDP ports) will be blocked, so list only the services that are actually needed to manage the Host.
• The Logging Level specifies the level of information to be logged and monitored for each Host access (refer to Chapter 7 - Alerts and Logging)
• If the Host is a networked server with IPMI power control, then specify RPC (for IPMI and PDU) or UPS and the Device Type. The Administrator can then configure these devices and enable which users have permissions to remotely cycle power etc. (refer to Chapter 8). Otherwise leave the Device Type set to None
• If the Console Server has been configured with distributed Nagios monitoring enabled then you will also be presented with Nagios Settings options to enable nominated services on the Host to be monitored (refer to Chapter 10 – Nagios Integration)
• Click Apply. This will create the new Host and also create a new Managed Device (with the same name)
4.5 Trusted Networks

The Trusted Networks facility gives you an option to nominate specific IP addresses that users (Administrators and Users) must be located at to have access to Console Server serial ports:
• Select Serial & Network: Trusted Networks
• To add a new trusted network, select Add Rule
• Select the Accessible Port(s) that the new rule is to be applied to
• Then enter the Network Address of the subnet to be permitted access
• Then specify the range of addresses that are to be permitted by entering a Network Mask for that permitted IP range, e.g.
  o To permit all the users located within a particular Class C network (204.15.5.0, say) connection to the nominated port, you would add the following Trusted Network New Rule:
    Network IP Address 204.15.5.0
    Subnet Mask 255.255.255.0
  o If you want to permit only the one user who is located at a specific IP address (204.15.5.13, say) to connect, enter that host’s own address with a host mask (a rule of 204.15.5.0 with mask 255.255.255.255 would permit only 204.15.5.0, not 204.15.5.13):
    Network IP Address 204.15.5.13
    Subnet Mask 255.255.255.255
  o If however you want to allow all the users operating from within a specific range of IP addresses (say any of the thirty addresses from 204.15.5.129 to 204.15.5.158) to be permitted connection to the nominated port:
    Network IP Address 204.15.5.128
    Subnet Mask 255.255.255.224
• Click Apply

Note: The above Trusted Networks will limit access by Users and Administrators to the console serial ports. However, they do not restrict access by the Administrator to the Console Server itself or to attached hosts. To change the default settings for this access, you will need to edit the iptables rules as described in Chapter 14 - Advanced.
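A Trusted Network rule is a set of ports plus a network address and mask, and the three worked examples above are easy to get subtly wrong (a host mask on the wrong address, or a network address with host bits set under the mask). The following is an added example, not code from the Tripp Lite manual: it validates rules the way a careful administrator would want the form to, decides whether a source address may reach a given port, and explains the decision for an audit log. The rule representation, the `permitted`/`explain` functions and the default for a port that has no rule are this example's assumptions; the addresses are the manual's.

```python
"""Added example (not from the Tripp Lite manual): evaluate Trusted Network
rules (accessible ports, network address, subnet mask) against a source
address.  The rule layout and the no-rule default are this example's
assumptions; the addresses come from the manual's worked examples."""
import ipaddress


def make_rule(ports, address, mask):
    """Validate and normalise one rule.  strict=True rejects a network address
    with host bits set under the mask (e.g. 204.15.5.129/27), which a packet
    filter would otherwise silently treat as 204.15.5.128/27."""
    try:
        network = ipaddress.ip_network(f"{address}/{mask}", strict=True)
    except ValueError as exc:
        raise ValueError(f"rule {address}/{mask}: {exc}") from None
    return {"ports": frozenset(ports), "network": network}


def permitted(rules, port, source_ip):
    """True if `source_ip` may reach serial `port`.  Assumption, not stated in
    the manual: a port with no rule is left unrestricted; a port with one or
    more rules admits only addresses inside at least one of them."""
    src = ipaddress.ip_address(source_ip)
    relevant = [r for r in rules if port in r["ports"]]
    if not relevant:
        return True
    return any(src in r["network"] for r in relevant)


def explain(rules, port, source_ip):
    """Which rule admitted the address, or why it was refused."""
    src = ipaddress.ip_address(source_ip)
    relevant = [r for r in rules if port in r["ports"]]
    if not relevant:
        return f"port {port}: no Trusted Network rule, {src} allowed by default"
    for r in relevant:
        if src in r["network"]:
            return f"port {port}: {src} allowed by {r['network']}"
    networks = ", ".join(str(r["network"]) for r in relevant)
    return f"port {port}: {src} refused, not in {networks}"


# The manual's three examples, each applied to a different serial port.
RULES = [
    make_rule({1}, "204.15.5.0", "255.255.255.0"),      # whole Class C
    make_rule({2}, "204.15.5.13", "255.255.255.255"),   # one host
    make_rule({3}, "204.15.5.128", "255.255.255.224"),  # .128/27, hosts .129 to .158
]

if __name__ == "__main__":
    checks = [(1, "204.15.5.200"), (2, "204.15.5.13"), (2, "204.15.5.14"),
              (3, "204.15.5.158"), (3, "204.15.5.160"), (4, "198.51.100.7")]
    for port, ip in checks:
        print(explain(RULES, port, ip))
    # The mis-typed single-host rule admits the network address, not the user.
    wrong = make_rule({2}, "204.15.5.0", "255.255.255.255")
    print(explain([wrong], 2, "204.15.5.13"))
```

Two things the output makes visible: the single-host rule only works when the host's own address is entered with the /32 mask, and the /27 rule covers 32 addresses (204.15.5.128 through .159, including the network and broadcast addresses), of which the thirty from .129 to .158 are usable hosts. Port 4 has no rule and is allowed by the assumed default; if you want closed-by-default behaviour, give every port a rule.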
4.6 Serial Port Cascading

Cascaded Ports enables you to cluster distributed Console Servers so that a large number of serial ports (up to 1000) can be configured and accessed through one IP address and managed through the one Management Console. One Console Server, the Master, controls other Console Servers as Slave units, and all the serial ports on the Slave units appear as if they are part of the Master.

Each Slave connects to the Master with an SSH connection using public key authentication. So the Master accesses each Slave using an SSH key pair, rather than using passwords, ensuring secure authenticated communications. The Slave Console Server units can therefore be distributed locally on a LAN or remotely over public networks around the world.

4.6.1 Automatically generate and upload SSH keys

To set up public key authentication you must first generate an RSA or DSA key pair and upload them into the Master and Slave Console Servers. This can all be done automatically from the Master:
• Select System: Administration on the Master’s Management Console
• Check Generate SSH keys automatically and click Apply
Next you must select whether to generate keys using RSA and/or DSA (if unsure, select only RSA; DSA keys are limited to 1024 bits and current OpenSSH releases refuse them by default, so RSA is the safer choice). Generating each set of keys will require approximately two minutes, and the new keys will destroy any old keys of that type that may previously have been uploaded. Also, while the new generation is underway on the Master, functions relying on SSH keys (e.g. cascading) may stop functioning until they are updated with the new set of keys. To generate keys:
• Select RSA Keys and/or DSA Keys
• Click Apply
• Once the new keys have been successfully generated, simply Click here to return and the keys will automatically be uploaded to the Master and connected Slaves