Tripp Lite 0 Idades Manual
Chapter 5: Firewall, Failover and Out-of-Band

• Find the Source Network to be routed, and then tick the relevant Destination Network to enable Forwarding.

For example, to configure a dual Ethernet device such as a B096-048, B096-032 or B096-016 Console Server Management Switch:

• The Source Network would be the Network Interface and the Destination Network would be Management LAN.

IP Masquerading is generally required if the Console Server will be routing to the Internet, or if the external network being routed to does not have routing information about the internal network behind the Console Server.

IP Masquerading performs Source Network Address Translation (SNAT) on outgoing packets, to make them appear as if they have come from the Console Server (rather than from devices on the internal network). When response packets come back from devices on the external network, the Console Server translates the packet address back to the internal IP, so that it is routed correctly. This allows the Console Server to provide full outgoing connectivity for internal devices using a single IP address on the external network.

By default, IP Masquerading is disabled for all networks. To enable masquerading:

• Select the Forwarding & Masquerading panel on the System: Firewall menu.
• Check Enable IP Masquerading (SNAT) on the network interfaces where masquerading is to be enabled.

Generally this masquerading would be applied to any interface that is connecting with a public network such as the Internet.
5.5.2 Configuring client devices

Client devices on the local network must be configured with Gateway and DNS settings. This can be done statically on each device, or using DHCP.

Manual Configuration: Manually set a static gateway address (being the address of the Console Server) and set the DNS server address to be the same as used on the external network, i.e. if the Console Server is acting as an internet gateway or a cellular router, then use the ISP-provided DNS server address.

DHCP Configuration:
• Navigate to the System: IP page.
• Click the tab of the interface connected to the internal network. To use DHCP, a static address must be set; check that the static IP and subnet mask fields are set.
• Click on the Disabled link next to DHCP Server, which will bring up the System: DHCP Server page.
• Check Enable DHCP Server.
• To configure the DHCP server, tick the Use interface address as gateway check box.
• Set the DNS server address(es), lease times, allocation pools and pre-assigned IP addresses, as detailed previously in Chapter 3.6.2.

Once applied, devices on the internal network will be able to access resources on the external network.
5.5.3 Port/Protocol Forwarding

When using IP Masquerading, devices on the external network cannot initiate connections to devices on the internal network. To work around this, Port Forwards can be set up to allow external users to connect to a specific port, or range of ports, on the external interface of the Console Server, and have the Console Server redirect the data to a specified internal address and port range.

To set up a port forward:
• Navigate to the System: Firewall page, and click on the Port Forwarding tab.
• Click Add New Port Forward.
• Fill in the following fields:

Name: Name for the port forward. This should describe the target and the service that the port forward is used to access.
Input Interface: This allows the user to only forward the port from a specific interface. In most cases, this should be left as "Any".
Source Address/Address Range: This allows the user to restrict access to a port forward to a specific source IP address or IP address range. This may be left blank. IP address ranges use the format ip/netmask (where netmask is in bits 1-32).
Input Port Range: The range of ports to forward to the destination IP. These will be the port(s) specified when accessing the port forward. These ports need not be the same as the output port range.
Protocol: The protocol of the data being forwarded. The options are TCP, UDP, TCP and UDP, ICMP, ESP, GRE or Any.
Output Address: The target of the port forward. This is an address on the internal network where packets sent to the Input Interface on the input port range are sent.
Output Port Range: The port or ports that the packets will be redirected to on the Output Address.

For example, to forward port 8443 to an internal HTTPS server on 192.168.10.2, the following settings would be used:
Input Interface: Any
Input Port Range: 8443
Protocol: TCP
Output Address: 192.168.10.2
Output Port Range: 443
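The following is an added model (not code from the manual or from Tripp Lite) of how the masquerading described in 5.5.1 and the port forward from the example above interact on the Console Server's external interface: outbound internal traffic is rewritten to the Console Server's address and replies are mapped back, while unsolicited inbound traffic only reaches the internal network through a matching port forward. The external address 198.51.100.5, the 192.168.10.0/24 Management LAN, the remote hosts and the port pool starting at 40000 are constructed assumptions.

```python
import ipaddress

# Constructed addresses for the example: the Console Server's external address and its Management LAN.
CONSOLE_SERVER_EXT_IP = "198.51.100.5"
INTERNAL_NET = ipaddress.ip_network("192.168.10.0/24")

class PortForward:
    """One entry from System: Firewall > Port Forwarding. Port ranges map one-to-one
    (first input port -> first output port); protocol matching is simplified to a single name."""
    def __init__(self, input_interface, input_ports, protocol, output_address, output_ports,
                 source_range=""):
        self.input_interface, self.input_ports, self.protocol = input_interface, input_ports, protocol
        self.output_address, self.output_ports, self.source_range = output_address, output_ports, source_range

    def matches(self, iface, proto, src_ip, dst_port):
        lo, hi = self.input_ports
        if self.input_interface not in ("Any", iface) or self.protocol not in ("Any", proto):
            return False
        if not lo <= dst_port <= hi:
            return False
        if self.source_range:   # optional ip/netmask restriction on the external source
            return ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.source_range, strict=False)
        return True

class Nat:
    def __init__(self, forwards):
        self.forwards = forwards
        self.snat = {}            # (ext port, remote ip, remote port) -> (internal ip, internal port)
        self.next_port = 40000    # assumption: masqueraded flows get ports from a pool

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """IP Masquerading (SNAT): internal sources leave as the Console Server's own address."""
        if ipaddress.ip_address(src_ip) not in INTERNAL_NET:
            return (src_ip, src_port, dst_ip, dst_port)
        ext_port, self.next_port = self.next_port, self.next_port + 1
        self.snat[(ext_port, dst_ip, dst_port)] = (src_ip, src_port)
        return (CONSOLE_SERVER_EXT_IP, ext_port, dst_ip, dst_port)

    def inbound(self, iface, proto, src_ip, src_port, dst_port):
        """Replies to masqueraded flows are translated back; anything else gets in only via a port forward."""
        reply = self.snat.get((dst_port, src_ip, src_port))
        if reply:
            return reply
        for pf in self.forwards:
            if pf.matches(iface, proto, src_ip, dst_port):
                return (pf.output_address, pf.output_ports[0] + dst_port - pf.input_ports[0])
        return None   # dropped: external hosts cannot initiate connections to internal devices

# The manual's example: external port 8443 -> internal HTTPS server 192.168.10.2:443
HTTPS_FORWARD = PortForward("Any", (8443, 8443), "TCP", "192.168.10.2", (443, 443))

def demo():
    nat = Nat([HTTPS_FORWARD])
    out = nat.outbound("192.168.10.7", 51000, "203.0.113.9", 443)              # internal host -> Internet
    back = nat.inbound("Network Interface", "TCP", "203.0.113.9", 443, out[1])  # the reply
    fwd = nat.inbound("Network Interface", "TCP", "203.0.113.50", 40123, 8443)  # port forward hit
    unsolicited = nat.inbound("Network Interface", "TCP", "203.0.113.50", 40124, 22)  # no forward
    return out, back, fwd, unsolicited
```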
5.5.4 Firewall Rules

Firewall rules can be used to block or allow traffic through an interface based on port number, direction (ingress or egress) and protocol. This can be used to allow custom on-box services, or block traffic based on policy.

To set up a firewall rule:
• Navigate to the System: Firewall page, and click on the Firewall Rules tab.
• Click Add New Firewall Rule.
• Fill in the following fields:

Name: Name the firewall rule. This name should describe the policy the rule is being used to implement (e.g. block ftp).
Interface: Select the interface that the firewall rule will be applied to (i.e. Any, Dialout/Cellular, VPN, Network Interface, Dial-in etc.).
Port Range: Specify the port or range of ports (e.g. 1000 – 1500) that the rule will apply to. This may be left blank for Any.
Source MAC address: Specify the source MAC address to be matched. This may be left blank for any. MAC addresses use the format XX:XX:XX:XX:XX:XX, where XX are hex digits.
Source Address Range: Specify the source IP address (or address range) to match. IP address ranges use the format ip/netmask (where netmask is in bits 1-32). This may be left blank for Any.
Destination Range: Specify the destination IP address/address range to match. IP address ranges use the format ip/netmask (where netmask is in bits 1-32). This may be left blank.
Protocol: Select if the firewall rule will apply to TCP or UDP.
Direction: Select the traffic direction that the firewall rule will apply to (Ingress = incoming, or Egress = outgoing).
Action: Select the action (Accept or Block) that will be applied to packets matching the Interface + Port Range + Source/Destination Address Range + Protocol + Direction.

For example, to block SSH traffic from leaving the Dialout interface, the following settings can be used:
Interface: Dialout
Port Range: 22
Protocol: TCP
Direction: Egress
Action: Block
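The following is an added model (not code from the manual or from Tripp Lite) of the rule fields listed above and of the top-to-bottom, first-match evaluation that the next page describes with the SysAdmin/Tony example. It runs the "block ssh" rule above and then shows that moving the "Block Everyone Else" rule ahead of "Allow Tony" blocks Tony's traffic. The sample addresses and MAC are constructed, and the default of accepting traffic that matches no rule is an assumption the manual does not state.

```python
import ipaddress

def rule(name, interface="Any", port_range="Any", src_mac="Any", src_range="Any",
         dst_range="Any", protocol="TCP", direction="Ingress", action="Accept"):
    """One row of the Firewall Rules tab; 'Any' or blank means the field is not checked."""
    return dict(name=name, interface=interface, port_range=port_range, src_mac=src_mac,
                src_range=src_range, dst_range=dst_range, protocol=protocol,
                direction=direction, action=action)

def parse_ports(spec):
    """'22' -> (22, 22); '1000 - 1500' -> (1000, 1500); blank or 'Any' -> None."""
    if not spec or spec.lower() == "any":
        return None
    lo, _, hi = spec.replace(" ", "").partition("-")
    return int(lo), int(hi or lo)

def in_range(addr, spec):
    """Match an address against 'ip/netmask' (netmask in bits 1-32) or a single ip."""
    if not spec or spec.lower() == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def rule_matches(r, pkt):
    ports = parse_ports(r["port_range"])
    return (r["interface"] in ("Any", pkt["interface"])
            and (ports is None or ports[0] <= pkt["dport"] <= ports[1])
            and (r["src_mac"] in ("Any", "") or r["src_mac"].lower() == pkt["src_mac"].lower())
            and in_range(pkt["src_ip"], r["src_range"])
            and in_range(pkt["dst_ip"], r["dst_range"])
            and r["protocol"] == pkt["protocol"]
            and r["direction"] == pkt["direction"])

def evaluate(rules, pkt, default="Accept"):
    """Rules are processed top to bottom; the first match decides.
    Assumption: traffic matching no rule is accepted (the manual does not state the default)."""
    for r in rules:
        if rule_matches(r, pkt):
            return r["action"], r["name"]
    return default, None

# Constructed sample values for the manual's SysAdmin / Tony ordering example.
ALLOW_SYSADMIN = rule("Allow SysAdmin", src_range="203.0.113.10")
ALLOW_TONY = rule("Allow Tony", src_range="203.0.113.20")
BLOCK_REST = rule("Block Everyone Else", interface="Network Interface", action="Block")
BLOCK_SSH_OUT = rule("block ssh", interface="Dialout", port_range="22",
                     direction="Egress", action="Block")

TONY_PKT = dict(interface="Network Interface", dport=22, src_mac="00:11:22:33:44:55",
                src_ip="203.0.113.20", dst_ip="192.0.2.1", protocol="TCP", direction="Ingress")
SSH_OUT_PKT = dict(interface="Dialout", dport=22, src_mac="00:11:22:33:44:55",
                   src_ip="192.0.2.1", dst_ip="203.0.113.77", protocol="TCP", direction="Egress")

def tony_with_block_last():
    return evaluate([ALLOW_SYSADMIN, ALLOW_TONY, BLOCK_REST], TONY_PKT)[0]

def tony_with_block_second():
    return evaluate([ALLOW_SYSADMIN, BLOCK_REST, ALLOW_TONY], TONY_PKT)[0]

def ssh_leaving_dialout():
    return evaluate([BLOCK_SSH_OUT], SSH_OUT_PKT)[0]
```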
The firewall rules are processed in a set order, from top to bottom, so rule placement is important. For example, with the following rules, all traffic coming in over the Network Interface is blocked except when it comes from two nominated IP addresses (SysAdmin and Tony):

Rule 1 (allow all incoming traffic on all interfaces from the SysAdmin):
Interface: Any; Port Range: Any; Source MAC: Any; Source IP: IP address of SysAdmin; Destination IP: Any; Protocol: TCP; Direction: Ingress; Action: Accept

Rule 2 (allow all incoming traffic from Tony):
Interface: Any; Port Range: Any; Source MAC: Any; Source IP: IP address of Tony; Destination IP: Any; Protocol: TCP; Direction: Ingress; Action: Accept

Rule 3 (block all incoming traffic from the Network Interface):
Interface: Network Interface; Port Range: Any; Source MAC: Any; Source IP: Any; Destination IP: Any; Protocol: TCP; Direction: Ingress; Action: Block

However, if the rule order above was changed so that the "Block Everyone Else" rule was second on the list, then the traffic coming in over the Network Interface from Tony would be blocked.

5.6 Internal Cellular Modem Connection

5.6.1 Connecting to a 4G LTE carrier network

The B094-008-2E-V has an internal cellular modem that will connect to Verizon's 4G LTE network (USA).
• Before powering on the B094-008-2E-V, you must first install the SIM card provided by your cellular carrier and attach the external aerial antenna.
• Select the Internal Cellular Modem panel on the System: Dial menu.
• Check Enable Dial-Out Settings.
Note: Your 4G LTE carrier may have provided you with details for configuring the connection, including APN (Access Point Name), PIN code (optional PIN code that may be required to unlock the SIM card), Username/Password, etc. In most cases, you will only need to enter your cellular provider's APN, leaving the other fields blank.

• Enter the carrier's APN.
• If the SIM card is configured with a PIN code, you will be required to enter a PIN code to unlock the card. You may also need to set Override DNS to use alternate DNS servers from those provided by your carrier.
• To enable Override DNS, check the Override returned DNS Servers box. Enter the IP addresses of the DNS servers into the spaces provided.
• Click Apply to establish a radio connection with your cellular carrier.

5.6.2 Verifying the cellular connection

Out-of-band access is enabled by default and the cellular modem connection should be established.
• You can verify the connection status from the Status: Statistics screen:
  o Select the Cellular tab. Under Service Availability, verify that Mode is set to Online.
  o Select Failover & Out-of-Band. The Connection Status will read Connected.
  o Check your allocated IP address.
• You can measure the received signal strength from the Cellular Statistics page on the Status: Statistics screen. This will display the current state of the cellular modem, including the Received Signal Strength Indicator (RSSI).

Note: Received Signal Strength Indicator (RSSI) is a measurement of the Radio Frequency (RF) power present in a received radio signal on a mobile device. It is expressed in decibel-milliwatts (dBm). The best throughput will result from placing the device in an area with the highest RSSI.
-100 dBm or less = Unacceptable coverage
-99 dBm to -90 dBm = Weak coverage
-89 dBm to -70 dBm = Medium to high coverage
-69 dBm or greater = Strong coverage

• With the cellular modem connection on, you can also check the connection status from the LEDs located on top of the unit.

5.6.3 Cellular modem watchdog

When you select Enable Dial-Out on the System: Dial menu, you will be given the option to configure a cellular modem watchdog service. This service will periodically ping a configurable IP address. If a threshold number of consecutive attempts fail, the service will cause the unit to reboot. This can be used to force a clean restart of the modem and create a workaround for any carrier issues.
5.7 Cellular Operation

When set up as a console server, the cellular modem can be set up to connect to the carrier in one of three modes:
• Cellular router mode – In this case, the dial-out connection to the carrier's cellular network is always on and IP traffic is routed between the cellular connected network and the console server's local network ports. This is the default mode of operation.
• OOB mode – The dial-out connection to the carrier's cellular network is always on and awaiting any incoming access (from a remote site seeking access to the console server or attached serial consoles/network hosts).
• Failover mode – A dial-out cellular connection is established only in the event of a ping failure.

5.7.1 OOB access set up

In this mode, the dial-out connection to the carrier's cellular network is always on and awaiting any incoming traffic. By default, the only traffic enabled is incoming SSH access to the console server and its serial ports, and incoming HTTPS access to the console server. There is a low level of "keep-alive" and management traffic transmitted over the cellular network. However, the status reports and site alerts are generally transmitted over the main network.

OOB mode is typically used for out-of-band access to remote sites by directly accessed appliances requiring a public IP address. OOB mode is the default for B096-Series Multi-Port Serial Console/Terminal Servers with internal cellular modems. Out-of-band access is enabled by default and the cellular modem connection is always on.

For direct access, the console server requires a public IP address and must not have SSH access firewalled. Almost all carriers offer corporate mobile data service/plans with a public (static or dynamic) IP address. These plans often come with a service fee.
• If you have a static public IP address plan, you can also try accessing the console server using the public IP address provided by the carrier. By default, only HTTPS and SSH access is enabled on the OOB connection (e.g., you can browse to the console server, but cannot ping it).
• If you have a dynamic public IP address plan, a DDNS service will need to be configured to enable the remote administrator to initiate incoming access. Once this is done, you can try accessing the console server using the allocated domain name.

By default, most providers offer a consumer-grade service that delivers dynamic private IP address assignments to cellular devices. This IP address is not visible across the Internet, but is generally adequate for home and general business use.
• With a consumer-grade plan, the Failover & Out-of-Band tab on the Status: Statistics page will display that your carrier has allocated a private IP address (i.e., within the range 10.0.0.0 – 10.255.255.255, 172.16.0.0 – 172.31.255.255 or 192.168.0.0 – 192.168.255.255).
• For an inbound OOB connection with a consumer-grade plan, you will need to set up an outbound VPN.

During out-of-band access mode, the internal cellular modem will continually stay connected. The alternative is to set up Failover mode on the console server (as detailed in the following section).
5.7.2 Cellular failover setup

In this mode, a dial-out cellular connection is established only when the main network is disrupted. The cellular connection will remain idle in a low power state and will only be activated in the event of a ping failure. This standby mode is well suited for remote sites with expensive power or extremely high cellular traffic costs.

In Cellular failover mode, the appliance will continually ping nominated probe addresses over the main network connection. In the event of ping failure, the appliance dials out and sets up a dial-out PPP connection over the cellular modem. Access is then switched to this network connection transparently. Access is switched back when the main network connection is restored.

Once the carrier connection has been configured, the cellular modem can be configured for failover. In Cellular failover mode, the cellular connection will remain idle and in a low power state. If the primary and secondary probe addresses are not available, it will reactivate the cellular network connection and reconnect with the cellular carrier.

• Navigate back to the Network Interface on the System: IP menu and specify Internal Cellular Modem (cell modem 01) as the Failover Interface to be used when a fault has been detected.
• Specify the Probe Addresses of two sites (Primary and Secondary) that the console server is to ping to determine if the principal network is still operational.
• In the event of a principal network failure, the cellular network connection is activated as the access path to the console server (and Managed Devices). Only HTTPS and SSH access is enabled on the failover connection (this should enable the administrator to connect and fix the problem).

Note: By default, the console server supports automatic failure-recovery back to the original state prior to failover.
The console server continually pings probe addresses throughout original and failover states. The original state will automatically be set as a priority and re-established following three successful pings of the probe addresses during failover. The failover state will be removed once the original state has been re-established.
• You can check the connection status by selecting the Cellular panel on the Status: Statistics menu.
  o The Operational Status will change as the cellular modem finds a channel and connects to the network.
  o The Failover & Out-of-Band screen displays information relating to a configured Failover/OOB interface and the status of that connection. The IP Address of the Failover/OOB interface will be presented in the Failover & Out-of-Band screen once the Failover/OOB interface has been triggered.

5.7.3 Cellular routing

Once you have configured your carrier connection, the cellular modem can be configured to route traffic through the console server. This requires setting up forwarding and masquerading firewall rules as detailed in Chapter 5.
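The following is an added model (not code from the manual or from Tripp Lite) of the failover and recovery behaviour described in 5.7.2: probe cycles against the Primary and Secondary addresses, activation of the cellular interface when both are unreachable, and the return to the original state after three successful probe cycles during failover. Two details are assumptions the manual does not state: a single cycle with both probes down triggers failover, and a failed probe during failover resets the count of successes. The probe trace at the end is constructed.

```python
class CellularFailover:
    """State machine for the Failover Interface (cell modem 01) of 5.7.2."""

    RECOVERY_SUCCESSES = 3   # "three successful pings of the probe addresses during failover"

    def __init__(self):
        self.active = "main"     # "main" (principal network) or "cellular" (failover interface)
        self.successes = 0       # consecutive successful probe cycles while failed over

    def probe_cycle(self, primary_ok, secondary_ok):
        """One round of pinging both probe addresses; returns the interface now carrying access."""
        reachable = primary_ok or secondary_ok
        if self.active == "main":
            # Assumption: both probe addresses unavailable in one cycle triggers failover.
            if not reachable:
                self.active, self.successes = "cellular", 0
        else:
            # Assumption: a failed cycle during failover restarts the count of successes.
            self.successes = self.successes + 1 if reachable else 0
            if self.successes >= self.RECOVERY_SUCCESSES:
                self.active, self.successes = "main", 0   # original state re-established
        return self.active

def run_trace(cycles):
    """Feed a sequence of (primary_ok, secondary_ok) results and record the active interface."""
    fo = CellularFailover()
    return [fo.probe_cycle(p, s) for p, s in cycles]

# Constructed trace: an outage, a partial recovery that flaps, then a clean recovery.
TRACE = [(True, True), (False, False), (True, False), (True, True), (False, False),
         (True, True), (True, True), (True, True), (True, True)]
```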
Chapter 6: Secure SSH Tunneling & SDT Connector

Each Console Server has an embedded SSH server and uses SSH tunneling. This enables one Console Server to securely manage all the systems and network devices in the data center, using text-based console tools (such as SSH, Telnet, SoL) or graphical desktop tools (VNC, RDP, HTTPS, HTTP, X11, VMware, DRAC, iLO etc.).

To set up Secure Tunnel access, the computer being accessed can be located on the same local network as the Console Server, or attached to the Console Server via its serial COM port. The remote User/Administrator then connects to the Console Server through an SSH tunnel (via a dial-up, wireless or ISDN modem; a broadband Internet connection; an enterprise VPN network; or a local network).

To set up the secure SSH tunnel from the Client computer to the Console Server, you must install and launch SSH client software on the User/Administrator's computer. It is recommended that you use the SDT Connector client software supplied with the Console Server to do this. SDT Connector is simple to install and it auto-configures. It provides all your users with point-and-click access to all the systems and devices in the secure network.

With one click, SDT Connector sets up a secure SSH tunnel from the client to the selected Console Server and then establishes a port forward connection to the target network connected host or serial connected device. It will then execute the client application that will be used in communicating with the host.
This chapter details the basic SDT Connector operations:
• Configuring the Console Server for SSH tunneled access to network attached hosts and setting up permitted Services and Users access (Section 6.1)
• Setting up the SDT Connector client with gateway, host, service and client application details and making connections between the Client computer and hosts connected to the Console Server (Section 6.2)
• Using SDT Connector for browser access to the Management Console (Section 6.3)
• Using SDT Connector to Telnet or SSH connect to devices that are serially attached to the Console Server (Section 6.4)

The chapter then covers more advanced SDT Connector and SDT tunneling topics:
• Using SDT Connector for out-of-band access (Section 6.5)
• Automatic importing and exporting of configurations (Section 6.6)
• Configuring Public Key Authentication (Section 6.7)
• Setting up an SDT Secure Tunnel for Remote Desktop (Section 6.8)
• Setting up an SDT Secure Tunnel for VNC (Section 6.9)
• Using SDT to IP connect to hosts that are serially attached to the Console Server (Section 6.10)