Tripp Lite 0 Idades Manual

    Chapter 6: Secure SSH Tunneling & SDT Connector
    •  To set up a persistent VNC server on Red Hat Enterprise Linux 4:
      o Set a password using vncpasswd 
      o Edit /etc/sysconfig/vncservers 
     o Enable the service with chkconfig vncserver on 
      o Start the service with service vncserver start 
      o Edit /home/username/.vnc/xstartup if you want a more advanced session than just twm and an xterm 
    C. For Macintosh servers (and clients):
    OSXvnc http://www.redstonesoftware.com/vnc.html is a robust, full-featured VNC server for Mac OS X that allows any VNC client to remotely view and/or control a Mac OS X machine. OSXvnc is supported by Redstone Software
    D. Most other operating systems (Solaris, HPUX, PalmOS etc) either come with VNC bundled, or have third-party VNC software that you can download
    6.9.2  Install, configure and connect the VNC Viewer
    VNC is truly platform-independent, so a VNC Viewer on any operating system can connect to a VNC Server on any other operating system. There are Viewers (and Servers) from a wide selection of sources (e.g. UltraVNC, TightVNC or RealVNC) for most operating systems. There are also a wealth of Java viewers available so that any desktop can be viewed with any Java-capable browser (http://en.wikipedia.org/wiki/VNC lists many of the VNC Viewers sources).
    •  Install the VNC Viewer software and set it up for the appropriate speed connection
    Note: To make VNC faster, when you set up the Viewer:
    •  Set encoding to ZRLE (if you have a fast enough CPU)
    •  Decrease color level (e.g. 64 bit) 
    •  Disable the background transmission on the Server or use a plain wallpaper
    (Refer to http://doc.uvnc.com for detailed configuration instructions)
    •  To establish the VNC connection, first configure the VNC Viewer, entering the VNC Server IP address
    A.  When the Viewer computer is connected to the Console Server through an SSH tunnel (over the public Internet, or a dial-in connection, or private network connection), enter localhost (or 127.0.0.1) as the VNC Server IP address and the source port you entered when setting SSH tunneling/port forwarding (in Section 6.2.6) e.g. :1234

    B. When the Viewer computer is connected directly to the Console Server (either locally or remotely through a VPN or dial-in connection) and the VNC Host computer is serially connected to the Console Server, then enter the IP address of the Console Server unit with the TCP port that the SDT tunnel will use. The TCP port will be 7900 plus the physical serial port number (i.e. 7901 to 7948, so all traffic directed to port 79xx on the Console Server is tunneled through to port 5900 on the PPP connection on serial Port xx). For example, for a Windows Viewer computer using UltraVNC connecting to a VNC Server which is attached to Port 1 on a Console Server, enter 192.168.0.1
    						
     
    •  You can then establish the VNC connection by simply activating the VNC Viewer software on the Viewer computer and entering the password

    Note: For general background reading on Remote Desktop and VNC access, we recommend the following:
    • The Microsoft Remote Desktop How-To 
    http://www.microsoft.com/windowsxp/using/mobility/getstarted/remoteintro.mspx
    • The Illustrated Network Remote Desktop help page 
    http://theillustratednetwork.mvps.org/RemoteDesktop/RemoteDesktopSetupandTroubleshooting.html
    • What is Remote Desktop in Windows XP and Windows Server 2003?  by Daniel Petri 
    http://www.petri.co.il/what's_remote_desktop.htm
    • Frequently Asked Questions about Remote Desktop 
    http://www.microsoft.com/windowsxp/using/mobility/rdfaq.mspx
    • Secure remote access of a home network using SSH, Remote Desktop and VNC for the home user 
    http://theillustratednetwork.mvps.org/RemoteDesktop/SSH-RDP-VNC/RemoteDesktopVNCandSSH.html
    • Taking your desktop virtual with VNC, Red Hat magazine 
    http://www.redhat.com/magazine/006apr05/features/vnc/ and http://www.redhat.com/magazine/007may05/features/vnc/ 
    • Wikipedia general background on VNC http://en.wikipedia.org/wiki/VNC  
    						
    6.10 SDT IP Connection to Hosts
    Network (IP) protocols like RDP, VNC and HTTP can also be used to connect to host devices that are serially connected through their COM port to the Console Server. To do this you must:
    •  establish a PPP connection (Section 6.7.1) between the host and the gateway, then
    •  set up Secure Tunneling - Ports on the Console Server (Section 6.7.2), then
    •  configure SDT Connector to use the appropriate network protocol to access IP consoles on the host devices that are attached to the Console Server serial ports (Section 6.7.3)
    6.10.1  Establish a PPP connection between the host COM port and Console Server
    (This step is only necessary for serially connected computers)
    Firstly, physically connect the COM port on the host computer that is to be accessed to the serial port on the Console Server. Then:
    A.  For non-Windows computers (Linux, UNIX, Solaris etc), establish a PPP connection over the serial port. The online tutorial http://www.yolinux.com/TUTORIALS/LinuxTutorialPPP.html presents a selection of methods for establishing a PPP connection for Linux
    B. For Windows XP and 2003 computers, follow the steps below to set up an advanced network connection between the Windows computer, through its COM port, to the Console Server. Both Windows 2003 and Windows XP Professional allow you to create a simple dial-in service which can be used for the Remote Desktop/VNC/HTTP/X connection to the Console Server:
    • Open Network Connections in Control Panel and click the New Connection Wizard 
     
    • Select Set up an advanced connection and click Next
    •  On the Advanced Connection Options screen, select Accept Incoming Connections and click Next
    •  Select the Connection Device (i.e. the serial COM port on the Windows computer that you cabled through to the Console 
    Server). By default, select COM1. The COM port on the Windows computer should be configured to its maximum baud 
    rate. Click Next
    •  On the Incoming VPN Connection Options screen, select Do not allow virtual private connections and click Next  
    						
     
    •  Specify which Users will be allowed to use this connection. This should be the same Users who were given Remote Desktop access privileges in the earlier step. Click Next
    •  On the Network Connection screen, select TCP/IP and click Properties
     
    • Select Specify TCP/IP addresses on the Incoming TCP/IP Properties screen. Nominate a From: and a To: TCP/IP 
    address and click Next  
    						
    Note: You can choose any TCP/IP addresses as long as they are addresses which are not used anywhere else on your network. The From: address will be assigned to the Windows XP/2003 computer and the To: address will be used by the Console Server. For simplicity, use the IP address as shown in the illustration above:
     From: 169.134.13.1
     To: 169.134.13.2
    Alternately you can set the advanced connection and access on the Windows computer to use the Console Server defaults:
    •  Specify 10.233.111.254 as the From: address 
    • Select Allow calling computer to specify its own address 
    Also you could use the Console Server default username and password when you set up the new Remote Desktop User and give this User permission to use the advanced connection to access the Windows computer:
    •  The Console Server default Username is portXX where XX is the serial port number on the Console Server.
    •  The default Password is portXX
    So to use the defaults for an RDP connection to the serial port 2 on the Console Server, you would have set up a Windows user named port02
    • When the PPP connection has been set up, a network icon will appear in the Windows task bar
    Note: The above notes describe setting up an incoming connection for Windows XP. The steps are the same for Windows 
    2003, except that the setup screens present slightly differently: 
    Put a check in the box for Always allow directly connected devices such as palmtop…..
    Also, the option to Set up an advanced connection is not available in Windows 2003 if RRAS is configured. If RRAS has been configured, it is a simple task to enable the null modem connection for the dial-in configuration.
    C.  For earlier version Windows computers, follow the steps in Section B, above. To get to the Make New Connection button:
    • For Windows 2000, click Start and select Settings. At the Dial-Up Networking Folder, click Network and Dial-up Connections and click Make New Connection. Note: you first may need to set up a connection over the COM port using Connect directly to another computer before proceeding to Set up an advanced connection
    • For Windows 98, you double-click My Computer on the Desktop, then open Dial-Up Networking and double-click  
    						
    6.10.2  Set up SDT Serial Ports on Console Server
    To set up RDP (and VNC) forwarding on the Console Server’s Serial Port that is connected to the Windows computer COM port:
    • Select the Serial & Network: Serial Port menu option and click Edit (for the particular Serial Port that is connected to 
    the Windows computer COM port)
    • On the SDT Settings menu, select SDT Mode (which will enable port forwarding and SSH tunneling) and enter a 
    Username and User Password.
    Note: When you enable SDT, this will override all other Configuration protocols on that port
    Note: If you leave the Username and User Password fields blank, they default to portXX and portXX where XX is the serial 
    port number. So the default username and password for Secure RDP over Port 2 is port02 
    • Ensure the Console Server Common Settings (Baud Rate, Flow Control) are the same as were set up on the Windows 
    computer COM port and click Apply
    • RDP and VNC forwarding over serial ports is enabled on a Port basis. You can add Users who can have access to these ports (or reconfigure User profiles) by selecting Serial & Network: User & Groups menu tag - as described earlier in Chapter 4 Configuring Serial Ports
    6.10.3  Set up SDT Connector to SSH port forward over the Console Server Serial Port 
    In the SDT Connector software running on your remote computer, specify the gateway IP address of your Console Server and a username/password for a user you have set up on the Console Server that has access to the desired port.
    Next, add a New SDT Host. In the Host address you need to put portxx where xx = the port to which you are connecting. For example, for port 3 you would have a Host Address of: port03 and then select the RDP Service check box.
    						
    6.11 SSH Tunneling using other SSH clients (e.g. PuTTY) 
    As covered in the previous sections of this chapter we recommend you use the SDT Connector client software that is supplied with the Console Server. However there’s also a wide selection of commercial and free SSH client programs that can also provide the secure SSH connections to the Console Servers and secure tunnels to connected devices:
    • PuTTY is a complete (though not very user friendly:) freeware implementation of SSH for Win32 and UNIX platforms
    • SSHTerm is a useful open source SSH communications package
    • SSH Tectia is a leading end-to-end commercial communications security solution for the enterprise
    • Reflection for Secure IT (formerly F-Secure SSH) is another good commercial SSH-based security solution
    By way of example the steps below show the establishment of an SSH tunneled connection to a network connected device using the PuTTY client software.
     
    • In the Session menu enter the IP address of the Console Server in the Host Name or IP address field
      o For dial-in connections, this IP address will be the Local Address that you assigned to the Console Server when you set it up as the Dial-In PPP Server
      o For Internet (or local/VPN) connections this will be the public IP address of the Console Server
    • Select the SSH Protocol, and the Port will be set as 22
    • Go to the SSH: Tunnels menu and in Add new forwarded port enter any high unused port number for the Source port e.g. 54321
    • Set the Destination: IP details
      o If your destination device is network connected to the Console Server and you are connecting using RDP, set the Destination as :3389 e.g. if when setting up the Managed Device as Network Host on the Console Server you specified its IP address to be 192.168.253.1 (or its DNS Name was accounts.myco.intranet.com) then specify the Destination as 192.168.253.1:3389 (or accounts.myco.intranet.com:3389). Only devices which have been configured as networked Hosts can be accessed using SSH tunneling (except by the “root” user who can tunnel to any IP address the Console Server can route to).
    						
      o If your destination computer is serially connected to the Console Server, set the Destination as :3389 e.g. if the Label you specified on the serial port on the Console Server is win2k3, then specify the remote host as win2k3:3389. Alternatively you can set the Destination as portXX:3389 where XX is the SDT enabled serial port number e.g. if port 4 on the Console Server is to carry the RDP traffic then specify port04:3389
    Note: http://www.jfitz.com/tips/putty_config.html has useful examples on configuring PuTTY for SSH tunneling
    • Select Local and click the Add button
    • Click Open to SSH connect the Client PC to the Console Server. You will now be prompted for the Username/Password for 
    the Console Server user  
    						
     
      o If you are connecting as a User in the “users” group then you can only SSH tunnel to Hosts and Serial Ports where you have specific access permissions
      o If you are connecting as an Administrator (in the “admin” group) then you can connect to any configured Host or Serial Ports (which has SDT enabled)
    To set up the secure SSH tunnel for a HTTP browser connection to the Managed Device specify port 80 (rather than port 3389 as was used for RDP) in the Destination IP address.
    To set up the secure SSH tunnel from the Client (Viewer) PC to the Console Server for VNC follow the steps above, however when configuring the VNC port redirection specify port 5900 in the Destination IP address.
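The same local port forward can be opened from the OpenSSH command-line client instead of PuTTY. The script below is an added example, not part of the Tripp Lite manual: the function names, the operator account and the gateway address 203.0.113.10 are assumptions, and it only prints the ssh command for the RDP, HTTP and VNC destinations described above.

```sh
#!/bin/sh
# Added example (not from the manual). Function names and the sample
# user/gateway values are hypothetical.

# Destination TCP port for each service named in this chapter.
sdt_service_port() {
    case "$1" in
        rdp)  echo 3389 ;;
        http) echo 80 ;;
        vnc)  echo 5900 ;;
        *)    echo "unknown service: $1" >&2; return 1 ;;
    esac
}

# Destination host as the Console Server will resolve it: a bare serial
# port number (1-48, from the 7901-7948 range above) becomes portXX; an
# IP address, DNS name or port label passes through after a charset check.
sdt_dest_host() {
    case "$1" in
        ''|*[!0-9A-Za-z._-]*)
            echo "invalid destination: $1" >&2; return 1 ;;
        [0-9]|[0-9][0-9])
            n=${1#0}                      # drop one leading zero ("04" -> "4")
            if [ "${n:-0}" -ge 1 ] && [ "${n:-0}" -le 48 ]; then
                printf 'port%02d\n' "$n"
            else
                echo "serial port out of range: $1" >&2; return 1
            fi ;;
        *[!0-9]*) printf '%s\n' "$1" ;;
        *)  echo "serial port out of range: $1" >&2; return 1 ;;
    esac
}

# Build the -L argument. The source port must be a high port, and the
# listener is pinned to 127.0.0.1 so only the local Viewer PC can use it.
sdt_forward_spec() {    # usage: sdt_forward_spec SRC_PORT DEST SERVICE
    case "$1" in
        [0-9][0-9][0-9][0-9]|[0-9][0-9][0-9][0-9][0-9]) ;;
        *) echo "source port must be 1024-65535" >&2; return 1 ;;
    esac
    if [ "$1" -lt 1024 ] || [ "$1" -gt 65535 ]; then
        echo "source port must be 1024-65535" >&2; return 1
    fi
    host=$(sdt_dest_host "$2") || return 1
    dport=$(sdt_service_port "$3") || return 1
    printf '127.0.0.1:%s:%s:%s\n' "$1" "$host" "$dport"
}

# Print (not run) the ssh command; -N opens the tunnel without a remote shell.
sdt_ssh_cmd() {         # usage: sdt_ssh_cmd USER GATEWAY SRC_PORT DEST SERVICE
    spec=$(sdt_forward_spec "$3" "$4" "$5") || return 1
    printf 'ssh -N -o ExitOnForwardFailure=yes -L %s %s@%s\n' "$spec" "$1" "$2"
}

# Constructed inputs: networked host over RDP, then serial port 4 over VNC.
sdt_ssh_cmd operator 203.0.113.10 54321 192.168.253.1 rdp
sdt_ssh_cmd operator 203.0.113.10 54322 4 vnc
```

Once the printed command is running, the Viewer or RDP client connects to localhost and the chosen source port, exactly as with the PuTTY tunnel.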
    Note: How secure is VNC? VNC access generally allows access to your whole computer, so security is very important. VNC uses a random challenge-response system to provide the basic authentication that allows you to connect to a VNC server. This is reasonably secure and the password is not sent over the network.
    However, once connected, all subsequent VNC traffic is unencrypted. So a malicious user could snoop your VNC session. Also there are VNC scanning programs available, which will scan a subnet looking for PCs which are listening on one of the ports which VNC uses.
    Tunneling VNC over a SSH connection ensures all traffic is strongly encrypted. Also no VNC port is ever open to the internet, so anyone scanning for open VNC ports will not be able to find your computers. When tunneling VNC over a SSH connection, the only port which you're opening on your Console Server is the SDT port 22.
    So sometimes it may be prudent to tunnel VNC through SSH even when the Viewer PC and the Console Server are both on the same local network.
    						
    Chapter 7: Alerts, Automated Response and Logging
    This chapter describes the automated response, alert generation and logging features of the Console Server.
    The new Auto-Response facility (in firmware V3.5.1 and later) extends on the basic Alert facility available in earlier firmware revisions. With the new facility the Console Server monitors selected serial ports, logins, the power status and environmental monitors and probes for Check Condition triggers. The console server will then initiate a sequence of actions in response to the triggers. To configure, you:
    • Set general parameters then select and configure the Check Conditions i.e. the conditions that will trigger the response (Section 7.1), then
    • Specify the Trigger Actions i.e. sequence of actions initiated in the event of the trigger condition, then specify the Resolve Actions i.e. actions performed when trigger conditions have been resolved (Section 7.2)
    The Console Servers can also be configured selectively to maintain log records of all access and communications with the Console Server and with the attached serial devices, all system activity and a history of the status of any attached environmental monitors, UPS and PDU devices. The Console Servers can also log access and communications with network attached hosts.
    • If port logs are to be maintained on a remote server, then the access path to this location needs to be configured (Section 7.3)
    • Then you need to activate and set the desired levels of logging for each serial (Section 7.4) and/or network port (Section 7.5) and/or power and environment devices (refer to Chapter 8)
    7.1  Set Up Auto-Response and Configure Check Conditions
    With the Auto-Response facility, a sequence of Trigger Actions is initiated in the event of a specified trigger condition (Check Condition). Subsequent Resolve Actions can also be performed when the trigger condition has been resolved.
    To configure, first set the general parameters that will be applied to all Auto-Responses:
    • Check Log Events on Alerts & Logging: Auto-Response to enable logging all Auto-Response activities
    • Check Delay after Boot to set any general delay to be applied after console server system boot, before processing events
    To configure a new Auto-Response:
    • Select New Auto-Response in the Configured Auto-Response field. You will be presented with a new Auto-Response Settings menu
    • Enter a unique Name for the new Auto-Response
    • Specify the Reset Timeout for the time in seconds after resolution to delay before this Auto-Response can be triggered again
    • Check Repeat Trigger Actions to continue to repeat trigger action sequences until the check is resolved
    • Enter any required delay time before repeating trigger actions in Repeat Trigger Action Delay. This delay starts after the last action is queued
    						