Tripp Lite 0 Idades Manual

    Chapter 4: Serial Port, Device and User Configuration
    Note: In Console Server mode, Users and Administrators can use SDT Connector to set up secure Telnet connections that are SSH tunneled from their client computers to the serial port on the Console Server with a simple point-and-click.
    To use SDT Connector to access consoles on the Console Server serial ports, configure the SDT Connector with the Console Server as a gateway, then as a host. Now enable Telnet service on Port (2000 + serial port #) i.e. 2001–2048. Refer to Chapter 6 for more details on using SDT Connector for Telnet and SSH access to devices attached to the Console Server serial ports.
    You can also use standard communications packages like PuTTY to set a direct Telnet (or SSH) connection to the serial ports (refer to the Note below):
    Note: PuTTY also supports Telnet (and SSH). The procedure to set up a Telnet session is simple: Enter the Console Server’s IP address as the ‘Host Name (or IP address)’. Select ‘Telnet’ as the protocol and set the ‘TCP port’ to 2000 plus the physical serial port number (i.e. 2001 to 2048).
    Click the ‘Open’ button. You may then receive a ‘Security Alert’ that the host’s key is not cached. Choose ‘yes’ to continue. You will then be presented with the login prompt of the remote system connected to the serial port chosen on the Console Server. You can log in as normal and use the host serial console screen.
     
    PuTTY can be downloaded at http://www.tucows.com/preview/195286.html  
    						
    SSH It is recommended that the User or Administrator uses SSH as the protocol for connecting to serial consoles attached to the Console Server when communicating over the Internet or any other public network. This will provide an authenticated, encrypted connection between the SSH client program on the remote user’s computer and the Console Server. The user’s communication with the serial device attached to the Console Server is therefore secure.
     It is recommended for Users and Administrators to use SDT Connector when making an SSH connection to the consoles on devices attached to the Console Server’s serial ports. Configure the SDT Connector with the Console Server as a gateway, then as a host, and enable SSH service on Port (3000 + serial port #) i.e. 3001-3048 (refer to Chapter 6).
     You can also use common communications packages, like PuTTY or SSHTerm, to SSH connect directly to port address IP Address _ Port (3000 + serial port #) i.e. 3001–3048.
     Alternatively, SSH connections can be configured using the standard SSH port 22. The serial port being accessed is then identified by appending a descriptor to the username. This syntax supports any of:
     :
     :
     : 
     : 
     So for a user named 'fred' to access serial port 2, when setting up the SSHTerm or the PuTTY SSH client, instead of typing username = fred and ssh port = 3002, the alternative is to type username = fred:port02 (or username = fred:ttyS1) and ssh port = 22.
     Or, by typing username = fred:serial and ssh port = 22, the user is presented with a port selection option:
     
     This syntax enables users to set up SSH tunnels to all serial ports with only a single IP port 22 
    having to be opened in their firewall/gateway.
    TCP  RAW TCP allows connections directly to a TCP socket. Communications programs such as PuTTY 
    also support RAW TCP; however, this protocol would usually be used by a custom application. For 
    RAW TCP, the default port address is IP Address _ Port (4000 + serial port #) i.e. 4001 – 4048.
     RAW TCP also enables the serial port to be tunneled to a remote Console Server, so two serial port devices can be transparently interconnected over a network (see Chapter 4.1.6 – Serial Bridging).
    RFC2217 Selecting RFC2217 enables serial port redirection on that port. For RFC2217, the default port address is IP Address _ Port (5000 + serial port #) i.e. 5001 – 5048.
     You will also need to run serial port redirector software on your desktop computer. This software, which supports RFC2217 virtual com ports, is available commercially and as freeware, for Windows, UNIX and Linux, and it allows you to use a serial device connected to the remote Console Server as if it were connected to your local serial port.
    						
    Unauthenticated Telnet  Selecting Unauthenticated Telnet enables Telnet access to the serial port without requiring the user to provide credentials. When a user accesses the Console Server to Telnet to a serial port they are normally given a login prompt. However, with unauthenticated Telnet, they connect directly through to the port without any Console Server login at all. This mode is mainly used when you have an external system (such as conserver) managing user authentication and access privileges at the serial device level.
      For Unauthenticated Telnet, the default port address is IP Address _ Port (6000 + serial port #) 
    i.e. 6001 – 6048.
    IP Alias   Enable access to the serial port using a specific IP address, specified in CIDR format. Each serial port can have one or more IP aliases configured on a per-interface basis. These IP addresses can only be used to access the specific serial port, accessible using the standard protocol TCP port numbers of the console server services. For example, SSH on serial port 3 would be accessible on port 22 of a serial port IP alias (whereas on the console server’s primary address it is available on port 2003).
     This feature can also be configured via the multiple port edit page. In this case the IP addresses are applied sequentially, with the first selected port getting the IP entered and subsequent ones getting incremented, with numbers being skipped for any unselected ports. For example if ports 2, 3 and 5 are selected and the IP alias 10.0.0.1/24 is entered for the Network Interface, the following addresses will be assigned:
     Port 2: 10.0.0.1/24
     Port 3: 10.0.0.2/24
     Port 5: 10.0.0.4/24
    Web Terminal   Selecting Web Terminal enables web browser access to the serial port via Manage: Devices: Serial using the Management Console's built in AJAX terminal. Web Terminal connects as the currently authenticated Management Console user and does not re-authenticate. See section 13.3 for more details.
    Accumulation Period By default once a connection has been established for a particular serial port (such as a RFC2217 redirection or Telnet connection to a remote computer) then any incoming characters on that port are forwarded over the network on a character by character basis. The accumulation period changes this by specifying a period of time that incoming characters will be collected before then being sent as a packet over the network.
    Escape Character   This enables you to change the character used for sending escape characters. The default is ~.
    Power Menu  This setting enables the shell power command so a user can control the power connection to a Managed Device from command line when they are telnet or SSH connected to the device. To operate, the Managed Device must be set up with both its Serial port connection and Power connection configured. The command to bring up the power menu is ~p
       
    						
    Single Connection  This setting limits the port to a single connection so if multiple users have access privileges for a particular port only one user at a time can be accessing that port (i.e. port “snooping” is not permitted).
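The port numbering given above for Console Server mode (Telnet 2000+n, SSH 3000+n, RAW TCP 4000+n, RFC2217 5000+n, Unauthenticated Telnet 6000+n, plus the username descriptor on SSH port 22) can be applied to connection logs to find sessions that reached a serial port in cleartext or without a Console Server login. This is an added example, not code from the manual: the connection records are constructed, and reading ttyS1 as serial port 2 is inferred from the page's single fred:port02 / fred:ttyS1 example.

```python
import re
from typing import NamedTuple, Optional

# Base TCP port per service, from this chapter: listener = base + serial port #.
SERVICE_BASES = {2000: "telnet", 3000: "ssh", 4000: "raw-tcp",
                 5000: "rfc2217", 6000: "unauthenticated-telnet"}
MAX_SERIAL_PORT = 48  # the chapter's ranges run from x001 to x048


class Target(NamedTuple):
    service: str
    serial_port: Optional[int]  # None: the user picks the port from a menu


# user:portNN, user:ttySN or user:serial on the standard SSH port 22.
_DESCRIPTOR = re.compile(r"^[^:]+:(?:port(\d+)|ttyS(\d+)|(serial))$")


def resolve(tcp_port: int, username: str = "") -> Optional[Target]:
    """Return the serial port a connection addresses, or None if it does not
    address one (for example a plain SSH login to the Console Server)."""
    service = "ssh"
    if tcp_port == 22:
        m = _DESCRIPTOR.match(username)
        if m is None:
            return None
        port_nn, tty_n, menu = m.groups()
        if menu:
            return Target("ssh", None)
        # Assumption from the page's example: port02 and ttyS1 are both port 2.
        n = int(port_nn) if port_nn is not None else int(tty_n) + 1
    else:
        base, n = divmod(tcp_port, 1000)
        service = SERVICE_BASES.get(base * 1000)
    if service is None or not 1 <= n <= MAX_SERIAL_PORT:
        return None
    return Target(service, n)


def audit(connections):
    """Return (source, serial_port, service, issues) for each connection that
    reached a serial port unencrypted or without a Console Server login."""
    findings = []
    for rec in connections:
        target = resolve(rec["dport"], rec.get("user", ""))
        if target is None:
            continue
        issues = []
        if target.service != "ssh":
            issues.append("cleartext")  # only the SSH service is encrypted
        if target.service == "unauthenticated-telnet":
            issues.append("no-console-server-login")
        if issues:
            findings.append((rec["src"], target.serial_port,
                             target.service, issues))
    return findings


# Constructed connection records (documentation address range).
SAMPLE_CONNECTIONS = [
    {"src": "192.0.2.10", "dport": 3002, "user": "fred"},
    {"src": "192.0.2.10", "dport": 22, "user": "fred:port02"},
    {"src": "192.0.2.10", "dport": 22, "user": "fred:serial"},
    {"src": "192.0.2.20", "dport": 2007, "user": "ops"},
    {"src": "192.0.2.20", "dport": 6012},
    {"src": "192.0.2.20", "dport": 22, "user": "root"},   # not a serial port
    {"src": "192.0.2.20", "dport": 5049},                 # outside 5001-5048
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONNECTIONS):
        print(finding)
```

Sessions set up through SDT Connector are SSH tunneled, so a remote source address appearing directly on a 2000, 4000, 5000 or 6000 range port indicates a session that did not use the tunnel.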
    4.1.3  SDT Mode
    This setting allows port forwarding of LAN protocols such as RDP, VNC, HTTP, HTTPS, SSH and Telnet through to computers which are connected locally to the Console Server by their serial COM port. However such port forwarding requires a PPP link to be set up over this serial port.
     
    Refer to Chapter 6.6 - Using SDT Connector to Telnet or SSH connect to devices that are serially attached to the 
    Console Server for configuration details
    4.1.4 Device (RPC, UPS, EMD) Mode
    This mode configures the selected serial port to communicate with a serial controlled Uninterruptible Power Supply (UPS), serial Remote Power Controller/ Power Distribution Unit (RPC) or Environmental Monitoring Device (EMD).
    • Select the desired Device Type (UPS, RPC or EMD)
    • Proceed to the appropriate device configuration page (Serial & Network: UPS Connections, RPC Connection or 
    Environmental) as detailed in Chapter 8 - Power & Environmental Management. The B092-016 Console Server also 
    allows you to configure ports as UPS devices that PowerAlert will manage. PowerAlert will discover the attached UPS 
    device and auto-configure. See www.tripplite.com/EN/support/PowerAlert/Downloads.cfm  for a complete PowerAlert 
    manual.
     
    4.1.5  Terminal Server Mode  
    • Select Terminal Server Mode and the Terminal Type (vt220, vt102, vt100, Linux or ANSI) to enable a getty on the 
    selected serial port
     
    The getty will then configure the port and wait for a connection to be made. An active connection on a serial device is usually indicated by the Data Carrier Detect (DCD) pin on the serial device being raised. When a connection is detected, the getty program issues a login: prompt, and then invokes the login program to handle the actual system login.
    Note: Selecting Terminal Server mode will disable Port Manager for that serial port, so data is no longer logged for alerts etc.
    						
    4.1.6 Serial Bridging Mode 
    With serial bridging, the serial data on a nominated serial port on one Console Server is encapsulated into network packets and then transported over a network to a second Console Server where it is then represented as serial data. So the two Console Servers effectively act as a virtual serial cable over an IP network.
    One Console Server is configured to be the Server. The Server serial port to be bridged is set in Console Server mode with either RFC2217 or RAW enabled (as described in Chapter 4.1.2 – Console Server Mode).
    For the Client Console Server, the serial port to be bridged must be set in Bridging Mode:
     
    • Select Serial Bridging Mode and specify the IP address of the Server Console Server and the TCP port address of the 
    remote serial port (for RFC2217 bridging this will be 5001-5048) 
    • By default the bridging client will use RAW TCP so you must select RFC2217 if this is the Console Server mode you have 
    specified on the server Console Server
     
    • You may secure the communications over the local Ethernet by enabling SSH however you will need to generate and 
    upload keys (refer Chapter 14 – Advanced Configuration) 
    4.1.7 Syslog 
    In addition to inbuilt logging and monitoring (which can be applied to serial-attached and network-attached management accesses, as covered in Chapter 7 - Alerts and Logging) the Console Server can also be configured to support the remote syslog protocol on a per serial port basis:
    • Select the Syslog Facility/Priority fields to enable logging of traffic on the selected serial port to a syslog server; and to appropriately sort and action those logged messages (i.e. redirect them/ send alert email etc.)
     
    For example if the computer attached to serial port 3 should never send anything out on its serial console port, the Administrator can set the Facility for that port to local0 (local0 .. local7 are meant for site local values), and the Priority to critical. At this priority, if the Console Server syslog server does receive a message, it will automatically raise an alert. Refer to Chapter 7 - Alerts & Logging.
    						
    4.2 Add/ Edit Users 
    The Administrator uses this menu selection to set up, edit and delete users and to define the access permissions for each of these users.
     
    Users can be authorized to access specified Console Server serial ports and specified network-attached hosts. These users can also be given full Administrator status (with full configuration and management and access privileges). To simplify user set up, they can be configured as members of Groups. There are two Groups set up by default (admin and user).
    1. Membership of the admin group provides the user with full Administrator privileges. The admin user (Administrator) can access the Console Server using any of the services which have been enabled in System: Services e.g. if only HTTPS has been enabled then the Administrator can only access the Console Server using HTTPS. However once logged in they can reconfigure the Console Server settings (e.g. to enable HTTP/Telnet for future access). They can also access any of the connected Hosts or serial port devices using any of the services that have been enabled for these connections. But again the Administrator can reconfigure the access services for any Host or serial port. So only trusted users should have Administrator access.
    Note: For convenience the SDT Connector “Retrieve Hosts” function retrieves and auto-configures checked serial ports and checked hosts only, even for admin group users.
    2. Membership of the user group provides the user with limited access to the Console Server and connected Hosts and serial devices. These Users can access only the Management section of the Management Console menu and they have no command line access to the Console Server. They also can only access those Hosts and serial devices that have been checked for them, using services that have been enabled.
    3. With firmware V3.8.1 and later, there are six Groups set up by default (where earlier versions only had admin and user by default):
     admin    Provides users with unlimited configuration and management privileges
     pptpd    Group to allow access to the PPTP VPN server. Users in this group will have their password stored in clear text.
     dialin   Group to allow dialin access via modems. Users in this group will have their password stored in clear text.
     ftp      Group to allow ftp access and file access to storage devices
     pmshell  Group to set default shell to pmshell
     users    Provides users with basic management privileges
    If a user is set up with pptpd, dialin, ftp or pmshell group membership they will have restricted user shell access to the nominated managed devices but they will not have any direct access to the console server itself. To add this, the users must also be a member of the “users” or “admin” groups.
    4. The Administrator can also set up additional Groups with specific serial port and host access permissions (same as Users). However users in these additional groups don’t have any access to the Management Console menu nor do they have any command line access to the Console Server itself. Lastly the Administrator can also set up users who are not a member of any Groups and they will have the same access as users in the additional groups.
    						
    To set up new Groups and new users, and to classify users as members of particular Groups:
    • Select Serial & Network: Users & Groups to display the configured Groups and Users
    • Click Add Group to add a new Group
     
    • Add a Group name and Description for each new Group, then nominate the Accessible Hosts, Accessible Ports and 
    Accessible RPC Outlets(s) that you wish any users in this new Group to be able to access 
    • Click Apply 
    • Click Add User to add a new user
    • Add a Username and a confirmed Password for each new user. You may also include information related to the user (e.g. 
    contact details) in the Description field
    Note: The User Name can contain from 1 to 127 alphanumeric characters (however you can also use the special characters "-", "_" and "."). There are no restrictions on the characters that can be used in the user Password (which each can contain up to 254 characters). However, only the first eight Password characters are used to make the password hash.
    • Specify which Group (or Groups) you wish the user to be a member of
    • Check specific Accessible Hosts and/or Accessible Ports to nominate the serial ports and network connected hosts you 
    wish the user to have access privileges to 
    • If there are configured RPCs you can check Accessible RPC Outlets to specify which outlets the user is able to control 
    (i.e. Power On/Off)
    • Click Apply. The new user will now be able to access the Network Devices, Ports and RPC Outlets you nominated as accessible plus, if the user is a Group member they can also access any other device/port/outlet that was set up as accessible to the Group
    Note: There are no specific limits on the number of users you can set up; nor on the number of users per serial port or host. So multiple users (Users and Administrators) can control/monitor the one port or host. Similarly there are no specific limits on the number of Groups and each user can be a member of a number of Groups (in which case they take on the cumulative access privileges of each of those Groups). A user does not have to be a member of any Groups (but if the User is not even a member of the default user group then they will not be able to use the Management Console to manage ports).
    However while there are no specific limits the time to re-configure does increase as the number and complexity increases so we recommend the aggregate number of users and groups be kept under 250 (1000 for B092-016).
    The Administrator can also edit the access settings for any existing users:
    • Select Serial & Network: Users & Groups and click Edit for the User to be modified
    Note: For more information on enabling the SDT Connector so each user has secure tunneled remote RDP/VNC/Telnet/HTTP/HTTPS/SoL access to the network connected hosts refer to Chapter 6.
    						
    4.3 Authentication
    Refer to Chapter 9.1 - Remote Authentication Configuration for authentication configuration details
    4.4 Network Hosts
    To access a locally networked computer or device (referred to as a Host) you must identify the Host and specify the TCP or UDP ports/services that will be used to control that Host:
     
    • Selecting Serial & Network: Network Hosts presents all the network connected Hosts that have been enabled for 
    access, and the related access TCP ports/services  
    • Click Add Host to enable access to a new Host (or select Edit to update the settings for existing Host)
     
    • Enter the IP Address or DNS Name and a Host Name (up to 254 alphanumeric characters) for the new network 
    connected Host (and optionally enter a Description -up to characters) 
    • Add or edit the Permitted Services (or TCP/UDP port numbers) that are authorized to be used in controlling this host. Only these permitted services will be forwarded through by SDT to the Host. All other services (TCP/UDP ports) will be blocked.
    • The Logging Level specifies the level of information to be logged and monitored for each Host access (refer Chapter 7 - Alerts and Logging)
    • If the Host is a networked server with IPMI power control, then specify RPC (for IPMI and PDU) or UPS and the Device Type. The Administrator can then configure these devices and enable which users have permissions to remotely cycle power etc (refer Chapter 8). Otherwise leave the Device Type set to None
    • If the Console Server has been configured with distributed Nagios monitoring enabled then you will also be presented with Nagios Settings options to enable nominated services on the Host to be monitored (refer Chapter 10 – Nagios Integration)
    • Click Apply. This will create the new Host and also create a new Managed Device (with the same name)
    						
    4.5 Trusted Networks
    The Trusted Networks facility gives you an option to nominate specific IP addresses that users (Administrators and Users) must be located at, to have access to Console Server serial ports:
    • Select Serial & Network: Trusted Networks
    •  To add a new trusted network, select Add Rule 
     
    •  Select the Accessible Port(s) that the new rule is to be applied to 
    •  Then enter the Network Address of the subnet to be permitted access
    •  Then specify the range of addresses that are to be permitted by entering a Network Mask for that permitted IP range e.g.
      o To permit all the users located within a particular Class C network (204.15.5.0 say) connection to the nominated port then you would add the following Trusted Network New Rule:
        Network IP Address 204.15.5.0
        Subnet Mask 255.255.255.0
      o If you want to permit only the one user who is located at a specific IP address (204.15.5.13 say) to connect:
        Network IP Address 204.15.5.0
        Subnet Mask 255.255.255.255
      o If however you want to allow all the users operating from within a specific range of IP addresses (say any of the thirty addresses from 204.15.5.129 to 204.15.5.158) to be permitted connection to the nominated port:
        Host /Subnet Address 204.15.5.128
        Subnet Mask 255.255.255.224
      o Click Apply
    Note: The above Trusted Networks will limit access by Users and Administrators to the console serial ports. However they do not restrict access by the Administrator to the Console Server itself or to attached hosts. To change the default settings for this access, you will need to edit the IPtables rules as described in the Chapter 14 - Advanced.
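To see exactly which client addresses each Trusted Networks rule above admits, the address and mask pairs can be expanded with Python's ipaddress module. This is an added example, not part of the manual; it assumes a rule is evaluated as ordinary address-and-mask matching, which the manual does not spell out, and the function names are illustrative.

```python
import ipaddress


def rule_network(address, mask):
    """The set of addresses an address/mask rule matches.

    strict=False mirrors ordinary mask matching, where any host bits in the
    rule address are ignored (assumed behaviour, not stated in the manual).
    """
    return ipaddress.ip_network(f"{address}/{mask}", strict=False)


def covers(address, mask, client):
    """True if the rule address/mask admits the client address."""
    return ipaddress.ip_address(client) in rule_network(address, mask)


def over_permitted(address, mask, first, last):
    """Addresses the rule admits that lie outside the intended first..last."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    return [str(a) for a in rule_network(address, mask) if not lo <= a <= hi]


def exact_rules(first, last):
    """Smallest list of (address, mask) rules matching exactly first..last."""
    nets = ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))
    return [(str(n.network_address), str(n.netmask)) for n in nets]


if __name__ == "__main__":
    # Whole Class C network from the first rule on the page.
    print(covers("204.15.5.0", "255.255.255.0", "204.15.5.200"))
    # Single host: a 255.255.255.255 mask matches only the address entered.
    print(covers("204.15.5.0", "255.255.255.255", "204.15.5.13"))
    print(covers("204.15.5.13", "255.255.255.255", "204.15.5.13"))
    # The 255.255.255.224 rule versus the intended thirty addresses.
    print(over_permitted("204.15.5.128", "255.255.255.224",
                         "204.15.5.129", "204.15.5.158"))
    for rule in exact_rules("204.15.5.129", "204.15.5.158"):
        print(rule)
```

Under that assumption a 255.255.255.255 mask matches only the address entered, so a rule for the single host 204.15.5.13 needs that address as its Network IP Address, and the 255.255.255.224 rule also admits 204.15.5.128 and 204.15.5.159 beyond the thirty intended addresses.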
    						
    4.6 Serial Port Cascading 
    Cascaded Ports enables you to cluster distributed Console Servers so that a large number of serial ports (up to 1000) can be configured and accessed through one IP address and managed through the one Management Console. One Console Server, the Master, controls other Console Servers as Slave units and all the serial ports on the Slave units appear as if they are part of the Master.
    Each Slave connects to the Master with an SSH connection using public key authentication. So the Master accesses each Slave using an SSH key pair, rather than using passwords, ensuring secure authenticated communications. So the Slave Console Server units can be distributed locally on a LAN or remotely over public networks around the world.
    4.6.1   Automatically generate and upload SSH keys
    To set up public key authentication you must first generate an RSA or DSA key pair and upload them into the Master and Slave Console Servers. This can all be done automatically from the Master:
    • Select System: Administration on Master’s Management Console
    • Check Generate SSH keys automatically and click Apply
     
    Next you must select whether to generate keys using RSA and/or DSA (if unsure, select only RSA). Generating each set of keys will require approximately two minutes and the new keys will destroy any old keys of that type that may previously have been uploaded. Also while the new generation is underway on the master, functions relying on SSH keys (e.g. cascading) may stop functioning until they are updated with the new set of keys. To generate keys:
    • Select RSA Keys and/or DSA Keys
    • Click Apply
     
    •  Once the new keys have been successfully generated simply Click here to return and the keys will automatically be 
    uploaded to the Master and connected Slaves 
       
    						