opengear ACM7000 Remote Site Gateway User Manual

June 1, 2024
Opengear


opengear ACM7000 Remote Site Gateway


Product Information

Specifications:

  • Product: ACM7000 Remote Site Gateway
  • Model: ACM7000-L Resilience Gateway
  • Management System: IM7200 Infrastructure Manager
  • Console Servers: CM7100
  • Version: 5.0 – 2023-12

Product Usage Instructions

Safety Precautions:

Do not connect or disconnect the console server during an electrical storm. Always use a surge suppressor or UPS to protect the equipment from transients.

FCC Warning:

This device complies with Part 15 of the FCC rules. Operation of this device is subject to the following conditions: (1) This device may not cause harmful interference, and (2) this device must accept any interference that may cause undesired operation.

FAQs

  • Q: Can I use the ACM7000 Remote Site Gateway during an electrical storm?
    • A: No, it is advised not to connect or disconnect the console server during an electrical storm to prevent damage.
  • Q: What version of FCC rules does the device comply with?
    • A: The device complies with Part 15 of the FCC rules.

User Manual
ACM7000 Remote Site Gateway ACM7000-L Resilience Gateway IM7200 Infrastructure Manager CM7100 Console Servers
Version 5.0 – 2023-12

Safety
Follow the safety precautions below when installing and operating the console server:
· Do not remove the metal covers. There are no operator serviceable components inside. Opening or removing the cover may expose you to dangerous voltage which may cause fire or electric shock. Refer all service to Opengear qualified personnel.
· To avoid electric shock the power cord protective grounding conductor must be connected through to ground.
· Always pull on the plug, not the cable, when disconnecting the power cord from the socket.
· Do not connect or disconnect the console server during an electrical storm. Also use a surge suppressor or UPS to protect the equipment from transients.
FCC Warning Statement
This device complies with Part 15 of the FCC rules. Operation of this device is subject to the following conditions: (1) This device may not cause harmful interference, and (2) this device must accept any interference that may cause undesired operation.
Proper back-up systems and necessary safety devices should be utilized to protect against injury, death or property damage due to system failure. Such protection is the responsibility of the user. This console server device is not approved for use as a life-support or medical system. Any changes or modifications made to this console server device without the explicit approval or consent of Opengear will void Opengear of any liability or responsibility of injury or loss caused by any malfunction. This equipment is for indoor use and all the communication wirings are limited to inside of the building.
Copyright
©Opengear Inc. 2023. All Rights Reserved. Information in this document is subject to change without notice and does not represent a commitment on the part of Opengear. Opengear provides this document “as is,” without warranty of any kind, expressed or implied, including, but not limited to, the implied warranties of fitness or merchantability for a particular purpose. Opengear may make improvements and/or changes in this manual or in the product(s) and/or the program(s) described in this manual at any time. This product could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes may be incorporated in new editions of the publication.

Chapter 1: This Manual

This User Manual explains installing, operating, and managing Opengear console servers. This manual assumes you are familiar with the Internet and IP networks, HTTP, FTP, basic security operations, and your organization’s internal network.
1.1 Types of users
The console server supports two classes of users:
· Administrators who have unlimited configuration and management privileges over the console server and connected devices as well as all services and ports to control all the serial connected devices and network connected devices (hosts). Administrators are set up as members of the admin user group. An administrator can access and control the console server using the config utility, the Linux command line or the browser-based Management Console.
· Users who have been set up by an administrator with limits on their access and control authority. Users have a limited view of the Management Console and can only access authorized configured devices and review port logs. These users are set up as members of one or more of the preconfigured user groups such as PPTPD, dialin, FTP, pmshell, users, or user groups the administrator may have created. They are only authorized to perform specified controls on specific connected devices. Users, when authorized, can access and control serial or network connected devices using specified services (e.g. Telnet, HTTPS, RDP, IPMI, Serial over LAN, Power Control).
Remote users are users who are not on the same LAN segment as the console server. A remote user may be on the road connecting to managed devices over the public Internet, an administrator in another office connecting to the console server over the enterprise VPN, or in the same room or the same office but connected on a separate VLAN to the console server.
1.2 Management Console
The Opengear Management Console allows you to configure and monitor the features of your Opengear console server. The Management Console runs in a browser and provides a view of the console server and all connected devices. Administrators can use the Management Console to configure and manage the console server, users, ports, hosts, power devices, and associated logs and alerts. Non-admin users can use the Management Console with limited menu access to control select devices, review their logs, and access them using the built-in Web terminal.
The console server runs an embedded Linux operating system, and can be configured at the command line. You can get command line access by cellular / dial-in, directly connecting to the console server’s serial console/modem port, or by using SSH or Telnet to connect to the console server over the LAN (or connecting with PPTP, IPsec or OpenVPN).
For command line interface (CLI) commands and advanced instructions, download the Opengear CLI and Scripting Reference.pdf from https://ftp.opengear.com/download/documentation/manual/previous%20versions%20archived/
1.3 More information
For more information, consult:
· Opengear Products Web Site: See https://opengear.com/products. To get the most up-to-date information on what’s included with your console server, visit the What’s included section for your particular product.
· Quick Start Guide: To get the Quick Start Guide for your device see https://opengear.com/support/documentation/.
· Opengear Knowledge Base: Visit https://opengear.zendesk.com to access technical how-to articles, tech tips, FAQs, and important notifications.
· Opengear CLI and Scripting Reference: https://ftp.opengear.com/download/documentation/manual/current/IM_ACM_and_CM7100/Opengear%20CLI%20and%20Scripting%20Reference.pdf

Chapter 2: System Configuration

This chapter provides step-by-step instructions for the initial configuration of your console server and connecting it to the Management or Operational LAN. The steps are:
· Activate the Management Console.
· Change the administrator password.
· Set the IP address of the console server’s principal LAN port.
· Select the services to be enabled and access privileges.
This chapter also discusses the communications software tools that an administrator may use to access the console server, and the configuration of the additional LAN ports.
2.1 Management Console Connection
Your console server comes configured with a default IP Address 192.168.0.1 and subnet mask 255.255.255.0 for NET1 (WAN). For initial configuration, we recommend that you connect a computer directly to the console. If you do choose to connect your LAN before completing the initial setup steps, make sure that:
· There are no other devices on the LAN with an address of 192.168.0.1.
· The console server and the computer are on the same LAN segment, with no interposed router appliances.
2.1.1 Connected computer set up
To configure the console server with a browser, the connected computer should have an IP address in the same range as the console server (for example, 192.168.0.100):
· To configure the IP Address of your Linux or Unix computer, run ifconfig.
· For Windows PCs:
1. Click Start > Settings > Control Panel and double click Network Connections.
2. Right click on Local Area Connection and select Properties.
3. Select Internet Protocol (TCP/IP) and click Properties.
4. Select Use the following IP address and enter the following details:
o IP address: 192.168.0.100
o Subnet mask: 255.255.255.0
5. If you want to retain your existing IP settings for this network connection, click Advanced and Add the above as a secondary IP connection.
2.1.2 Browser connection
Open a browser on the connected PC / workstation and enter https://192.168.0.1.
Log in with:
Username> root
Password> default
The first time you log in, you are required to change the root password. Click Submit.
To complete the change, enter the new password again. Click Submit. The Welcome screen appears.
If your system has a cellular modem you will be given the steps to configure the cellular router features:
· Configure the cellular modem connection (System > Dial page. See Chapter 4)
· Allow forwarding to the cellular destination network (System > Firewall page. See Chapter 4)
· Enable IP masquerading for cellular connection (System > Firewall page. See Chapter 4)
After completing each of the above steps, you can return to the configuration list by clicking the Opengear logo in the top left corner of the screen.
NOTE If you are not able to connect to the Management Console at 192.168.0.1 or if the default Username / Password are not accepted, reset your console server (See Chapter 10).
2.2 Administrator Set Up
2.2.1 Change default root System Password
You are required to change the root password when you first log in to the device. You can change this password at any time.
1. Click Serial & Network > Users & Groups or, on the Welcome screen, click Change default administration password.
2. Scroll down and locate the root user entry under Users and click Edit.
3. Enter the new password in the Password and Confirm fields.
NOTE Checking Save Password across firmware erases saves the password so it does not get erased when the firmware is reset. If this password is lost, the device will need to be firmware recovered.
4. Click Apply. Log in with the new password.
2.2.2 Set up a new administrator
Create a new user with administrative privileges and log in as this user for administration functions, rather than using root.
1. Click Serial & Network > Users & Groups. Scroll to the bottom of the page and click the Add User button.
2. Enter a Username.
3. In the Groups section, check the admin box.
4. Enter a password in the Password and Confirm fields.
5. You can also add SSH Authorized Keys and choose to Disable Password Authentication for this user.
6. Additional options for this user can be set on this page including Dial-in Options, Accessible Hosts, Accessible Ports, and Accessible RPC Outlets.
7. Click the Apply button at the bottom of the screen to create this new user.
2.2.3 Add System Name, System Description, and MOTD
1. Select System > Administration.
2. Enter a System Name and System Description for the console server to give it a unique ID and make it easier to identify. System Name can contain from 1 to 64 alphanumeric characters and the special characters underscore (_), minus (-), and period (.). System Description can contain up to 254 characters.
3. The MOTD Banner can be used to display a message of the day text to users. It appears on the upper left of the screen below the Opengear logo.
4. Click Apply.
2.3 Network Configuration
Enter an IP address for the principal Ethernet (LAN/Network/Network1) port on the console server or enable its DHCP client to automatically obtain an IP address from a DHCP server. By default, the console server has its DHCP client enabled and automatically accepts any network IP address assigned by a DHCP server on your network. In this initial state, the console server will respond to both its default Static address 192.168.0.1 and its DHCP address.
1. Click System > IP and click the Network Interface tab.
2. Choose either DHCP or Static for the Configuration Method. If you choose Static, enter the IP Address, Subnet Mask, Gateway and DNS server details. This selection disables the DHCP client.
3. The console server LAN port automatically detects the Ethernet connection speed. Use the Media drop-down list to lock the Ethernet to 10 Mb/s or 100 Mb/s and to Full Duplex or Half Duplex.
If you encounter packet loss or poor network performance with the Auto setting, change the Ethernet Media settings on the console server and the device it is connected to. In most cases, change both to 100baseTx-FD (100 megabits, full duplex).
4. If you select DHCP, the console server will look for configuration details from a DHCP server. This selection disables any static address. The console server MAC address can be found on a label on the base plate.
5. You may enter a secondary address or comma-separated list of addresses in CIDR notation, e.g. 192.168.1.1/24 as an IP Alias.
6. Click Apply.
7. Reconnect the browser on the computer that is connected to the console server by entering http://your new IP address.
If you change the console server IP address, you need to reconfigure your computer to have an IP address in the same network range as the new console server address.
You can set the MTU on Ethernet interfaces. This is an advanced option to be used if your deployment scenario doesn’t work with the default MTU of 1500 bytes. To set the MTU, click System > IP and click the Network Interface tab. Scroll down to the MTU field and enter the desired value. Valid values are from 1280 to 1500 for 100-megabit interfaces, and 1280 to 9100 for gigabit interfaces. If bridging or bonding is configured, the MTU set on the Network Interface page will be set on the interfaces that are part of the bridge or the bond.
NOTE In some cases, the user specified MTU may not take effect. Some NIC drivers may round oversized MTUs to the maximum allowed value and others will return an error code.
You can also use a CLI command to manage MTU Size. To configure:
    config -s config.interfaces.wan.mtu=1380
To check:
    config -g config.interfaces.wan
    config.interfaces.wan.address 192.168.2.24
    config.interfaces.wan.ddns.provider none
    config.interfaces.wan.gateway 192.168.2.1
    config.interfaces.wan.ipv6.mode stateless
    config.interfaces.wan.media Auto
    config.interfaces.wan.mode static
    config.interfaces.wan.mtu 1380
    config.interfaces.wan.netmask 255.255.255.0
2.3.1 IPv6 configuration
The console server Ethernet interfaces support IPv4 by default. They can be configured for IPv6 operation:
1. Click System > IP. Click the General Settings tab and check Enable IPv6. If desired, click the Disable IPv6 for Cellular checkbox.
2. Configure the IPv6 parameters on each interface page. IPv6 can be configured for either Automatic mode, which will use SLAAC or DHCPv6 to configure addresses, routes, and DNS, or Static mode, which allows the address information to be manually entered.
2.3.2 Dynamic DNS (DDNS) configuration
With Dynamic DNS (DDNS), a console server whose IP address is dynamically assigned can be located using a fixed host or domain name. Create an account with the supported DDNS service provider of your choice. When you set up your DDNS account, you choose a username, password, and hostname that you will use as the DNS name. DDNS service providers let you choose a hostname URL and set an initial IP address to correspond to that hostname URL.
To enable and configure DDNS on any of the Ethernet or cellular network connections on the console server:
1. Click System > IP and scroll down to the Dynamic DNS section. Select your DDNS service provider from the drop-down Dynamic DNS list. You can also set the DDNS information under the Cellular Modem tab under System > Dial.
2. In DDNS Hostname, enter the fully qualified DNS hostname for your console server e.g. yourhostname.dyndns.org.
3. Enter the DDNS Username and DDNS Password for the DDNS service provider account.
4. Specify the Maximum interval between updates in days. A DDNS update will be sent even if the address has not changed.
5. Specify the Minimum interval between checks for changed addresses in seconds. Updates will be sent if the address has changed.
6. Specify the Maximum attempts per update which is the number of times to attempt an update before giving up. This is 3 by default.
7. Click Apply.
2.3.3 EAPoL mode for WAN, LAN and OOBFO
(OOBFO is applicable to the IM7216-2-24E-DAC only)
Overview of EAPoL
IEEE 802.1X, or PNAC (Port-based Network Access Control), makes use of the physical access characteristics of IEEE 802 LAN infrastructures in order to provide a means of authenticating and authorizing devices attached to a LAN port that has point-to-point connection characteristics, and of preventing access to that port in cases where the authentication and authorization fails. A port in this context is a single point of attachment to the LAN infrastructure.
When a new wireless or wired node (WN) requests access to a LAN resource, the access point (AP) asks for the WN’s identity. No other traffic than EAP is allowed before the WN is authenticated (the “port” is closed, or “unauthenticated”). The wireless node that requests authentication is often called Supplicant, the Supplicant is responsible for responding to Authenticator data that will establish its credentials. The same goes for the access point; the Authenticator is not the access point. Rather, the access point contains an Authenticator. The Authenticator does not need to be in the access point; it can be an external component. The following Authentication methods are implemented:
· EAP-MD5 supplicant
o The EAP MD5-Challenge method uses plain username/password
· EAP-PEAP-MD5
o EAP PEAP (Protected EAP) MD5 authentication method uses user credentials and CA certificate
· EAP-TLS
o EAP TLS (Transport Layer Security) authentication method requires CA certificate, client certificate and a private key.
The EAP protocol, which is used for authentication, was originally used for dial-up PPP. The identity was the username, and either PAP or CHAP authentication was used to check the user’s password. As the identity is sent in clear (not encrypted), a malicious sniffer may learn the user’s identity. “Identity hiding” is therefore used; the real identity is not sent before the encrypted TLS tunnel is up.
After the identity has been sent, the authentication process begins. The protocol used between the Supplicant and the Authenticator is EAP (or EAPoL). The Authenticator re-encapsulates the EAP messages into RADIUS format and passes them to the Authentication Server. During authentication, the Authenticator relays packets between the Supplicant and the Authentication Server. When the authentication process completes, the Authentication Server sends a success message (or failure, if the authentication failed). The Authenticator then opens the “port” for the Supplicant. Authentication settings can be accessed from the EAPoL Supplicant Settings page. The current EAPoL status is displayed in detail on the Status Statistics page on the EAPoL tab:
An abstraction of EAPoL on network ROLEs is displayed in the “Connection Manager” section on the Dashboard interface.
Shown below is an example of successful authentication:
IEEE 802.1x (EAPOL) support on the switch ports of IM7216-2-24E-DAC and ACM7004-5: In order to avoid loops, users should not plug more than one switch port to the same upper-level switch.
2.4 Service Access and Brute Force Protection
The administrator can access the console server and connected serial ports and managed devices using a range of access protocols/services. For each access:
· The service must first be configured and enabled to run on the console server.
· Access through the firewall must be enabled for each network connection.
To enable and configure a service:
1. Click System > Services and click the Service Settings tab.

2. Enable and configure basic services:

HTTP

By default, HTTP service is running and cannot be fully disabled. By default, HTTP access is disabled on all interfaces. We recommend this access remain disabled if the console server is accessed remotely over the Internet.
Alternate HTTP lets you configure an alternate HTTP port to listen on. The HTTP service will continue listening on TCP port 80 for CMS and connector communications but will be inaccessible through the firewall.

HTTPS

By default, HTTPS service is running and enabled on all network interfaces. It is recommended that only HTTPS access be used if the console server is to be managed over any public network. This ensures administrators have secure browser access to all the menus on the console server. It also allows appropriately configured users secure browser access to selected Manage menus.
The HTTPS service can be disabled or reenabled by checking HTTPS Web Management and an alternate port specified (default port is 443).

Telnet

By default the Telnet service is running but disabled on all network interfaces.
Telnet can be used to give an administrator access to the system command line shell. This service may be useful for local administrator access and for user access to selected serial consoles. We recommend that you disable this service if the console server is remotely administered.
The Enable Telnet command shell checkbox will enable or disable the Telnet service. An alternate Telnet port to listen on can be specified in Alternate Telnet Port (default port is 23).


SSH

This service provides secure SSH access to the console server and attached devices, and by default the SSH service is running and enabled on all interfaces. It is recommended you choose SSH as the protocol where an administrator connects to the console server over the Internet or any other public network. This will provide authenticated communications between the SSH client program on the remote computer and the SSH server in the console server. For more information on SSH configuration see Chapter 8 – Authentication.

The Enable SSH command shell checkbox will enable or disable this service. An alternate SSH port to listen on can be specified in SSH command shell port (default port is 22).

3. Enable and configure other services:

TFTP/FTP If a USB flash card or internal flash is detected on a console server, checking Enable TFTP (FTP) service enables this service and sets up default tftp and ftp servers on the USB flash. These servers are used to store config files, maintain access and transaction logs etc. Files transferred using tftp and ftp will be stored under /var/mnt/storage.usb/tftpboot/ (or /var/mnt/storage.nvlog/tftpboot/ on ACM7000 series devices). Unchecking Enable TFTP (FTP) service will disable the TFTP (FTP) service.

DNS Relay Checking Enable DNS Server/Relay enables the DNS relay feature so clients can be configured with the console server’s IP for their DNS server setting, and the console server will forward the DNS queries to the real DNS server.

Web Terminal Checking Enable Web Terminal allows web browser access to the system command line shell via Manage > Terminal.

4. Specify alternate port numbers for Raw TCP, direct Telnet/SSH and unauthenticated Telnet/SSH services. The console server uses specific ranges for the TCP/IP ports for the various access services that users can use to access devices attached to serial ports (as covered in Chapter 3 – Configure Serial Ports). The administrator can set alternate ranges for these services and these secondary ports will be used in addition to the defaults.

The default TCP/IP base port address for Telnet access is 2000, and the range for Telnet is IP Address: Port (2000 + serial port #) i.e. 2001 – 2048. If an administrator were to set 8000 as a secondary base for Telnet, serial port #2 on the console server can be Telnet accessed at IP Address:2002 and at IP Address:8002. The default base for SSH is 3000; for Raw TCP is 4000; and for RFC2217 it is 5000.

5. Other services can be enabled and configured from this menu by selecting Click here to configure:

Nagios Access to the Nagios NRPE monitoring daemons

NUT

Access to the NUT UPS monitoring daemon

SNMP Enables snmp in the console server. SNMP is disabled by default

NTP

6. Click Apply. A confirmation message appears: Message Changes to configuration succeeded

The Services Access settings can be set to allow or block access. This specifies which enabled services administrators can use over each network interface to connect to the console server and through the console server to attached serial and network connected devices.

1. Select the Service Access tab on the System > Services page.
2. This displays the enabled services for the console server’s network interfaces. Depending on the particular console server model the interfaces displayed may include:
· Network interface (for the principal Ethernet connection)
· Management LAN / OOB Failover (second Ethernet connections)
· Dialout / Cellular (V90 and 3G modem)
· Dial-in (internal or external V90 modem)
· VPN (IPsec or OpenVPN connection over any network interface)
3. Check/uncheck for each network which service access is to be enabled/disabled.
The Respond to ICMP echoes (i.e. ping) service access option can also be configured at this stage. This allows the console server to respond to incoming ICMP echo requests. Ping is enabled by default. For increased security, you should disable this service when you complete initial configuration.
You can allow serial port devices to be accessed from nominated network interfaces using Raw TCP, direct Telnet/SSH, unauthenticated Telnet/SSH services, etc.
4. Click Apply.
Web Management Settings
The Enable HSTS checkbox enables HTTP Strict Transport Security. HSTS mode means that a Strict-Transport-Security header is sent over HTTPS transport. A compliant web browser remembers this header, and when asked to contact the same host over HTTP (plain) it will automatically switch to HTTPS before attempting HTTP, as long as the browser has accessed the secure site once and seen the Strict-Transport-Security header.
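After enabling HSTS, a practitioner will want to confirm that the HTTPS responses really carry a usable Strict-Transport-Security header. The following check is an added example, not part of the manual or of Opengear's software: it parses a raw HTTP response, extracts the HSTS directives and classifies them; the sample responses are constructed, and the one-year minimum max-age is an assumed policy threshold.

```python
"""Verify that an HTTPS response carries a usable Strict-Transport-Security header.

Added example, not part of the manual or Opengear's software. The responses
below are constructed samples; a real check would feed in the raw response
read over a TLS connection to the console server's HTTPS port."""


def parse_response_headers(raw):
    """Split a raw HTTP response into (status line, {lowercase name: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue                      # ignore malformed header lines
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def parse_hsts_directives(value):
    """Parse 'max-age=N; includeSubDomains; preload' into a dict.

    Directive names are case-insensitive, so keys are lowercased."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" in part:
            name, val = part.split("=", 1)
            directives[name.strip().lower()] = val.strip().strip('"')
        else:
            directives[part.lower()] = True
    return directives


def check_hsts(raw_response, min_max_age=31536000):
    """Return a verdict for the Strict-Transport-Security header.

    min_max_age defaults to one year; that threshold is an assumption of this
    example, not a value from the manual."""
    _, headers = parse_response_headers(raw_response)
    value = headers.get("strict-transport-security")
    if value is None:
        return "missing"                  # HSTS not enabled, or response came over plain HTTP
    directives = parse_hsts_directives(value)
    try:
        max_age = int(directives.get("max-age", ""))
    except ValueError:
        return "invalid"                  # browsers ignore a header without a numeric max-age
    if max_age == 0:
        return "disabled"                 # max-age=0 tells browsers to forget the host
    if max_age < min_max_age:
        return "short"
    return "ok"


# Constructed sample responses (not captured from a real device).
RESPONSE_HSTS_OK = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "\r\n"
    "<html></html>"
)
RESPONSE_NO_HSTS = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"
RESPONSE_SHORT = "HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=300\r\n\r\n"
RESPONSE_BAD = "HTTP/1.1 200 OK\r\nStrict-Transport-Security: includeSubDomains\r\n\r\n"
RESPONSE_ZERO = "HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=0\r\n\r\n"

if __name__ == "__main__":
    for label, resp in [("ok", RESPONSE_HSTS_OK), ("none", RESPONSE_NO_HSTS),
                        ("short", RESPONSE_SHORT), ("bad", RESPONSE_BAD),
                        ("zero", RESPONSE_ZERO)]:
        print(f"{label:6s} -> {check_hsts(resp)}")
```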
Brute Force Protection
Brute force protection (Micro Fail2ban) temporarily blocks source IPs that show malicious signs, such as too many password failures. This may help when the device’s network services are exposed to an untrusted network such as the public WAN and scripted attacks or software worms are attempting to guess (brute force) user credentials and gain unauthorized access.

Brute Force Protection may be enabled for the listed services. By default, once protection is enabled 3 or more failed connection attempts within 60 seconds from a specific source IP trigger it to be banned from connecting for a configurable time period. Attempt limit and Ban timeout may be customized. Active Bans are also listed and may be refreshed by reloading the page.
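To make the ban logic described above concrete, here is an added example (not Opengear's implementation) of a sliding-window guard using the manual's defaults: 3 or more failures within 60 seconds from one source IP trigger a ban, with a 600-second ban timeout assumed for the example. The authentication events it replays are constructed, not real device logs.

```python
"""Sliding-window brute-force protection, modelled on the manual's description
of Micro Fail2ban: a source IP that fails 3 or more times within 60 seconds is
banned for a configurable period (600 s assumed here). Added example code, not
Opengear's implementation; the sample events below are constructed."""
from collections import defaultdict, deque


class BruteForceGuard:
    """Counts recent authentication failures per source IP and issues bans."""

    def __init__(self, attempt_limit=3, window_seconds=60, ban_seconds=600):
        self.attempt_limit = attempt_limit
        self.window = window_seconds
        self.ban_seconds = ban_seconds
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.bans = {}                       # ip -> time at which the ban expires

    def is_banned(self, ip, now):
        """True while a ban is active; an expired ban is dropped on the way."""
        expiry = self.bans.get(ip)
        if expiry is None:
            return False
        if now >= expiry:
            del self.bans[ip]               # ban timeout elapsed
            return False
        return True

    def record(self, now, ip, outcome):
        """Process one authentication event and return the decision taken."""
        if self.is_banned(ip, now):
            return "rejected_banned"        # connection refused, outcome irrelevant
        if outcome == "success":
            self.failures.pop(ip, None)      # a successful login clears the counter
            return "allowed"
        recent = self.failures[ip]
        recent.append(now)
        # Keep only the failures that fall inside the sliding window.
        while recent and now - recent[0] > self.window:
            recent.popleft()
        if len(recent) >= self.attempt_limit:
            self.bans[ip] = now + self.ban_seconds
            self.failures.pop(ip, None)      # start fresh once the ban expires
            return "ban_started"
        return "failed"

    def active_bans(self, now):
        """Sorted list of IPs still banned at `now` (the Active Bans view)."""
        return sorted(ip for ip in list(self.bans) if self.is_banned(ip, now))


# Constructed sample events: (seconds since start, source IP, auth outcome).
SAMPLE_EVENTS = [
    (0,   "203.0.113.5",  "fail"),
    (10,  "203.0.113.5",  "fail"),
    (20,  "203.0.113.5",  "fail"),     # third failure within 60 s: banned until t=620
    (25,  "203.0.113.5",  "fail"),     # rejected while the ban is active
    (30,  "198.51.100.7", "fail"),
    (100, "198.51.100.7", "fail"),     # first failure aged out, count stays at 1
    (150, "198.51.100.7", "success"),  # counter cleared
    (700, "203.0.113.5",  "fail"),     # ban expired at t=620; counted afresh
]


def run_sample():
    """Replay SAMPLE_EVENTS; return (decisions, bans active at t=100, guard)."""
    guard = BruteForceGuard()
    decisions = []
    bans_at_100 = []
    for now, ip, outcome in SAMPLE_EVENTS:
        decisions.append(guard.record(now, ip, outcome))
        if now == 100:
            bans_at_100 = guard.active_bans(now)
    return decisions, bans_at_100, guard


if __name__ == "__main__":
    decisions, bans_at_100, guard = run_sample()
    for (now, ip, outcome), decision in zip(SAMPLE_EVENTS, decisions):
        print(f"t={now:4d} {ip:14s} {outcome:8s} -> {decision}")
    print("banned at t=100:", bans_at_100)
    print("banned at t=700:", guard.active_bans(700))
```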

NOTE

When running on an untrusted network, consider using a variety of strategies to lock down remote access. These include SSH public key authentication, VPN, and Firewall Rules to allowlist remote access from trusted source networks only. See the Opengear Knowledge Base for details.

2.5 Communications Software
You have configured access protocols for the administrator client to use when connecting to the console server. User clients also use these protocols when accessing console server serial attached devices and network attached hosts. You need communications software tools set up on the administrator and user client’s computer. To connect you may use tools such as PuTTY and SSHTerm.

Commercially available connectors couple the trusted SSH tunneling protocol with popular access tools such as Telnet, SSH, HTTP, HTTPS, VNC, RDP to provide point-and-click secure remote management access to all the systems and devices being managed. Information on using connectors for browser access to the console server’s Management Console, Telnet/SSH access to the console server command line, and TCP/UDP connecting to hosts that are network connected to the console server can be found in Chapter 5. Connectors can be installed on Windows PCs, Mac OS X and on most Linux, UNIX and Solaris systems.
2.6 Management Network Configuration
Console servers have additional network ports that can be configured to provide management LAN access and/or failover or out-of-band access.
2.6.1 Enable the Management LAN
Console servers can be configured so the second Ethernet port provides a management LAN gateway. The gateway has firewall, router and DHCP server features. You need to connect an external LAN switch to Network 2 to attach hosts to this management LAN:
NOTE The second Ethernet port can be configured as either a Management LAN gateway port or as an OOB/Failover port. Ensure you did not allocate NET2 as the Failover Interface when you configured the principal Network connection on the System > IP menu.
To configure the Management LAN gateway:
1. Select the Management LAN Interface tab on the System > IP menu and uncheck Disable.
2. Configure the IP Address and Subnet Mask for the Management LAN. Leave the DNS fields blank.
3. Click Apply.
The management gateway function is enabled with default firewall and router rules configured so the Management LAN is only accessible by SSH port forwarding. This ensures the remote and local connections to Managed devices on the Management LAN are secure. The LAN ports can also be configured in bridged or bonded mode or manually configured from the command line.
2.6.2 Configure the DHCP server
The DHCP server enables the automatic distribution of IP addresses to devices on the Management LAN that are running DHCP clients. To enable the DHCP server:
1. Click System > DHCP Server.
2. On the Network Interface tab, check Enable DHCP Server.
3. Enter the Gateway address to be issued to the DHCP clients. If this field is left blank, the console server’s IP address is used.
4. Enter the Primary DNS and Secondary DNS address to issue the DHCP clients. If this field is left blank, console server’s IP address is used.
5. Optionally enter a Domain Name suffix to issue DHCP clients.
6. Enter the Default Lease time and Maximum Lease time in seconds. This is the amount of time that a dynamically assigned IP address is valid before the client must request it again.
7. Click Apply.
The DHCP server issues IP addresses from specified address pools:
1. Click Add in the Dynamic Address Allocation Pools field.
2. Enter the DHCP Pool Start Address and End Address.
3. Click Apply.
The DHCP server also supports pre-assigning IP addresses to be allocated to specific MAC addresses and reserving IP addresses to be used by connected hosts with fixed IP addresses. To reserve an IP address for a particular host:
1. Click Add in the Reserved Addresses field.
2. Enter the Hostname, the Hardware Address (MAC) and the Statically Reserved IP address for the DHCP client and click Apply.
When DHCP has allocated host addresses, it is recommended to copy these into the pre-assigned list so the same IP address is reallocated in the event of a reboot.
2.6.3 Select Failover or broadband OOB
Console servers provide a failover option so that in the event of a problem using the main LAN connection for accessing the console server an alternate access path is used. To enable failover:
1. Select the Network Interface page on the System > IP menu
2. Select the Failover Interface to be used in the event of an outage on the main network.
3. Click Apply. Failover becomes active after you specify the external sites to be probed to trigger failover and set up the failover ports.

2.6.4 Aggregating the network ports
By default, the console server's Management LAN network ports can be accessed using SSH tunneling/port forwarding or by establishing an IPsec VPN tunnel to the console server. All the wired network ports on the console servers can be aggregated by being bridged or bonded.
· By default, Interface Aggregation is disabled on the System > IP > General Settings menu
· Select Bridge Interfaces or Bond Interfaces
  o When bridging is enabled, network traffic is forwarded across all Ethernet ports with no firewall restrictions. All the Ethernet ports are transparently connected at the data link layer (layer 2), so they retain their unique MAC addresses
  o With bonding, the network traffic is carried between the ports but presented with one MAC address
· Both modes remove all the Management LAN Interface and Out-of-Band/Failover Interface functions and disable the DHCP Server. Note that bridging also removes the SSH-port-forwarding-only protection that the Management LAN gateway applies to devices behind it
· In aggregation mode all Ethernet ports are collectively configured using the Network Interface menu
2.6.5 Static routes
Static routes provide a very quick way to route data from one subnet to a different subnet. You can hard code a path that tells the console server/router how to reach a certain subnet. This may be useful for accessing various subnets at a remote site when using the cellular OOB connection.

To add to the static route to the route table of the System:
1. Select the Route Settings tab on the System > IP General Settings menu.
2. Click New Route
3. Enter a Route Name for the route.
4. In the Destination Network/Host field, enter the IP address of the destination network or host that the route provides access to.
5. In the Destination netmask field, enter the prefix length that identifies the destination network or host: any number between 0 and 32. A netmask of 32 identifies a host route.
6. In Route Gateway, enter the IP address of the router that forwards packets to the destination network. This may be left blank.
7. Select the Interface to use to reach the destination. This may be left as None.
8. In the Metric field, enter the metric of this route: any number equal to or greater than 0. This only needs to be set if two or more routes conflict or have overlapping targets.
9. Click Apply.

NOTE The route details page provides a list of network interfaces and modems to which a route can be bound. In the case of a modem, the route is attached to any dialup session established via that device. A route can be specified with a gateway, an interface or both. If the specified interface is not active, routes configured for that interface are not active.
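The semantics of these fields, as an added Python example that is not Opengear code and does not come from this manual: the longest destination prefix wins, the Metric only decides between overlapping routes, and a route bound to an Interface that is not up is left out of the decision entirely. The route table, the interface names eth1 and cellmodem, and all addresses are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class StaticRoute:
    """One row of the Route Settings table."""
    name: str
    destination: str                 # Destination Network/Host
    netmask: int                     # prefix length 0-32; 32 = host route
    gateway: Optional[str] = None    # Route Gateway; may be blank
    interface: Optional[str] = None  # bound Interface; may be None
    metric: int = 0                  # decides between overlapping routes

    def __post_init__(self):
        if not 0 <= self.netmask <= 32:
            raise ValueError(f"{self.name}: netmask must be 0-32")
        if self.metric < 0:
            raise ValueError(f"{self.name}: metric must be >= 0")
        if self.gateway is None and self.interface is None:
            raise ValueError(f"{self.name}: give a gateway, an interface or both")

    @property
    def network(self):
        return ipaddress.ip_network(f"{self.destination}/{self.netmask}", strict=False)


def select_route(dst, routes, active_interfaces):
    """Route that carries traffic to dst: longest prefix, then lowest metric.
    Routes bound to an interface that is not up are skipped entirely, which is
    what makes a cellular-only route take over when the LAN interface drops."""
    addr = ipaddress.ip_address(dst)
    live = [r for r in routes
            if r.interface is None or r.interface in active_interfaces]
    matches = [r for r in live if addr in r.network]
    if not matches:
        return None
    return min(matches, key=lambda r: (-r.netmask, r.metric, r.name))


# Constructed table for a remote site: the /16 is normally reached over the
# Management LAN (eth1) and over the cellular modem when the LAN is down.
ROUTES = (
    StaticRoute("site-lan", "10.20.0.0", 16, gateway="10.10.10.1", interface="eth1"),
    StaticRoute("site-cell", "10.20.0.0", 16, interface="cellmodem", metric=10),
    StaticRoute("mgmt-host", "10.20.5.7", 32, interface="cellmodem"),
)
LAN_UP = {"eth0", "eth1"}          # normal operation
FAILOVER = {"eth0", "cellmodem"}   # eth1 down, cellular OOB active
```

With LAN_UP, 10.20.1.1 goes via site-lan; with FAILOVER the same address goes via site-cell, and 10.20.5.7 picks the /32 host route because prefix length is compared before metric.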

3. SERIAL PORT, HOST, DEVICE & USER CONFIGURATION
The console server enables access and control of serially-attached devices and network-attached devices (hosts). The administrator must configure access privileges for each of these devices and specify the services that can be used to control the devices. The administrator can also set up new users and specify each user’s individual access and control privileges.
This chapter covers each of the steps in configuring network connected and serially attached devices:
· Serial Ports – setting up the protocols used by serially connected devices
· Users & Groups – setting up users and defining the access permissions for each of these users
· Authentication – this is covered in more detail in Chapter 8
· Network Hosts – configuring access to local network connected computers or appliances (hosts)
· Configuring Trusted Networks – nominate IP addresses that trusted users access from
· Cascading and Redirection of Serial Console Ports
· Connecting to power (UPS, PDU, and IPMI) and environmental monitoring (EMD) devices
· Serial Port Redirection – using the PortShare Windows and Linux clients
· Managed Devices – presents a consolidated view of all the connections
· IPSec – enabling VPN connection
· OpenVPN
· PPTP
3.1 Configure Serial Ports
The first step in configuring a serial port is to set the Common Settings such as the protocols and the RS232 parameters that are to be used for the data connection to that port (e.g. baud rate). Select what mode the port is to operate in. Each port can be set to support one of these operating modes:
· Disabled mode is the default, the serial port is inactive
· Console server mode enables general access to serial console port on the serially attached devices
· Device mode sets the serial port up to communicate with an intelligent serial controlled PDU, UPS or Environmental Monitor Devices (EMD)
· Terminal Server mode sets the serial port to await an incoming terminal login session
· Serial Bridge mode enables the transparent interconnection of two serial port devices over a network.
1. Select Serial & Network > Serial Port to display serial port details
2. By default, each serial port is set in Console server mode. Click Edit next to the port to be reconfigured. Or click Edit Multiple Ports and select which ports you wish to configure as a group.
3. When you have reconfigured the common settings and the mode for each port, set up any remote syslog (see the following sections for specific information). Click Apply
4. If the console server has been configured with distributed Nagios monitoring enabled, use the Nagios Settings options to enable nominated services on the Host to be monitored

3.1.1 Common Settings
There are a number of common settings that can be set for each serial port. These are independent of the mode in which the port is being used. These serial port parameters must be set so they match the serial port parameters on the device you attach to that port:

· Type in a label for the port · Select the appropriate Baud Rate, Parity, Data Bits, Stop Bits and Flow Control for each port

· Set the Port Pinout. This menu item appears for IM7200 ports where pin-out for each RJ45 serial port can be set as either X2 (Cisco Straight) or X1 (Cisco Rolled)

· Set the DTR mode. This allows you to choose if DTR is always asserted or only asserted when there is an active user session

· Before proceeding with further serial port configuration, you should connect the ports to the serial devices they will be controlling and ensure they have matching settings

3.1.2 Console Server Mode
Select Console server Mode to enable remote management access to the serial console that is attached to this serial port:

Logging Level This specifies the level of information to be logged and monitored.
Level 0: Disable logging (default)
Level 1: Log LOGIN, LOGOUT and SIGNAL events
Level 2: Log LOGIN, LOGOUT, SIGNAL, TXDATA and RXDATA events
Level 3: Log LOGIN, LOGOUT, SIGNAL and RXDATA events
Level 4: Log LOGIN, LOGOUT, SIGNAL and TXDATA events
Input/RXDATA is data received by the Opengear device from the connected serial device, and output/TXDATA is data sent by the Opengear device (e.g. typed by the user) to the connected serial device.
Device consoles typically echo back characters as they are typed so TXDATA typed by a user is subsequently received as RXDATA, displayed on their terminal.
NOTE After prompting for a password, the connected device sends * characters so the password is not displayed. This only affects what is shown on the terminal: at Level 2 and Level 4 the TXDATA log still records every character the user typed, including the password itself, so treat those logs as sensitive.

Telnet When the Telnet service is enabled on the console server, a Telnet client on a user’s computer can connect to a serial device attached to this serial port on the console server. Because Telnet communications are unencrypted, this protocol is only recommended for local or VPN tunneled connections.
If the remote communications are being tunneled with a connector, Telnet can be used for securely accessing these attached devices.

NOTE In console server mode, users can use a connector to set up secure Telnet connections that are SSH tunneled from their client computers to the serial port on the console server. Connectors can be installed on Windows PCs and most Linux platforms, and they enable secure Telnet connections to be selected with point-and-click.

To use a connector to access consoles on the console server serial ports, configure the connector with the console server as a gateway, and as a host, and enable Telnet service on Port (2000 + serial port #) i.e. 2001-2048.

You can also use standard communications packages like PuTTY to set a direct Telnet or SSH connection to the serial ports.

NOTE In Console server mode, when you connect to a serial port you connect via pmshell. To generate a BREAK on the serial port, type the character sequence ~b. If you’re doing this over OpenSSH type ~~b.

SSH
It is recommended that you use SSH as the protocol when users connect to the console server (or connect through the console server to the attached serial consoles) over the Internet or any other public network.

For SSH access to the consoles on devices attached to the console server serial ports, you can use a connector. Configure the connector with the console server as a gateway, and as a host, and enable SSH service on Port (3000 + serial port #) i.e. 3001-3048.

You can also use common communications packages, like PuTTY or SSHTerm, to SSH connect to port address IP Address:Port (3000 + serial port #) i.e. 3001-3048

SSH connections can be configured using the standard SSH port 22. The serial port being accessed is identified by appending a descriptor to the username. This syntax supports:

username:portXX (XX is the serial port number, e.g. port02)
username:ttySN (the port's tty name, e.g. ttyS1 for serial port 2)
username:serial (presents a port selection menu)

For a user named chris to access serial port 2, when setting up the SSHTerm or the PuTTY SSH client, instead of typing username = chris and ssh port = 3002, the alternative is to type username = chris:port02 (or username = chris:ttyS1) and ssh port = 22. Or by typing username = chris:serial and ssh port = 22, the user is presented with a port selection option.

This syntax enables users to set up SSH tunnels to all serial ports with only a single IP port, 22, having to be opened in their firewall/gateway.

TCP
RAW TCP allows connections to a TCP socket. While communications programs like PuTTY also support RAW TCP, this protocol is usually used by a custom application. RAW TCP carries no authentication or encryption of its own, so restrict it with Trusted Networks or carry it inside a VPN.

For RAW TCP, the default port address is IP Address:Port (4000 + serial port #) i.e. 4001-4048.

RAW TCP also enables the serial port to be tunneled to a remote console server, so two serial port devices can transparently interconnect over a network (see Chapter 3.1.5 - Serial Bridging)

RFC2217 Selecting RFC2217 enables serial port redirection on that port. For RFC2217, the default port address is IP Address:Port (5000 + serial port #) i.e. 5001-5048
Special client software is available for Windows, UNIX and Linux that supports RFC2217 virtual com ports, so a remote host can monitor and manage remote serially attached devices as though they were connected to the local serial port (see the Serial Port Redirection section for details)
RFC2217 also enables the serial port to be tunneled to a remote console server, so two serial port devices can transparently interconnect over a network (see Chapter 3.1.5 - Serial Bridging)

Unauthenticated Telnet This enables Telnet access to the serial port without authentication credentials. When a user accesses the console server to Telnet to a serial port, they are given a login prompt. With unauthenticated Telnet, they connect directly through to the port without any console server login challenge. If a Telnet client does prompt for authentication, any entered data allows connection.

This mode is used with an external system (such as conserver) managing user authentication and access privileges at the serial device level.
Logging into a device connected to the console server may require authentication.
For Unauthenticated Telnet the default port address is IP Address:Port (6000 + serial port #) i.e. 6001-6048.

Unauthenticated SSH This enables SSH access to the serial port without authentication credentials. When a user accesses the console server to SSH to a serial port, they are normally given a login prompt. With unauthenticated SSH they connect directly through to the port without any console server login challenge.
This mode is used when you have another system managing user authentication and access privileges at the serial device level but wish to encrypt the session across the network.
Logging into a device connected to the console server may require authentication.
For Unauthenticated SSH the default port address is IP Address:Port (7000 + serial port #) i.e. 7001-7048.
The username:port method of port access (as described in the SSH section above) always requires authentication.
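The per-service TCP port numbering above (Telnet 2000+, SSH 3000+, RAW TCP 4000+, RFC2217 5000+, Unauthenticated Telnet 6000+, Unauthenticated SSH 7000+) and the username:port descriptors from the SSH section, worked through as an added Python example that is not Opengear code. The 48-port limit is taken from the ranges quoted in the text; the mapping of ttySN to serial port N+1 is inferred from the single chris:ttyS1 / chris:port02 example and should be checked against your own unit before relying on it.

```python
import re

# Base TCP port of each per-serial-port service; the actual port is base + port number.
SERVICE_BASE = {
    "telnet": 2000,
    "ssh": 3000,
    "raw_tcp": 4000,
    "rfc2217": 5000,
    "unauth_telnet": 6000,
    "unauth_ssh": 7000,
}
MAX_PORTS = 48  # the ranges quoted in the manual run to 48 serial ports

_USERNAME = re.compile(r"[A-Za-z0-9._-]{1,127}")  # 1-127 alphanumerics plus - _ .


def service_port(service, serial_port):
    """TCP port on the console server's primary address for a service on one serial port."""
    if service not in SERVICE_BASE:
        raise ValueError(f"unknown service {service!r}")
    if not 1 <= serial_port <= MAX_PORTS:
        raise ValueError(f"serial port {serial_port} out of range 1-{MAX_PORTS}")
    return SERVICE_BASE[service] + serial_port


def parse_ssh_username(username):
    """Split a port-22 login name into (user, selector).

    selector is the serial port number for user:portXX and user:ttySN,
    the string "menu" for user:serial, and None for a plain username
    (a login to the console server itself, not to a port).
    ttyS numbering is assumed to start at 0, so ttyS1 is serial port 2."""
    user, sep, descriptor = username.partition(":")
    if not _USERNAME.fullmatch(user):
        raise ValueError("invalid username")
    if not sep:
        return user, None
    if descriptor == "serial":
        return user, "menu"
    m = re.fullmatch(r"port(\d+)", descriptor)
    if m:
        port = int(m.group(1))
    else:
        m = re.fullmatch(r"ttyS(\d+)", descriptor)
        if not m:
            raise ValueError(f"unrecognised port descriptor {descriptor!r}")
        port = int(m.group(1)) + 1
    if not 1 <= port <= MAX_PORTS:
        raise ValueError(f"serial port {port} out of range 1-{MAX_PORTS}")
    return user, port


def ssh_targets(user, serial_port):
    """The equivalent ways to reach one serial port over SSH: a dedicated
    TCP port, or port 22 with the port descriptor carried in the username."""
    return {
        "dedicated": (user, service_port("ssh", serial_port)),
        "port22": (f"{user}:port{serial_port:02d}", 22),
        "port22_tty": (f"{user}:ttyS{serial_port - 1}", 22),
    }
```

A firewall in front of the console server only needs port 22 open if every client uses the username:port form; opening 3001-3048 as well widens the exposed surface without adding capability.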

Web Terminal This enables web browser access to the serial port via Manage > Devices: Serial using the Management Console’s built in AJAX terminal. Web Terminal connects as the currently authenticated Management Console user and does not re-authenticate. See section 12.3 for more details.

IP Alias

Enable access to the serial port using a specific IP address, specified in CIDR format. Each serial port can be assigned one or more IP aliases, configured on a per-network-interface basis. A serial port can, for example, be made accessible at both 192.168.0.148 (as part of the internal network) and 10.10.10.148 (as part of the Management LAN). It is also possible to make a serial port available on two IP addresses on the same network (for example, 192.168.0.148 and 192.168.0.248).

These IP addresses can only be used to access the specific serial port, accessible using the standard protocol TCP port numbers of the console server services. For example, SSH on serial port 3 would be accessible on port 22 of a serial port IP alias (whereas on the console server's primary address it is available on port 3003).

This feature can also be configured via the multiple port edit page. In this case the IP addresses are applied sequentially, with the first selected port getting the IP entered and subsequent ones getting incremented, with numbers being skipped for any unselected ports. For example, if ports 2, 3 and 5 are selected and the IP alias 10.0.0.1/24 is entered for the Network Interface, the following addresses are assigned:
Port 2: 10.0.0.1/24
Port 3: 10.0.0.2/24
Port 5: 10.0.0.4/24

IP Aliases also support IPv6 alias addresses. The only difference is that addresses are hexadecimal numbers, so port 10 may correspond to an address ending in A, and 11 to one ending in B, rather than 10 or 11 as per IPv4.
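The sequential allocation rule above, implemented as an added Python example (not Opengear code): the first selected port takes the address entered and each later port takes base + (port number minus first selected port), so unselected ports leave gaps, and IPv6 prefixes follow the same rule with hexadecimal host parts. Added here as a practical check: an alias that would fall outside the entered prefix, or on the IPv4 network or broadcast address, is rejected instead of being assigned.

```python
import ipaddress


def allocate_aliases(selected_ports, alias_cidr):
    """Map each selected serial port to the IP alias it would receive.

    alias_cidr is the value typed into the multiple-port edit page, e.g.
    "10.0.0.1/24" or "2001:db8::1/64". Returns {port: "addr/prefixlen"}."""
    iface = ipaddress.ip_interface(alias_cidr)
    ports = sorted(set(selected_ports))
    if not ports or ports[0] < 1:
        raise ValueError("select at least one serial port numbered from 1")
    first = ports[0]
    net = iface.network
    aliases = {}
    for port in ports:
        addr = iface.ip + (port - first)  # unselected ports leave holes
        if addr not in net:
            raise ValueError(f"port {port}: {addr} lies outside {net}")
        if iface.version == 4 and addr in (net.network_address, net.broadcast_address):
            raise ValueError(f"port {port}: {addr} is the network or broadcast address of {net}")
        aliases[port] = f"{addr}/{net.prefixlen}"
    return aliases
```

The check matters because the web form increments blindly: selecting ports 1 and 2 with 10.0.0.254/24 would hand port 2 the broadcast address 10.0.0.255, which this function refuses.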

Encrypt Traffic / Authenticate Enable trivial encryption and authentication of RFC2217 serial communications using Portshare. This is not strong protection; for strong encryption use a VPN.
Accumulation Period Once a connection has been established for a particular serial port (such as an RFC2217 redirection or Telnet connection to a remote computer), any incoming characters on that port are forwarded over the network on a character by character basis. The accumulation period specifies a period of time that incoming characters are collected before being sent as a packet over the network.
Escape Character Change the character used for sending escape characters. The default is ~.
Replace Backspace Substitute the default backspace value of CTRL+? (127) with CTRL+h (8).
Power Menu The command to bring up the power menu is ~p. It enables the shell power command so a user can control the power connection to a managed device from the command line when they are Telnet or SSH connected to the device. The managed device must be set up with both its Serial port connection and Power connection configured.
Single Connection This limits the port to a single connection, so if multiple users have access privileges for a particular port only one user at a time can access that port (i.e. port snooping is not permitted).
3.1.3 Device (RPC, UPS, Environmental) Mode
This mode configures the selected serial port to communicate with a serial controlled Uninterruptable Power Supply (UPS), Remote Power Controller / Power Distribution Unit (RPC) or Environmental Monitoring Device (Environmental)

1. Select the desired Device Type (UPS, RPC, or Environmental)
2. Proceed to the appropriate device configuration page (Serial & Network > UPS Connections, RPC Connection or Environmental) as detailed in Chapter 7.

3.1.4 Terminal Server Mode
· Select Terminal Server Mode and the Terminal Type (vt220, vt102, vt100, Linux or ANSI) to enable a getty on the selected serial port
The getty configures the port and waits for a connection to be made. An active connection on a serial device is indicated by the raised Data Carrier Detect (DCD) pin on the serial device. When a connection is detected, the getty program issues a login: prompt, and invokes the login program to handle the system login.
NOTE Selecting Terminal Server mode disables Port Manager for that serial port, so data is no longer logged for alerts etc.

3.1.5 Serial Bridging Mode
With serial bridging, the serial data on a nominated serial port on one console server is encapsulated into network packets and transported over a network to a second console server where it is represented as serial data. The two console servers act as a virtual serial cable over an IP network. One console server is configured to be the Server. The Server serial port to be bridged is set in Console server mode with either RFC2217 or RAW enabled. For the Client console server, the serial port to be bridged must be set in Bridging Mode:
· Select Serial Bridging Mode and specify the IP address of the Server console server and the TCP port address of the remote serial port (for RFC2217 bridging this will be 5001-5048)
· By default, the bridging client uses RAW TCP. Select RFC2217 if this is the console server mode you have specified on the server console server
· You can secure the communications over the local Ethernet by enabling SSH. Generate and upload keys.
3.1.6 Syslog
In addition to the inbuilt logging and monitoring which can be applied to serial-attached and network-attached management accesses, as covered in Chapter 6, the console server can also be configured to support the remote syslog protocol on a per serial port basis:
· Select the Syslog Facility/Priority fields to enable logging of traffic on the selected serial port to a syslog server; and to sort and act on those logged messages (i.e. redirect them / send alert email.)
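What the Facility/Priority selection produces on the wire, and how a collector acts on it, as an added Python example that is not Opengear code and does not come from this manual. The facility and severity codes and the PRI = facility * 8 + severity rule are from RFC 3164 / RFC 5424; the three log lines are constructed. The watch is set for local0 at critical or worse, the pairing used for a port that should normally stay silent, and the unrelated auth.crit line shows why the filter keys on facility as well as priority.

```python
import re

FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4,
              "syslog": 5, "lpr": 6, "news": 7, "uucp": 8, "cron": 9,
              "authpriv": 10, "ftp": 11,
              **{f"local{i}": 16 + i for i in range(8)}}   # local0..local7 = 16..23
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}
_FAC_NAME = {v: k for k, v in FACILITIES.items()}
_SEV_NAME = {v: k for k, v in SEVERITIES.items()}
_LINE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


def pri(facility, severity):
    """PRI value that opens a syslog message: facility * 8 + severity."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def decode_pri(value):
    """Inverse of pri(); unassigned facility codes get a generic name."""
    if not 0 <= value <= 191:
        raise ValueError(f"PRI {value} out of range 0-191")
    fac, sev = divmod(value, 8)
    return _FAC_NAME.get(fac, f"facility{fac}"), _SEV_NAME[sev]


def parse_line(line):
    m = _LINE.match(line)
    if not m:
        raise ValueError(f"not a syslog line: {line!r}")
    facility, severity = decode_pri(int(m.group(1)))
    return {"facility": facility, "severity": severity, "msg": m.group(2)}


def alerts_for(lines, facility="local0", worst_allowed="crit"):
    """Messages on the watched facility at the given severity or worse.
    Lower code means more severe, so 'crit or worse' is code <= 2."""
    threshold = SEVERITIES[worst_allowed]
    return [rec for rec in map(parse_line, lines)
            if rec["facility"] == facility
            and SEVERITIES[rec["severity"]] <= threshold]


# Constructed sample: port 1 is configured local1/info (normal traffic),
# port 3 is local0/critical (should stay silent), plus an unrelated auth.crit.
SAMPLE_LINES = [
    "<142>Jan 10 03:12:40 console1 portmanager: port01 rx: 'login: '",
    "<130>Jan 10 03:12:44 console1 portmanager: port03 rx: 'Kernel panic - not syncing'",
    "<34>Jan 10 03:12:50 console1 sshd: Failed password for root",
]
```

Only the port 3 line matches the default watch: PRI 130 decodes to local0.crit, PRI 142 is local1.info, and PRI 34 is auth.crit, which is critical but on the wrong facility.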
For example, if the computer attached to serial port 3 should never send anything out on its serial console port, the administrator can set the Facility for that port to local0 (local0 .. local7 are meant for site local values), and the Priority to critical. At this priority, if the syslog server does receive a message from that port, it raises an alert. See Chapter 6.

3.1.7 NMEA Streaming
The ACM7000-L can provide GPS NMEA data streaming from the internal GPS/cellular modem. This data stream presents as a serial data stream on port 5 on the ACM models.
The Common Settings (baud rate etc.) are ignored when configuring the NMEA serial port. You can specify the Fix Frequency (i.e. this GPS fix rate determines how often GPS fixes are obtained). You can also apply all the Console Server Mode, Syslog and Serial Bridging settings to this port.
You can use pmshell, webshell, SSH, RFC2217 or RawTCP to get at the stream (for example, using the Web Terminal).

3.1.8 USB Consoles
Console servers with USB ports support USB console connections to devices from a wide range of vendors, including Cisco, HP, Dell and Brocade. These USB ports can also function as plain RS-232 serial ports when a USB-to-serial adapter is connected.

These USB ports are available as regular portmanager ports and are presented numerically in the web UI after all RJ45 serial ports.

The ACM7008-2 has eight RJ45 serial ports on the rear of the console server and four USB ports on the front. In Serial & Network > Serial Port these are listed as:

Port #   Connector
1        RJ45
2        RJ45
3        RJ45
4        RJ45
5        RJ45
6        RJ45
7        RJ45
8        RJ45
9        USB
10       USB
11       USB
12       USB

If the particular ACM7008-2 is a cellular model, port #13 (for the GPS) will also be listed.

The 7216-24U has 16 RJ45 serial ports and 24 USB ports on its rear-face as well as two front-facing USB ports and (in the cellular model) a GPS.

The RJ45 serial ports are presented in Serial & Network > Serial Port as port numbers 1-16. The 24 rear-facing USB ports take port numbers 17-40, and the front-facing USB ports are listed at port numbers 41 and 42 respectively. And, as with the ACM7008-2, if the particular 7216-24U is a cellular model, the GPS is presented at port number 43.

The common settings (baud rate, etc.) are used when configuring the ports, but some operations may not work depending on the implementation of the underlying USB serial chip.

3.2 Add and Edit Users
The administrator uses this menu selection to create, edit and delete users and to define the access permissions for each of these users.


Users can be authorized to access specified services, serial ports, power devices and specified network-attached hosts. These users can also be given full administrator status (with full configuration and management and access privileges).

Users can be added to groups. Six groups are set up by default:

admin    Provides unlimited configuration and management privileges.
pptpd    Allows access to the PPTP VPN server. Users in this group have their password stored in clear text.
dialin   Allows dialin access via modems. Users in this group have their password stored in clear text.
ftp      Allows ftp access and file access to storage devices.
pmshell  Sets default shell to pmshell.
users    Provides users with basic management privileges.

The admin group provides members full administrator privileges. The admin user can access the console server using any of the services which have been enabled in System > Services. They can also access any of the connected Hosts or serial port devices using any of the services that have been enabled for these connections. Only trusted users should have administrator access.
The users group provides members with limited access to the console server and connected hosts and serial devices. These users can only access the Management section of the Management Console menu and they have no command line access to the console server. They can only access those Hosts and serial devices that have been checked for them, using services that have been enabled.
Users in the pptpd, dialin, ftp or pmshell groups have restricted user shell access to the nominated managed devices but they do not have any direct access to the console server. To add this, the users must also be members of the users or admin groups. Because pptpd and dialin membership stores the password in clear text, give those accounts passwords that are not shared with admin or users accounts or with any other system.
The administrator can set up additional groups with specific power device, serial port and host access permissions. Users in these additional groups don't have any access to the Management Console menu nor do they have any command line access to the console server.

The administrator can set up users with specific power device, serial port and host access permissions who are not a member of any groups. These users don't have any access to the Management Console menu nor command line access to the console server.

3.2.1 Set up new group
To set up new groups and new users, and to classify users as members of particular groups:
1. Select Serial & Network > Users & Groups to display all groups and users
2. Click Add Group to add a new group
3. Add a Group name and Description for each new group, and nominate the Accessible Hosts, Accessible Ports and Accessible RPC Outlets that users in this new group will be able to access
4. Click Apply
5. The administrator can Edit or Delete any added group

3.2.2 Set up new users
To set up new users, and to classify users as members of particular groups:
1. Select Serial & Network > Users & Groups to display all groups and users
2. Click Add User
3. Add a Username for each new user. You may also include information related to the user (e.g. contact details) in the Description field. The Username can contain from 1 to 127 alphanumeric characters and the characters “-”, “_” and “.”.
4. Specify which Groups you wish the user to be a member of
5. Add a confirmed Password for each new user. All characters are allowed.
6. SSH public key authentication can be used. Paste the public keys of authorized public/private keypairs for this user in the Authorized SSH Keys field
7. Check Disable Password Authentication to only allow public key authentication for this user when using SSH
8. Check Enable Dial-Back in the Dial-in Options menu to allow an out-going dial-back connection to be triggered by logging into this port. Enter the Dial-Back Phone Number with the phone number to call back when the user logs in
9. Check Accessible Hosts and/or Accessible Ports to nominate the serial ports and network connected hosts you wish the user to have access privileges to
10. If there are configured RPCs, check Accessible RPC Outlets to specify which outlets the user is able to control (i.e. Power On/Off)
11. Click Apply. The new user will be able to access the accessible Network Devices, Ports and RPC Outlets. If the user is a group member, they can also access any other device/port/outlet accessible to the group
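The access model of steps 9 to 11 and of the group descriptions above, worked through as an added Python example that is not Opengear code: a user's effective Hosts, Ports and RPC Outlets are the union of their own grants and those of every group they belong to, admin members get everything, and a user who has been Disabled gets nothing. The inventory, groups and users are constructed for the example.

```python
from dataclasses import dataclass

KINDS = ("hosts", "ports", "outlets")   # Accessible Hosts / Ports / RPC Outlets


@dataclass(frozen=True)
class Group:
    name: str
    hosts: frozenset = frozenset()
    ports: frozenset = frozenset()
    outlets: frozenset = frozenset()


@dataclass(frozen=True)
class User:
    name: str
    groups: tuple = ()
    hosts: frozenset = frozenset()
    ports: frozenset = frozenset()
    outlets: frozenset = frozenset()
    disabled: bool = False


def effective_access(user, groups, inventory):
    """Union of the user's own grants and every group's grants.
    admin members get the whole inventory; a disabled user gets nothing.
    inventory maps each kind to the set of every configured item."""
    if user.disabled:
        return {k: frozenset() for k in KINDS}
    if "admin" in user.groups:
        return {k: frozenset(inventory[k]) for k in KINDS}
    granted = {k: set(getattr(user, k)) for k in KINDS}
    for gname in user.groups:
        if gname not in groups:
            raise KeyError(f"{user.name}: unknown group {gname!r}")
        for k in KINDS:
            granted[k] |= getattr(groups[gname], k)
    return {k: frozenset(v) for k, v in granted.items()}


def can_access(user, groups, inventory, kind, item):
    return item in effective_access(user, groups, inventory)[kind]


# Constructed inventory, groups and users.
INVENTORY = {"hosts": {"core-sw1", "fw1"}, "ports": {1, 2, 3, 4},
             "outlets": {"pdu1:1", "pdu1:2", "pdu1:3"}}
GROUPS = {
    "admin": Group("admin"),
    "users": Group("users"),
    "netops": Group("netops", hosts=frozenset({"core-sw1"}), ports=frozenset({1, 2})),
    "dc-power": Group("dc-power", outlets=frozenset({"pdu1:3"})),
}
USERS = {
    "alice": User("alice", groups=("admin",)),
    "bob": User("bob", groups=("users", "netops"), ports=frozenset({3})),
    "carol": User("carol", hosts=frozenset({"fw1"})),                       # no groups at all
    "dave": User("dave", groups=("netops", "dc-power"), disabled=True),     # Disable clicked
}
```

Reviewing access this way, rather than per user in the web UI, shows the additive effect of group membership: bob's own grant is port 3, but netops adds ports 1 and 2 and core-sw1, and nothing in his configuration takes a grant away.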
There are no limits on the number of users you can set up or the number of users per serial port or host. Multiple users can control/monitor the one port or host. There are no limits on the number of groups and each user can be a member of a number of groups. A user does not have to be a member of any groups, but if the user is a member of the default user group, they will not be able to use the Management Console to manage ports. While there are no limits, the time to re-configure increases as the number and complexity increases. We recommend the aggregate number of users and groups be kept under 250. The administrator can also edit the access settings for any existing users:
· Select Serial & Network > Users & Groups and click Edit to modify the user access privileges
· Click Delete to remove the user
· Click Disable to temporarily block access privileges
3.3 Authentication
See Chapter 8 for authentication configuration details.
3.4 Network Hosts
To monitor and remotely access a locally networked computer or device (referred to as a Host) you must identify the Host:
1. Selecting Serial & Network > Network Hosts presents all the network connected Hosts that have been enabled for use.
2. Click Add Host to enable access to a new Host (or select Edit to update the settings for existing Host)
3. If the Host is a PDU or UPS power device or a server with IPMI power control, specify RPC (for IPMI and PDU) or UPS and the Device Type. The administrator can configure these devices and enable which users have permission to remotely cycle power, etc. See Chapter 7. Otherwise leave the Device Type set to None.
4. If the console server has been configured with distributed Nagios monitoring enabled, you will also see Nagios Settings options to enable nominated services on the Host to be monitored.
5. Click Apply. This creates the new Host and also creates a new managed device with the same name.
3.5 Trusted Networks
The Trusted Networks facility gives you an option to nominate IP addresses that users must be located at, to have access to console server serial ports:
1. Select Serial & Network > Trusted Networks
2. To add a new trusted network, select Add Rule. In the absence of Rules, there are no access limitations as to the IP address at which users can be located.
3. Select the Accessible Ports that the new rule is to be applied to
4. Enter the Network Address of the subnet to be permitted access
5. Specify the range of addresses that are to be permitted by entering a Network Mask for that permitted IP range, e.g.
· To permit all the users located on a particular Class C network to connect to the nominated port, add the following Trusted Network rule:
  Network IP Address: 204.15.5.0
  Subnet Mask: 255.255.255.0
· To permit only one user located at a specific IP address to connect:
  Network IP Address: 204.15.5.13
  Subnet Mask: 255.255.255.255
· To allow all the users operating from within a specific range of IP addresses (say any of the thirty addresses from 204.15.5.129 to 204.15.5.158) to connect to the nominated port:
  Host/Subnet Address: 204.15.5.128
  Subnet Mask: 255.255.255.224

6. Click Apply
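The rule evaluation described in steps 2 to 5, as an added Python example that is not Opengear code: each rule is a network address and mask bound to a set of ports, a port with no rule accepts any source address, and a port with rules accepts a source that matches any one of them. The three rules are the manual's own sample rules, each bound here to a different port as constructed data.

```python
import ipaddress


def make_rule(accessible_ports, network_address, subnet_mask):
    """One Trusted Networks rule. strict=True rejects a Network Address with
    host bits set under the mask (e.g. 204.15.5.13 with 255.255.255.0), which
    is the usual data-entry mistake on this form."""
    net = ipaddress.ip_network(f"{network_address}/{subnet_mask}", strict=True)
    return frozenset(accessible_ports), net


def is_trusted(rules, serial_port, source_ip):
    """True if source_ip may reach serial_port. No rule for the port means
    no restriction; otherwise any one matching rule permits the source."""
    src = ipaddress.ip_address(source_ip)
    applicable = [net for ports, net in rules if serial_port in ports]
    if not applicable:
        return True
    return any(src in net for net in applicable)


# The manual's three sample rules, bound to ports 1, 2 and 3 respectively.
RULES = [
    make_rule([1], "204.15.5.0", "255.255.255.0"),       # whole class C
    make_rule([2], "204.15.5.13", "255.255.255.255"),    # one host
    make_rule([3], "204.15.5.128", "255.255.255.224"),   # .129-.158, thirty hosts
]
```

Two points worth checking when writing rules: because matching is any-rule-permits, adding the class C rule to port 2 alongside the single-host rule silently widens port 2 to the whole network; and, as described here, the rules gate serial-port access only, so access to the console server's own management services has to be restricted separately.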

3.6 Serial Port Cascading
Cascaded Ports enables you to cluster distributed console servers so a large number of serial ports (up to 1000) can be configured and accessed through one IP address and managed through the one Management Console. One console server, the Primary, controls other console servers as Node units and all the serial ports on the Node units appear as if they are part of the Primary. Opengear's clustering connects each Node to the Primary with an SSH connection. This is done using public key authentication, so the Primary can access each Node using the SSH key pair (rather than using passwords). This ensures secure authenticated communications between Primary and Nodes, enabling the Node console server units to be distributed locally on a LAN or remotely around the world.
3.6.1 Automatically generate and upload SSH keys
To set up public key authentication you must first generate an RSA or DSA key pair and upload them into the Primary and Node console servers. This can be done automatically from the Primary:
1. Select System > Administration on Primary’s Management Console
2. Check Generate SSH keys automatically.
3. Click Apply
Next you must select whether to generate keys using RSA and/or DSA (if unsure, select only RSA; DSA keys have been disabled by default in OpenSSH since release 7.0 and may not be accepted by current SSH software). Generating each set of keys requires about two minutes and the new keys destroy the old keys of that type. While the new generation is underway, functions relying on SSH keys (e.g. cascading) may stop functioning until they are updated with the new set of keys. To generate keys:
1. Check the boxes for the keys you wish to generate.
2. Click Apply
3. Once the new keys have been generated, click the link Click here to return. The keys are uploaded to the Primary and connected Nodes.
3.6.2 Manually generate and upload SSH keys Alternately if you have an RSA or DSA key pair you can upload them to the Primary and Node consoleservers. To upload the key public and private key pair to the Primary console server:
1. Select System > Administration on the Primary’s Management Console
2. Browse to the location where you have stored the RSA (or DSA) Public Key and upload it to SSH RSA (DSA) Public Key
3. Browse to the stored RSA (or DSA) Private Key and upload it to SSH RSA (DSA) Private Key
4. Click Apply
Next, you must register the Public Key as an Authorized Key on the Node. In the case of one Primary with multiple Nodes, you upload one RSA or DSA public key for each Node.
1. Select System > Administration on the Node’s Management Console
2. Browse to the stored RSA (or DSA) Public Key and upload it to the Node’s SSH Authorized Key
3. Click Apply
The next step is to Fingerprint each new Node-Primary connection. This step validates that you are establishing an SSH session to who you think you are. On the first connection the Node receives a fingerprint from the Primary that is used on all future connections. To establish the fingerprint, first log in to the Primary server as root and establish an SSH connection to the Node remote host:
ssh remhost
Once the SSH connection has been established, you are asked to accept the key. Answer yes and the fingerprint is added to the list of known hosts. If you are asked to supply a password, there was a problem uploading the keys.
3.6.3 Configure the Nodes and their serial ports
Begin setting up the Nodes and configuring Node serial ports from the Primary console server:
1. Select Serial & Network > Cascaded Ports on the Primary’s Management Console
2. To add clustering support, select Add Node
You can’t add Nodes until you have generated SSH keys. To define and configure a Node:
1. Enter the remote IP Address or DNS Name for the Node console server
2. Enter a brief Description and a short Label for the Node
3. Enter the full number of serial ports on the Node unit in Number of Ports
4. Click Apply. This establishes the SSH tunnel between the Primary and the new Node
The Serial & Network > Cascaded Ports menu displays all the nodes and the port numbers that have been allocated on the Primary. If the Primary console server has 16 ports of its own, ports 1-16 are preallocated to the Primary, so the first node added is assigned port number 17 onwards. Once you have added all the Node console servers, the Node serial ports and the connected devices are configurable and accessible from the Primary’s Management Console menu and accessible through the Primary’s IP address.
1. Select the appropriate Serial & Network > Serial Port and Edit to configure the serial ports on the Node.
2. Select the appropriate Serial & Network > Users & Groups to add new users with access privileges to the Node serial ports (or to extend existing users’ access privileges).
3. Select the appropriate Serial & Network > Trusted Networks to specify network addresses that can access nominated node serial ports.
4. Select the appropriate Alerts & Logging > Alerts to configure Node port Connection, State Change or Pattern Match alerts.
The configuration changes made on the Primary are propagated out to all the nodes when you click Apply.
3.6.4 Managing Nodes
The Primary is in control of the Node serial ports. For example, if you change a user’s access privileges or edit any serial port setting on the Primary, the updated configuration files are sent out to each Node in parallel. Each Node makes changes to its local configuration (and only makes changes that relate to its particular serial ports). You can use the local Node Management Console to change the settings on any node serial port (such as altering the baud rates). These changes are overwritten the next time the Primary sends out a configuration file update. While the Primary is in control of all node serial port related functions, it is not primary over the node network host connections or over the Node Console Server system. Node functions such as IP, SMTP & SNMP Settings, Date & Time, and DHCP server must be managed by accessing each node directly, and these functions are not overwritten when configuration changes are propagated from the Primary. The Node’s Network Host and IPMI settings must be configured at each node.
The Primary’s Management Console provides a consolidated view of the settings for its own and the entire Node’s serial ports. The Primary does not provide a fully consolidated view. For example, if you want to find out who is logged in to cascaded serial ports from the Primary, you’ll see that Status > Active Users only displays those users active on the Primary’s ports, so you may need to write custom scripts to provide this view.
3.7 Serial Port Redirection (PortShare)
Opengear’s Port Share software delivers the virtual serial port technology your Windows and Linux applications need to open remote serial ports and read the data from serial devices that are connected to your console server.
PortShare is supplied free with each console server and you are licensed to install PortShare on one or more computers for accessing any serial device connected to a console server port.
PortShare for Windows
The portshare_setup.exe can be downloaded from the ftp site. See the PortShare User Manual and Quick Start for details on installation and operation.
PortShare for Linux
The PortShare driver for Linux maps the console server serial port to a host tty port. Opengear has released the portshare-serial-client as an open source utility for Linux, AIX, HPUX, SCO, Solaris and UnixWare. This utility can be downloaded from the ftp site. This PortShare serial port redirector allows you to use a serial device connected to the remote console server as if it were connected to your local serial port. The portshare-serial-client creates a pseudo tty port, connects the serial application to the pseudo tty port, receives data from the pseudo tty port and transmits it to the console server through the network, and receives data from the console server through the network and transmits it to the pseudo tty port. The .tar file can be downloaded from the ftp site. See the PortShare User Manual and Quick Start for details on installation and operation.
3.8 Managed Devices
The Managed Devices page presents a consolidated view of all the connections to a device that can be accessed and monitored through the console server. To view the connections to the devices, select Serial & Network > Managed Devices
This screen displays all the managed devices with their Description/Notes and lists of all the configured Connections:
· Serial Port # (if serially connected) or
· USB (if USB connected)
· IP Address (if network connected)
· Power PDU/outlet details (if applicable) and any UPS connections
Devices such as servers may have more than one power connection (e.g. dual power supplies) and more than one network connection (e.g. for BMC/service processor). All users can view these managed device connections by selecting Manage > Devices. Administrators can also edit and add/delete these managed devices and their connections. To edit an existing device and add a new connection:
1. Select Edit on the Serial & Network > Managed Devices page and click Add Connection
2. Select the connection type for the new connection (Serial, Network Host, UPS or RPC) and select the connection from the presented list of configured unallocated hosts/ports/outlets
To add a new network connected managed device:
1. The Administrator adds a new network connected managed device using Add Host on the Serial & Network > Network Host menu. This automatically creates a corresponding new managed device.
2. When adding a new network connected RPC or UPS power device, you set up a Network Host and designate it as RPC or UPS. Go to RPC Connections or UPS Connections to configure the relevant connection. The corresponding new managed device with the same Name/Description as the RPC/UPS Host is not created until this connection step is completed.
NOTE The outlet names on the newly created PDU are Outlet 1 and Outlet 2. When you connect a particular managed device that draws power from the outlet, the outlet takes the name of the powered managed device.
To add a new serially connected managed device:
1. Configure the serial port using the Serial & Network > Serial Port menu (see Section 3.1 Configure Serial Port)
2. Select Serial & Network > Managed Devices and click Add Device
3. Enter a Device Name and Description for the managed device
4. Click Add Connection and select Serial and the Port that connects to the managed device
5. To add a UPS/RPC power connection or network connection or another serial connection, click Add Connection
6. Click Apply
NOTE To set up a serially connected RPC, UPS or EMD device, configure the serial port, designate it as a Device, and enter a Name and Description for that device in Serial & Network > RPC Connections (or UPS Connections or Environmental). This creates a corresponding new managed device with the same Name/Description as the RPC/UPS Host. The outlet names on this newly created PDU are Outlet 1 and Outlet 2. When you connect a managed device that draws power from the outlet, the outlet takes the name of the powered managed Device.

3.9 IPsec VPN
The ACM7000, CM7100, and IM7200 include Openswan, a Linux implementation of the IPsec (IP Security) protocols, which can be used to configure a Virtual Private Network (VPN). The VPN allows multiple sites or remote administrators to access the console server and managed devices securely over the Internet.

The administrator can establish encrypted, authenticated VPN connections between console servers distributed at remote sites and a VPN gateway (such as a Cisco router running IOS IPsec) on their central office network:
· Users at the central office can securely access the remote console servers and connected serial console devices and machines on the Management LAN subnet at the remote location as though they were local
· All these remote console servers can be monitored with a CMS6000 on the central network
· With serial bridging, serial data from a controller at the central office machine can be securely connected to the serially controlled devices at the remote sites
· The road warrior administrator can use a VPN IPsec software client to remotely access the console server and every machine on the Management LAN subnet at the remote location
Configuration of IPsec is quite complex so Opengear provides a GUI interface for basic set up as described below. To enable the VPN gateway:
1. Select IPsec VPN on the Serial & Networks menu
2. Click Add and complete the Add IPsec Tunnel screen
3. Enter any descriptive name you wish to identify the IPsec Tunnel you are adding, such as WestStOutlet-VPN
4. Select the Authentication Method to be used, either RSA digital signatures or a Shared secret (PSK)
o If you select RSA you are asked to click here to generate keys. This generates an RSA public key for the console server (the Left Public Key). Locate the key to be used on the remote gateway, and cut and paste it into the Right Public Key
o If you select Shared secret, enter a Pre-shared secret (PSK). The PSK must match the PSK configured at the other end of the tunnel
5. In Authentication Protocol select the authentication protocol to be used. Either authenticate as part of ESP (Encapsulating Security Payload) encryption or separately using the AH (Authentication Header) protocol.
6. Enter a Left ID and Right ID. This is the identifier that the local host/gateway and remote host/gateway use for IPsec negotiation and authentication. Each ID must include an @ and can include a fully qualified domain name (e.g. left@example.com)
7. Enter the public IP or DNS address of this Opengear VPN gateway as the Left Address. You can leave this blank to use the interface of the default route
8. In Right Address enter the public IP or DNS address of the remote end of the tunnel (only if the remote end has a static or DynDNS address). Otherwise leave this blank
9. If the Opengear VPN gateway is serving as a VPN gateway to a local subnet (e.g. the console server has a Management LAN configured) enter the private subnet details in Left Subnet. Use the CIDR notation (where the IP address number is followed by a slash and the number of ‘one’ bits in the binary notation of the netmask). For example, 192.168.0.0/24 indicates an IP address where the first 24 bits are used as the network address. This is the same as 255.255.255.0. If the VPN access is only to the console server and to its attached serial console devices, leave Left Subnet blank
10. If there is a VPN gateway at the remote end, enter the private subnet details in Right Subnet. Use the CIDR notation and leave blank if there is only a remote host
11. Select Initiate Tunnel if the tunnel connection is to be initiated from the Left console server end. This can only be initiated from the VPN gateway (Left) if the remote end is configured with a static (or DynDNS) IP address
12. Click Apply to save changes
NOTE Configuration details set up on the console server (referred to as the Left or Local host) must match the set up entered when configuring the Remote (Right) host/gateway or software client. See http://www.opengear.com/faq.html for details on configuring these remote ends
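As an added illustration (not Opengear code) of the field rules in steps 6 to 11, the following Python checks a set of Add IPsec Tunnel values offline: the IDs must include an @, the Subnet fields must be CIDR network addresses (expanded to a dotted netmask as in step 9), and Initiate Tunnel needs a Right Address. The IpsecTunnel class and its sample values are constructed for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List


# Field names mirror the Add IPsec Tunnel screen described above; this
# validator is an added example and is not part of the Opengear firmware.
@dataclass
class IpsecTunnel:
    name: str
    left_id: str                 # e.g. left@example.com, must include '@'
    right_id: str
    left_address: str = ""       # blank: use the interface of the default route
    right_address: str = ""      # blank: remote end has no static/DynDNS address
    left_subnet: str = ""        # CIDR, blank: access to the console server only
    right_subnet: str = ""       # CIDR, blank: only a remote host, no gateway
    initiate_tunnel: bool = False


def cidr_to_netmask(cidr: str) -> str:
    """Expand a CIDR prefix to its dotted netmask, e.g. /24 -> 255.255.255.0.

    strict=True rejects a value whose host bits are set (192.168.0.1/24), which
    is a host address rather than the network address the Subnet fields expect.
    """
    return str(ipaddress.ip_network(cidr, strict=True).netmask)


def validate(tunnel: IpsecTunnel) -> List[str]:
    """Return a list of problems; an empty list means the fields are consistent."""
    problems: List[str] = []

    # Each ID must include an '@' (step 6).
    for label, ident in (("Left ID", tunnel.left_id), ("Right ID", tunnel.right_id)):
        if "@" not in ident:
            problems.append(f"{label} {ident!r} must include an '@'")

    # Subnets are optional but, if given, must be valid CIDR networks (steps 9-10).
    for label, subnet in (("Left Subnet", tunnel.left_subnet),
                          ("Right Subnet", tunnel.right_subnet)):
        if subnet:
            try:
                cidr_to_netmask(subnet)
            except ValueError as exc:
                problems.append(f"{label}: {exc}")

    # Left can only initiate when Right has a static or DynDNS address (step 11).
    if tunnel.initiate_tunnel and not tunnel.right_address:
        problems.append("Initiate Tunnel requires a static or DynDNS Right Address")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not taken from a real deployment.
    example = IpsecTunnel(
        name="WestStOutlet-VPN",
        left_id="left@example.com",
        right_id="right@example.com",
        right_address="203.0.113.1",
        left_subnet="192.168.0.0/24",
        initiate_tunnel=True,
    )
    print(cidr_to_netmask(example.left_subnet))   # 255.255.255.0
    print(validate(example) or "fields are consistent")
```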
3.10 OpenVPN
The ACM7000, CM7100, and IM7200 with firmware V3.2 and later include OpenVPN. OpenVPN uses the OpenSSL library for encryption, authentication, and certification, which means it uses SSL/TLS (Secure Socket Layer/Transport Layer Security) for key exchange and can encrypt both data and control channels. Using OpenVPN allows for the building of cross-platform, point-to-point VPNs using either X.509 PKI (Public Key Infrastructure) or custom configuration files. OpenVPN allows secure tunneling of data through a single TCP/UDP port over an unsecured network, thus providing secure access to multiple sites and secure remote administration of a console server over the Internet. OpenVPN also allows the use of dynamic IP addresses by both the server and client, thus providing client mobility. For example, an OpenVPN tunnel may be established between a roaming Windows client and an Opengear console server within a data center. Configuration of OpenVPN can be complex so Opengear provides a GUI interface for basic set up as described below. More detailed information is available at http://www.openvpn.net
3.10.1 Enable the OpenVPN
1. Select OpenVPN on the Serial & Networks menu
2. Click Add and complete the Add OpenVPN Tunnel screen
3. Enter any descriptive name you wish to identify the OpenVPN Tunnel you are adding, for example NorthStOutlet-VPN
4. Select the authentication method to be used. To authenticate using certificates select PKI (X.509 Certificates) or select Custom Configuration to upload custom configuration files. Custom configurations must be stored in /etc/config.
NOTE If you select PKI, establish:
· A separate certificate (also known as a public key). This Certificate File is a .crt file type
· A Private Key for the server and each client. This Private Key File is a .key file type
· A Primary Certificate Authority (CA) certificate and key which is used to sign each of the server and client certificates. This Root CA Certificate is a *.crt file type
For a server, you may also need dh1024.pem (Diffie Hellman parameters). See http://openvpn.net/easyrsa.html for a guide to basic RSA key management. For alternative authentication methods see http://openvpn.net/index.php/documentation/howto.html#auth.
5. Select the Device Driver to be used, either Tun-IP or Tap-Ethernet. The TUN (network tunnel) and TAP (network tap) drivers are virtual network drivers that support IP tunneling and Ethernet tunneling, respectively. TUN and TAP are part of the Linux kernel.
6. Select either UDP or TCP as the Protocol. UDP is the default and preferred protocol for OpenVPN.
7. Check or uncheck the Compression button to enable or disable compression.
8. In Tunnel Mode, nominate whether this is the Client or Server end of the tunnel. When running as a server, the console server supports multiple clients connecting to the VPN server over the same port.
3.10.2 Configure as Server or Client
1. Complete the Client Details or Server Details depending on the Tunnel Mode selected.
o If Client has been selected, the Primary Server Address is the address of the OpenVPN Server.
o If Server has been selected, enter the IP Pool Network address and the IP Pool Network mask for the IP Pool. The network defined by the IP Pool Network address/mask is used to provide the addresses for connecting clients.
2. Click Apply to save changes
3. To enter authentication certificates and files, select the Manage OpenVPN Files tab. Upload or browse to relevant authentication certificates and files.
4. Apply to save changes. Saved files are displayed in red on the right-hand side of the Upload button.
5. To enable OpenVPN, Edit the OpenVPN tunnel
6. Check the Enabled button.
7. Apply to save changes
NOTE Make sure that the console server system time is correct when working with OpenVPN to avoid authentication issues.
8. Select Statistics on the Status menu to verify that the tunnel is operational.
3.10.3 Windows OpenVPN Client and Server set up
This section outlines the installation and configuration of a Windows OpenVPN client or a Windows OpenVPN server and setting up a VPN connection to a console server. Console servers generate the Windows client config automatically from the GUI for Pre-shared Secret (Static Key File) configurations.
Alternately OpenVPN GUI for Windows software (which includes the standard OpenVPN package plus a Windows GUI) can be downloaded from http://openvpn.net. Once installed on the Windows machine, an OpenVPN icon is added to the Notification Area located in the right side of the taskbar. Right click on this icon to start and stop VPN connections, edit configurations, and view logs.
When the OpenVPN software begins running, the C:\Program Files\OpenVPN\config folder is scanned for .ovpn files. This folder is rechecked for new configuration files whenever the OpenVPN GUI icon is right-clicked. Once OpenVPN is installed, create a configuration file:
Using a text editor, create an xxxx.ovpn file and save it in C:\Program Files\OpenVPN\config. For example, C:\Program Files\OpenVPN\config\client.ovpn
An example of an OpenVPN Windows client configuration file is shown below:

# description: IM4216_client
client
proto udp
verb 3
dev tun
remote 192.168.250.152
port 1194
ca c:\\openvpnkeys\\ca.crt
cert c:\\openvpnkeys\\client.crt
key c:\\openvpnkeys\\client.key
nobind
persist-key
persist-tun
comp-lzo
An example of an OpenVPN Windows Server configuration file is shown below:
server 10.100.10.0 255.255.255.0
port 1194
keepalive 10 120
proto udp
mssfix 1400
persist-key
persist-tun
dev tun
ca c:\\openvpnkeys\\ca.crt
cert c:\\openvpnkeys\\server.crt
key c:\\openvpnkeys\\server.key
dh c:\\openvpnkeys\\dh.pem
comp-lzo
verb 1
syslog IM4216_OpenVPN_Server
The Windows client/server configuration file options are:

#description:
    This is a comment describing the configuration. Comment lines start with ‘#’ and are ignored by OpenVPN.
client / server
    Specify whether this will be a client or server configuration file. In the server configuration file, define the IP address pool and netmask. For example, server 10.100.10.0 255.255.255.0
proto udp / proto tcp
    Set the protocol to UDP or TCP. The client and server must use the same settings.
mssfix <max. size>
    Mssfix sets the maximum size of the packet. This is only useful for UDP if problems occur.
verb
    Set log file verbosity level. Log verbosity level can be set from 0 (minimum) to 15 (maximum). For example, 0 = silent except for fatal errors; 3 = medium output, good for general usage; 5 = helps with debugging connection problems; 9 = verbose, excellent for troubleshooting
dev tun / dev tap
    Select ‘dev tun’ to create a routed IP tunnel or ‘dev tap’ to create an Ethernet tunnel. The client and server must use the same settings.
remote
    The hostname/IP of the OpenVPN server when operating as a client. Enter either the DNS hostname or the static IP address of the server.
port
    The UDP/TCP port of the server.
keepalive
    Keepalive uses ping to keep the OpenVPN session alive. ‘keepalive 10 120’ pings every 10 seconds and assumes the remote peer is down if no ping has been received over a 120 second time period.
http-proxy <proxy port #>
    If a proxy is required to access the server, enter the proxy server DNS name or IP and port number.
ca
    Enter the CA certificate file name and location. The same CA certificate file can be used by the server and all clients. Note: Ensure each ‘\’ in the directory path is replaced with ‘\\’. For example, c:\openvpnkeys\ca.crt will become c:\\openvpnkeys\\ca.crt
cert
    Enter the client’s or server’s certificate file name and location. Each client should have its own certificate and key files. Note: Ensure each ‘\’ in the directory path is replaced with ‘\\’.
key
    Enter the file name and location of the client’s or server’s key. Each client should have its own certificate and key files. Note: Ensure each ‘\’ in the directory path is replaced with ‘\\’.
dh
    This is used by the server only. Enter the path to the key with the Diffie-Hellman parameters.
nobind
    ‘nobind’ is used when clients do not need to bind to a local address or specific local port number. This is the case in most client configurations.
persist-key
    This option prevents the reloading of keys across restarts.
persist-tun
    This option prevents the close and reopen of TUN/TAP devices across restarts.
cipher BF-CBC (Blowfish, default) / cipher AES-128-CBC (AES) / cipher DES-EDE3-CBC (Triple-DES)
    Select a cryptographic cipher. The client and server must use the same settings.
comp-lzo
    Enable compression on the OpenVPN link. This must be enabled on both the client and the server.
syslog
    By default, logs are located in syslog or, if running as a service on Windows, in the Program Files\OpenVPN\log directory.
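The matching rules in the table (proto, dev, cipher and comp-lzo must agree on both ends, and each backslash in a Windows path must be doubled) can be checked mechanically before a tunnel is started. The following is an added example, not OpenVPN's or Opengear's code; the two sample configurations are constructed in the format of the client and server files shown above.

```python
import re
from typing import Dict, List

# Options the table above says must be the same on client and server.
MUST_MATCH = ("proto", "dev", "cipher", "comp-lzo")
# Cipher the table lists as the default when no 'cipher' line is present.
DEFAULT_CIPHER = "BF-CBC"
# Options that carry a Windows file path; the table says each '\' must be doubled.
PATH_OPTIONS = ("ca", "cert", "key", "dh")
# A backslash that is neither preceded nor followed by another backslash.
SINGLE_BACKSLASH = re.compile(r"(?<!\\)\\(?!\\)")

# Constructed sample configurations (not from a real deployment), in the
# format of the Windows client/server examples above.
CLIENT_CONF = r"""
# description: constructed_client
client
proto udp
verb 3
dev tun
remote 192.0.2.10
port 1194
ca c:\\openvpnkeys\\ca.crt
cert c:\\openvpnkeys\\client.crt
key c:\\openvpnkeys\\client.key
nobind
persist-key
persist-tun
comp-lzo
"""

SERVER_CONF = r"""
server 10.100.10.0 255.255.255.0
port 1194
keepalive 10 120
proto udp
mssfix 1400
persist-key
persist-tun
dev tun
ca c:\\openvpnkeys\\ca.crt
cert c:\\openvpnkeys\\server.crt
key c:\\openvpnkeys\\server.key
dh c:\\openvpnkeys\\dh.pem
comp-lzo
verb 1
syslog constructed_server
"""


def parse_ovpn(text: str) -> Dict[str, List[str]]:
    """Parse .ovpn text into {option: [arguments]}; '#' lines are comments."""
    options: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, *args = line.split()
        options[name] = args
    return options


def effective(options: Dict[str, List[str]], name: str) -> str:
    """Value of an option as OpenVPN would apply it, including the table's defaults."""
    if name == "cipher":
        return options.get("cipher", [DEFAULT_CIPHER])[0]
    if name == "comp-lzo":
        return "enabled" if "comp-lzo" in options else "disabled"
    return " ".join(options.get(name, [])) or "<unset>"


def check_paths(options: Dict[str, List[str]], role: str) -> List[str]:
    """Flag file paths whose backslashes have not been doubled."""
    problems = []
    for name in PATH_OPTIONS:
        if name in options:
            path = " ".join(options[name])
            if SINGLE_BACKSLASH.search(path):
                problems.append(f"{role}: {name} path {path!r} has an undoubled backslash")
    return problems


def check_pair(client_text: str, server_text: str) -> List[str]:
    """Return the mismatches between a client and a server configuration."""
    client, server = parse_ovpn(client_text), parse_ovpn(server_text)
    problems: List[str] = []
    if "client" not in client or "remote" not in client:
        problems.append("client: needs both a 'client' and a 'remote' line")
    if "server" not in server:
        problems.append("server: needs a 'server <network> <netmask>' line")
    if "dh" not in server:
        problems.append("server: needs 'dh' (Diffie-Hellman parameters)")
    for name in MUST_MATCH:
        c, s = effective(client, name), effective(server, name)
        if c != s:
            problems.append(f"{name}: client={c} server={s}")
    return problems + check_paths(client, "client") + check_paths(server, "server")


if __name__ == "__main__":
    print(check_pair(CLIENT_CONF, SERVER_CONF) or "client and server agree")
```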

To initiate the OpenVPN tunnel following the creation of the client/server configuration files:
1. Right click on the OpenVPN icon in the Notification Area
2. Select the newly created client or server configuration
3. Click Connect
4. The log file is displayed as the connection is established
5. Once established, the OpenVPN icon displays a message indicating a successful connection and assigned IP. This information, as well as the time the connection was established, is available by scrolling over the OpenVPN icon.
3.11 PPTP VPN
Console servers include a PPTP (Point-to-Point Tunneling Protocol) server. PPTP is used for communications over a physical or virtual serial link. The PPP endpoints define a virtual IP address to themselves. Routes to networks can be defined with these IP addresses as the gateway, which results in traffic being sent across the tunnel. PPTP establishes a tunnel between the physical PPP endpoints and securely transports data across the tunnel.
The strength of PPTP is its ease of configuration and integration into existing Microsoft infrastructure. It is generally used for connecting single remote Windows clients. If you take your portable computer on a business trip, you can dial a local number to connect to your Internet access service provider (ISP) and create a second connection (tunnel) into your office network across the Internet and have the same access to your corporate network as if you were connected directly from your office. Telecommuters can also set up a VPN tunnel over their cable modem or DSL links to their local ISP.
To set up a PPTP connection from a remote Windows client to your Opengear appliance and local network:
1. Enable and configure the PPTP VPN server on your Opengear appliance
2. Set up VPN user accounts on the Opengear appliance and enable the appropriate authentication
3. Configure the VPN clients at the remote sites. The client does not require special software as the PPTP Server supports the standard PPTP client software included with Windows NT and later
4. Connect to the remote VPN
3.11.1 Enable the PPTP VPN server
1. Select PPTP VPN on the Serial & Networks menu
2. Select the Enable check box to enable the PPTP Server
3. Select the Minimum Authentication Required. Access is denied to remote users attempting to connect using an authentication scheme weaker than the selected scheme. The schemes are described below, from strongest to weakest.
· Encrypted Authentication (MS-CHAP v2): The strongest type of authentication to use; this is the recommended option
· Weakly Encrypted Authentication (CHAP): This is the weakest type of encrypted password authentication to use. It is not recommended that clients connect using this as it provides very little password protection. Also note that clients connecting using CHAP are unable to encrypt traffic
· Unencrypted Authentication (PAP): This is plain text password authentication. When using this type of authentication, the client password is transmitted unencrypted.
· None
4. Select the Required Encryption Level. Access is denied to remote users attempting to connect that are not using this encryption level.
5. In Local Address enter the IP address to assign to the server’s end of the VPN connection
6. In Remote Addresses enter the pool of IP addresses to assign to the incoming clients’ VPN connections (e.g. 192.168.1.10-20). This must be a free IP address or range of addresses from the network that remote users are assigned while connected to the Opengear appliance
7. Enter the desired value of the Maximum Transmission Unit (MTU) for the PPTP interfaces into the MTU field (defaults to 1400)
8. In the DNS Server field, enter the IP address of the DNS server that assigns IP addresses to connecting PPTP clients
9. In the WINS Server field, enter the IP address of the WINS server that assigns IP addresses to connecting PPTP clients
10. Enable Verbose Logging to assist in debugging connection problems
11. Click Apply Settings
3.11.2 Add a PPTP user
1. Select Users & Groups on the Serial & Networks menu and complete the fields as covered in section 3.2.
2. Ensure the pptpd group has been checked, to allow access to the PPTP VPN server. Note – users in this group have their passwords stored in clear text.
3. Keep note of the username and password for when you need to connect to the VPN connection
4. Click Apply
3.11.3 Set up a remote PPTP client
Ensure the remote VPN client PC has Internet connectivity. To create a VPN connection across the Internet, you must set up two networking connections. One connection is for the ISP, and the other connection is for the VPN tunnel to the Opengear appliance.
NOTE This procedure sets up a PPTP client in the Windows Professional operating system. The steps may vary slightly depending on your network access or if you are using an alternate version of Windows. More detailed instructions are available from the Microsoft web site.
1. Log in to your Windows client with administrator privileges
2. From the Network & Sharing Center on the Control Panel select Network Connections and create a new connection
3. Select Use My Internet Connection (VPN) and enter the IP Address of the Opengear appliance
To connect remote VPN clients to the local network, you need to know the username and password for the PPTP account you added, as well as the Internet IP address of the Opengear appliance. If your ISP has not allocated you a static IP address, consider using a dynamic DNS service. Otherwise you must modify the PPTP client configuration each time your Internet IP address changes.
3.12 Call Home
All console servers include the Call Home feature which initiates the setup of a secure SSH tunnel from the console server to a centralized Opengear Lighthouse. The console server registers as a candidate on the Lighthouse. Once accepted there it becomes a Managed Console Server.
Lighthouse monitors the Managed Console Server and administrators can access the remote Managed Console Server through the Lighthouse. This access is available even when the remote console server is behind a third-party firewall or has a private non-routable IP address.

NOTE Lighthouse maintains public key authenticated SSH connections to each of its Managed Console Servers. These connections are used for monitoring, directing and accessing the Managed Console Servers and the managed devices connected to the Managed Console Server.
To manage Local Console Servers, or console servers that are reachable from the Lighthouse, the SSH connections are initiated by Lighthouse.
To manage Remote Console Servers, or console servers that are firewalled, not routable, or otherwise unreachable from the Lighthouse, the SSH connections are initiated by the Managed Console Server via an initial Call Home connection.
This ensures secure, authenticated communications and enables Managed Console Server units to be distributed locally on a LAN, or remotely around the world.

3.12.1 Set up Call Home candidate
To set up the console server as a Call Home management candidate on the Lighthouse:
1. Select Call Home on the Serial & Network menu
2. If you have not already generated or uploaded an SSH key pair for this console server, do so before proceeding
3. Click Add
4. Enter the IP address or DNS name (e.g. the dynamic DNS address) of the Lighthouse.
5. Enter the Password that you configured on the CMS as the Call Home Password.
6. Click Apply
These steps initiate the Call Home connection from the console server to the Lighthouse. This creates an SSH listening port on the Lighthouse and sets the console server up as a candidate.
Once the candidate has been accepted on the Lighthouse, an SSH tunnel to the console server is redirected back across the Call Home connection. The console server has become a Managed Console Server and the Lighthouse can connect to and monitor it through this tunnel.
3.12.2 Accept Call Home candidate as Managed Console Server on Lighthouse
This section gives an overview on configuring the Lighthouse to monitor console servers that are connected via Call Home. For more details see the Lighthouse User Guide:
1. Enter a new Call Home Password on the Lighthouse. This password is used for accepting Call Home connections from candidate console servers
2. For the Lighthouse to be contacted by the console server, it must either have a static IP address or, if using DHCP, be configured to use a dynamic DNS service
The Configure > Managed Console Servers screen on the Lighthouse shows the status of local and remote Managed Console Servers and candidates.
The Managed Console Servers section shows the console servers being monitored by the Lighthouse. The Detected Console Servers section contains:
o The Local Console Servers drop-down, which lists all the console servers which are on the same subnet as the Lighthouse and are not being monitored
o The Remote Console Servers drop-down, which lists all the console servers that have established a Call Home connection and are not being monitored (i.e. candidates). You can click Refresh to update
To add a console server candidate to the Managed Console Server list, select it from the Remote Console Servers drop-down list and click Add. Enter the IP Address and SSH Port (if these fields have not been auto-completed) and enter a Description and unique Name for the Managed Console Server you are adding.
Enter the Remote Root Password (i.e. the System Password that has been set on this Managed Console Server). This password is used by the Lighthouse to propagate auto-generated SSH keys and is not stored. Click Apply. The Lighthouse sets up secure SSH connections to and from the Managed Console Server and retrieves its Managed Devices, user account details and configured alerts.
3.12.3 Calling Home to a generic central SSH server
If you are connecting to a generic SSH server (not Lighthouse) you may configure Advanced settings:
· Enter the SSH Server Port and SSH User.
· Enter the details for the SSH port forward(s) to create
By selecting Listening Server, you may create a Remote port forward from the Server to this unit, or a Local port forward from this unit to the Server:
· Specify a Listening Port to forward from; leave this field blank to allocate an unused port.
· Enter the Target Server and Target Port that will be the recipient of forwarded connections.
3.13 IP Passthrough
IP Passthrough is used to make a modem connection (e.g. the internal cellular modem) appear like a regular Ethernet connection to a third-party downstream router, allowing the downstream router to use the modem connection as a primary or backup WAN interface.
The Opengear device provides the modem IP address and DNS details to the downstream device over DHCP and passes network traffic to and from the modem and router.
While IP Passthrough turns an Opengear into a modem-to-Ethernet half bridge, some layer 4 services (HTTP/HTTPS/SSH) may be terminated at the Opengear (Service Intercepts). Also, services running on the Opengear can initiate outbound cellular connections independent of the downstream router.
This allows the Opengear to continue to be used for out-of-band management and alerting and also be managed via Lighthouse, while in IP Passthrough mode.
3.13.1 Downstream Router Setup
To use failover connectivity on the downstream router (aka Failover to Cellular or F2C), it must have two or more WAN interfaces.
NOTE Failover in the IP Passthrough context is performed by the downstream router, and the built-in out-of-band failover logic on the Opengear is not available while in IP Passthrough mode.
Connect an Ethernet WAN interface on the downstream router to the Opengear’s Network Interface or Management LAN port with an Ethernet cable.
Configure this interface on the downstream router to receive its network settings via DHCP. If failover is required, configure the downstream router for failover between its primary interface and the Ethernet port connected to the Opengear.
3.13.2 IP Passthrough Pre-Configuration
Prerequisite steps to enable IP Passthrough are:
1. Configure the Network Interface and, where applicable, Management LAN interfaces with static network settings.
· Click Serial & Network > IP.
· For Network Interface and, where applicable, Management LAN, select Static for the Configuration Method and enter the network settings (see the section entitled Network Configuration for detailed instructions).
· For the interface connected to the downstream router, you may choose any dedicated private network. This network only exists between the Opengear and the downstream router and is not normally accessible.
· For the other interface, configure it as you normally would on the local network.
· For both interfaces, leave Gateway blank.
2. Configure the modem in Always On Out-of-band mode.
· For a cellular connection, click System > Dial: Internal Cellular Modem.
· Select Enable Dial-Out and enter carrier details such as APN (see the section Cellular Modem Connection for detailed instructions).
3.13.3 IP Passthrough Configuration
To configure IP Passthrough:
· Click Serial & Network > IP Passthrough and check Enable.
· Select the Opengear Modem to use for upstream connectivity.
· Optionally, enter the MAC Address of the downstream router's connected interface. If the MAC address is not specified, the Opengear will pass through to the first downstream device requesting a DHCP address.
· Select the Opengear Ethernet Interface to use for connectivity to the downstream router.
· Click Apply.
3.13.4 Service Intercepts
These allow the Opengear to continue to provide services, for example for out-of-band management, when in IP Passthrough mode. Connections to the modem address on the specified intercept port(s) are handled by the Opengear rather than passed through to the downstream router.
· For the required service of HTTP, HTTPS or SSH, check Enable.
· Optionally modify the Intercept Port to an alternate port (e.g. 8443 for HTTPS). This is useful if you want the downstream router to remain accessible via its regular port.
3.13.5 IP Passthrough Status
Refresh the page to view the Status section. It displays the modem's External IP Address being passed through, the Internal MAC Address of the downstream router (only populated when the downstream router accepts the DHCP lease), and the overall running status of the IP Passthrough service.
You may be alerted to the failover status of the downstream router by configuring a Routed Data Usage Check under Alerts & Logging > Auto-Response.
3.13.6 Caveats
Some downstream routers may be incompatible with the gateway route. This can happen when IP Passthrough is bridging a 3G cellular network where the gateway address is a point-to-point destination address and no subnet information is available. The Opengear sends a DHCP netmask of 255.255.255.255. Devices normally construe this as a single host route on the interface, but some older downstream devices may have issues.
Intercepts for local services will not work if the Opengear is using a default route other than the modem. Also, they will not work unless the service is enabled and access to the service is enabled (see System > Services, under the Service Access tab find Dialout/Cellular).
Outbound connections originating from Opengear to remote services are supported (e.g. sending SMTP email alerts, SNMP traps, getting NTP time, IPSec tunnels). There is a small risk of connection failure should both the Opengear and the downstream device try to access the same UDP or TCP port on the same remote host at the same time when they have randomly chosen the same originating local port number.
3.14 Configuration over DHCP (ZTP)
Opengear devices can be provisioned during their initial boot from a DHCPv4 or DHCPv6 server using config-over-DHCP. Provisioning on untrusted networks can be facilitated by providing keys on a USB flash drive. The ZTP functionality can also be used to perform a firmware upgrade on initial connection to the network, or to enroll into a Lighthouse 5 instance.
Preparation
The typical steps for configuration over a trusted network are:
1. Configure a same-model Opengear device.
2. Save its configuration as an Opengear backup (.opg) file.
3. Select System > Configuration Backup > Remote Backup.
4. Click Save Backup. A backup configuration file, model-name_iso-format-date_config.opg, is downloaded from the Opengear device to the local system.
You can save the configuration as an xml file instead:
1. Select System > Configuration Backup > XML Configuration. An editable field containing the configuration file in XML format appears.
2. Click into the field to make it active.
3. If you are running any browser on Windows or Linux, right-click and choose Select All from the contextual menu or press Control-A. Right-click and choose Copy from the contextual menu or press Control-C.
4. If you are using any browser on macOS, choose Edit > Select All or press Command-A. Choose Edit > Copy or press Command-C.
5. In your preferred text editor, create a new empty document, paste the copied data into the empty document and save the file. Whatever file name you choose, it must include the .xml filename suffix.
6. Copy the saved .opg or .xml file to a public-facing directory on a file server serving at least one of the following protocols: HTTPS, HTTP, FTP or TFTP. (Only HTTPS can be used if the connection between the file server and a to-be-configured Opengear device travels over an untrusted network.)
7. Configure your DHCP server to include a 'vendor specific' option for Opengear devices. (This will be done in a DHCP server-specific way.) The vendor specific option should be set to a string containing the URL of the published .opg or .xml file from the step above. The option string must not exceed 250 characters and it must end in either .opg or .xml.
8. Connect a new Opengear device, either factory-reset or Config-Erased, to the network and apply power. It may take up to 5 minutes for the device to reboot itself.
Example ISC DHCP (dhcpd) server configuration
The following is an example DHCP server configuration fragment for serving an .opg configuration image via the ISC DHCP server, dhcpd:
option space opengear code width 1 length width 1;
option opengear.config-url code 1 = text;
class "opengear-config-over-dhcp-test" {
    match if option vendor-class-identifier ~~ "^Opengear/";
    vendor-option-space opengear;
    option opengear.config-url "https://example.com/opg/${class}.opg";
}
This setup can be extended to also upgrade the firmware by adding the opengear.image-url option, whose value is the URI of the firmware image.
Setup when the LAN is untrusted
If the connection between the file server and a to-be-configured Opengear device includes an untrusted network, a two-handed approach can mitigate the issue.
NOTE This approach introduces two physical steps where trust can be difficult, if not impossible, to establish completely. First, the custody chain from the creation of the data-carrying USB flash drive to its deployment. Second, the hands connecting the USB flash drive to the Opengear device.
· Generate an X.509 certificate for the Opengear device.
· Concatenate the certificate and its private key into a single file named client.pem.
· Copy client.pem onto a USB flash drive.
· Set up an HTTPS server such that access to the .opg or .xml file is restricted to clients that can provide the X.509 client certificate generated above.
· Put a copy of the CA cert that signed the HTTPS server's certificate, ca-bundle.crt, onto the USB flash drive bearing client.pem.
· Insert the USB flash drive into the Opengear device before attaching power or network.
· Continue the procedure from 'Copy the saved .opg or .xml file to a public-facing directory on a file server' above, using the HTTPS protocol between the client and server.
Prepare a USB drive and create the X.509 certificate and private key
· Generate the CA certificate so the client and server Certificate Signing Requests (CSRs) can be signed.
# cp /etc/ssl/openssl.cnf .
# mkdir -p demoCA/newcerts
# echo 00 > demoCA/serial
# echo 00 > demoCA/crlnumber
# touch demoCA/index.txt
# openssl genrsa -out ca.key 8192
# openssl req -new -x509 -days 3650 -key ca.key -out demoCA/cacert.pem -subj /CN=ExampleCA
# cp demoCA/cacert.pem ca-bundle.crt
This procedure generates a certificate called ExampleCA but any allowed certificate name can be used. The demoCA directory is the default CA directory (dir) in the copied openssl.cnf, which the openssl ca commands below rely on for the serial, crlnumber, index.txt and newcerts entries. Also, this procedure uses openssl ca. If your organization has an enterprise-wide, secure CA generation process, that should be used instead.
· Generate the server certificate.
# openssl genrsa -out server.key 4096
# openssl req -new -key server.key -out server.csr -subj /CN=demo.example.com
# openssl ca -days 365 -in server.csr -out server.crt -keyfile ca.key -policy policy_anything -batch -notext
NOTE The hostname or IP address must be the same string used in the serving URL. In the example above, the hostname is demo.example.com.
· Generate the client certificate.
# openssl genrsa -out client.key 4096
# openssl req -new -key client.key -out client.csr -subj /CN=ExampleClient
# openssl ca -days 365 -in client.csr -out client.crt -keyfile ca.key -policy policy_anything -batch -notext
# cat client.key client.crt > client.pem
· Format a USB flash drive as a single FAT32 volume.
· Move the client.pem and ca-bundle.crt files onto the flash drive’s root directory.
Debugging ZTP issues
Use the ZTP log feature to debug ZTP issues. While the device is attempting to perform ZTP operations, log information is written to /tmp/ztp.log on the device.
The following is an example of the log file from a successful ZTP run.

# cat /tmp/ztp.log
Wed Dec 13 22:22:17 UTC 2017 [5127 notice] odhcp6c.eth0: restoring config via DHCP
Wed Dec 13 22:22:17 UTC 2017 [5127 notice] odhcp6c.eth0: waiting 10s for network to settle
Wed Dec 13 22:22:27 UTC 2017 [5127 notice] odhcp6c.eth0: NTP skipped: no server
Wed Dec 13 22:22:27 UTC 2017 [5127 info] odhcp6c.eth0: vendorspec.1 = 'http://[fd07:2218:1350:44::1]/tftpboot/config.sh'
Wed Dec 13 22:22:27 UTC 2017 [5127 info] odhcp6c.eth0: vendorspec.2 (n/a)
Wed Dec 13 22:22:27 UTC 2017 [5127 info] odhcp6c.eth0: vendorspec.3 (n/a)
Wed Dec 13 22:22:27 UTC 2017 [5127 info] odhcp6c.eth0: vendorspec.4 (n/a)
Wed Dec 13 22:22:27 UTC 2017 [5127 info] odhcp6c.eth0: vendorspec.5 (n/a)
Wed Dec 13 22:22:28 UTC 2017 [5127 info] odhcp6c.eth0: vendorspec.6 (n/a)
Wed Dec 13 22:22:28 UTC 2017 [5127 info] odhcp6c.eth0: no firmware to download (vendorspec.2)
backup-url: trying http://[fd07:2218:1350:44::1]/tftpboot/config.sh ...
backup-url: forcing wan config mode to DHCP
backup-url: setting hostname to acm7004-0013c601ce97
backup-url: load succeeded
Wed Dec 13 22:22:36 UTC 2017 [5127 notice] odhcp6c.eth0: successful config load
Wed Dec 13 22:22:36 UTC 2017 [5127 info] odhcp6c.eth0: no lighthouse configuration (vendorspec.3/4/5/6)
Wed Dec 13 22:22:36 UTC 2017 [5127 notice] odhcp6c.eth0: provisioning completed, not rebooting
Errors are recorded in this log.
3.15 Enrollment into Lighthouse
Use Enrollment into Lighthouse to enroll Opengear devices into a Lighthouse instance, providing centralized access to console ports, and allowing central configuration of the Opengear devices.
See the Lighthouse User Guide for instructions for enrolling Opengear devices into Lighthouse.
3.16 Enable DHCPv4 Relay
A DHCP relay service forwards DHCP packets between clients and remote DHCP servers. The DHCP relay service can be enabled on an Opengear console server so that it listens for DHCP clients on designated lower interfaces, then wraps and forwards their messages up to DHCP servers using either normal routing or broadcast directly onto designated upper interfaces. The DHCP relay agent thus receives DHCP messages and generates a new DHCP message to send out on another interface. In the steps below, the console servers can connect using circuit-ids, Ethernet or cell modems with the DHCPv4 Relay service.
DHCPv4 Relay + DHCP Option 82 (circuit-id)
Infrastructure: local DHCP server, ACM7004-5 for relay, any other devices for clients. Any device with LAN role can be used as a relay. In this example, 192.168.79.242 is the address for the client's relayed interface (as defined in the DHCP server configuration below), 192.168.79.244 is the relay box's upper interface address, and enp112s0 is the downstream interface of the DHCP server.
Figure 1: Infrastructure – DHCPv4 Relay + DHCP Option 82 (circuit-id)
Steps on the DHCP Server
1. Set up the local DHCPv4 server; in particular, it should contain a "host" entry as below for the DHCP client:
host cm7116-2-dac {
    # hardware ethernet 00:13:C6:02:7E:41;
    host-identifier option agent.circuit-id "relay1";
    fixed-address 192.168.79.242;
}
Note: the "hardware ethernet" line is commented out, so that the DHCP server will use the "circuit-id" setting to assign an address to the relevant client.
2. Restart the DHCP server to reload its changed configuration file:
pkill -HUP dhcpd
3. Manually add a host route to the client's "relayed" interface (the interface behind the DHCP relay, not other interfaces the client may also have):
sudo ip route add 192.168.79.242/32 via 192.168.79.244 dev enp112s0
This helps avoid the asymmetric routing issue that arises when the client and DHCP server want to reach each other via the client's relayed interface while the client has other interfaces in the same subnet as the DHCP address pool.
Note: This step is required for the DHCP server and client to be able to reach each other.
Steps on the Relay box – ACM7004-5
1. Setup WAN/eth0 in either static or dhcp mode (not unconfigured mode). If in static mode, it must have an IP address within the address pool of the DHCP server.
2. Apply this config through the CLI (where 192.168.79.1 is the DHCP server address):
config -s config.services.dhcprelay.enabled=on
config -s config.services.dhcprelay.lowers.lower1.circuit_id=relay1
config -s config.services.dhcprelay.lowers.lower1.role=lan
config -s config.services.dhcprelay.lowers.total=1
config -s config.services.dhcprelay.servers.server1=192.168.79.1
config -s config.services.dhcprelay.servers.total=1
config -s config.services.dhcprelay.uppers.upper1.role=wan
config -s config.services.dhcprelay.uppers.total=1
3. The lower interface of the DHCP relay must have a static IP address within the address pool of the DHCP server. In this example, giaddr = 192.168.79.245
config -s config.interfaces.lan.address=192.168.79.245
config -s config.interfaces.lan.mode=static
config -s config.interfaces.lan.netmask=255.255.255.0
config -d config.interfaces.lan.disabled -r ipconfig
4. Wait a short while for the client to acquire a DHCP lease via the relay.
Steps on the Client (CM7116-2-dac in this example or any other OG CS)
1. Plug the client's LAN/eth1 into the relay's LAN/eth1.
2. Configure the client's LAN to get an IP address via DHCP as per usual.
3. Once the clie
