opengear ACM7000 Remote Site Gateway User Manual
- June 1, 2024
- Opengear
Table of Contents
- Product Information
- Product Usage Instructions
- FAQs
- Chapter 1: This Manual
- Chapter 2: System Configuration
- Serial Port, Host, Device & User Configuration
- References
opengear ACM7000 Remote Site Gateway
Product Information
Specifications:
- Product: ACM7000 Remote Site Gateway
- Model: ACM7000-L Resilience Gateway
- Management System: IM7200 Infrastructure Manager
- Console Servers: CM7100
- Version: 5.0 – 2023-12
Product Usage Instructions
Safety Precautions:
Do not connect or disconnect the console server during an electrical storm. Always use a surge suppressor or UPS to protect the equipment from transients.
FCC Warning:
This device complies with Part 15 of the FCC rules. Operation of this device is subject to the following conditions: (1) This device may not cause harmful interference, and (2) this device must accept any interference that may cause undesired operation.
FAQs
- Q: Can I use the ACM7000 Remote Site Gateway during an electrical storm?
- A: No, it is advised not to connect or disconnect the console server during an electrical storm to prevent damage.
- Q: What version of FCC rules does the device comply with?
- A: The device complies with Part 15 of the FCC rules.
User Manual
ACM7000 Remote Site Gateway
ACM7000-L Resilience Gateway
IM7200 Infrastructure Manager
CM7100 Console Servers
Version 5.0 – 2023-12
Safety
Follow the safety precautions below when installing and operating the console server:
· Do not remove the metal covers. There are no operator serviceable components inside. Opening or removing the cover may expose you to dangerous voltage which may cause fire or electric shock. Refer all service to Opengear qualified personnel.
· To avoid electric shock the power cord protective grounding conductor must be connected through to ground.
· Always pull on the plug, not the cable, when disconnecting the power cord from the socket.
· Do not connect or disconnect the console server during an electrical storm. Also use a surge suppressor or UPS to protect the equipment from transients.
FCC Warning Statement
This device complies with Part 15 of the FCC rules. Operation of this device is subject to the following conditions: (1) This device may not cause harmful interference, and (2) this device must accept any interference that may cause undesired operation.
Proper back-up systems and necessary safety devices should be utilized to
protect against injury, death or property damage due to system failure. Such
protection is the responsibility of the user. This console server device is
not approved for use as a life-support or medical system. Any changes or
modifications made to this console server device without the explicit approval
or consent of Opengear will void Opengear of any liability or responsibility
of injury or loss caused by any malfunction. This equipment is for indoor use
and all the communication wirings are limited to inside of the building.
Copyright
©Opengear Inc. 2023. All Rights Reserved. Information in this document is
subject to change without notice and does not represent a commitment on the
part of Opengear. Opengear provides this document “as is,” without warranty of
any kind, expressed or implied, including, but not limited to, the implied
warranties of fitness or merchantability for a particular purpose. Opengear
may make improvements and/or changes in this manual or in the product(s)
and/or the program(s) described in this manual at any time. This product could
include technical inaccuracies or typographical errors. Changes are
periodically made to the information herein; these changes may be incorporated
in new editions of the publication.
Chapter 1
This Manual
This User Manual explains installing, operating, and managing Opengear console
servers. This manual assumes you are familiar with the Internet and IP
networks, HTTP, FTP, basic security operations, and your organization’s
internal network.
1.1 Types of users
The console server supports two classes of users:
· Administrators who have unlimited configuration and management privileges over the console server and connected devices as well as all services and ports to control all the serial connected devices and network connected devices (hosts). Administrators are set up as members of the admin user group. An administrator can access and control the console server using the config utility, the Linux command line or the browser-based Management Console.
· Users who have been set up by an administrator with limits of their access and control authority. Users have a limited view of the Management Console and can only access authorized configured devices and review port logs. These users are set up as members of one or more of the preconfigured user groups such as PPTPD, dialin, FTP, pmshell, users, or user groups the administrator may have created. They are only authorized to perform specified controls on specific connected devices. Users, when authorized, can access and control serial or network connected devices using specified services (e.g. Telnet, HTTPS, RDP, IPMI, Serial over LAN, Power Control).
Remote users are users who are not on the same LAN segment as the console server. A remote user may be on the road connecting to managed devices over the public Internet, an administrator in another office connecting to the console server over the enterprise VPN, or in the same room or the same office but connected on a separate VLAN to the console server.
1.2 Management Console
The Opengear Management Console allows you to configure and monitor the
features of your Opengear console server. The Management Console runs in a
browser and provides a view of the console server and all connected devices.
Administrators can use the Management Console to configure and manage the
console server, users, ports, hosts, power devices, and associated logs and
alerts. Non-admin users can use the Management Console with limited menu
access to control select devices, review their logs, and access them using the
built-in Web terminal.
The console server runs an embedded Linux operating system, and can be
configured at the command line. You can get command line access by cellular /
dial-in, directly connecting to the console server’s serial console/modem
port, or by using SSH or Telnet to connect to the console server over the LAN
(or connecting with PPTP, IPsec or OpenVPN).
For command line interface (CLI) commands and advanced instructions, download
the Opengear CLI and Scripting Reference.pdf from
https://ftp.opengear.com/download/documentation/manual/previous%20versions%20archived/
1.3 More information
For more information, consult:
· Opengear Products Web Site: See https://opengear.com/products. To get the most up-to-date information on what’s included with your console server, visit the What’s included section for your particular product.
· Quick Start Guide: To get the Quick Start Guide for your device see https://opengear.com/support/documentation/.
· Opengear Knowledge Base: Visit https://opengear.zendesk.com to access technical how-to articles, tech tips, FAQs, and important notifications.
· Opengear CLI and Scripting Reference: https://ftp.opengear.com/download/documentation/manual/current/IM_ACM_and_CM7100/Opengear%20CLI%20and%20Scripting%20Reference.pdf
Chapter 2:
System Configuration
This chapter provides step-by-step instructions for the initial configuration
of your console server and connecting it to the Management or Operational LAN.
The steps are:
1. Activate the Management Console.
2. Change the administrator password.
3. Set the IP address of the console server’s principal LAN port.
4. Select the services to be enabled and access privileges.
This chapter also discusses the communications software tools that an administrator may use to access the console server, and the configuration of the additional LAN ports.
2.1 Management Console Connection
Your console server comes configured with a default IP Address 192.168.0.1 and
subnet mask 255.255.255.0 for NET1 (WAN). For initial configuration, we
recommend that you connect a computer directly to the console. If you do
choose to connect your LAN before completing the initial setup steps, make
sure that:
· There are no other devices on the LAN with an address of 192.168.0.1.
· The console server and the computer are on the same LAN segment, with no interposed router appliances.
2.1.1 Connected computer set up
To configure the console server with a browser, the connected computer should have an IP address in the same range as the console server (for example, 192.168.0.100):
· To configure the IP Address of your Linux or Unix computer, run ifconfig.
· For Windows PCs:
1. Click Start > Settings > Control Panel and double click Network Connections.
2. Right click on Local Area Connection and select Properties.
3. Select Internet Protocol (TCP/IP) and click Properties.
4. Select Use the following IP address and enter the following details:
o IP address: 192.168.0.100
o Subnet mask: 255.255.255.0
5. If you want to retain your existing IP settings for this network connection, click Advanced and Add the above as a secondary IP connection.
2.1.2 Browser connection
Open a browser on the connected PC / workstation and enter
https://192.168.0.1.
Log in with:
Username> root
Password> default
The first time you log in, you are required to change the root password. Click
Submit.
To complete the change, enter the new password again. Click Submit. The
Welcome screen appears.
If your system has a cellular modem you will be given the steps to configure the cellular router features:
· Configure the cellular modem connection (System > Dial page. See Chapter 4)
· Allow forwarding to the cellular destination network (System > Firewall page. See Chapter 4)
· Enable IP masquerading for cellular connection (System > Firewall page. See Chapter 4)
After completing each of the above steps, you can return to the configuration list by clicking the Opengear logo in the top left corner of the screen.
NOTE If you are not able to connect to the Management Console at 192.168.0.1 or if the default Username / Password are not accepted, reset your console server (See Chapter 10).
2.2 Administrator Set Up
2.2.1 Change default root System Password
You are required to change the root password when you first log in to the device. You can change this password at any time.
1. Click Serial & Network > Users & Groups or, on the Welcome screen, click Change default administration password.
2. Scroll down and locate the root user entry under Users and click Edit.
3. Enter the new password in the Password and Confirm fields.
NOTE Checking Save Password across firmware erases saves the password so it does not get erased when the firmware is reset. If this password is lost, the device will need to be firmware recovered.
4. Click Apply. Log in with the new password.
2.2.2 Set up a new administrator
Create a new user with administrative privileges and log in as this user for administration functions, rather than using root.
1. Click Serial & Network > Users & Groups. Scroll to the bottom of the page
and click the Add User button.
2. Enter a Username.
3. In the Groups section, check the admin box.
4. Enter a password in the Password and Confirm fields.
5. You can also add SSH Authorized Keys and choose to Disable Password
Authentication for this user.
6. Additional options for this user can be set on this page including Dial-in
Options, Accessible Hosts, Accessible Ports, and Accessible RPC Outlets.
7. Click the Apply button at the bottom of the screen to create this new
user.
2.2.3 Add System Name, System Description, and MOTD
1. Select System > Administration.
2. Enter a System Name and System Description for the console server to give it a unique ID and make it easier to identify. System Name can contain from 1 to 64 alphanumeric characters and the special characters underscore (_), minus (-), and period (.). System Description can contain up to 254 characters.
3. The MOTD Banner can be used to display a message of the day text to users. It appears on the upper left of the screen below the Opengear logo.
4. Click Apply.
2.3 Network Configuration
Enter an IP address for the principal Ethernet (LAN/Network/Network1) port on
the console server or enable its DHCP client to automatically obtain an IP
address from a DHCP server. By default, the console server has its DHCP client
enabled and automatically accepts any network IP address assigned by a DHCP
server on your network. In this initial state, the console server will respond
to both its default Static address 192.168.0.1 and its DHCP address.
1. Click System > IP and click the Network Interface tab.
2. Choose either DHCP or Static for the Configuration Method. If you choose Static, enter the IP Address, Subnet Mask, Gateway and DNS server details. This selection disables the DHCP client.
3. The console server LAN port automatically detects the Ethernet connection
speed. Use the Media drop-down list to lock the Ethernet to 10 Mb/s or 100Mb/s
and to Full Duplex or Half Duplex.
If you encounter packet loss or poor network performance with the Auto
setting, change the Ethernet Media settings on the console server and the
device it is connected to. In most cases, change both to 100baseTx-FD (100
megabits, full duplex).
4. If you select DHCP, the console server will look for configuration details
from a DHCP server. This selection disables any static address. The console
server MAC address can be found on a label on the base plate.
5. You may enter a secondary address or comma-separated list of addresses in CIDR notation, e.g. 192.168.1.1/24 as an IP Alias.
6. Click Apply.
7. Reconnect the browser on the computer that is connected to the console server by entering http://your new IP address.
If you change the console server IP address, you need to reconfigure your computer to have an IP address in the same network range as the new console server address.
You can set the MTU on Ethernet interfaces. This is an advanced option to be used if your deployment scenario doesn’t work with the default MTU of 1500 bytes. To set the MTU, click System > IP and click the Network Interface tab. Scroll down to the MTU field and enter the desired value. Valid values are from 1280 to 1500 for 100-megabit interfaces, and 1280 to 9100 for gigabit interfaces. If bridging or bonding is configured, the MTU set on the Network Interface page will be set on the interfaces that are part of the bridge or the bond.
NOTE In some cases, the user specified MTU may not take effect. Some NIC drivers may round oversized MTUs to the maximum allowed value and others will return an error code.
You can also use a CLI command to manage MTU size. To configure:
    config -s config.interfaces.wan.mtu=1380
To check:
    config -g config.interfaces.wan
    config.interfaces.wan.address 192.168.2.24
    config.interfaces.wan.ddns.provider none
    config.interfaces.wan.gateway 192.168.2.1
    config.interfaces.wan.ipv6.mode stateless
    config.interfaces.wan.media Auto
    config.interfaces.wan.mode static
    config.interfaces.wan.mtu 1380
    config.interfaces.wan.netmask 255.255.255.0
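As an added example (not Opengear code and not part of this manual), the following Python script parses a captured "config -g config.interfaces.wan" listing like the one above and checks it against what the manual documents: the MTU must be 1280 to 1500 on a 100-megabit interface or 1280 to 9100 on a gigabit interface, and in static mode the gateway must lie inside the network defined by the address and netmask. The link-speed parameter, the sample listing and the check names are assumptions made for this example; the listing itself is constructed from the values shown above.

```python
"""Parse `config -g config.interfaces.wan` output and sanity-check it.

Added example, not part of the Opengear manual or its config utility.
It parses the key/value lines the manual shows and checks the MTU against
the documented ranges (1280-1500 for 100-megabit interfaces, 1280-9100 for
gigabit), plus basic static-address consistency.
"""
import ipaddress

# Constructed sample: the `config -g config.interfaces.wan` listing from the
# manual, as it would be captured from the console server shell.
SAMPLE_OUTPUT = """\
config.interfaces.wan.address 192.168.2.24
config.interfaces.wan.ddns.provider none
config.interfaces.wan.gateway 192.168.2.1
config.interfaces.wan.ipv6.mode stateless
config.interfaces.wan.media Auto
config.interfaces.wan.mode static
config.interfaces.wan.mtu 1380
config.interfaces.wan.netmask 255.255.255.0
"""

# Valid MTU ranges as documented in the manual, keyed by link speed (assumed label).
MTU_RANGES = {"100M": (1280, 1500), "1G": (1280, 9100)}


def parse_config(text, prefix="config.interfaces.wan."):
    """Return {short_key: value} for every 'key value' line under the prefix."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or " " not in line:
            continue
        key, value = line.split(None, 1)
        if key.startswith(prefix):
            settings[key[len(prefix):]] = value
    return settings


def check_interface(settings, link_speed="100M"):
    """Return a list of problems; an empty list means the settings look sane."""
    problems = []
    lo, hi = MTU_RANGES[link_speed]
    mtu = None
    try:
        mtu = int(settings.get("mtu", "1500"))  # 1500 is the documented default
    except ValueError:
        problems.append("mtu is not an integer: %r" % settings.get("mtu"))
    if mtu is not None and not lo <= mtu <= hi:
        problems.append("mtu %d outside %d-%d for %s interface" % (mtu, lo, hi, link_speed))
    if settings.get("mode") == "static":
        try:
            iface = ipaddress.ip_interface("%s/%s" % (settings["address"], settings["netmask"]))
            gw = ipaddress.ip_address(settings["gateway"])
            if gw not in iface.network:
                problems.append("gateway %s not in %s" % (gw, iface.network))
        except (KeyError, ValueError) as exc:
            problems.append("static mode but address/netmask/gateway invalid: %s" % exc)
    return problems


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_OUTPUT)
    print(cfg)
    print(check_interface(cfg) or "OK")
```

Run it against the real listing by piping the output of "config -g config.interfaces.wan" into the parser; the same functions work for the other interface prefixes if you pass a different prefix argument.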
2.3.1 IPv6 configuration
The console server Ethernet interfaces support IPv4 by default. They can be configured for IPv6 operation:
1. Click System > IP. Click the General Settings tab and check Enable IPv6.
If desired, click the Disable IPv6 for Cellular checkbox.
2. Configure the IPv6 parameters on each interface page. IPv6 can be
configured for either Automatic mode, which will use SLAAC or DHCPv6 to
configure addresses, routes, and DNS, or Static mode, which allows the address
information to be manually entered.
2.3.2 Dynamic DNS (DDNS) configuration
With Dynamic DNS (DDNS), a console server whose IP address is dynamically assigned can be located using a fixed host or domain name. Create an account with the supported DDNS service provider of your choice. When you set up your DDNS account, you choose a username, password, and hostname that you will use as the DNS name. DDNS service providers let you choose a hostname URL and set an initial IP address to correspond to that hostname URL.
To enable and configure DDNS on any of the Ethernet or cellular network connections on the console server:
1. Click System > IP and scroll down to the Dynamic DNS section. Select your DDNS service provider from the drop-down Dynamic DNS list. You can also set the DDNS information under the Cellular Modem tab under System > Dial.
2. In DDNS Hostname, enter the fully qualified DNS hostname for your console server e.g. yourhostname.dyndns.org.
3. Enter the DDNS Username and DDNS Password for the DDNS service provider account.
4. Specify the Maximum interval between updates in days. A DDNS update will be sent even if the address has not changed.
5. Specify the Minimum interval between checks for changed addresses in seconds. Updates will be sent if the address has changed.
6. Specify the Maximum attempts per update which is the number of times to attempt an update before giving up. This is 3 by default.
7. Click Apply.
2.3.3 EAPoL mode for WAN, LAN and OOBFO
(OOBFO is applicable to the IM7216-2-24E-DAC only)
Overview of EAPoL
IEEE 802.1X, or PNAC (Port-based Network Access Control), makes use of the physical access characteristics of IEEE 802 LAN infrastructures in order to provide a means of authenticating and authorizing devices attached to a LAN port that has point-to-point connection characteristics, and of preventing access to that port in cases in which the authentication and authorization fails. A port in this context is a single point of attachment to the LAN infrastructure.
When a new wireless or wired node (WN) requests access to a LAN resource, the access point (AP) asks for the WN’s identity. No traffic other than EAP is allowed before the WN is authenticated (the “port” is closed, or “unauthenticated”). The node that requests authentication is often called the Supplicant; the Supplicant is responsible for responding to Authenticator data that will establish its credentials. The same goes for the access point: the Authenticator is not the access point itself. Rather, the access point contains an Authenticator. The Authenticator does not need to be in the access point; it can be an external component. The following authentication methods are implemented:
· EAP-MD5 supplicant
o The EAP MD5-Challenge method uses plain username/password
· EAP-PEAP-MD5
o EAP PEAP (Protected EAP) MD5 authentication method uses user credentials and CA certificate
· EAP-TLS
o EAP TLS (Transport Layer Security) authentication method requires CA certificate, client certificate and a private key.
The EAP protocol, which is used for authentication, was originally used for
dial-up PPP. The identity was the username, and either PAP or CHAP
authentication was used to check the user’s password. As the identity is sent
in clear (not encrypted), a malicious sniffer may learn the user’s identity.
“Identity hiding” is therefore used; the real identity is not sent before the
encrypted TLS tunnel is up.
After the identity has been sent, the authentication process begins. The protocol used between the Supplicant and the Authenticator is EAP (or EAPoL). The Authenticator re-encapsulates the EAP messages in RADIUS format and passes them to the Authentication Server. During authentication, the Authenticator relays packets between the Supplicant and the Authentication Server. When the authentication process completes, the Authentication Server sends a success message (or failure, if the authentication failed). The Authenticator then opens the “port” for the Supplicant.
Authentication settings can be accessed from the EAPoL Supplicant Settings page. The status of the current EAPoL session is displayed in detail on the Status > Statistics page on the EAPoL tab:
An abstraction of EAPoL on network ROLEs is displayed in the “Connection
Manager” section on the Dashboard interface.
Shown below is an example of successful authentication:
IEEE 802.1x (EAPOL) support on the switch ports of IM7216-2-24E-DAC and
ACM7004-5: In order to avoid loops, users should not plug more than one switch
port to the same upper-level switch.
2.4 Service Access and Brute Force Protection
The administrator can access the console server and connected serial ports and managed devices using a range of access protocols/services. For each access service:
· The service must first be configured and enabled to run on the console server.
· Access through the firewall must be enabled for each network connection.
To enable and configure a service:
1. Click System > Services and click the Service Settings tab.
2. Enable and configure basic services:
HTTP
By default, HTTP service is running and cannot be fully disabled. By default,
HTTP access is disabled on all interfaces. We recommend this access remain
disabled if the console server is accessed remotely over the Internet.
Alternate HTTP lets you configure an alternate HTTP port to listen on. The HTTP service will continue listening on TCP port 80 for CMS and connector communications but will be inaccessible through the firewall.
HTTPS
By default, HTTPS service is running and enabled on all network interfaces. It
is recommended that only HTTPS access be used if the console server is to be
managed over any public network. This ensures administrators have secure
browser access to all the menus on the console server. It also allows
appropriately configured users secure browser access to selected Manage menus.
The HTTPS service can be disabled or reenabled by checking HTTPS Web
Management and an alternate port specified (default port is 443).
Telnet
By default the Telnet service is running but disabled on all network
interfaces.
Telnet can be used to give an administrator access to the system command line shell. This service may be useful for local administrator access and for user access to selected serial consoles. We recommend that you disable this service if the console server is remotely administered.
The Enable Telnet command shell checkbox will enable or disable the Telnet
service. An alternate Telnet port to listen on can be specified in Alternate
Telnet Port (default port is 23).
SSH
This service provides secure SSH access to the console server and attached devices and by default the SSH service is running and enabled on all interfaces. It is recommended you choose SSH as the protocol where an administrator connects to the console server over the Internet or any other public network. This will provide authenticated communications between the SSH client program on the remote computer and the SSH server in the console server. For more information on SSH configuration, see Chapter 8 – Authentication.
The Enable SSH command shell checkbox will enable or disable this service. An alternate SSH port to listen on can be specified in SSH command shell port (default port is 22).
3. Enable and configure other services:
TFTP/FTP If a USB flash card or internal flash is detected on a console server, checking Enable TFTP (FTP) service enables this service and sets up default tftp and ftp servers on the USB flash. These servers are used to store config files, maintain access and transaction logs etc. Files transferred using tftp and ftp will be stored under /var/mnt/storage.usb/tftpboot/ (or /var/mnt/storage.nvlog/tftpboot/ on ACM7000 series devices). Unchecking Enable TFTP (FTP) service will disable the TFTP (FTP) service.
DNS Relay Checking Enable DNS Server/Relay enables the DNS relay feature so clients can be configured with the console server’s IP for their DNS server setting, and the console server will forward the DNS queries to the real DNS server.
Web Terminal Checking Enable Web Terminal allows web browser access to the system command line shell via Manage > Terminal.
4. Specify alternate port numbers for Raw TCP, direct Telnet/SSH and unauthenticated Telnet/SSH services. The console server uses specific ranges for the TCP/IP ports for the various access services that users can use to access devices attached to serial ports (as covered in Chapter 3 Configure Serial Ports). The administrator can set alternate ranges for these services and these secondary ports will be used in addition to the defaults.
The default TCP/IP base port address for Telnet access is 2000, and the range for Telnet is IP Address:Port (2000 + serial port #), i.e. 2001-2048. If an administrator were to set 8000 as a secondary base for Telnet, serial port #2 on the console server can be Telnet accessed at IP Address:2002 and at IP Address:8002. The default base for SSH is 3000; for Raw TCP it is 4000; and for RFC2217 it is 5000.
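As an added example (not Opengear code), the following Python script encodes the port rule stated above, base port plus serial port number with the default bases 2000 (Telnet), 3000 (SSH), 4000 (Raw TCP) and 5000 (RFC2217), and an optional secondary base such as the 8000 Telnet example. Beyond the single case in the text it also answers the inverse question a defender needs when reading firewall or connection logs (which service and serial port does destination port 8002 reach?) and builds the port allowlist for the services you choose to expose. The service labels, the 48-port default and the function names are assumptions made for this example.

```python
"""Map serial ports to the TCP access ports the console server listens on.

Added example, not Opengear code. It encodes the base ports the manual
documents (Telnet 2000, SSH 3000, Raw TCP 4000, RFC2217 5000) and the rule
"IP Address:(base + serial port #)", including an administrator-set
secondary base, plus the inverse lookup for log triage.
"""
# Default base ports from the manual, keyed by service label (labels are assumed).
DEFAULT_BASES = {"telnet": 2000, "ssh": 3000, "rawtcp": 4000, "rfc2217": 5000}


def access_ports(serial_port, num_serial_ports=48, secondary_bases=None):
    """Return {service: [ports]} for one 1-based serial port number."""
    if not 1 <= serial_port <= num_serial_ports:
        raise ValueError("serial port %d out of range 1-%d" % (serial_port, num_serial_ports))
    secondary_bases = secondary_bases or {}
    result = {}
    for service, base in DEFAULT_BASES.items():
        ports = [base + serial_port]
        if service in secondary_bases:  # secondary ports are used in addition to defaults
            ports.append(secondary_bases[service] + serial_port)
        result[service] = ports
    return result


def resolve_port(tcp_port, num_serial_ports=48, secondary_bases=None):
    """Inverse lookup: (service, serial_port) for a destination TCP port, or None.

    If a secondary base overlaps another service's range the first match wins,
    so keep secondary bases clear of the default 2001-5048 region.
    """
    bases = list(DEFAULT_BASES.items()) + list((secondary_bases or {}).items())
    for service, base in bases:
        offset = tcp_port - base
        if 1 <= offset <= num_serial_ports:
            return service, offset
    return None


def allowlist(num_serial_ports=48, services=("ssh",), secondary_bases=None):
    """Sorted TCP ports a firewall must pass for the chosen serial access services."""
    ports = set()
    for n in range(1, num_serial_ports + 1):
        for svc, plist in access_ports(n, num_serial_ports, secondary_bases).items():
            if svc in services:
                ports.update(plist)
    return sorted(ports)


if __name__ == "__main__":
    print(access_ports(2, secondary_bases={"telnet": 8000}))
    print(resolve_port(8002, secondary_bases={"telnet": 8000}))
    print(allowlist(4, services=("ssh",)))
```

The allowlist function is the practical output: if only SSH access to serial ports is wanted from an untrusted network, everything outside the returned set can stay closed at the firewall.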
5. Other services can be enabled and configured from this menu by selecting Click here to configure:
Nagios: Access to the Nagios NRPE monitoring daemons
NUT: Access to the NUT UPS monitoring daemon
SNMP: Enables SNMP in the console server. SNMP is disabled by default
NTP
6. Click Apply. A confirmation message appears: Message Changes to configuration succeeded
The Services Access settings can be set to allow or block access. This specifies which enabled services administrators can use over each network interface to connect to the console server and through the console server to attached serial and network connected devices.
1. Select the Service Access tab on the System > Services page.
2. This displays the enabled services for the console server’s network interfaces. Depending on the particular console server model the interfaces displayed may include:
· Network interface (for the principal Ethernet connection)
· Management LAN / OOB Failover (second Ethernet connection)
· Dialout / Cellular (V90 and 3G modem)
· Dial-in (internal or external V90 modem)
· VPN (IPsec or OpenVPN connection over any network interface)
3. Check/uncheck for each network which service access is to be enabled/disabled. Respond to ICMP echoes (i.e. ping) is a service access option that can also be configured at this stage. This allows the console server to respond to incoming ICMP echo requests. Ping is enabled by default. For increased security, you should disable this service when you complete initial configuration. You can allow serial port devices to be accessed from nominated network interfaces using Raw TCP, direct Telnet/SSH, unauthenticated Telnet/SSH services, etc.
4. Click Apply.
Web Management Settings
The Enable HSTS checkbox enables HTTP Strict Transport Security. HSTS mode means that a Strict-Transport-Security header is sent over HTTPS transport. A compliant web browser remembers this header, and when asked to contact the same host over HTTP (plain) it will automatically switch to HTTPS before attempting HTTP, as long as the browser has accessed the secure site once and seen the S-T-S header.
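As an added example (not Opengear code), the following Python model of a compliant browser's HSTS store shows the behaviour described above and its main caveat: a header seen over plain HTTP is ignored, so the browser is only protected once it has reached the console server over HTTPS and seen the Strict-Transport-Security header; after that, http:// URLs for the host are rewritten to https:// until max-age expires. The header values, URLs and timestamps are constructed for this example.

```python
"""Browser-side HSTS behaviour as the manual describes it.

Added example (not Opengear code): a small model of a compliant browser's
HSTS store. It records a Strict-Transport-Security header only when it
arrived over HTTPS (as RFC 6797 requires), honours max-age and
includeSubDomains, and rewrites later http:// URLs for a remembered host.
"""
from urllib.parse import urlsplit, urlunsplit


def parse_sts(value):
    """Parse 'max-age=31536000; includeSubDomains' -> (max_age, include_subdomains)."""
    max_age, subdomains = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.lower()
        if name == "max-age":
            try:
                max_age = int(arg.strip().strip('"'))
            except ValueError:
                return None, False  # malformed header: ignore it entirely
        elif name == "includesubdomains":
            subdomains = True
    return max_age, subdomains


class HstsStore:
    def __init__(self):
        self.entries = {}  # host -> (expires_at, include_subdomains)

    def observe_response(self, url, headers, now):
        """Record the STS policy, but only from an HTTPS response."""
        parts = urlsplit(url)
        sts = headers.get("Strict-Transport-Security")
        if parts.scheme != "https" or sts is None:
            return False  # header over plain HTTP carries no protection
        max_age, subdomains = parse_sts(sts)
        if max_age is None:
            return False
        host = parts.hostname
        if max_age == 0:
            self.entries.pop(host, None)  # max-age=0 clears the policy
            return True
        self.entries[host] = (now + max_age, subdomains)
        return True

    def is_known(self, host, now):
        """True if an unexpired policy covers the host (or a parent with includeSubDomains)."""
        for known, (expires, subdomains) in list(self.entries.items()):
            if now >= expires:
                del self.entries[known]  # policy expired
                continue
            if host == known or (subdomains and host.endswith("." + known)):
                return True
        return False

    def rewrite(self, url, now):
        """Return the URL the browser would actually fetch."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_known(parts.hostname, now):
            netloc = parts.hostname if parts.port in (None, 80) else "%s:%d" % (parts.hostname, parts.port)
            return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
        return url


if __name__ == "__main__":
    store = HstsStore()
    # Constructed: first contact over HTTPS returns the policy.
    store.observe_response("https://192.168.0.1/", {"Strict-Transport-Security": "max-age=3600"}, now=0)
    print(store.rewrite("http://192.168.0.1/", now=10))
```

The practical consequence for the console server: enabling HSTS only helps administrators who have already logged in over HTTPS, which is another reason to leave plain HTTP disabled on any interface reachable from an untrusted network.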
Brute Force Protection
Brute force protection (Micro Fail2ban) temporarily blocks source IPs that show malicious signs, such as too many password failures. This may help when the device’s network services are exposed to an untrusted network such as the public WAN and scripted attacks or software worms are attempting to guess (brute force) user credentials and gain unauthorized access.
Brute Force Protection may be enabled for the listed services. By default, once protection is enabled, 3 or more failed connection attempts within 60 seconds from a specific source IP trigger it to be banned from connecting for a configurable time period. Attempt limit and Ban timeout may be customized. Active Bans are also listed and may be refreshed by reloading the page.
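As an added example (not Opengear's Micro Fail2ban implementation), the following Python script applies the rule stated above to a constructed sequence of authentication events: 3 or more failures within a 60 second window from one source IP ban that IP, attempts from a banned IP are dropped until the ban timeout elapses, and failures older than the window no longer count. The event format, the 600 second ban timeout and the class and method names are assumptions made for this example; the defaults for attempt limit and window are the manual's.

```python
"""Simulate the manual's brute force protection rule over auth events.

Added example, not Opengear's Micro Fail2ban code. Rule from the manual:
3 or more failed attempts within 60 seconds from one source IP trigger a
ban for a configurable period. Event format and timings are constructed.
"""
from collections import defaultdict, deque

# Constructed sample: (timestamp in seconds, source IP, outcome)
SAMPLE_EVENTS = [
    (0, "203.0.113.7", "fail"),
    (10, "203.0.113.7", "fail"),
    (20, "198.51.100.9", "fail"),
    (30, "203.0.113.7", "fail"),      # third failure within 60 s -> ban
    (35, "203.0.113.7", "fail"),      # already banned -> dropped
    (100, "198.51.100.9", "fail"),    # its first failure is 80 s old: window expired
    (650, "203.0.113.7", "success"),  # ban (600 s) expired at t=630 -> allowed
]


class BruteForceGuard:
    def __init__(self, attempt_limit=3, window=60, ban_timeout=600):
        self.attempt_limit = attempt_limit   # manual default: 3
        self.window = window                 # manual default: 60 s
        self.ban_timeout = ban_timeout       # configurable; 600 s assumed here
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.bans = {}                       # ip -> time at which the ban expires

    def is_banned(self, ip, now):
        expiry = self.bans.get(ip)
        if expiry is None:
            return False
        if now >= expiry:
            del self.bans[ip]  # ban timeout elapsed
            return False
        return True

    def observe(self, now, ip, outcome):
        """Return 'banned', 'dropped', 'allowed' or 'failed' for one event."""
        if self.is_banned(ip, now):
            return "dropped"
        if outcome == "success":
            self.failures.pop(ip, None)
            return "allowed"
        q = self.failures[ip]
        q.append(now)
        while q and now - q[0] > self.window:  # slide the window forward
            q.popleft()
        if len(q) >= self.attempt_limit:
            self.bans[ip] = now + self.ban_timeout
            self.failures.pop(ip, None)
            return "banned"
        return "failed"

    def active_bans(self, now):
        """Sorted list of IPs currently banned (what the Active Bans list would show)."""
        return sorted(ip for ip in list(self.bans) if self.is_banned(ip, now))


def replay(events, **kwargs):
    """Run every event through a fresh guard and return (time, ip, decision) tuples."""
    guard = BruteForceGuard(**kwargs)
    return [(t, ip, guard.observe(t, ip, outcome)) for t, ip, outcome in events]


if __name__ == "__main__":
    for row in replay(SAMPLE_EVENTS):
        print(row)
```

Note that a source with failures spread more than 60 seconds apart is never banned under this rule, which is why the NOTE that follows recommends combining the feature with key-based SSH, VPN and firewall allowlisting rather than relying on it alone.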
NOTE When running on an untrusted network, consider using a variety of strategies to lock down remote access. This includes SSH public key authentication, VPN, and Firewall Rules to allowlist remote access from trusted source networks only. See the Opengear Knowledge Base for details.
2.5 Communications Software
You have configured access protocols for the administrator client to use when
connecting to the console server. User clients also use these protocols when
accessing console server serial attached devices and network attached hosts.
You need communications software tools set up on the administrator and user
client’s computer. To connect you may use tools such as PuTTY and SSHTerm.
Commercially available connectors couple the trusted SSH tunneling protocol
with popular access tools such as Telnet, SSH, HTTP, HTTPS, VNC, RDP to
provide point-and-click secure remote management access to all the systems and
devices being managed. Information on using connectors for browser access to
the console server’s Management Console, Telnet/SSH access to the console
server command line, and TCP/UDP connecting to hosts that are network
connected to the console server can be found in Chapter 5. Connectors can be
installed on Windows PCs, Mac OS X and on most Linux, UNIX and Solaris
systems.
2.6 Management Network Configuration
Console servers have additional network ports that can be configured to provide management LAN access and/or failover or out-of-band access.
2.6.1 Enable the Management LAN
Console servers can be configured so the second Ethernet port provides a management LAN gateway. The gateway has firewall, router and DHCP server features. You need to connect an external LAN switch to Network 2 to attach hosts to this management LAN:
NOTE The second Ethernet port can be configured as either a Management LAN
gateway port or as an OOB/Failover port. Ensure you did not allocate NET2 as
the Failover Interface when you configured the principal Network connection on
the System > IP menu.
To configure the Management LAN gateway:
1. Select the Management LAN Interface tab on the System > IP menu and uncheck Disable.
2. Configure the IP Address and Subnet Mask for the Management LAN. Leave the DNS fields blank.
3. Click Apply.
The management gateway function is enabled with default firewall and router rules configured so the Management LAN is only accessible by SSH port forwarding. This ensures the remote and local connections to Managed devices on the Management LAN are secure. The LAN ports can also be configured in bridged or bonded mode or manually configured from the command line.
2.6.2 Configure the DHCP server
The DHCP server enables the automatic distribution of IP addresses to devices on the Management LAN that are running DHCP clients. To enable the DHCP server:
1. Click System > DHCP Server.
2. On the Network Interface tab, check Enable DHCP Server.
3. Enter the Gateway address to be issued to the DHCP clients. If this field
is left blank, the console server’s IP address is used.
4. Enter the Primary DNS and Secondary DNS address to issue the DHCP clients.
If this field is left blank, console server’s IP address is used.
5. Optionally enter a Domain Name suffix to issue DHCP clients. 6. Enter the
Default Lease time and Maximum Lease time in seconds. This is the amount of
time
that a dynamically assigned IP address is valid before the client must request
it again. 7. Click Apply The DHCP server issues IP addresses from specified
address pools: 1. Click Add in the Dynamic Address Allocation Pools field. 2.
Enter the DHCP Pool Start Address and End Address. 3. Click Apply.
The DHCP server also supports pre-assigning IP addresses to be allocated to
specific MAC addresses and reserving IP addresses to be used by connected
hosts with fixed IP addresses. To reserve an IP address for a particular host:
1. Click Add in the Reserved Addresses field.
2. Enter the Hostname, the Hardware Address (MAC) and the Statically Reserved IP address for the DHCP client and click Apply.
When DHCP has allocated hosts addresses, it is recommended to copy these into
the pre-assigned list so the same IP address is reallocated in the event of a
reboot.
2.6.3 Select Failover or broadband OOB
Console servers provide a failover option so in the event of a problem using
the main LAN connection for accessing the console server an alternate access
path is used. To enable failover:
1. Select the Network Interface page on the System > IP menu
2. Select the Failover Interface to be used in the event of an outage on the main network.
3. Click Apply. Failover becomes active after you specify the external sites to be probed to trigger failover and set up the failover ports.
2.6.4 Aggregating the network ports
By default, the console server’s Management LAN network ports can be accessed
using SSH tunneling /port forwarding or by establishing an IPsec VPN tunnel to
the console server. All the wired network ports on the console servers can be
aggregated by being bridged or bonded.
· By default, Interface Aggregation is disabled on the System > IP > General Settings menu
· Select Bridge Interfaces or Bond Interfaces
  o When bridging is enabled, network traffic is forwarded across all Ethernet ports with no firewall restrictions. All the Ethernet ports are transparently connected at the data link layer (layer 2) so they retain their unique MAC addresses
  o With bonding, the network traffic is carried between the ports but presents with one MAC address
Both modes remove all the Management LAN Interface and Out-of-Band/Failover Interface functions and disable the DHCP Server
· In aggregation mode all Ethernet ports are collectively configured using the Network Interface menu
2.6.5 Static routes
Static routes provide a very quick way to route data from one subnet to a
different subnet. You can hard code a path that tells the console
server/router to get to a certain subnet using a certain path. This may be
useful for accessing various subnets at a remote site when using the cellular
OOB connection.
To add a static route to the route table of the System:
1. Select the Route Settings tab on the System > IP General Settings menu.
2. Click New Route
3. Enter a Route Name for the route.
4. In the Destination Network/Host field, enter the IP address of the
destination network/host that the route provides access to.
5. Enter a value in the Destination netmask field that identifies the
destination network or host. Any number between 0 and 32. A subnet mask of 32
identifies a host route.
6. Enter Route Gateway with the IP address of a router that will route
packets to the destination network. This may be left blank.
7. Select the Interface to use to reach the destination. This may be left as None.
8. Enter a value in the Metric field that represents the metric of this
connection. Use any number equal to or greater than 0. This only has to be set
if two or more routes conflict or have overlapping targets.
9. Click Apply.
NOTE
The route details page provides a list of network interfaces and modems to which a route can be bound. In the case of a modem, the route will be attached to any dialup session established via that device. A route can be specified with a gateway, an interface or both. If the specified interface is not active, routes configured for that interface will not be active.
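The following is an added example, not code from the Opengear manual or firmware: it models the static route entries described above (Destination Network/Host, Destination netmask, Route Gateway, Interface, Metric) and shows how the console server's choice of route follows from them: the most specific netmask wins, the Metric only separates routes with overlapping targets, and a route bound to an inactive interface is ignored, as the NOTE states. The route table, interface names and the `select_route` function are constructed for illustration.

```python
"""Model of the static route rules in section 2.6.5 (added example, not
device code). Route entries below are constructed sample data."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class StaticRoute:
    name: str                          # Route Name
    destination: str                   # Destination Network/Host
    netmask: int                       # Destination netmask, 0..32 (32 = host route)
    gateway: Optional[str] = None      # Route Gateway, may be left blank
    interface: Optional[str] = None    # Interface, may be left as None
    metric: int = 0                    # Metric, any number >= 0

    def __post_init__(self):
        # Same constraints the form imposes: netmask 0..32, metric >= 0,
        # and at least one of gateway / interface (the NOTE allows either or both).
        if not 0 <= self.netmask <= 32:
            raise ValueError(f"{self.name}: netmask must be between 0 and 32")
        if self.metric < 0:
            raise ValueError(f"{self.name}: metric must be >= 0")
        if self.gateway is None and self.interface is None:
            raise ValueError(f"{self.name}: specify a gateway, an interface or both")
        # strict=False lets a host address stand in for its own network
        self.network = ipaddress.ip_network(f"{self.destination}/{self.netmask}", strict=False)

    @property
    def is_host_route(self) -> bool:
        return self.netmask == 32


def select_route(routes, dest_ip, active_interfaces):
    """Return the StaticRoute used to reach dest_ip, or None.

    Routes bound to an interface that is not active are skipped; among the
    remaining matches the longest netmask wins, and only when two routes
    overlap with equal length does the lower Metric decide."""
    addr = ipaddress.ip_address(dest_ip)
    candidates = [
        r for r in routes
        if addr in r.network
        and (r.interface is None or r.interface in active_interfaces)
    ]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.netmask, r.metric))


# Constructed sample table: a remote-site subnet over the cellular link, a
# more specific host route on the wired LAN, and two overlapping routes that
# only the Metric can separate.
SAMPLE_ROUTES = [
    StaticRoute("site-lan", "10.20.0.0", 16, gateway="10.20.0.1", interface="wwan0"),
    StaticRoute("pdu-host", "10.20.5.9", 32, gateway="10.20.5.1", interface="eth1"),
    StaticRoute("lab-a", "172.16.0.0", 24, gateway="172.16.0.1", metric=10),
    StaticRoute("lab-b", "172.16.0.0", 24, gateway="172.16.0.254", metric=5),
]


def route_name_for(dest_ip, active_interfaces=("wwan0", "eth1")):
    """Name of the route chosen for dest_ip given the currently active interfaces."""
    chosen = select_route(SAMPLE_ROUTES, dest_ip, set(active_interfaces))
    return chosen.name if chosen else None


if __name__ == "__main__":
    for ip in ("10.20.5.9", "10.20.77.1", "172.16.0.77", "192.0.2.1"):
        print(ip, "->", route_name_for(ip))
    print("10.20.5.9 with eth1 down ->", route_name_for("10.20.5.9", ("wwan0",)))
```

Running the block prints the /32 host route winning for 10.20.5.9 while eth1 is up, the /16 site route taking over when eth1 is down, lab-b beating lab-a on Metric, and no route at all for 192.0.2.1.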
3. SERIAL PORT, HOST, DEVICE & USER CONFIGURATION
The console server enables access and control of serially-attached devices and
network-attached devices (hosts). The administrator must configure access
privileges for each of these devices and specify the services that can be used
to control the devices. The administrator can also set up new users and
specify each user’s individual access and control privileges.
This chapter covers each of the steps in configuring network connected and
serially attached devices:
· Serial Ports – setting up protocols used by serially connected devices
· Users & Groups – setting up users and defining the access permissions for each of these users
· Authentication – this is covered in more detail in Chapter 8
· Network Hosts – configuring access to local network connected computers or appliances (hosts)
· Configuring Trusted Networks – nominate IP addresses that trusted users access from
· Cascading and Redirection of Serial Console Ports
· Connecting to power (UPS, PDU, and IPMI) and environmental monitoring (EMD) devices
· Serial Port Redirection using the PortShare Windows and Linux clients
· Managed Devices – presents a consolidated view of all the connections
· IPSec enabling VPN connection
· OpenVPN
· PPTP
3.1 Configure Serial Ports
The first step in configuring a serial port is to set the Common Settings such
as the protocols and the RS232 parameters that are to be used for the data
connection to that port (e.g. baud rate). Select what mode the port is to
operate in. Each port can be set to support one of these operating modes:
· Disabled mode is the default, the serial port is inactive
Chapter 3: Serial Port, Host, Device & User Configuration
· Console server mode enables general access to serial console port on the serially attached devices
· Device mode sets the serial port up to communicate with an intelligent serial controlled PDU, UPS or Environmental Monitor Devices (EMD)
· Terminal Server mode sets the serial port to await an incoming terminal login session
· Serial Bridge mode enables the transparent interconnection of two serial port devices over a network.
1. Select Serial & Network > Serial Port to display serial port details
2. By default, each serial port is set in Console server mode. Click Edit next to the port to be reconfigured. Or click Edit Multiple Ports and select which ports you wish to configure as a group.
3. When you have reconfigured the common settings and the mode for each port, set up any remote syslog (see the following sections for specific information). Click Apply
4. If the console server has been configured with distributed Nagios monitoring enabled, use Nagios Settings options to enable nominated services on the Host to be monitored
3.1.1 Common Settings
There are a number of common settings that can be set for each serial port.
These are independent of the mode in which the port is being used. These
serial port parameters must be set so they match the serial port parameters on
the device you attach to that port:
· Type in a label for the port
· Select the appropriate Baud Rate, Parity, Data Bits, Stop Bits and Flow Control for each port
· Set the Port Pinout. This menu item appears for IM7200 ports where pin-out for each RJ45 serial port can be set as either X2 (Cisco Straight) or X1 (Cisco Rolled)
· Set the DTR mode. This allows you to choose if DTR is always asserted or only asserted when there is an active user session
· Before proceeding with further serial port configuration, you should connect the ports to the serial devices they will be controlling and ensure they have matching settings
3.1.2 Console Server Mode
Select Console server Mode to enable remote management access to the serial
console that is attached to this serial port:
Logging Level This specifies the level of information to be logged and
monitored.
Level 0: Disable logging (default)
Level 1: Log LOGIN, LOGOUT and SIGNAL events
Level 2: Log LOGIN, LOGOUT, SIGNAL, TXDATA and RXDATA events
Level 3: Log LOGIN, LOGOUT, SIGNAL and RXDATA events
Level 4: Log LOGIN, LOGOUT, SIGNAL and TXDATA events
Input/RXDATA is data received by the Opengear device from the connected serial
device, and output/TXDATA is data sent by the Opengear device (e.g. typed by
the user) to the connected serial device.
Device consoles typically echo back characters as they are typed so TXDATA
typed by a user is subsequently received as RXDATA, displayed on their
terminal.
NOTE: After prompting for a password, the connected device sends * characters
to prevent the password from being displayed.
Telnet
When the Telnet service is enabled on the console server, a Telnet client on a
user’s computer can connect to a serial device attached to this serial port on
the console server. Because Telnet communications are unencrypted, this
protocol is only recommended for local or VPN tunneled connections.
If the remote communications are being tunneled with a connector, Telnet can
be used for securely accessing these attached devices.
NOTE
In console server mode, users can use a connector to set up secure Telnet connections that are SSH tunneled from their client computers to the serial port on the console server. Connectors can be installed on Windows PCs and most Linux platforms and it enables secure Telnet connections to be selected with point-and-click.
To use a connector to access consoles on the console server serial ports, configure the connector with the console server as a gateway, and as a host, and enable Telnet service on Port (2000 + serial port #) i.e. 2001-2048.
You can also use standard communications packages like PuTTY to set a direct Telnet or SSH connection to the serial ports.
NOTE In Console server mode, when you connect to a serial port you connect via pmshell. To generate a BREAK on the serial port, type the character sequence ~b. If you’re doing this over OpenSSH type ~~b.
SSH
It is recommended that you use SSH as the protocol when users connect to the console server
(or connect through the console server to the attached serial consoles) over the Internet or any
other public network.
For SSH access to the consoles on devices attached to the console server serial ports, you can use a connector. Configure the connector with the console server as a gateway, and as a host, and enable SSH service on Port (3000 + serial port #) i.e. 3001-3048.
You can also use common communications packages, like PuTTY or SSHTerm to SSH connect to port address IP Address _ Port (3000 + serial port #) i.e. 3001-3048
SSH connections can be configured using the standard SSH port 22. The serial port being accessed is identified by appending a descriptor to the username. This syntax supports:
This syntax enables users to set up SSH tunnels to all serial ports with only a
single IP port 22 having to be opened in their firewall/gateway.
NOTE In console server mode, you connect to a serial port via pmshell. To
generate a BREAK on the serial port, type the character sequence ~b. If you’re
doing this over OpenSSH, type ~~b.
TCP
RAW TCP allows connections to a TCP socket. While communications programs like
PuTTY also support RAW TCP, this protocol is usually used by a custom
application. For RAW TCP, the default port address is IP Address _ Port (4000
+ serial port #) i.e. 4001-4048
RAW TCP also enables the serial port to be tunneled to a remote console server, so two serial port devices can transparently interconnect over a network (see Chapter 3.1.6 Serial Bridging)
RFC2217
Selecting RFC2217 enables serial port redirection on that port. For RFC2217,
the default port address is IP Address _ Port (5000 + serial port #) i.e.
5001-5048
Special client software is available for Windows UNIX and Linux that supports
RFC2217 virtual com ports, so a remote host can monitor and manage remote
serially attached devices as though they are connected to the local serial
port (see Chapter 3.6 Serial Port Redirection for details)
RFC2217 also enables the serial port to be tunneled to a remote console
server, so two serial port devices can transparently interconnect over a
network (see Chapter 3.1.6 Serial Bridging)
Unauthenticated Telnet
This enables Telnet access to the serial port without authentication credentials. When a user accesses the console server to Telnet to a serial port, they are given a login prompt. With unauthenticated Telnet, they connect directly through to the port without any console server login challenge. If a Telnet client does prompt for authentication, any entered data allows connection.
This mode is used with an external system (such as conserver) managing user
authentication and access privileges at the serial device level.
Logging into a device connected to the console server may require
authentication.
For Unauthenticated Telnet the default port address is IP Address _ Port (6000
+ serial port #) i.e. 6001-6048
Unauthenticated SSH
This enables SSH access to the serial port without authentication credentials.
When a user accesses the console server to Telnet to a serial port, they are
given a login prompt. With unauthenticated SSH they connect directly through
to the port without any console server login challenge.
This mode is used when you have another system managing user authentication
and access privileges at the serial device level but wish to encrypt the
session across the network.
Logging into a device connected to the console server may require
authentication.
For Unauthenticated SSH the default port address is IP Address _ Port (7000
+ serial port #) i.e. 7001-7048
The ':' method of port access (as described in the above SSH section) always requires authentication.
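The sections above give one TCP port range per access method (2000 + n for Telnet, 3000 + n for SSH, 4000 + n for RAW TCP, 5000 + n for RFC2217, 6000 + n for Unauthenticated Telnet, 7000 + n for Unauthenticated SSH). The following is an added example, not code from the manual or the device: it maps a port number seen listening on the console server's primary address back to the service and serial port it belongs to, and sorts the listeners an administrator would review first (clear-text protocols, and the two methods that bypass the console server's login challenge). The 48-port upper bound is the maximum the manual's ranges use; the listener list at the bottom is constructed sample data, and the `review_listeners` function is an illustration, not a device command.

```python
"""Map console-server TCP ports to services (added example, not device code)."""
from typing import NamedTuple, Optional

MAX_SERIAL_PORTS = 48   # the manual's ranges run 2001-2048, 3001-3048, ...


class Service(NamedTuple):
    name: str
    base: int              # TCP port = base + serial port number
    encrypted: bool        # does the protocol protect the session on the wire?
    console_login: Optional[bool]   # does the console server challenge for a login?
                                    # None = not stated in this section of the manual


# Per-serial-port service ports as listed in section 3.1.2.
SERVICES = [
    Service("Telnet", 2000, encrypted=False, console_login=True),
    Service("SSH", 3000, encrypted=True, console_login=True),
    Service("RAW TCP", 4000, encrypted=False, console_login=None),
    # RFC2217 is clear text unless the optional Portshare encryption is enabled
    Service("RFC2217", 5000, encrypted=False, console_login=None),
    Service("Unauthenticated Telnet", 6000, encrypted=False, console_login=False),
    Service("Unauthenticated SSH", 7000, encrypted=True, console_login=False),
]


class Listener(NamedTuple):
    tcp_port: int
    service: str
    serial_port: int
    encrypted: bool
    console_login: Optional[bool]


def classify_port(tcp_port: int) -> Optional[Listener]:
    """What a TCP port on the primary address is, or None if it is not a
    per-serial-port service port (e.g. 22 or 443 belong to the box itself)."""
    for svc in SERVICES:
        serial_no = tcp_port - svc.base
        if 1 <= serial_no <= MAX_SERIAL_PORTS:
            return Listener(tcp_port, svc.name, serial_no, svc.encrypted, svc.console_login)
    return None


def service_port(service_name: str, serial_no: int) -> int:
    """Inverse mapping: the TCP port for a given service and serial port number."""
    if not 1 <= serial_no <= MAX_SERIAL_PORTS:
        raise ValueError("serial port number must be 1..48")
    for svc in SERVICES:
        if svc.name == service_name:
            return svc.base + serial_no
    raise KeyError(service_name)


def review_listeners(open_ports):
    """Split observed listening ports into (flagged, ok, unknown).

    A port is flagged when its protocol is unencrypted or when it skips the
    console server's own login challenge; those are the ones to reconcile
    against what is meant to be reachable from a public network."""
    flagged, ok, unknown = [], [], []
    for port in sorted(open_ports):
        lst = classify_port(port)
        if lst is None:
            unknown.append(port)
        elif not lst.encrypted or lst.console_login is False:
            flagged.append(lst)
        else:
            ok.append(lst)
    return flagged, ok, unknown


# Constructed sample: ports seen listening on a console server's primary address.
SAMPLE_OPEN_PORTS = [22, 443, 2003, 3003, 3012, 5003, 7012]

if __name__ == "__main__":
    flagged, ok, unknown = review_listeners(SAMPLE_OPEN_PORTS)
    for lst in flagged:
        print(f"review: tcp/{lst.tcp_port} = {lst.service} on serial port {lst.serial_port}")
    for lst in ok:
        print(f"ok:     tcp/{lst.tcp_port} = {lst.service} on serial port {lst.serial_port}")
    print("not a serial-port service:", unknown)
```

With the sample list, tcp/2003 (Telnet), tcp/5003 (RFC2217) and tcp/7012 (Unauthenticated SSH) come back flagged, the two SSH ports are reported as ok, and 22 and 443 are left for the administrator to account for separately.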
Web Terminal
This enables web browser access to the serial port via Manage > Devices: Serial using the Management Console’s built in AJAX terminal. Web Terminal connects as the currently authenticated Management Console user and does not re-authenticate. See section 12.3 for more details.
IP Alias
Enable access to the serial port using a specific IP address, specified in CIDR format. Each serial port can be assigned one or more IP aliases, configured on a per-network-interface basis. A serial port can, for example, be made accessible at both 192.168.0.148 (as part of the internal network) and 10.10.10.148 (as part of the Management LAN). It is also possible to make a serial port available on two IP addresses on the same network (for example, 192.168.0.148 and 192.168.0.248).
These IP addresses can only be used to access the specific serial port, accessible using the standard protocol TCP port numbers of the console server services. For example, SSH on serial port 3 would be accessible on port 22 of a serial port IP alias (whereas on the console server’s primary address it is available on port 2003).
This feature can also be configured via the multiple port edit page. In this case the IP addresses are applied sequentially, with the first selected port getting the IP entered and subsequent ones getting incremented, with numbers being skipped for any unselected ports. For example, if ports 2, 3 and 5 are selected and the IP alias 10.0.0.1/24 is entered for the Network Interface, the following addresses are assigned:
Port 2: 10.0.0.1/24
Port 3: 10.0.0.2/24
Port 5: 10.0.0.4/24
IP Aliases also support IPv6 alias addresses. The only difference is that addresses are hexadecimal numbers, so port 10 may correspond to an address ending in A, and 11 to one ending in B, rather than 10 or 11 as per IPv4.
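The sequential assignment rule for the multiple port edit page (first selected port gets the entered alias, later ports get it incremented by the port-number difference, so unselected ports leave gaps) is reproduced below as an added example; this is not the device's own code. It also covers the IPv6 case the paragraph mentions, where the same offsets show up as hexadecimal, and refuses an alias that would fall outside the subnet the alias was entered in. The port selections are constructed inputs and `assign_port_aliases` is an illustrative name.

```python
"""Sequential IP alias assignment from section 3.1.2 (added example)."""
import ipaddress


def assign_port_aliases(selected_ports, first_alias):
    """Map each selected serial port to its IP alias as a CIDR string.

    first_alias is the alias entered for the Network Interface, e.g.
    '10.0.0.1/24'. The lowest selected port receives it; every other port
    receives the address incremented by (port - lowest port), which is why
    unselected ports in between are skipped. ipaddress does the arithmetic,
    so IPv6 aliases work the same way and the offsets appear in hex."""
    ports = sorted(set(selected_ports))
    if not ports or ports[0] < 1:
        raise ValueError("select at least one serial port, numbered from 1")
    iface = ipaddress.ip_interface(first_alias)
    base_ip, prefix = iface.ip, iface.network.prefixlen
    result = {}
    for port in ports:
        alias_ip = base_ip + (port - ports[0])
        # Do not walk past the end of the subnet the alias was entered in.
        if alias_ip not in iface.network:
            raise ValueError(f"port {port}: {alias_ip} is outside {iface.network}")
        result[port] = f"{alias_ip}/{prefix}"
    return result


if __name__ == "__main__":
    # The manual's own example: ports 2, 3 and 5 with alias 10.0.0.1/24.
    for port, alias in assign_port_aliases([2, 3, 5], "10.0.0.1/24").items():
        print(f"Port {port}: {alias}")
    # IPv6: port 10 ends in 'a', port 11 in 'b' (constructed documentation prefix).
    for port, alias in assign_port_aliases([1, 10, 11], "2001:db8::1/64").items():
        print(f"Port {port}: {alias}")
```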
Encrypt Traffic / Authenticate
Enable trivial encryption and authentication of RFC2217 serial communications
using Portshare (for strong encryption use VPN).
Accumulation Period
Once a connection has been established for a particular serial port (such as a
RFC2217 redirection or Telnet connection to a remote computer), any incoming
characters on that port are forwarded over the network on a character by
character basis. The accumulation period specifies a period of time that
incoming characters are collected before being sent as a packet over the
network.
Escape Character
Change the character used for sending escape characters. The default is ~.
Replace Backspace
Substitute the default backspace value of CTRL+? (127) with CTRL+h (8).
Power Menu
The command to bring up the power menu is ~p and enables the shell power
command so a user can control the power connection to a managed device from
command line when they are Telnet or SSH connected to the device. The managed
device must be set up with both its Serial port connection and Power
connection configured.
Single Connection
This limits the port to a single connection so if multiple users have access
privileges for a particular port only one user at a time can access that port
(i.e. port snooping is not permitted).
3.1.3 Device (RPC, UPS, Environmental) Mode
This mode configures the selected serial port to communicate with a serial
controlled Uninterruptable Power Supply (UPS), Remote Power Controller / Power
Distribution Units (RPC) or Environmental Monitoring Device (Environmental)
1. Select the desired Device Type (UPS, RPC, or Environmental)
2. Proceed to the appropriate device configuration page (Serial & Network > UPS Connections, RPC Connection or Environmental) as detailed in Chapter 7.
3.1.4 Terminal Server Mode
Select Terminal Server Mode and the Terminal Type (vt220, vt102, vt100, Linux
or ANSI) to enable a getty on the selected serial port
The getty configures the port and waits for a connection to be made. An active
connection on a serial device is indicated by the raised Data Carrier Detect
(DCD) pin on the serial device. When a connection is detected, the getty
program issues a login: prompt, and invokes the login program to handle the
system login.
NOTE Selecting Terminal Server mode disables Port Manager for that serial
port, so data is no longer logged for alerts etc.
3.1.5 Serial Bridging Mode
With serial bridging, the serial data on a nominated serial port on one
console server is encapsulated into network packets and transported over a
network to a second console server where it is represented as serial data. The
two console servers act as a virtual serial cable over an IP network. One
console server is configured to be the Server. The Server serial port to be
bridged is set in Console server mode with either RFC2217 or RAW enabled. For
the Client console server, the serial port to be bridged must be set in
Bridging Mode:
· Select Serial Bridging Mode and specify the IP address of the Server console server and the TCP port address of the remote serial port (for RFC2217 bridging this will be 5001-5048)
· By default, the bridging client uses RAW TCP. Select RFC2217 if this is the console server mode you have specified on the server console server
· You can secure the communications over the local Ethernet by enabling SSH. Generate and upload keys.
3.1.6 Syslog
In addition to inbuilt logging and monitoring which can be applied to
serial-attached and network-attached management accesses, as covered in
Chapter 6, the console server can also be configured to support the remote
syslog protocol on a per serial port basis:
· Select the Syslog Facility/Priority fields to enable logging of traffic on the selected serial port to a syslog server; and to sort and act on those logged messages (i.e. redirect them / send alert email.)
For example, if the computer attached to serial port 3 should never send
anything out on its serial console port, the administrator can set the
Facility for that port to local0 (local0 .. local7 are meant for site local
values), and the Priority to critical. At this priority, if the console server
syslog server does receive a message, it raises an alert. See Chapter 6.
3.1.7 NMEA Streaming
The ACM7000-L can provide GPS NMEA data streaming from the internal GPS
/cellular modem. This data stream presents as a serial data stream on port 5
on the ACM models.
The Common Settings (baud rate etc.) are ignored when configuring the NMEA
serial port. You can specify the Fix Frequency (i.e. this GPS fix rate
determines how often GPS fixes are obtained). You can also apply all the
Console Server Mode, Syslog and Serial Bridging settings to this port.
You can use pmshell, webshell, SSH, RFC2217 or RawTCP to get at the stream:
For example, using the Web Terminal:
3.1.8 USB Consoles
Console servers with USB ports support USB console connections to devices from
a wide range of vendors, including Cisco, HP, Dell and Brocade. These USB
ports can also function as plain RS-232 serial ports when a USB-to-serial
adapter is connected.
These USB ports are available as regular portmanager ports and are presented numerically in the web UI after all RJ45 serial ports.
The ACM7008-2 has eight RJ45 serial ports on the rear of the console server and four USB ports on the front. In Serial & Network > Serial Port these are listed as
Port #  Connector
1       RJ45
2       RJ45
3       RJ45
4       RJ45
5       RJ45
6       RJ45
7       RJ45
8       RJ45
9       USB
10      USB
11      USB
12      USB
If the particular ACM7008-2 is a cellular model, port #13 — for the GPS — will also be listed.
The 7216-24U has 16 RJ45 serial ports and 24 USB ports on its rear-face as well as two front-facing USB ports and (in the cellular model) a GPS.
The RJ45 serial ports are presented in Serial & Network > Serial Port as port numbers 1-16. The 24 rear-facing USB ports take port numbers 17-40, and the front-facing USB ports are listed at port numbers 41 and 42 respectively. And, as with the ACM7008-2, if the particular 7216-24U is a cellular model, the GPS is presented at port number 43.
The common settings (baud rate, etc.) are used when configuring the ports, but some operations may not work depending on the implementation of the underlying USB serial chip.
3.2 Add and Edit Users
The administrator uses this menu selection to create, edit and delete users
and to define the access permissions for each of these users.
Users can be authorized to access specified services, serial ports, power devices and specified network-attached hosts. These users can also be given full administrator status (with full configuration and management and access privileges).
Users can be added to groups. Six groups are set up by default:
admin
Provides unlimited configuration and management privileges.
pptpd
Allows access to the PPTP VPN server. Users in this group have their password stored in clear text.
dialin
Allows dialin access via modems. Users in this group have their password stored in clear text.
ftp
Allows ftp access and file access to storage devices.
pmshell
Sets default shell to pmshell.
users
Provides users with basic management privileges.
The admin group provides members full administrator privileges. The admin user
can access the console server using any of the services which have been
enabled in System > Services. They can also access any of the connected Hosts
or serial port devices using any of the services that have been enabled for
these connections. Only trusted users should have administrator access.
The users group provides members with limited access to the console server and
connected hosts and serial devices. These users can only access the Management
section of the Management Console menu and they have no command line access to
the console server. They can only access those Hosts and serial devices that
have been checked for them, using services that have been enabled.
Users in the pptpd, dialin, ftp or pmshell groups have restricted user shell
access to the nominated managed devices but they will not have any direct
access to the console server. To add this, the users must also be a member of
the users or admin groups.
The administrator can set up additional groups with specific power device,
serial port and host access permissions. Users in these additional groups
don’t have any access to the Management Console menu nor do they have any
command line access to the console server.
The administrator can set up users with specific power device, serial port and
host access permissions who are not a member of any groups. These users don’t
have any access to the Management Console menu nor command line access to the
console server.
3.2.1 Set up new group
To set up new groups and new users, and to classify users as members of
particular groups:
1. Select Serial & Network > Users & Groups to display all groups and users
2. Click Add Group to add a new group
3. Add a Group name and Description for each new group, and nominate the Accessible Hosts, Accessible Ports and Accessible RPC Outlets that users in this new group will be able to access
4. Click Apply
5. The administrator can Edit or Delete any added group
3.2.2 Set up new users
To set up new users, and to classify users as members of particular groups:
1. Select Serial & Network > Users & Groups to display all groups and users
2. Click Add User
3. Add a Username for each new user. You may also include information related to the user (e.g. contact details) in the Description field. The Username can contain from 1 to 127 alphanumeric characters and the characters “-” “_” and “.”.
4. Specify which Groups you wish the user to be a member of
5. Add a confirmed Password for each new user. All characters are allowed.
6. SSH pass-key authentication can be used. Paste the public keys of authorized public/private keypairs for this user in the Authorized SSH Keys field
7. Check Disable Password Authentication to only allow public key authentication for this user when using SSH
8. Check Enable Dial-Back in the Dial-in Options menu to allow an out-going dial-back connection to be triggered by logging into this port. Enter the Dial-Back Phone Number with the phone number to call-back when user logs in
9. Check Accessible Hosts and/or Accessible Ports to nominate the serial ports and network connected hosts you wish the user to have access privileges to
10. If there are configured RPCs, check Accessible RPC Outlets to specify which outlets the user is able to control (i.e. Power On/Off)
11. Click Apply. The new user will be able to access the accessible Network Devices, Ports and RPC Outlets. If the user is a group member, they can also access any other device/port/outlet accessible to the group
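The access model described in 3.2 (a user's own Accessible Hosts/Ports/RPC Outlets, plus everything granted to each group they belong to, with the admin group unrestricted and Disable blocking a user outright) is small enough to model directly. The following is an added example, not the device's own code: it validates a Username against the documented character rules and computes a user's effective access so an administrator can check what a given account can actually reach before applying it. The groups, users and the `effective_access` / `can_access_port` helpers are constructed for illustration.

```python
"""Model of the user/group access rules in section 3.2 (added example)."""
import re
from dataclasses import dataclass, field

# 1 to 127 alphanumeric characters plus '-', '_' and '.' (step 3 above).
USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,127}$")
ALL = "*"   # marker for "every port / host / outlet", used for admin members


def valid_username(name: str) -> bool:
    return USERNAME_RE.fullmatch(name) is not None


@dataclass
class Group:
    name: str
    ports: set = field(default_factory=set)     # Accessible Ports
    hosts: set = field(default_factory=set)     # Accessible Hosts
    outlets: set = field(default_factory=set)   # Accessible RPC Outlets


@dataclass
class User:
    name: str
    groups: list = field(default_factory=list)
    ports: set = field(default_factory=set)
    hosts: set = field(default_factory=set)
    outlets: set = field(default_factory=set)
    disabled: bool = False                      # Click Disable in the UI


def effective_access(user, groups_by_name):
    """Return {'ports', 'hosts', 'outlets'} the user can reach.

    Disabled users get nothing; admin members get everything ({ALL});
    otherwise it is the union of the user's own settings and each group's.
    A group name that does not exist grants nothing rather than failing open."""
    if not valid_username(user.name):
        raise ValueError(f"invalid username: {user.name!r}")
    empty = {"ports": set(), "hosts": set(), "outlets": set()}
    if user.disabled:
        return empty
    if "admin" in user.groups:
        return {k: {ALL} for k in empty}
    access = {"ports": set(user.ports), "hosts": set(user.hosts), "outlets": set(user.outlets)}
    for gname in user.groups:
        group = groups_by_name.get(gname)
        if group is None:
            continue
        access["ports"] |= group.ports
        access["hosts"] |= group.hosts
        access["outlets"] |= group.outlets
    return access


def can_access_port(user, groups_by_name, port_no) -> bool:
    ports = effective_access(user, groups_by_name)["ports"]
    return ALL in ports or port_no in ports


# Constructed sample data: the default admin and users groups plus one
# administrator-defined group with specific port/host/outlet permissions.
GROUPS = {
    "admin": Group("admin"),
    "users": Group("users"),
    "netops": Group("netops", ports={1, 2, 3}, hosts={"core-sw"}, outlets={"pdu1:4"}),
}
USERS = {
    "alice": User("alice", groups=["admin"]),
    "bob.s": User("bob.s", groups=["users", "netops"], ports={7}),
    "carol": User("carol", ports={5}),                   # member of no group
    "dave": User("dave", groups=["netops"], disabled=True),
}

if __name__ == "__main__":
    for name, user in USERS.items():
        print(name, effective_access(user, GROUPS))
```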
There are no limits on the number of users you can set up or the number of
users per serial port or host. Multiple users can control/monitor the one port
or host. There are no limits on the number of groups and each user can be a
member of a number of groups. A user does not have to be a member of any
groups, but if the user is a member of the default user group, they will not
be able to use the Management Console to manage ports. While there are no
limits, the time to re-configure increases as the number and complexity
increases. We recommend the aggregate number of users and groups be kept under
250. The administrator can also edit the access settings for any existing
users:
· Select Serial & Network > Users & Groups and click Edit to modify the user access privileges
· Click Delete to remove the user
· Click Disable to temporarily block access privileges
3.3 Authentication
See Chapter 8 for authentication configuration details.
3.4 Network Hosts
To monitor and remotely access a locally networked computer or device
(referred to as a Host) you must identify the Host:
1. Selecting Serial & Network > Network Hosts presents all the network
connected Hosts that have been enabled for use.
2. Click Add Host to enable access to a new Host (or select Edit to update
the settings for existing Host)
3. If the Host is a PDU or UPS power device or a server with IPMI power
control, specify RPC (for IPMI and PDU) or UPS and the Device Type. The
administrator can configure these devices and enable which users have
permission to remotely cycle power, etc. See Chapter 7. Otherwise leave the
Device Type set to None.
4. If the console server has been configured with distributed Nagios
monitoring enabled, you will also see Nagios Settings options to enable
nominated services on the Host to be monitored.
5. Click Apply. This creates the new Host and also creates a new managed
device with the same name.
3.5 Trusted Networks
The Trusted Networks facility gives you an option to nominate IP addresses
that users must be located at, to have access to console server serial ports:
1. Select Serial & Network > Trusted Networks
2. To add a new trusted network, select Add Rule. In the absence of Rules, there are no access limitations as to the IP address at which users can be located.
3. Select the Accessible Ports that the new rule is to be applied to
4. Enter the Network Address of the subnet to be permitted access
5. Specify the range of addresses that are to be permitted by entering a
Network Mask for that permitted IP range e.g.
· To permit all the users located with a particular Class C network connection to the nominated port, add the following Trusted Network New Rule:
  Network IP Address: 204.15.5.0
  Subnet Mask: 255.255.255.0
· To permit only one user located at a specific IP address to connect:
  Network IP Address: 204.15.5.13
  Subnet Mask: 255.255.255.255
· To allow all the users operating from within a specific range of IP addresses (say any of the thirty addresses from 204.15.5.129 to 204.15.5.158) to be permitted connection to the nominated port:
  Host /Subnet Address: 204.15.5.128
  Subnet Mask: 255.255.255.224
6. Click Apply
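The following is an added example, not the console server's own code: it evaluates Trusted Networks rules (Network Address, Subnet Mask, Accessible Ports) against a client's source address using the three rules from the manual, reproduces the "no Rules, no limitation" behaviour for a port no rule nominates, and shows how a mask such as 255.255.255.224 yields the thirty usable addresses .129 to .158 quoted above. `TrustedRule`, `client_permitted` and the port bindings are constructed for illustration.

```python
"""Trusted Networks rule evaluation for section 3.5 (added example)."""
import ipaddress


class TrustedRule:
    def __init__(self, network_address, subnet_mask, accessible_ports):
        # ipaddress accepts a dotted-decimal mask after the slash; strict=False
        # keeps a plain host address (mask 255.255.255.255) usable as entered.
        self.network = ipaddress.ip_network(f"{network_address}/{subnet_mask}", strict=False)
        self.ports = set(accessible_ports)      # Accessible Ports the rule applies to


def rules_for_port(rules, port_no):
    return [r for r in rules if port_no in r.ports]


def client_permitted(rules, port_no, client_ip) -> bool:
    """True if a client at client_ip may reach serial port port_no.

    If no rule nominates the port there is no restriction; otherwise the
    client must fall inside at least one of the nominated networks."""
    applicable = rules_for_port(rules, port_no)
    if not applicable:
        return True
    addr = ipaddress.ip_address(client_ip)
    return any(addr in r.network for r in applicable)


def usable_host_range(network_address, subnet_mask):
    """(first host, last host, count) for a rule's subnet, the way the manual
    quotes it: 204.15.5.128 / 255.255.255.224 -> .129 to .158, thirty addresses."""
    net = ipaddress.ip_network(f"{network_address}/{subnet_mask}", strict=False)
    hosts = list(net.hosts())
    return str(hosts[0]), str(hosts[-1]), len(hosts)


# Constructed rule set: the manual's three examples bound to ports 1, 2 and 3.
RULES = [
    TrustedRule("204.15.5.0", "255.255.255.0", [1]),        # whole Class C network
    TrustedRule("204.15.5.13", "255.255.255.255", [2]),     # a single address
    TrustedRule("204.15.5.128", "255.255.255.224", [3]),    # .129 to .158
]

if __name__ == "__main__":
    print(usable_host_range("204.15.5.128", "255.255.255.224"))
    for port, ip in ((1, "204.15.5.200"), (2, "204.15.5.14"), (3, "204.15.5.158"), (9, "198.51.100.1")):
        print(f"port {port} from {ip}: {'permitted' if client_permitted(RULES, port, ip) else 'denied'}")
```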
3.6 Serial Port Cascading
Cascaded Ports enables you to cluster distributed console servers so a large
number of serial ports (up to 1000) can be configured and accessed through one
IP address and managed through the one Management Console. One console server,
the Primary, controls other console servers as Node units and all the serial
ports on the Node units appear as if they are part of the Primary. Opengear’s
clustering connects each Node to the Primary with an SSH connection. This is
done using public key authentication, so the Primary can access each Node
using the SSH key pair (rather than using passwords). This ensures secure
authenticated communications between Primary and Nodes enabling the Node
console server units to be distributed locally on a LAN or remotely around the
world.
3.6.1 Automatically generate and upload SSH keys
To set up public key authentication you must first generate an RSA or DSA key
pair and upload them into the Primary and Node console servers. This can be
done automatically from the Primary:
1. Select System > Administration on Primary’s Management Console
2. Check Generate SSH keys automatically.
3. Click Apply
Next you must select whether to generate keys using RSA and/or DSA (if unsure,
select only RSA). Generating each set of keys requires two minutes and the new
keys destroy old keys of that type. While the new generation is underway,
functions relying on SSH keys (e.g. cascading) may stop functioning until they
are updated with the new set of keys. To generate keys:
1. Check boxes for the keys you wish to generate.
2. Click Apply
3. Once the new keys have been generated, click the link Click here to return. The keys are uploaded to the Primary and connected Nodes.
3.6.2 Manually generate and upload SSH keys
Alternately, if you already have an RSA or DSA key pair you can upload it to the Primary and Node console servers. To upload the public and private key pair to the Primary console server:
1. Select System > Administration on the Primary’s Management Console
2. Browse to the location where you have stored the RSA (or DSA) Public Key and upload it to SSH RSA (DSA) Public Key
3. Browse to the stored RSA (or DSA) Private Key and upload it to SSH RSA (DSA) Private Key
4. Click Apply
Next, you must register the Public Key as an Authorized Key on the Node. In
the case of one Primary with multiple Nodes, you upload one RSA or DSA public
key for each Node.
1. Select System > Administration on the Node’s Management Console
2. Browse to the stored RSA (or DSA) Public Key and upload it to the Node’s SSH Authorized Key
3. Click Apply
The next step is to Fingerprint each new Node-Primary connection. This step validates that you are establishing an SSH session to who you think you are. On the first connection the Node receives a fingerprint from the Primary that is used on all future connections. To establish the fingerprint, first log in to the Primary server as root and establish an SSH connection to the Node remote host:
ssh remhost
Once the SSH connection has been established, you are asked to accept the key. Answer yes and the fingerprint is added to the list of known hosts. If you are asked to supply a password, there was a problem uploading the keys.
3.6.3 Configure the Nodes and their serial ports
Begin setting up the Nodes and configuring Node serial ports from the Primary console server:
1. Select Serial & Network > Cascaded Ports on the Primary’s Management Console
2. To add clustering support, select Add Node
You can’t add Nodes until you have generated SSH keys. To define and configure a Node:
1. Enter the remote IP Address or DNS Name for the Node console server
2. Enter a brief Description and a short Label for the Node
3. Enter the full number of serial ports on the Node unit in Number of Ports
4. Click Apply. This establishes the SSH tunnel between the Primary and the new Node
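The fingerprint step in 3.6.2 above trusts whatever host key the Node presents on the first connection. The following added example (not Opengear’s own code; host names, key bytes and the known_hosts line are constructed) shows the check an administrator can make afterwards: compute the SHA256 fingerprint of the Node’s entry in the Primary’s known_hosts file and compare it with the fingerprint read directly from the Node:

```python
"""Verify a cascaded Node's SSH host key against an out-of-band fingerprint.

Added example; not Opengear's own code. The 'ssh remhost' step above accepts
the Node's host key on first use. This script shows the check to make after
that: read the Primary's known_hosts file, compute the SHA256 fingerprint of
the Node's entry (the value 'ssh-keygen -lf' would print) and compare it with
the fingerprint read from the Node itself. Host names, key bytes and the
known_hosts text are constructed; only unhashed known_hosts entries are handled.
"""
import base64
import hashlib
import struct


def ssh_string(data):
    """Encode bytes as an SSH wire-format string (uint32 length + payload)."""
    return struct.pack(">I", len(data)) + data


def ed25519_public_blob(raw_key):
    """Build the OpenSSH public-key blob for an Ed25519 key (RFC 8709 layout)."""
    return ssh_string(b"ssh-ed25519") + ssh_string(raw_key)


def sha256_fingerprint(blob):
    """OpenSSH-style fingerprint: base64 of SHA256(blob) without '=' padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_known_hosts(text):
    """Map each host name in known_hosts to (key type, key blob).

    Blank lines, comments and @cert-authority/@revoked markers are skipped;
    hashed (|1|...) entries cannot be matched by name and are ignored.
    """
    entries = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith(("#", "@", "|1|")):
            continue
        hosts, keytype, key_b64 = parts[0], parts[1], parts[2]
        for host in hosts.split(","):
            entries[host] = (keytype, base64.b64decode(key_b64))
    return entries


def verify_node_key(known_hosts_text, node_host, expected_fp):
    """Return (ok, detail); ok is True only if the stored key matches expected_fp."""
    entry = parse_known_hosts(known_hosts_text).get(node_host)
    if entry is None:
        return False, f"no known_hosts entry for {node_host}"
    keytype, blob = entry
    actual = sha256_fingerprint(blob)
    if actual != expected_fp:
        return False, f"{keytype} key for {node_host} is {actual}, expected {expected_fp}"
    return True, f"{keytype} key for {node_host} matches {actual}"


# Constructed Node key (not a real key) and the known_hosts line that
# 'ssh remhost' would have added on the Primary once the key was accepted.
NODE_KEY_BLOB = ed25519_public_blob(bytes(range(32)))
KNOWN_HOSTS = ("remhost,192.0.2.10 ssh-ed25519 "
               + base64.b64encode(NODE_KEY_BLOB).decode() + "\n")
# Fingerprint as read from the Node's own console (here derived from the same blob).
NODE_FINGERPRINT = sha256_fingerprint(NODE_KEY_BLOB)

if __name__ == "__main__":
    print(verify_node_key(KNOWN_HOSTS, "remhost", NODE_FINGERPRINT))
```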
The Serial & Network > Cascaded Ports menu displays all the nodes and the port
numbers that have been allocated on the Primary. If the Primary console server
has 16 ports of its own, ports 1-16 are preallocated to the Primary, so the
first node added is assigned port number 17 onwards. Once you have added all
the Node console servers, the Node serial ports and the connected devices are
configurable and accessible from the Primary’s Management Console menu and
accessible through the Primary’s IP address.
1. Select the appropriate Serial & Network > Serial Port and Edit to configure the serial ports on the Node.
2. Select the appropriate Serial & Network > Users & Groups to add new users with access privileges to the Node serial ports (or to extend existing users’ access privileges).
3. Select the appropriate Serial & Network > Trusted Networks to specify network addresses that can access nominated Node serial ports.
4. Select the appropriate Alerts & Logging > Alerts to configure Node port Connection, State Change or Pattern Match alerts.
The configuration changes made on the Primary are propagated out to all the Nodes when you click Apply.
3.6.4 Managing Nodes
The Primary is in control of the Node serial ports. For example, if you change a user’s access privileges or edit any serial port setting on the Primary, the updated configuration files are sent out to each Node in parallel. Each Node makes changes to its local configuration (and only makes changes that relate to its particular serial ports). You can use the local Node Management Console to change the settings on any Node serial port (such as altering the baud rate). These changes are overwritten the next time the Primary sends out a configuration file update. While the Primary is in control of all Node serial port related functions, it does not control the Node’s network host connections or the Node console server system. Node functions such as IP, SMTP & SNMP Settings, Date & Time and DHCP server must be managed by accessing each Node directly, and these functions are not overwritten when configuration changes are propagated from the Primary. The Node’s Network Host and IPMI settings must be configured at each Node.
The Primary’s Management Console provides a consolidated view of the settings for its own and the entire Node’s serial ports. The Primary does not provide a fully consolidated view. For example, if you want to find out who is logged in to cascaded serial ports from the Primary, you’ll see that Status > Active Users only displays those users active on the Primary’s ports, so you may need to write custom scripts to provide this view.
3.7 Serial Port Redirection (PortShare)
Opengear’s PortShare software delivers the virtual serial port technology your Windows and Linux applications need to open remote serial ports and read the data from serial devices that are connected to your console server. PortShare is supplied free with each console server and you are licensed to install PortShare on one or more computers for accessing any serial device connected to a console server port.
PortShare for Windows
The portshare_setup.exe can be downloaded from the ftp site. See the PortShare User Manual and Quick Start for details on installation and operation.
PortShare for Linux
The PortShare driver for Linux maps the console server serial port to a host tty port. Opengear has released the portshare-serial-client as an open source utility for Linux, AIX, HPUX, SCO, Solaris and UnixWare. This utility can be downloaded from the ftp site. This PortShare serial port redirector allows you to use a serial device connected to the remote console server as if it were connected to your local serial port. The portshare-serial-client creates a pseudo-tty port, connects the serial application to the pseudo-tty port, receives data from the pseudo-tty port and transmits it to the console server over the network, and receives data from the console server over the network and transmits it to the pseudo-tty port. The .tar file can be downloaded from the ftp site. See the PortShare User Manual and Quick Start for details on installation and operation.
3.8 Managed Devices
The Managed Devices page presents a consolidated view of all the connections to a device that can be accessed and monitored through the console server. To view the connections to the devices, select Serial & Network > Managed Devices.
This screen displays all the managed devices with their Description/Notes and lists of all the configured Connections:
· Serial Port # (if serially connected) or
· USB (if USB connected)
· IP Address (if network connected)
· Power PDU/outlet details (if applicable) and any UPS connections
Devices such as servers may have more than one power connection (e.g. dual power supplies) and more than one network connection (e.g. for BMC/service processor). All users can view these managed device connections by selecting Manage > Devices. Administrators can also edit and add/delete these managed devices and their connections. To edit an existing device and add a new connection:
1. Select Edit on the Serial & Network > Managed Devices and click Add Connection
2. Select the connection type for the new connection (Serial, Network Host, UPS or RPC) and select the connection from the presented list of configured unallocated hosts/ports/outlets
To add a new network connected managed device:
1. The Administrator adds a new network connected managed device using Add Host on the Serial & Network > Network Host menu. This automatically creates a corresponding new managed device.
2. When adding a new network connected RPC or UPS power device, you set up a Network Host and designate it as RPC or UPS. Go to RPC Connections or UPS Connections to configure the relevant connection. The corresponding new managed device with the same Name/Description as the RPC/UPS Host is not created until this connection step is completed.
NOTE The outlet names on the newly created PDU are Outlet 1 and Outlet 2. When
you connect a particular managed device that draws power from the outlet, the
outlet takes the name of the powered managed device.
To add a new serially connected managed device:
1. Configure the serial port using the Serial & Network > Serial Port menu (See Section 3.1 Configure Serial Port)
2. Select Serial & Network > Managed Devices and click Add Device
3. Enter a Device Name and Description for the managed device
4. Click Add Connection and select Serial and the Port that connects to the managed device
5. To add a UPS/RPC power connection or network connection or another serial connection click Add Connection
6. Click Apply
NOTE
To set up a serially connected RPC, UPS or EMD device, configure the serial port, designate it as a Device, and enter a Name and Description for that device in the Serial & Network > RPC Connections (or UPS Connections or Environmental). This creates a corresponding new managed device with the same Name/Description as the RPC/UPS Host. The outlet names on this newly created PDU are Outlet 1 and Outlet 2. When you connect a managed device that draws power from the outlet, the outlet takes the name of the powered managed device.
3.9 IPsec VPN
The ACM7000, CM7100, and IM7200 include Openswan, a Linux implementation of
the IPsec (IP Security) protocols, which can be used to configure a Virtual
Private Network (VPN). The VPN allows multiple sites or remote administrators
to access the console server and managed devices securely over the Internet.
The administrator can establish encrypted, authenticated VPN connections between console servers distributed at remote sites and a VPN gateway (such as a Cisco router running IOS IPsec) on their central office network:
· Users at the central office can securely access the remote console servers and connected serial console devices and machines on the Management LAN subnet at the remote location as though they were local
· All these remote console servers can be monitored with a CMS6000 on the central network
· With serial bridging, serial data from a controller at the central office machine can be securely connected to the serially controlled devices at the remote sites
The road warrior administrator can use a VPN IPsec software client to remotely access the console server and every machine on the Management LAN subnet at the remote location.
Configuration of IPsec is quite complex so Opengear provides a GUI interface
for basic set up as described below. To enable the VPN gateway:
1. Select IPsec VPN on the Serial & Networks menu
2. Click Add and complete the Add IPsec Tunnel screen
3. Enter any descriptive name you wish to identify the IPsec Tunnel you are adding, such as WestStOutlet-VPN
4. Select the Authentication Method to be used, either RSA digital signatures or a Shared secret (PSK)
o If you select RSA you are asked to click here to generate keys. This generates an RSA public key for the console server (the Left Public Key). Locate the key to be used on the remote gateway, cut and paste it into the Right Public Key
o If you select Shared secret, enter a Pre-shared secret (PSK). The PSK must match the PSK configured at the other end of the tunnel
5. In Authentication Protocol select the authentication protocol to be used.
Either authenticate as part of ESP (Encapsulating Security Payload) encryption
or separately using the AH (Authentication Header) protocol.
6. Enter a Left ID and Right ID. This is the identifier that the local host/gateway and remote host/gateway use for IPsec negotiation and authentication. Each ID must include an @ and can include a fully qualified domain name (e.g. left@example.com)
7. Enter the public IP or DNS address of this Opengear VPN gateway as the
Left Address. You can leave this blank to use the interface of the default
route
8. In Right Address enter the public IP or DNS address of the remote end of
the tunnel (only if the remote end has a static or DynDNS address). Otherwise
leave this blank
9. If the Opengear VPN gateway is serving as a VPN gateway to a local subnet
(e.g. the console server has a Management LAN configured) enter the private
subnet details in Left Subnet. Use CIDR notation (where the IP address is followed by a slash and the number of ’one’ bits in the binary notation of the netmask). For example, 192.168.0.0/24 indicates an IP address
where the first 24 bits are used as the network address. This is the same as
255.255.255.0. If the VPN access is only to the console server and to its
attached serial console devices, leave Left Subnet blank
10. If there is a VPN gateway at the remote end, enter the private subnet
details in Right Subnet. Use the CIDR notation and leave blank if there is
only a remote host
11. Select Initiate Tunnel if the tunnel connection is to be initiated from
the Left console server end. This can only be initiated from the VPN gateway
(Left) if the remote end is configured with a static (or DynDNS) IP address
12. Click Apply to save changes
NOTE Configuration details set up on the console server (referred to as the
Left or Local host) must match the set up entered when configuring the Remote
(Right) host/gateway or software client. See http://www.opengear.com/faq.html
for details on configuring these remote ends
3.10 OpenVPN
The ACM7000, CM7100, and IM7200 with firmware V3.2 and later include OpenVPN.
OpenVPN uses the OpenSSL library for encryption, authentication, and
certification, which means it uses SSL/TLS (Secure Socket Layer/Transport
Layer Security) for key exchange and can encrypt both data and control
channels. Using OpenVPN allows for the building of cross-platform, point-to-
point VPNs using either X.509 PKI (Public Key Infrastructure) or custom
configuration files. OpenVPN allows secure tunneling of data through a single
TCP/UDP port over an unsecured network, thus providing secure access to
multiple sites and secure remote administration to a console server over the
Internet. OpenVPN also allows the use of Dynamic IP addresses by both the
server and client thus providing client mobility. For example, an OpenVPN
tunnel may be established between a roaming Windows client and an Opengear
console server within a data center. Configuration of OpenVPN can be complex
so Opengear provides a GUI interface for basic set up as described below. More
detailed information is available at http://www.openvpn.net
3.10.1 Enable the OpenVPN
1. Select OpenVPN on the Serial & Networks menu
2. Click Add and complete the Add OpenVPN Tunnel screen
3. Enter any descriptive name you wish to identify the OpenVPN Tunnel you are adding, for example NorthStOutlet-VPN
4. Select the authentication method to be used. To authenticate using
certificates select PKI (X.509 Certificates) or select Custom Configuration to
upload custom configuration files. Custom configurations must be stored in
/etc/config.
NOTE If you select PKI, establish:
· A separate certificate (also known as a public key) for the server and each client. This Certificate File is a .crt file type
· A Private Key for the server and each client. This Private Key File is a .key file type
· A Primary Certificate Authority (CA) certificate and key, which is used to sign each of the server and client certificates. This Root CA Certificate is a *.crt file type
For a server, you may also need dh1024.pem (Diffie Hellman parameters). See http://openvpn.net/easyrsa.html for a guide to basic RSA key management. For alternative authentication methods see http://openvpn.net/index.php/documentation/howto.html#auth.
5. Select the Device Driver to be used, either Tun-IP or Tap-Ethernet. The
TUN (network tunnel) and TAP (network tap) drivers are virtual network drivers
that support IP tunneling and Ethernet tunneling, respectively. TUN and TAP
are part of the Linux kernel.
6. Select either UDP or TCP as the Protocol. UDP is the default and preferred protocol for OpenVPN.
7. Check or uncheck the Compression button to enable or disable compression.
8. In Tunnel Mode, nominate whether this is the Client or Server end of the tunnel. When running as a server, the console server supports multiple clients connecting to the VPN server over the same port.
3.10.2 Configure as Server or Client
1. Complete the Client Details or Server Details depending on the Tunnel Mode selected.
o If Client has been selected, the Primary Server Address is the address of the OpenVPN Server.
o If Server has been selected, enter the IP Pool Network address and the IP Pool Network mask for the IP Pool. The network defined by the IP Pool Network address/mask is used to provide the addresses for connecting clients.
2. Click Apply to save changes
3. To enter authentication certificates and files, select the Manage OpenVPN
Files tab. Upload or browse to relevant authentication certificates and files.
4. Apply to save changes. Saved files are displayed in red on the right-hand
side of the Upload button.
5. To enable OpenVPN, Edit the OpenVPN tunnel
6. Check the Enabled button.
7. Apply to save changes
NOTE Make sure that the console server system time is correct when working with OpenVPN to avoid authentication issues.
8. Select Statistics on the Status menu to verify that the tunnel is
operational.
3.10.3 Windows OpenVPN Client and Server set up
This section outlines the installation and configuration of a Windows OpenVPN client or a Windows OpenVPN server and setting up a VPN connection to a console server. Console servers generate Windows client config automatically from the GUI for Pre-shared Secret (Static Key File) configurations.
Alternately OpenVPN GUI for Windows software (which includes the standard
OpenVPN package plus a Windows GUI) can be downloaded from http://openvpn.net.
Once installed on the Windows machine, an OpenVPN icon is added to the
Notification Area located in the right side of the taskbar. Right click on
this icon to start and stop VPN connections, edit configurations, and view
logs.
When the OpenVPN software begins running, the C:\Program Files\OpenVPN\config folder is scanned for .ovpn files. This folder is rechecked for new configuration files whenever the OpenVPN GUI icon is right-clicked. Once OpenVPN is installed, create a configuration file:
Using a text editor, create an xxxx.ovpn file and save it in C:\Program Files\OpenVPN\config. For example, C:\Program Files\OpenVPN\config\client.ovpn
An example of an OpenVPN Windows client configuration file is shown below (backslashes in the Windows paths are doubled, as the options table below requires):
# description: IM4216_client
client
proto udp
verb 3
dev tun
remote 192.168.250.152
port 1194
ca c:\\openvpnkeys\\ca.crt
cert c:\\openvpnkeys\\client.crt
key c:\\openvpnkeys\\client.key
nobind
persist-key
persist-tun
comp-lzo
An example of an OpenVPN Windows server configuration file is shown below:
server 10.100.10.0 255.255.255.0
port 1194
keepalive 10 120
proto udp
mssfix 1400
persist-key
persist-tun
dev tun
ca c:\\openvpnkeys\\ca.crt
cert c:\\openvpnkeys\\server.crt
key c:\\openvpnkeys\\server.key
dh c:\\openvpnkeys\\dh.pem
comp-lzo
verb 1
syslog IM4216_OpenVPN_Server
The Windows client/server configuration file options are:
#description:
  A comment describing the configuration. Comment lines start with ’#’ and are ignored by OpenVPN.
client / server
  Specify whether this will be a client or server configuration file. In the server configuration file, define the IP address pool and netmask. For example, server 10.100.10.0 255.255.255.0
proto udp / proto tcp
  Set the protocol to UDP or TCP. The client and server must use the same settings.
mssfix <max. size>
  Mssfix sets the maximum size of the packet. This is only useful for UDP if problems occur.
verb
  Set the log file verbosity level. Log verbosity level can be set from 0 (minimum) to 15 (maximum). For example: 0 = silent except for fatal errors; 3 = medium output, good for general usage; 5 = helps with debugging connection problems; 9 = verbose, excellent for troubleshooting
dev tun / dev tap
  Select ’dev tun’ to create a routed IP tunnel or ’dev tap’ to create an Ethernet tunnel. The client and server must use the same settings.
remote
  The hostname/IP of the OpenVPN server when operating as a client. Enter either the DNS hostname or the static IP address of the server.
port
  The UDP/TCP port of the server.
keepalive
  Keepalive uses ping to keep the OpenVPN session alive. ’keepalive 10 120’ pings every 10 seconds and assumes the remote peer is down if no ping has been received over a 120 second time period.
http-proxy
  If a proxy is required to access the server, enter the proxy server DNS name or IP and port number.
ca
  Enter the CA certificate file name and location. The same CA certificate file can be used by the server and all clients. Note: Ensure each ’\’ in the directory path is replaced with ’\\’. For example, c:\openvpnkeys\ca.crt will become c:\\openvpnkeys\\ca.crt
cert
  Enter the client’s or server’s certificate file name and location. Each client should have its own certificate and key files. Note: Ensure each ’\’ in the directory path is replaced with ’\\’.
key
  Enter the file name and location of the client’s or server’s key. Each client should have its own certificate and key files. Note: Ensure each ’\’ in the directory path is replaced with ’\\’.
dh
  This is used by the server only. Enter the path to the key with the Diffie-Hellman parameters.
nobind
  ’nobind’ is used when clients do not need to bind to a local address or specific local port number. This is the case in most client configurations.
persist-key
  This option prevents the reloading of keys across restarts.
persist-tun
  This option prevents the close and reopen of TUN/TAP devices across restarts.
cipher
  Select a cryptographic cipher. The client and server must use the same settings.
comp-lzo
  Enable compression on the OpenVPN link. This must be enabled on both the client and the server.
syslog
  By default, logs are located in syslog or, if running as a service on Windows, in the Program Files\OpenVPN\log directory.
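As an added example (not code from Opengear or the OpenVPN project), the following Python checker parses a client and a server configuration file in the format shown above and reports what the options table warns about: settings that must agree on both ends (proto, dev, cipher, comp-lzo, port), missing certificate and key files, and Windows paths whose backslashes were not doubled. The sample configurations are constructed from the manual’s examples; the addresses and file paths are placeholders.

```python
"""Consistency check for an OpenVPN client/server configuration pair.

Added example; not Opengear's or OpenVPN's own code. It parses configuration
files in the format shown above and checks what the options table requires:
matching proto, dev, cipher, comp-lzo and port on both ends, the ca/cert/key
files each side needs (plus dh on the server), and doubled backslashes in
Windows paths. Sample configurations are constructed; paths are placeholders.
"""
import re

# Options the table says the client and server must agree on.
MUST_MATCH = ("proto", "dev", "cipher", "comp-lzo", "port")
# Certificate/key files each side needs; dh is used by the server only.
REQUIRED_FILES = {"client": ("ca", "cert", "key"), "server": ("ca", "cert", "key", "dh")}
# A single backslash that is not part of a doubled pair.
LONE_BACKSLASH = re.compile(r"(?<!\\)\\(?!\\)")


def parse_ovpn(text):
    """Parse config text into {option: [arguments]}; '#' and ';' lines are comments."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        parts = line.split()
        opts[parts[0]] = parts[1:]
    return opts


def tunnel_mode(opts):
    """Return 'client' or 'server', or None if neither or both options are set."""
    if ("client" in opts) == ("server" in opts):
        return None
    return "client" if "client" in opts else "server"


def windows_path_problems(opts):
    """Flag Windows file paths whose backslashes are not doubled (see the 'ca' note)."""
    problems = []
    for opt in ("ca", "cert", "key", "dh"):
        args = opts.get(opt)
        if args and re.match(r"[A-Za-z]:", args[0]) and LONE_BACKSLASH.search(args[0]):
            problems.append(f"{opt}: backslashes in {args[0]} must be doubled")
    return problems


def check_pair(client_text, server_text):
    """Return the list of problems found; an empty list means the pair is consistent."""
    client, server = parse_ovpn(client_text), parse_ovpn(server_text)
    problems = []
    if tunnel_mode(client) != "client":
        problems.append("first file is not a client configuration")
    if tunnel_mode(server) != "server":
        problems.append("second file is not a server configuration")
    if "remote" not in client:
        problems.append("client: missing remote (server hostname/IP)")
    for opt in MUST_MATCH:
        if client.get(opt) != server.get(opt):
            problems.append(f"{opt}: client {client.get(opt)} != server {server.get(opt)}")
    for side, opts in (("client", client), ("server", server)):
        problems.extend(f"{side}: missing {o}" for o in REQUIRED_FILES[side] if o not in opts)
        problems.extend(f"{side} {p}" for p in windows_path_problems(opts))
    return problems


# Constructed sample pair modelled on the manual's Windows examples.
CLIENT_OVPN = r"""
client
proto udp
dev tun
remote 192.168.250.152
port 1194
ca c:\\openvpnkeys\\ca.crt
cert c:\\openvpnkeys\\client.crt
key c:\\openvpnkeys\\client.key
comp-lzo
"""
SERVER_OVPN = r"""
server 10.100.10.0 255.255.255.0
port 1194
proto udp
dev tun
ca c:\\openvpnkeys\\ca.crt
cert c:\\openvpnkeys\\server.crt
key c:\\openvpnkeys\\server.key
dh c:\\openvpnkeys\\dh.pem
comp-lzo
"""
# Constructed faulty client: Ethernet tunnel against a routed server, and a
# CA path whose backslashes were not doubled.
BAD_CLIENT_OVPN = r"""
client
proto udp
dev tap
remote 192.168.250.152
port 1194
ca c:\openvpnkeys\ca.crt
cert c:\\openvpnkeys\\client.crt
key c:\\openvpnkeys\\client.key
comp-lzo
"""

if __name__ == "__main__":
    for label, text in (("good client", CLIENT_OVPN), ("bad client", BAD_CLIENT_OVPN)):
        print(label, "->", check_pair(text, SERVER_OVPN) or "OK")
```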
To initiate the OpenVPN tunnel following the creation of the client/server configuration files:
1. Right click on the OpenVPN icon in the Notification Area
2. Select the newly created client or server configuration.
3. Click Connect
4. The log file is displayed as the connection is established
5. Once established, the OpenVPN icon displays a message indicating a
successful connection and assigned IP. This information, as well as the time
the connection was established, is available by scrolling over the OpenVPN
icon.
3.11 PPTP VPN
Console servers include a PPTP (Point-to-Point Tunneling Protocol) server.
PPTP is used for communications over a physical or virtual serial link. The
PPP endpoints define a virtual IP address to themselves. Routes to networks
can be defined with these IP addresses as the gateway, which results in
traffic being sent across the tunnel. PPTP establishes a tunnel between the
physical PPP endpoints and securely transports data across the tunnel.
The strength of PPTP is its ease of configuration and integration into
existing Microsoft infrastructure. It is generally used for connecting single
remote Windows clients. If you take your portable computer on a business trip,
you can dial a local number to connect to your Internet access service
provider (ISP) and create a second connection (tunnel) into your office
network across the Internet and have the same access to your corporate network
as if you were connected directly from your office. Telecommuters can also set
up a VPN tunnel over their cable modem or DSL links to their local ISP.
To set up a PPTP connection from a remote Windows client to your Opengear
appliance and local network:
1. Enable and configure the PPTP VPN server on your Opengear appliance
2. Set up VPN user accounts on the Opengear appliance and enable the appropriate authentication
3. Configure the VPN clients at the remote sites. The client does not require special software as the PPTP Server supports the standard PPTP client software included with Windows NT and later
4. Connect to the remote VPN
3.11.1 Enable the PPTP VPN server
1. Select PPTP VPN on the Serial & Networks menu
2. Select the Enable check box to enable the PPTP Server
3. Select the Minimum Authentication Required. Access is denied to remote users attempting to connect using an authentication scheme weaker than the selected scheme. The schemes are described below, from strongest to weakest.
· Encrypted Authentication (MS-CHAP v2): The strongest type of authentication to use; this is the recommended option
· Weakly Encrypted Authentication (CHAP): This is the weakest type of encrypted password authentication to use. It is not recommended that clients connect using this as it provides very little password protection. Also note that clients connecting using CHAP are unable to encrypt traffic
· Unencrypted Authentication (PAP): This is plain text password authentication. When using this type of authentication, the client password is transmitted unencrypted.
· None
4. Select the Required Encryption Level. Access is denied to remote users attempting to connect that are not using this encryption level.
5. In Local Address enter the IP address to assign to the server’s end of the VPN connection
6. In Remote Addresses enter the pool of IP addresses to assign to the incoming clients’ VPN connections (e.g. 192.168.1.10-20). This must be a free IP address or range of addresses from the network that remote users are assigned while connected to the Opengear appliance
7. Enter the desired value of the Maximum Transmission Unit (MTU) for the PPTP interfaces into the MTU field (defaults to 1400)
8. In the DNS Server field, enter the IP address of the DNS server that assigns IP addresses to connecting PPTP clients
9. In the WINS Server field, enter the IP address of the WINS server that assigns IP addresses to connecting PPTP clients
10. Enable Verbose Logging to assist in debugging connection problems
11. Click Apply Settings
3.11.2 Add a PPTP user
1. Select Users & Groups on the Serial & Networks menu and complete the fields as covered in section 3.2.
2. Ensure the pptpd group has been checked, to allow access to the PPTP VPN server. Note: users in this group have their passwords stored in clear text.
3. Keep note of the username and password for when you need to connect to the VPN connection
4. Click Apply
3.11.3 Set up a remote PPTP client
Ensure the remote VPN client PC has Internet connectivity. To create a VPN connection across the Internet, you must set up two networking connections. One connection is for the ISP, and the other connection is for the VPN tunnel to the Opengear appliance.
NOTE This procedure sets up a PPTP client in the Windows Professional operating system. The steps may vary slightly depending on your network access or if you are using an alternate version of Windows. More detailed instructions are available from the Microsoft web site.
1. Login to your Windows client with administrator privileges
2. From the Network & Sharing Center on the Control Panel select Network Connections and create a new connection
3. Select Use My Internet Connection (VPN) and enter the IP Address of the Opengear appliance
To connect remote VPN clients to the local network, you
need to know the username and password for the PPTP account you added, as well
as the Internet IP address of the Opengear appliance. If your ISP has not
allocated you a static IP address, consider using a dynamic DNS service.
Otherwise you must modify the PPTP client configuration each time your
Internet IP address changes.
3.12 Call Home
All console servers include the Call Home feature which initiates the setup of
a secure SSH tunnel from the console server to a centralized Opengear
Lighthouse. The console server registers as a candidate on the Lighthouse.
Once accepted there it becomes a Managed Console Server.
Lighthouse monitors the Managed Console Server and administrators can access
the remote Managed Console Server through the Lighthouse. This access is
available even when the remote console server is behind a third-party firewall or has a private, non-routable IP address.
NOTE
Lighthouse maintains public key authenticated SSH connections to each of its Managed Console Servers. These connections are used for monitoring, directing and accessing the Managed Console Servers and the managed devices connected to the Managed Console Server.
To manage Local Console Servers, or console servers that are reachable from the Lighthouse, the SSH connections are initiated by Lighthouse.
To manage Remote Console Servers, or console servers that are firewalled, not routable, or otherwise unreachable from the Lighthouse, the SSH connections are initiated by the Managed Console Server via an initial Call Home connection.
This ensures secure, authenticated communications and enables Managed Console Servers units to be distributed locally on a LAN, or remotely around the world.
3.12.1 Set up Call Home candidate
To set up the console server as a Call Home management candidate on the Lighthouse:
1. Select Call Home on the Serial & Network menu
2. If you have not already generated or uploaded an SSH key pair for this
console server, do so before proceeding
3. Click Add
4. Enter the IP address or DNS name (e.g. the dynamic DNS address) of the
Lighthouse.
5. Enter the Password that you configured on the CMS as the Call Home
Password.
6. Click Apply
These steps initiate the Call Home connection from the console server to the Lighthouse. This creates an SSH listening port on the Lighthouse and sets the console server up as a candidate.
Once the candidate has been accepted on the Lighthouse, an SSH tunnel to the console server is redirected back across the Call Home connection. The console server has become a Managed Console Server and the Lighthouse can connect to and monitor it through this tunnel.
3.12.2 Accept Call Home candidate as Managed Console Server on Lighthouse
This section gives an overview of configuring the Lighthouse to monitor console servers that are connected via Call Home. For more details see the Lighthouse User Guide:
1. Enter a new Call Home Password on the Lighthouse. This password is used for accepting Call Home connections from candidate console servers
2. For the Lighthouse to be contacted by the console server, it must either have a static IP address or, if using DHCP, be configured to use a dynamic DNS service
The Configure > Managed Console Servers screen on the Lighthouse shows the status of local and remote Managed Console Servers and candidates.
The Managed Console Servers section shows the console servers being monitored by the Lighthouse. The Detected Console Servers section contains:
o The Local Console Servers drop-down which lists all the console servers which are on the same subnet as the Lighthouse, and are not being monitored
o The Remote Console Servers drop-down which lists all the console servers that have established a Call Home connection and are not being monitored (i.e. candidates). You can click Refresh to update
To add a console server candidate to the Managed Console Server list, select it from the Remote Console Servers drop-down list and click Add. Enter IP Address and SSH Port (if these fields have not been auto-completed) and enter a Description and unique Name for the Managed Console Server you are adding. Enter the Remote Root Password (i.e. the System Password that has been set on this Managed Console Server). This password is used by the Lighthouse to propagate auto-generated SSH keys and is not stored. Click Apply. The Lighthouse sets up secure SSH connections to and from the Managed Console Server and retrieves its Managed Devices, user account details and configured alerts.
3.12.3 Calling Home to a generic central SSH server
If you are connecting to a generic SSH server (not Lighthouse) you may configure Advanced settings:
· Enter the SSH Server Port and SSH User.
· Enter the details for the SSH port forward(s) to create
By selecting Listening Server, you may create a Remote port forward from the Server to this unit, or a Local port forward from this unit to the Server:
· Specify a Listening Port to forward from; leave this field blank to allocate an unused port.
· Enter the Target Server and Target Port that will be the recipient of forwarded connections.
3.13 IP Passthrough
IP Passthrough is used to make a modem connection (e.g. the internal cellular
modem) appear like a regular Ethernet connection to a third-party downstream
router, allowing the downstream router to use the modem connection as a
primary or backup WAN interface.
The Opengear device provides the modem IP address and DNS details to the
downstream device over DHCP and passes network traffic to and from the modem
and router.
While IP Passthrough turns an Opengear into a modem-to-Ethernet half bridge,
some layer 4 services (HTTP/HTTPS/SSH) may be terminated at the Opengear
(Service Intercepts). Also, services running on the Opengear can initiate
outbound cellular connections independent of the downstream router.
This allows the Opengear to continue to be used for out-of-band management and
alerting and also be managed via Lighthouse, while in IP Passthrough mode.
3.13.1 Downstream Router Setup

To use failover connectivity on the downstream router (aka Failover to Cellular or F2C), it must have two or more WAN interfaces.

NOTE Failover in the IP Passthrough context is performed by the downstream router, and the built-in out-of-band failover logic on the Opengear is not available while in IP Passthrough mode.
Connect an Ethernet WAN interface on the downstream router to the Opengear’s
Network Interface or Management LAN port with an Ethernet cable.
Configure this interface on the downstream router to receive its network
settings via DHCP. If failover is required, configure the downstream router
for failover between its primary interface and the Ethernet port connected to
the Opengear.
3.13.2 IP Passthrough Pre-Configuration

Prerequisite steps to enable IP Passthrough are:

1. Configure the Network Interface and, where applicable, Management LAN interfaces with static network settings.
· Click Serial & Network > IP.
· For Network Interface and, where applicable, Management LAN, select Static for the Configuration Method and enter the network settings (see the section entitled Network Configuration for detailed instructions).
· For the interface connected to the downstream router, you may choose any dedicated private network; this network only exists between the Opengear and the downstream router and is not normally accessible.
· For the other interface, configure it as you would per normal on the local network.
· For both interfaces, leave Gateway blank.

2. Configure the modem in Always On Out-of-band mode.
· For a cellular connection, click System > Dial: Internal Cellular Modem.
· Select Enable Dial-Out and enter carrier details such as APN (see section Cellular Modem Connection for detailed instructions).

3.13.3 IP Passthrough Configuration

To configure IP Passthrough:

· Click Serial & Network > IP Passthrough and check Enable.
· Select the Opengear Modem to use for upstream connectivity.
· Optionally, enter the MAC Address of the downstream router’s connected interface. If the MAC address is not specified, the Opengear will pass through to the first downstream device requesting a DHCP address.
· Select the Opengear Ethernet Interface to use for connectivity to the downstream router.
· Click Apply.

3.13.4 Service Intercepts

These allow the Opengear to continue to provide services, for example for out-of-band management, when in IP Passthrough mode. Connections to the modem address on the specified intercept port(s) are handled by the Opengear rather than passed through to the downstream router.

· For the required service of HTTP, HTTPS or SSH, check Enable.
· Optionally modify the Intercept Port to an alternate port (e.g. 8443 for HTTPS); this is useful if you want the downstream router to remain accessible via its regular port.

3.13.5 IP Passthrough Status

Refresh the page to view the Status section. It displays the modem’s External IP Address being passed through, the Internal MAC Address of the downstream router (only populated when the downstream router accepts the DHCP lease), and the overall running status of the IP Passthrough service.

You may be alerted to the failover status of the downstream router by configuring a Routed Data Usage Check under Alerts & Logging > Auto-Response.

3.13.6 Caveats

Some downstream routers may be incompatible with the gateway route. This can happen when IP Passthrough is bridging a 3G cellular network where the gateway address is a point-to-point destination address and no subnet information is available. The Opengear sends a DHCP netmask of 255.255.255.255. Devices normally construe this as a single host route on the interface, but some older downstream devices may have issues.
Intercepts for local services will not work if the Opengear is using a default
route other than the modem. Also, they will not work unless the service is
enabled and access to the service is enabled (see System > Services, under the
Service Access tab find Dialout/Cellular).
Outbound connections originating from Opengear to remote services are
supported (e.g. sending SMTP email alerts, SNMP traps, getting NTP time, IPSec
tunnels). There is a small risk of connection failure should both the Opengear
and the downstream device try to access the same UDP or TCP port on the same
remote host at the same time when they have randomly chosen the same
originating local port number.
3.14 Configuration over DHCP (ZTP)
Opengear devices can be provisioned during their initial boot from a DHCPv4 or
DHCPv6 server using config-over-DHCP. Provisioning on untrusted networks can
be facilitated by providing keys on a USB flash drive. The ZTP functionality
can also be used to perform a firmware upgrade on initial connection to the
network, or to enroll into a Lighthouse 5 instance.
Preparation

The typical steps for configuration over a trusted network are:

1. Configure a same-model Opengear device.
2. Save its configuration as an Opengear backup (.opg) file.
3. Select System > Configuration Backup > Remote Backup.
4. Click Save Backup. A backup configuration file, model-name_iso-format-date_config.opg, is downloaded from the Opengear device to the local system.

You can instead save the configuration as an XML file:

1. Select System > Configuration Backup > XML Configuration. An editable field containing the configuration file in XML format appears.
2. Click into the field to make it active.
3. If you are running any browser on Windows or Linux, right-click and choose Select All from the contextual menu or press Control-A. Right-click and choose Copy from the contextual menu or press Control-C.
4. If you are using any browser on macOS, choose Edit > Select All or press Command-A. Choose Edit > Copy or press Command-C.
5. In your preferred text editor, create a new empty document, paste the copied data into the empty document and save the file. Whatever file name you choose, it must include the .xml filename suffix.
6. Copy the saved .opg or .xml file to a public-facing directory on a file server serving at least one of the following protocols: HTTPS, HTTP, FTP or TFTP. (Only HTTPS can be used if the connection between the file server and a to-be-configured Opengear device travels over an untrusted network.)
7. Configure your DHCP server to include a 'vendor specific' option for Opengear devices. (This will be done in a DHCP server-specific way.) The vendor specific option should be set to a string containing the URL of the published .opg or .xml file from the step above. The option string must not exceed 250 characters and it must end in either .opg or .xml.
8. Connect a new Opengear device, either factory-reset or Config-Erased, to
the network and apply power. It may take up to 5 minutes for the device to
reboot itself.
Example ISC DHCP (dhcpd) server configuration

The following is an example DHCP server configuration fragment for serving an .opg configuration image via the ISC DHCP server, dhcpd:

    option space opengear code width 1 length width 1;
    option opengear.config-url code 1 = text;
    class "opengear-config-over-dhcp-test" {
        match if option vendor-class-identifier ~~ "^Opengear/";
        vendor-option-space opengear;
        option opengear.config-url "https://example.com/opg/${class}.opg";
    }

This setup can be modified to perform a firmware upgrade as well, using the opengear.image-url option and providing a URI to the firmware image.
Setup when the LAN is untrusted

If the connection between the file server and a to-be-configured Opengear device includes an untrusted network, a two-handed approach can mitigate the issue.
NOTE This approach introduces two physical steps where trust can be difficult,
if not impossible, to establish completely. First, the custody chain from the
creation of the data-carrying USB flash drive to its deployment. Second, the
hands connecting the USB flash drive to the Opengear device.
· Generate an X.509 certificate for the Opengear device.
· Concatenate the certificate and its private key into a single file named
client.pem.
· Copy client.pem onto a USB flash drive.
· Set up an HTTPS server such that access to the .opg or .xml file is
restricted to clients that can provide the X.509 client certificate generated
above.
· Put a copy of the CA cert that signed the HTTP server’s certificate — ca-
bundle.crt — onto the USB flash drive bearing client.pem.
· Insert the USB flash drive into the Opengear device before attaching power
or network.
· Continue the procedure from 'Copy the saved .opg or .xml file to a public-facing directory on a file server' above, using the HTTPS protocol between the client and server.
Prepare a USB drive and create the X.509 certificate and private key

· Generate the CA certificate so the client and server Certificate Signing Requests (CSRs) can be signed.

    # cp /etc/ssl/openssl.cnf .
    # mkdir -p demoCA/newcerts
    # echo 00 > demoCA/serial
    # echo 00 > demoCA/crlnumber
    # touch demoCA/index.txt
    # openssl genrsa -out ca.key 8192
    # openssl req -new -x509 -days 3650 -key ca.key -out demoCA/cacert.pem -subj /CN=ExampleCA
    # cp demoCA/cacert.pem ca-bundle.crt

The CA working directory is named demoCA because that is the default dir in the CA_default section of openssl.cnf, where the openssl ca commands below look for index.txt, serial, newcerts and cacert.pem.

This procedure generates a certificate called ExampleCA but any allowed certificate name can be used. Also, this procedure uses openssl ca. If your organization has an enterprise-wide, secure CA generation process, that should be used instead.
· Generate the server certificate.

    # openssl genrsa -out server.key 4096
    # openssl req -new -key server.key -out server.csr -subj /CN=demo.example.com
    # openssl ca -days 365 -in server.csr -out server.crt -keyfile ca.key -policy policy_anything -batch -notext

NOTE The hostname or IP address must be the same string used in the serving URL. In the example above, the hostname is demo.example.com.
· Generate the client certificate.

    # openssl genrsa -out client.key 4096
    # openssl req -new -key client.key -out client.csr -subj /CN=ExampleClient
    # openssl ca -days 365 -in client.csr -out client.crt -keyfile ca.key -policy policy_anything -batch -notext
    # cat client.key client.crt > client.pem
· Format a USB flash drive as a single FAT32 volume.
· Move the client.pem and ca-bundle.crt files onto the flash drive’s root
directory.
Debugging ZTP issues

Use the ZTP log feature to debug ZTP issues. While the device is attempting to perform ZTP operations, log information is written to /tmp/ztp.log on the device.
The following is an example of the log file from a successful ZTP run.
    # cat /tmp/ztp.log
    Wed Dec 13 22:22:17 UTC 2017 [5127 notice] odhcp6c.eth0: restoring config via DHCP
    Wed Dec 13 22:22:17 UTC 2017 [5127 notice] odhcp6c.eth0: waiting 10s for network to settle
    Wed Dec 13 22:22:27 UTC 2017 [5127 notice] odhcp6c.eth0: NTP skipped: no server
    Wed Dec 13 22:22:27 UTC 2017 [5127 info] odhcp6c.eth0: vendorspec.1 = 'http://[fd07:2218:1350:44::1]/tftpboot/config.sh'
    Wed Dec 13 22:22:27 UTC 2017 [5127 info] odhcp6c.eth0: vendorspec.2 (n/a)
    Wed Dec 13 22:22:27 UTC 2017 [5127 info] odhcp6c.eth0: vendorspec.3 (n/a)
    Wed Dec 13 22:22:27 UTC 2017 [5127 info] odhcp6c.eth0: vendorspec.4 (n/a)
    Wed Dec 13 22:22:27 UTC 2017 [5127 info] odhcp6c.eth0: vendorspec.5 (n/a)
    Wed Dec 13 22:22:28 UTC 2017 [5127 info] odhcp6c.eth0: vendorspec.6 (n/a)
    Wed Dec 13 22:22:28 UTC 2017 [5127 info] odhcp6c.eth0: no firmware to download (vendorspec.2)
    backup-url: trying http://[fd07:2218:1350:44::1]/tftpboot/config.sh ...
    backup-url: forcing wan config mode to DHCP
    backup-url: setting hostname to acm7004-0013c601ce97
    backup-url: load succeeded
    Wed Dec 13 22:22:36 UTC 2017 [5127 notice] odhcp6c.eth0: successful config load
    Wed Dec 13 22:22:36 UTC 2017 [5127 info] odhcp6c.eth0: no lighthouse configuration (vendorspec.3/4/5/6)
    Wed Dec 13 22:22:36 UTC 2017 [5127 notice] odhcp6c.eth0: provisioning completed, not rebooting
Errors are recorded in this log.
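The dhcpd fragment above and the ztp.log run just shown, worked through in Python as an added example (this is not Opengear's or ISC's code). It encodes and decodes the vendor-specific option that carries opengear.config-url, on the assumption that dhcpd delivers the page's one-byte-code, one-byte-length option space inside DHCP option 43 (vendor-encapsulated-options); it checks a candidate URL against the constraints the page states (250-character limit, .opg or .xml suffix, one of HTTPS/HTTP/FTP/TFTP, and HTTPS only across an untrusted network); and it summarises the log lines quoted from this page, flagging a non-HTTPS provisioning URL. The function names and the constant names are the example's own.

```python
"""
Added example, not Opengear's or ISC's code: the DHCPv4 side of
config-over-DHCP (ZTP) as described on this page.

* encode/decode the vendor-specific option: the dhcpd fragment declares an
  option space with 1-byte codes and 1-byte lengths and opengear.config-url at
  code 1; the assumption here is that dhcpd carries such a space inside DHCP
  option 43 (vendor-encapsulated-options).
* check a candidate URL against the constraints stated on the page.
* summarise a /tmp/ztp.log run: extract the provisioning URL and the outcome,
  and note whether the URL used HTTPS. The sample lines are taken from the
  successful run shown on this page.
"""
import re
import struct
from typing import Dict, List
from urllib.parse import urlparse

OPT_VENDOR_ENCAPSULATED = 43  # DHCPv4 option carrying the vendor option space
CODE_CONFIG_URL = 1           # opengear.config-url, per the page's dhcpd fragment
MAX_OPTION_STRING = 250       # limit stated on the page
ALLOWED_SCHEMES = ("https", "http", "ftp", "tftp")


def check_config_url(url: str, untrusted_network: bool = False) -> List[str]:
    """Return the problems with a candidate config-url (empty list means OK)."""
    problems = []
    if len(url) > MAX_OPTION_STRING:
        problems.append(f"option string is {len(url)} chars; limit is {MAX_OPTION_STRING}")
    if not url.endswith((".opg", ".xml")):
        problems.append("URL must end in .opg or .xml")
    scheme = urlparse(url).scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        problems.append(f"unsupported scheme {scheme!r}")
    elif untrusted_network and scheme != "https":
        problems.append("only HTTPS may be used across an untrusted network")
    return problems


def encode_vendor_option(url: str) -> bytes:
    """Option 43 wrapping sub-option 1 = url (code width 1, length width 1)."""
    payload = url.encode("ascii")
    if len(payload) > MAX_OPTION_STRING:
        raise ValueError("config-url too long for the option")
    sub = struct.pack("BB", CODE_CONFIG_URL, len(payload)) + payload
    return struct.pack("BB", OPT_VENDOR_ENCAPSULATED, len(sub)) + sub


def decode_vendor_option(blob: bytes) -> Dict[int, bytes]:
    """Parse an option 43 TLV and return its encapsulated sub-options."""
    code, length = struct.unpack("BB", blob[:2])
    if code != OPT_VENDOR_ENCAPSULATED or len(blob) != 2 + length:
        raise ValueError("not a well-formed option 43")
    body, subs, i = blob[2:], {}, 0
    while i < len(body):
        sub_code, sub_len = body[i], body[i + 1]
        subs[sub_code] = body[i + 2:i + 2 + sub_len]
        i += 2 + sub_len
    return subs


# ztp.log lines from the successful run shown on this page (the ones the
# summary needs).
SAMPLE_ZTP_LOG = """\
Wed Dec 13 22:22:17 UTC 2017 [5127 notice] odhcp6c.eth0: restoring config via DHCP
Wed Dec 13 22:22:27 UTC 2017 [5127 info] odhcp6c.eth0: vendorspec.1 = 'http://[fd07:2218:1350:44::1]/tftpboot/config.sh'
Wed Dec 13 22:22:28 UTC 2017 [5127 info] odhcp6c.eth0: no firmware to download (vendorspec.2)
backup-url: load succeeded
Wed Dec 13 22:22:36 UTC 2017 [5127 notice] odhcp6c.eth0: successful config load
Wed Dec 13 22:22:36 UTC 2017 [5127 notice] odhcp6c.eth0: provisioning completed, not rebooting
"""

_URL_RE = re.compile(r"vendorspec\.1 = '([^']+)'")


def summarise_ztp_log(text: str) -> dict:
    """Extract the config URL and outcome from a ztp.log and note its transport."""
    url = None
    for line in text.splitlines():
        m = _URL_RE.search(line)
        if m:
            url = m.group(1)
    scheme = urlparse(url).scheme.lower() if url else None
    return {
        "url": url,
        "scheme": scheme,
        "https": scheme == "https",   # False means the image travelled in the clear
        "loaded": "backup-url: load succeeded" in text,
        "completed": "provisioning completed" in text,
    }
```

Run check_config_url before publishing the option string: the one-byte length field is why the page's 250-character limit matters, and the untrusted_network flag encodes the page's HTTPS-only rule for the two-handed setup. summarise_ztp_log over the page's own log reports a successful load over plain HTTP, which is acceptable on a trusted LAN only.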
3.15 Enrollment into Lighthouse
Use Enrollment into Lighthouse to enroll Opengear devices into a Lighthouse
instance, providing centralized access to console ports, and allowing central
configuration of the Opengear devices.
See the Lighthouse User Guide for instructions for enrolling Opengear devices
into Lighthouse.
3.16 Enable DHCPv4 Relay

A DHCP relay service forwards DHCP packets between clients and remote DHCP servers. The DHCP relay service can be enabled on an Opengear console server so that it listens for DHCP clients on designated lower interfaces, wraps their messages and forwards them up to DHCP servers, either by normal routing or by broadcasting directly onto designated upper interfaces. The DHCP relay agent thus receives DHCP messages and generates a new DHCP message to send out on another interface. In the steps below, the console servers can connect to circuit-ids, Ethernet or cell modems using the DHCPv4 Relay service.
DHCPv4 Relay + DHCP Option 82 (circuit-id)

Infrastructure: a local DHCP server, an ACM7004-5 for relay, and any other devices as clients. Any device with a LAN role can be used as a relay. In this example, 192.168.79.242 is the address for the client’s relayed interface (as defined in the DHCP server configuration below), 192.168.79.244 is the relay box’s upper interface address, and enp112s0 is the downstream interface of the DHCP server.

Figure 1: Infrastructure – DHCPv4 Relay + DHCP Option 82 (circuit-id)
Steps on the DHCP Server

1. Set up the local DHCPv4 server; in particular, it should contain a "host" entry as below for the DHCP client:

    host cm7116-2-dac {
        # hardware ethernet 00:13:C6:02:7E:41;
        host-identifier option agent.circuit-id "relay1";
        fixed-address 192.168.79.242;
    }

Note: the "hardware ethernet" line is commented out, so that the DHCP server will use the "circuit-id" setting to assign an address to the relevant client.

2. Restart the DHCP server to reload its changed configuration file:

    pkill -HUP dhcpd
3. Manually add a host route to the client’s "relayed" interface (the interface behind the DHCP relay, not other interfaces the client may also have):

    sudo ip route add 192.168.79.242/32 via 192.168.79.244 dev enp112s0

This helps avoid the asymmetric routing issue when the client and DHCP server would like to access each other via the client’s relayed interface and the client has other interfaces in the same subnet as the DHCP address pool.

Note: This step is a must-have for the DHCP server and client to be able to access each other.
Steps on the Relay box – ACM7004-5

1. Set up WAN/eth0 in either static or DHCP mode (not unconfigured mode). If in static mode, it must have an IP address within the address pool of the DHCP server.

2. Apply this config through the CLI (where 192.168.79.1 is the DHCP server address):

    config -s config.services.dhcprelay.enabled=on
    config -s config.services.dhcprelay.lowers.lower1.circuit_id=relay1
    config -s config.services.dhcprelay.lowers.lower1.role=lan
    config -s config.services.dhcprelay.lowers.total=1
    config -s config.services.dhcprelay.servers.server1=192.168.79.1
    config -s config.services.dhcprelay.servers.total=1
    config -s config.services.dhcprelay.uppers.upper1.role=wan
    config -s config.services.dhcprelay.uppers.total=1

3. The lower interface of the DHCP relay must have a static IP address within the address pool of the DHCP server. In this example, giaddr = 192.168.79.245:

    config -s config.interfaces.lan.address=192.168.79.245
    config -s config.interfaces.lan.mode=static
    config -s config.interfaces.lan.netmask=255.255.255.0
    config -d config.interfaces.lan.disabled -r ipconfig
4. Wait a short while for the client to acquire a DHCP lease via the relay.
Steps on the Client (CM7116-2-dac in this example, or any other Opengear console server)

1. Plug the client’s LAN/eth1 into the relay’s LAN/eth1.
2. Configure the client’s LAN to get an IP address via DHCP as per usual.
3. Once the clie
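The relay procedure above, worked through in Python as an added example (this is not Opengear's or ISC's code). It assumes the standard DHCPv4 mechanics behind the page's steps: the relay inserts the relay-agent information option (option 82) with sub-option 1 = circuit-id and sets giaddr to its lower-interface address (192.168.79.245 on this page); the server's host entry keyed on agent.circuit-id "relay1", with its hardware ethernet line commented out, yields fixed-address 192.168.79.242; and the server unicasts its reply to giaddr. The last function shows why the page insists on the /32 host route in step 3 on the server: without it the client address falls inside the server's directly connected /24 and the server never forwards via the relay's upper address 192.168.79.244. The MAC address is the one on the page's commented-out line; the function names and the server routing table are constructed for the example.

```python
"""
Added example, not Opengear's or ISC's code: the DHCPv4 mechanics behind the
DHCPv4 Relay + Option 82 setup on this page. Assumptions are noted inline.
"""
import ipaddress
import struct
from typing import Dict, List, Optional, Tuple

OPT_RELAY_AGENT = 82   # relay agent information option (assumed standard DHCPv4 number)
SUB_CIRCUIT_ID = 1     # its circuit-id sub-option
OPT_END = 255
OPT_PAD = 0


def encode_option82(circuit_id: str) -> bytes:
    """Relay-agent information option carrying a single circuit-id sub-option."""
    cid = circuit_id.encode("ascii")
    body = struct.pack("BB", SUB_CIRCUIT_ID, len(cid)) + cid
    return struct.pack("BB", OPT_RELAY_AGENT, len(body)) + body


def parse_options(options: bytes) -> Dict[int, bytes]:
    """Parse a DHCPv4 options field (after the magic cookie) into {code: value}."""
    out, i = {}, 0
    while i < len(options):
        code = options[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        length = options[i + 1]
        out[code] = options[i + 2:i + 2 + length]
        i += 2 + length
    return out


def circuit_id_from(options: Dict[int, bytes]) -> Optional[str]:
    """Return the circuit-id carried in option 82, if the request was relayed."""
    raw = options.get(OPT_RELAY_AGENT)
    if raw is None:
        return None
    i = 0
    while i + 1 < len(raw):
        sub, ln = raw[i], raw[i + 1]
        if sub == SUB_CIRCUIT_ID:
            return raw[i + 2:i + 2 + ln].decode("ascii")
        i += 2 + ln
    return None


# Host table mirroring the page's dhcpd "host cm7116-2-dac" entry: the
# hardware ethernet line is commented out, so only the circuit-id can match.
HOSTS = [
    {"name": "cm7116-2-dac", "hardware_ethernet": None,
     "circuit_id": "relay1", "fixed_address": "192.168.79.242"},
]


def select_fixed_address(chaddr: bytes, options: Dict[int, bytes]) -> Optional[str]:
    """Pick a fixed address the way a host entry would: by MAC or by circuit-id."""
    mac = chaddr.hex(":")
    cid = circuit_id_from(options)
    for host in HOSTS:
        if host["hardware_ethernet"] and host["hardware_ethernet"].lower() == mac:
            return host["fixed_address"]
        if cid is not None and host["circuit_id"] == cid:
            return host["fixed_address"]
    return None


def reply_destination(giaddr: str, ciaddr: str = "0.0.0.0") -> Tuple[str, int]:
    """Where the server sends its reply: relayed requests go back to giaddr."""
    if giaddr != "0.0.0.0":
        return giaddr, 67          # relayed request: unicast to the relay agent
    if ciaddr != "0.0.0.0":
        return ciaddr, 68          # client already holds a usable address
    return "255.255.255.255", 68   # unrelayed client without an address yet


def next_hop(dest: str, routes: List[Tuple[str, Optional[str]]]) -> Optional[str]:
    """Longest-prefix match; a None gateway means directly connected (ARP)."""
    target, best = ipaddress.ip_address(dest), None
    for prefix, via in routes:
        net = ipaddress.ip_network(prefix)
        if target in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    return best[1] if best else None


# Constructed server routing table, before and after step 3 on the page.
SERVER_ROUTES = [("192.168.79.0/24", None)]
SERVER_ROUTES_WITH_HOST_ROUTE = SERVER_ROUTES + [("192.168.79.242/32", "192.168.79.244")]
```

With only the connected /24, next_hop treats 192.168.79.242 as a neighbour and the server ARPs for it on enp112s0, where the relayed interface is not reachable; the /32 via 192.168.79.244 wins longest-prefix match and sends that traffic through the relay, which is the asymmetric-routing problem the page's step 3 avoids.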