Raritan CC-SG, Administrator'S Manual

Page 1: ...CommandCenter Secure Gateway CC SG Administrator Guide Release 3 1 Copyright 2007 Raritan Inc CCA 0D E January 2007 255 80 5140 00...

Page 2: ...This page intentionally left blank...

Page 3: ...CC Rules These limits are designed to provide reasonable protection against harmful interference in a commercial installation This equipment generates uses and can radiate radio frequency energy and i...

Page 4: ...ritan products which require Rack Mounting please follow these precautions Operation temperature in a closed rack environment may be greater than room temperature Do not exceed the rated maximum ambie...

Page 5: ...lements 14 Device Setup 15 Discover and Add Devices 15 Create Groups 18 Add Device Groups and Node Groups 18 User Management 21 Add User Groups and Users 21 Chapter 4 Creating Associations 25 Associat...

Page 6: ...e 65 Node Profile 65 Node and Interface Icons 65 Nodes and Interfaces Overview 66 About Nodes 66 About Interfaces 66 Add Node 67 Add an Interface 67 Connect to a Node 73 Edit an Interface 73 Delete an...

Page 7: ...to CC SG 110 LDAP General Settings 111 LDAP Advanced Settings 112 LDAP Certificate Settings 113 Add a TACACS Module 114 TACACS General Settings 115 Add a RADIUS Module 116 RADIUS General Settings 117...

Page 8: ...ondary CC SG Node 167 Remove Primary CC SG Node 167 Recover a Failed CC SG Node 168 Set Advanced Settings 168 Configure Security 169 Remote Authentication 169 Secure Client Connections 169 Login Setti...

Page 9: ...y 215 CC SG Communication Channels 217 CC SG and Raritan Devices 217 CC SG Clustering 217 Access to Infrastructure Services 218 PC Clients to CC SG 218 PC Clients to Nodes 219 CC SG Client for IPMI iL...

Page 10: ...ure 23 Delete Category Window 29 Figure 24 Association Manager Screen 29 Figure 25 Add Element Window 30 Figure 26 Edit Element Window 30 Figure 27 Delete Element Window 31 Figure 28 The Devices Tree...

Page 11: ...Figure 74 Chat Session for a Node 76 Figure 75 The Users Tree 77 Figure 76 Add User Groups Screen 79 Figure 77 The Policies Tab on the Add User Group Screen 80 Figure 78 Editing the Selected Group 81...

Page 12: ...Node Creation Report 132 Figure 131 Query Port Screen 133 Figure 132 Query Port Report 134 Figure 133 Active Ports Report 134 Figure 134 CC NOC Synchronization Report 135 Figure 135 Enter Maintenance...

Page 13: ...fication Manager 178 Figure 183 Task Manager 180 Figure 184 Add CC NOC Configuration Screen 182 Figure 185 CC SG Commands via SSH 185 Figure 186 Listing Devices on CC SG 188 Figure 187 Access SX Devic...

Page 14: ...IGURES Figure 211 Displaying CC SG Processes in Diagnostic Console 209 Figure 212 NTP not configured in CC SG GUI 210 Figure 213 NTP running on the CC SG GUI 210 Figure 214 CC SG Deployment Elements 2...

Page 15: ...by normal access users who need to access a node managed by CC SG The Access Client does not allow the use of administration functions Associations are the relationship between categories elements of...

Page 16: ...oot a target in your network KVM and Serial devices can be accessed via these in band applications RemoteDesktop Viewer SSH Client RSA Client VNC Viewer IPMI Servers Intelligent Platform Management In...

Page 17: ...iagnostics only and is not a replacement for the browser based GUI to configure and operate CC SG Please refer to Chapter 12 Advanced Administration for additional information Note Users can be connec...

Page 18: ...n list The IP addresses are stored in a properties file that is saved to your desktop 6 If the CC SG is configured for secure browser connections you must check the Secure Socket Layer SSL checkbox If...

Page 19: ...he Desktop Integration window when you installed the thick client you can double click the shortcut icon on your desktop to launch the thick client and access CC SG If you do not have a shortcut icon...

Page 20: ...nt icons Ports are grouped under their parent devices Click the and signs to expand or collapse the tree Click a port to view the Port Profile Right click a port and select Connect to connect to that...

Page 21: ...re and applications Confirm IP Address 1 On the Administration menu click Configuration to open the Configuration Manager screen 2 Click the Network Setup tab Figure 4 Confirm IP Address 3 Check that...

Page 22: ...ick the Time zone drop down arrow to select the time zone in which you are operating CC SG b To set the date and time via NTP Check the Enable Network Time Protocol checkbox at the bottom of the windo...

Page 23: ...tem Maintenance menu click Maintenance Mode and then click Enter Maintenance Mode 5 In the Enter Maintenance Mode screen type the message that will display to users who will be logged off CC SG and th...

Page 24: ...ility Matrix on http www raritan com support On the Support page click Firmware Upgrades and then click CommandCenter Secure Gateway 4 Click the Application name drop down arrow and select the applica...

Page 25: ...owered down Users logged into CC SG via a web browser or SSH will not receive a message when the CC SG unit is powered down 3 If you must remove the AC power cord let the power down process finish com...

Page 26: ...12 COMMANDCENTER SECURE GATEWAY ADMINISTRATOR GUIDE This page intentionally left blank...

Page 27: ...ning Associations discovering and adding devices to CC SG creating device groups and node groups creating user groups assigning policies and privileges to user groups and adding users Once you have co...

Page 28: ...ed Location and Elements named for each server s location such as Philadelphia New York and New Orleans Create Categories and Elements 1 In the Guided Setup window the default panel is Create Categori...

Page 29: ...o search for and discover devices in your network and add those devices to CC SG When adding devices you may select one element per category to be associated with the device Important Ensure that no o...

Page 30: ...omplete a confirmation message pops up Click OK in the confirmation message 8 If CC SG has discovered devices of the specified type and in the specified address range the devices display in a table in...

Page 31: ...lapse before timeout between the device and CC SG 15 If you are adding a Dominion SX device check the Local access Allowed checkbox if you want to allow local access to the device Clear the Local acce...

Page 32: ...oups of similar devices and nodes rather than managing each device or node individually Add Device Groups and Node Groups 1 The Devices Groups Manager panel opens when you click Continue at the end of...

Page 33: ...se from each list d Check the Create Full Access Policy for Group checkbox if you want to create a policy for this device group that allows access to all nodes and devices in the group at all times wi...

Page 34: ...nd then click Go Describe Nodes a Click the Describe Nodes tab in the Add Nodes Groups panel In the Describe Nodes tab you create a table of rules that describe the nodes you want to assign to the gro...

Page 35: ...which devices and nodes the members of the user group can view and modify Policies are based on Categories and Elements When you have created the user groups you can define individual users and add th...

Page 36: ...ou can specify whether you want the user group to have access to In band and Out of band nodes and to Power Management functions Check the checkboxes that correspond to the types of access you want to...

Page 37: ...nd then click Add User in the Guided Tasks tree view in the left panel to open the Add User panel 12 In the Username field type the name that the user you want to add will use to log in to CC SG 13 Ch...

Page 38: ...up to which you want to assign the user from the list 21 If you want to add another user click Apply to save this user and then repeat the steps in this section to add additional users 22 When you hav...

Page 39: ...created using this example You can customize the CC SG to organize and display your servers however you like Figure 19 CC SG Association Example Association Terminology Read the following definitions...

Page 40: ...and elements to control user access to servers For example the category element pair Location New York can be used to create a Policy to control user access to servers in New York Other examples of ty...

Page 41: ...gurations individually Please refer to Chapter 3 Configuring CC SG with Guided Setup for additional information Association Manager only allows you to work with associations and does not automate any...

Page 42: ...the Category Name field Edit Category 1 On the Associations menu click Association The Association Manager screen appears 2 Click the Category Name drop down arrow and select the category you want to...

Page 43: ...ciation Manager screen appears 2 Click the Category Name drop down arrow and select the category you want to delete 3 Click Delete in the Category panel of the screen to delete the category The Delete...

Page 44: ...category whose element you want to edit 3 Select the element to be edited from the Element For Category list and then click Edit in the Elements For Category panel The Edit Element window appears Figu...

Page 45: ...r Category panel The Delete Element window appears Figure 27 Delete Element Window 4 Click Yes to delete the element or No to close the window The element name is removed from the Element For Category...

Page 46: ...32 COMMANDCENTER SECURE GATEWAY ADMINISTRATOR GUIDE This page intentionally left blank...

Page 47: ...nu that appears Note To configure iLO RILOE devices IPMI devices Dell DRAC devices IBM RSA devices or other generic devices use the Add Node menu and add these items as a connection interface Please r...

Page 48: ...es tree to view a tool tip containing information about the device or port ICON MEANING Device available KVM port available or connected KVM port inactive Serial port available Serial port unavailable...

Page 49: ...ce at the bottom of the Devices Tree type a search string in Search For Device field then press ENTER Wildcards are supported in the search string WILDCARD DESCRIPTION Indicates any character Indicate...

Page 50: ...me used to log onto this device in the Username field If you followed the Raritan Digital Solutions Deployment Guide to prepare your devices to add to CC SG type the username for the CC SG Administrat...

Page 51: ...guring this device click Apply to add this device and open a new blank Add Device screen that allows you to continue adding devices Or click OK to add this device without continuing to a new Add Devic...

Page 52: ...to Chapter 4 Creating Associations for additional information 10 When you are done configuring this device click Apply to add this device and open a new blank Add Device screen that allows you to con...

Page 53: ...you want to add Figure 34 Adding a Discovered Device 8 Type the user name and password that were created specifically for CC SG in the device in the Username and Password fields to allow CC SG to auth...

Page 54: ...e device has been modified Edit PowerStrip Device You can edit a Managed PowerStrip device to rename it modify its properties and view outlet configuration status 1 Click the Devices tab and select th...

Page 55: ...delete 2 On the Devices menu click Device Manager and then click Delete Device The Delete Device screen appears Figure 36 Delete Device Screen 3 Click OK to delete the device or Cancel to exit withou...

Page 56: ...the device to CC SG You must configure ports before any Out of Band interfaces using those ports can be added to nodes Configure a Serial Port 1 Click the Devices tab and select a serial device from t...

Page 57: ...Type a node name in the Node Name field to create a new node with an Out of Band interface from this port For ease of use name the node after the target that is connected to the port This means that...

Page 58: ...Figure 39 Configure Ports Screen Click a column header to sort the ports by that attribute in ascending order Click the header again to sort the ports in descending order 3 Click the Configure button...

Page 59: ...elect the correct application based on your browser select Auto Detect 7 Click OK to add the port Edit Ports You can edit ports to change the name or access application associated with existing config...

Page 60: ...to delete the selected port A Port Deleted Successfully window confirms that port has been deleted Device Management Once a device has been added to CC SG several management functions besides configur...

Page 61: ...SG a message will alert you and ask if you want to proceed Please refer to Chapter 2 Accessing CC SG for additional information Click Yes to upgrade the device 5 A Restart message appears Click Yes t...

Page 62: ...ice to another or multiple devices Note Configuration can only be copied between Dominion SX units that have the same number of ports 1 Click the Devices tab and select the device whose configuration...

Page 63: ...hen click Ping Device The Ping Device screen appears showing the result of the ping Figure 47 Ping Device Screen Pause Management You can pause a device to temporarily suspend CC SG control of it with...

Page 64: ...ower port that is providing management of the PowerStrip 1 In the Devices tree select a PowerStrip device 2 On the Devices menu click Device Power Manager The Device Power Manager screen appears 3 The...

Page 65: ...the Devices menu click Device Manager and then click Topological View The Topological View for the selected device appears Figure 49 Topological View 3 Navigate the Topological View in the same way yo...

Page 66: ...mplete before the user s session with the device is terminated All other operations will be terminated immediately 1 Click the Devices tab and select the device you want to disconnect one or more user...

Page 67: ...ured ports are nested under their parent devices To change the way the ports are displayed click the Devices menu then Port Sorting Options Select By Port Name or By Port Status to arrange the ports w...

Page 68: ...reflect the selected custom view 5 Click Set Default if you want the selected custom view to be displayed when logging into CC SG 6 Check Is System Wide to make this the default view for all users wh...

Page 69: ...w The Custom View screen appears 3 Click the Name drop down arrow in the Custom View panel and select the custom view to be edited Click Edit An Edit Custom View window appears 4 Type a new custom vie...

Page 70: ...onal information on using P2 SC Admin After adding the Paragon System device the Paragon System includes the P2 SC device connected UMT units and connected IP Reach units to CC SG it will appear in th...

Page 71: ...access Remote User Station Administration 1 Click the Device tab and then select the Paragon II System Controller 2 Right click the Paragon II System Controller and then click Remote User Station Adm...

Page 72: ...nd remove device groups When you add a new device group you can create a full access policy for the group Please refer to Chapter 8 Policies for additional information Add Device Group 1 On the Associ...

Page 73: ...devices The Describe Devices tab allows you to specify rules that describe devices and the devices whose parameters follow those rules will be added to the group Select Devices a Click the Select Devi...

Page 74: ...s equal to LIKE used for find the Element in a name and is not equal to Element Select a value for the Category attribute to be compared against Only elements associated with the selected category wil...

Page 75: ...belong to the engineering department or be located in Philadelphia use the OR operator to join the two Rule0 Rule1 We will make this comparison first by enclosing it parentheses Rule0 Rule1 Finally s...

Page 76: ...ay in the left panel Select the Device Group whose name you want to edit The Device Group Details panel appears 3 If you want to edit the device group name type a new name for the device group in the...

Page 77: ...k Device Groups The Device Groups Manager window opens Figure 61 Device Groups Manager Screen 2 Existing device groups display in the left panel Select the device group you want to delete The Device G...

Page 78: ...64 COMMANDCENTER SECURE GATEWAY ADMINISTRATOR GUIDE 4 The Delete Device Group panel appears Click Delete Figure 63 Delete Device Group Panel 5 Click Yes in the confirmation message that displays...

Page 79: ...status are sorted alphabetically within their availability grouping To switch between sorting methods right click the tree click Node Sorting Options then click By Node Name or By Node Status Node Pro...

Page 80: ...r to Chapter 3 Configuring CC SG with Guided Setup or Chapter 5 Adding Devices and Device Groups Add a Device for additional information Node Names Node names must be unique CC SG will prompt you with...

Page 81: ...is node Please refer to Chapter 4 Creating Associations for additional information For each Category listed click the Element drop down menu and then select the element you want to apply to the node f...

Page 82: ...tem to create a KVM connection to an HP server through an iLO or RILOE interface Out of Band Connections KVM Select this item to create a KVM connection to a node through a Raritan KVM device KX KX101...

Page 83: ...ddress or Hostname for this interface in the IP Address Hostname field 2 If necessary type a TCP Port for this connection in the TCP Port field 3 Type a username for this connection in the Username fi...

Page 84: ...tect 2 Click the Raritan Device Name drop down menu and select the Raritan device providing access to this node Note a device must be added to CC SG first before appearing in this list 3 Click the Rar...

Page 85: ...CC SG before the appropriate options are available 2 Click the Power Strip Name drop down menu and select the Power Strip that provides power to the node The power strip must be configured in CC SG be...

Page 86: ...e a username for this interface in the Username field 6 If necessary type a password for this interface in the Password field 7 Click OK add the interface to the node You will be returned to the Add N...

Page 87: ...en appears 3 In the Interfaces table click the name of the interface you want to connect with Alternatively 1 In the Nodes tab click the symbol next to the node you want to connect to expanding the li...

Page 88: ...lete the interface Ping a Node You can ping a node from CC SG to make sure that the connection is active 1 Click the Nodes tab and then select the node you want to ping 2 On the Nodes menu select Ping...

Page 89: ...sign a value to double click the Element field next to it The field turns into a drop down menu b Click the drop down menu and select the desired Element value Select None if you do not want to use th...

Page 90: ...eft field and press the Enter key or click Send The message will appear in the chat upper left field for all users to see 4 Click Clear to clear any message you have typed in the new message field but...

Page 91: ...rectory users groups and policies Please refer to Chapter 8 Policies still need to be created on CC SG Configuring CC SG to use external authentication is covered in Chapter 9 Remote Authentication Th...

Page 92: ...ystem Administrators Group The System Administrators group has full administrative and access privileges Unlike the CC Super User group you can change the privileges and add or delete members CC Users...

Page 93: ...ileges the user group will have Select the interface types the user group can use to access nodes Select policies which describe what nodes the user group can access To create a new user group 1 On th...

Page 94: ...to the Selected Policies list Policies in the Selected Policies list will allow or deny users access to the node or devices controlled by this policy 9 Repeat this step to add additional policies to t...

Page 95: ...up Uncheck a privilege to remove it from the group 7 In the Node Access area click the drop down menu for each kind of interface you want this group to have access through and select Control 8 Click t...

Page 96: ...he group After clicking OK a status message will appear to confirm the successful deletion of the group Add User Add users to a group to assign the user access privileges in CC SG A User s ability to...

Page 97: ...want to specify how often the user will be forced to change their password a If checked in the Expiration Period Days field type the number of days that the user will be able to use the same password...

Page 98: ...assigned password the next time they log in 8 In the Email address field type a new email address to add or change the user s configured email address This will be used to send the user notifications...

Page 99: ...up list Select the users you want to add from this column and then click the button to move them to the Users in group list 5 Click the button to move all users not in the group to the Users in group...

Page 100: ...n Group group Other User and User Group Functions My Profile My Profile allows all users to view details about their account change some details and customize usability settings It is the only way for...

Page 101: ...are done editing your profile click OK to save the changes or Cancel to exit without saving Logout Users This command can be used to log active users out of CC SG It can also be used to log out all a...

Page 102: ...r Manager then Bulk Copy The Bulk Copy screen appears Figure 86 Bulk Copy Screen 5 In the All Users list select the users that will be adopting the privileges and polices of the user in the Username f...

Page 103: ...he group If you completed Guided Setup refer Chapter 3 Configuring CC SG with Guided Setup a number of basic policies may already have been created Now you may want to apply these policies to existing...

Page 104: ...The Node Groups Manager window displays A list of existing node groups is displayed on the left while details about selected node group displays in the main panel Figure 88 The Node Group Manager 1 A...

Page 105: ...ck Node Group The Node Groups Manager window displays 2 On the Groups menu select Add A template for a node group will appear 3 In the Group name field type a name for a node group you want to create...

Page 106: ...Selected list Nodes in the Selected list will be added to the group 4 If you want to remove a node from the group select the node name in the Selected list and then click Remove 5 You can search for a...

Page 107: ...ble here Also included are Node Name and Interface Operator Select a comparison operation to be performed between the Category and Element items Three operators are available is equal to LIKE used for...

Page 108: ...le0 in the Short Expression field Another example If you want to describe a group of nodes that belong to the engineering department OR are located in Philadelphia and specify that all of the machines...

Page 109: ...he Node Group List to the left The details of that node will appear in the Node Groups window 3 Refer to the instructions in the Select Nodes or Describe Nodes sections above for details on how to con...

Page 110: ...en created they can become the basis for creating an access policy a rule that states whether users can or cannot access the nodes or devices in the group or device group and what times this rule is i...

Page 111: ...lly receive Control rights when the Deny policy is not in effect Edit a Policy When you edit a policy the changes do not affect users who are currently logged in to CC SG The changes will go into effe...

Page 112: ...Write or Read only permission If you want to define this policy to deny Virtual Media Permission select Deny 10 Click Update to save the changes to the policy and then click Yes in the confirmation me...

Page 113: ...lts in a failed login attempt 4 If authentication is successful local authorization is performed CC SG checks if the user name entered matches a group that has been created in CC SG or imported from A...

Page 114: ...component dc Specifying a DN for Netscape LDAP and eDirectory LDAP should follow this structure user id uid organizational unit ou organization o Username When authenticating CC SG users on an AD serv...

Page 115: ...e AD user groups and assign AD users to them before starting this process Also make sure that you have configured the CC SG DNS and Domain Suffix in Configuration Manager Please refer to Chapter 12 Co...

Page 116: ...onfigured in the Configuration Manager section of CC SG Please refer to Chapter 12 Configuration Manager for additional information 3 Check Anonymous Bind if you want to connect to the AD server witho...

Page 117: ...server is listening The default port is 389 If you are using secure connections for LDAP step 3 below you may need to change this port The standard port for secure LDAP connections is 636 3 Check Secu...

Page 118: ...o connect to the AD server Only check Use Bind when the user logging in from the applet has permissions to perform search queries in the AD server 7 Check Use Bind After Search to use the username and...

Page 119: ...and objectclass group as the Filter then all entries that are in the Groups entry and are of type group will be returned 4 Click Next to proceed The Trusts tab opens AD Trust Settings In the Trusts t...

Page 120: ...oup Settings and AD Trust Settings for additional information 4 If you change the connection information click Test Connection to test the connection to the AD server using the given parameters You sh...

Page 121: ...all to select all user groups for import Click Deselect all to deselect all selected user groups 5 In the Policies column click the field and then select a CC SG access policy from the list to assign...

Page 122: ...user groups that have been imported into CC SG and refreshes the CC SG local cache The CC SG local cache contains all domain controllers for each domain all user groups for all modules and the user in...

Page 123: ...omain Important CC SG will still be in Maintenance Mode after upgrading to 3 1 Therefore you must login with the CC Super User account to perform this action The default CC Super User account for syst...

Page 124: ...s on generating a report containing information about AD user groups please refer to Chapter 10 Generating Reports AD User Group Report Add LDAP Netscape Module to CC SG Once CC SG starts and a userna...

Page 125: ...n the permissions of each object 6 If you are not using anonymous binding type a username in the User name field Type a Distinguished Name DN to specify the credentials used to query the LDAP server F...

Page 126: ...p down menu and select the default encryption of user passwords 4 Type the user attribute and group membership attribute parameters in the User Attribute and Group Membership Attribute fields These va...

Page 127: ...e PARAMETER NAME OPEN LDAP PARAMETERS IP Address Hostname Directory Server IP Address User Name CN Valid user id O Organization Password Password User Base O accounts O Organization User Filter object...

Page 128: ...se refer to Chapter 7 Adding and Managing Users and User Groups for additional information on adding users who will be remotely authenticated 1 On the Administration menu click Security The Security M...

Page 129: ...s please refer to Terminology Acronyms in Chapter 1 Introduction Figure 108 TACACS General Settings 2 Type the port number on which the TACACS server is listening in the Port Number field The default...

Page 130: ...to Chapter 7 Adding and Managing Users and User Groups for additional information on adding users who will be remotely authenticated 1 On the Administration menu click Security The Security Manager sc...

Page 131: ...ation Using RADIUS By using an RSA RADIUS Server that supports two factor authentication in conjunction with an RSA Authentication Manager CC SG can make use of two factor authentication schemes with...

Page 132: ...ck the Authorization checkbox if you want CC SG to use the server for authorization of users Only AD servers can be used for authorization 4 Click Update to save your changes Establish Order of Extern...

Page 133: ...G It captures actions such as adding editing or deleting devices or ports and other modifications CC SG maintains an Audit Trail of the following events When CC SG is launched When CC SG is stopped Wh...

Page 134: ...he log files used in the report Click Close to close the report Error Log Report CC SG stores error messages in a series of Error Log files which can be accessed and used to help troubleshoot problems...

Page 135: ...rt page to a CSV file or click Save All to save all records Click Print to print the records that are displayed in the current report page or Print All to print all records Click Close to close the wi...

Page 136: ...e field If you want to limit the report to a particular IP address s activities type the user s IP address in the User IP address field 4 Click OK to run the report The report is generated displaying...

Page 137: ...troubleshooting 1 On the Reports menu click Availability Report The Availability Report is generated Figure 118 Availability Report Click Manage Report Data to save or print the report Click Save to s...

Page 138: ...d Figure 119 Active Users Report To disconnect a user from an active session in CC SG select the user name you want to disconnect and then click Logout Click Manage Report Data to save or print the re...

Page 139: ...n unlock users from this report Please refer to Chapter 12 Advanced Administration Lockout Settings for additional information on lockout settings 1 On the Reports menu click Users and then click Lock...

Page 140: ...The Password Expiration field displays the number of days that the user can use the same password before being forced to change it Please refer to Chapter 7 Adding and Managing Users and User Groups...

Page 141: ...s In Groups report is generated Figure 122 Users In Groups Report Click Manage Report Data to save or print the report Click Save to save the records that are displayed in the current report page to a...

Page 142: ...h the user group the list of nodes that satisfy the node group rule or the list of devices that satisfy the device group rule AD User Group Report The AD User Group report displays all users in groups...

Page 143: ...ort displays data on devices currently managed by CC SG 1 On the Reports menu click Devices and then click Asset Management Report The Asset Management report is generated for all devices 2 If you wan...

Page 144: ...an also filter the report to include only data about nodes that correspond to a specified node group interface type device type or device 1 On the Reports menu click Nodes and then click Node Asset Re...

Page 145: ...Report The Active Nodes report includes the name and type of each active interface the current user a timestamp and the user IP address for each node with an active connection You can view the active...

Page 146: ...and End Date fields Click each component of the default date month day year hour minute second to select it and then click the up and down arrows to reach the desired number 3 Check the Potential Dup...

Page 147: ...nnection to target server is in place but the port has not been configured Unused Port is unavailable physical connection to target server is not in place and the port has not been configured Availabl...

Page 148: ...orts Click Configure next to a New or Unused port in the report to configure it Click Close to close the report Active Ports Report The Active Ports report displays out of band ports that are currentl...

Page 149: ...s displayed you can select a particular Report Type such as Active Ports Report or Report Owner or change the start and end dates in the Reports generated between fields by clicking each component of...

Page 150: ...base select the target you want to purge and then click Purge If you want to purge the entire list of targets from the CC SG database click Purge All Click Manage Report Data to save or print the repo...

Page 151: ...C SG is in Maintenance Mode Please refer Chapter 12 Advanced Administration Task Manager for additional information on scheduled tasks When CC SG exits Maintenance Mode scheduled tasks will be execute...

Page 152: ...nd event reports stored on CC SG o CC SG firmware files Stored firmware files used for updating the CC SG server itself o Device firmware files Stored firmware files used for updating Raritan devices...

Page 153: ...pe of backup the date of the backup the description what CC SG version it was made from and the size of the backup file Figure 137 Restore CommandCenter Screen 2 If you want to restore from a backup s...

Page 154: ...allows users time to complete their work and log off 6 In the Broadcast Message field type a message to notify other CC SG users that a restore will occur 7 Click Restore After clicking Restore CC SG...

Page 155: ...le to default values 1 On the System Maintenance menu click Reset Figure 139 Reset CC SG Screen 2 Type your CC SG password 3 Either accept the current Broadcast message or edit to create one of your o...

Page 156: ...ot be able to upgrade CC SG without performing this action Please refer to the Maintenance Mode section of this chapter for additional information 2 Once CC SG is in maintenance mode on the System Mai...

Page 157: ...redirected to the login screen Users cannot log back in until you restart CC SG as described in the next section Restarting CC SG after Shutdown After shutting down CC SG use one of these two methods...

Page 158: ...144 COMMANDCENTER SECURE GATEWAY ADMINISTRATOR GUIDE This page intentionally left blank...

Page 159: ...tup The message of the day setup screen appears 2 Check Display Message of the Day for All Users if you want the message to be displayed to all users after they log in 3 Select Message of the Day Cont...

Page 160: ...tion Manager to add edit or delete an application Adding an Application 1 Click Add in the Applications section of the Applications tab The Add Applications dialog window appears Figure 145 Adding an...

Page 161: ...ers in the Details area as necessary 3 Click Edit The Edit Applications window appears Figure 146 Edit Applications Window 4 If necessary select additional Raritan devices the application will functio...

Page 162: ...tion of an Interface or Port Type 1 Select the row for an Interface or Port Type 2 Double click the Application listed on that row The value becomes a drop down menu Note that grayed out values are no...

Page 163: ...hen new firmware versions become available they are posted on the Raritan website 1 On the Administration menu click Firmware The Firmware Manager screen appears Figure 148 Firmware Manager Screen 2 C...

Page 164: ...5 Click Close to close the Firmware Manager screen Configuration Manager The Configuration Manager is where several of the CC SG core settings such as the network configuration are administered Networ...

Page 165: ...de only one NIC is active at a given point of time and only one network IP address assignment is possible Figure 152 Primary Backup Network Typically both NICs are attached to the same LAN sub network...

Page 166: ...cially if firewalls are involved If additional routes are needed they can be added in Diagnostic Console Please refer to Editing Static Routes Network Interfaces later in this chapter for additional i...

Page 167: ...ick the Logs tab Figure 154 Configuration Manager Logs Screen 3 To assign an external log server for CC SG to use type the IP address into the Server Address field under Primary Server 4 Click the Lev...

Page 168: ...for confirmation 4 Click Yes to clear CC SG s log of events Note The Audit Trail and Error Log reports are based off of CC SG s internal log If you purge CC SG s internal log these two reports will al...

Page 169: ...and then click the Day in the calendar area Time use the up and down arrows to set the Hour Minutes and Seconds and then click the Time zone drop down arrow to select the time zone in which you are o...

Page 170: ...address of the client that will dial into CC SG in the Client Address field 4 If you are using call back dialing type the call back number that CC SG dials to connect to the client in the Client Phon...

Page 171: ...tection flag For example type at c for a SoftK56 Data Fax modem This is necessary to tell Windows not to close the started Modem connection process when the modem connection is closed from the other d...

Page 172: ...umber used to connect to CC SG and then click Next This is NOT the dial back number that was configured as the Client phone under the Modem tab in Configuration Manager on CC SG Figure 162 Phone Numbe...

Page 173: ...asks 3 Right click the CommandCenter connection and then click Properties 4 Click the Security tab Figure 163 Specify Dial up Script 5 Click the Show terminal window 6 Click Run script and then click...

Page 174: ...work Tasks 3 Double click the CommandCenter connection Figure 164 Connecting to CC SG 4 Type a username of ccclient and password of cbupass Figure 165 Entering username and password 5 If not filled in...

Page 175: ...the Modem tab in Configuration Manager on CC SG and login to CC SG Connection Mode When connected to a node you have the option to pass data back and forth directly with that node Direct Mode or to ro...

Page 176: ...ct to a device via your CC SG unit c Click the Both radio button if you want to connect to some devices directly but others through Proxy Mode Then specify settings for the devices you wish to connect...

Page 177: ...SNMP manager on the network Only a CC SG Administrator trained in handling an SNMP infrastructure should configure CC SG to work with SNMP CC SG also supports SNMP GET SET operations with third party...

Page 178: ...ferent categories System Log traps which include notifications for the status of the CC unit itself such as a hard disk failure and Application Log traps for notifications generated by events in the C...

Page 179: ...sions originating on the Primary CC SG node will terminate The devices connected to the Primary CC SG unit will recognize that the Primary node is not responding and will respond to requests initiated...

Page 180: ...d then clicking Add CommandCenter Figure 170 Cluster Configuration Screen 3 Type a name for this cluster in Cluster Name If you do not provide a name now a default name will be provided such as cluste...

Page 181: ...ion message appears on your screen 7 On the Administration menu click Cluster Configuration to view the updated Cluster Configuration table Note If the Primary and Secondary Nodes lose communication w...

Page 182: ...gs of a cluster configuration 1 Select the Primary node just created 2 Click Advanced The Advanced Settings window appears Figure 172 Cluster Configuration Advanced Settings 3 For Time Interval enter...

Page 183: ...G 1 On the Administration menu click Security The Security Manager screen appears 2 Click the General tab Figure 173 Secure Client Connections 3 Check the Requires AES Encryption between Client and Se...

Page 184: ...be configured with the following criteria Minimum Password Length All passwords must contain a minimum number of characters Click the drop down menu and select the minimum length of passwords Passwor...

Page 185: ...iled login attempts before lockout and after lockout is not configurable To configure user Lockout 1 Check Lockout Enabled 2 The default number of failed login attempts before a user is locked out is...

Page 186: ...d Service Agreement A message can be configured to appear to the left of the login fields on the login screen This is intended for use as a Restricted Service Agreement or a statement users agree to u...

Page 187: ...in Portal With Restricted Service Agreement Certificate Options in this window can be used to generate a certificate signing request also CSR or certification request A CSR is a message sent from an a...

Page 188: ...ficate and Private Key and submit it by clicking Export Generate Certificate Signing Request The following explains how to generate a CSR and a private key on CC SG The CSR will be submitted to the Ce...

Page 189: ...save it with a cer extension 5 Using an ASCII editor for example Notepad copy and paste the Private Key into a file and save it as a text file 6 Submit the CSR file cer saved in Step 4 to the Certifi...

Page 190: ...aste both root and subroot certificate into one file and then import it Generate Self Signed Certificate Request Click the Generate Self Signed Certificate option button and then click Generate The Ge...

Page 191: ...new item to the list specify a range to apply the rule to by typing the starting IP value in the Starting IP field and the ending IP value in the Ending IP field 5 Click the Group drop down arrow to s...

Page 192: ...heckbox 3 Type the SMTP host in the SMTP host field For hostname rules please refer to Terminology Acronyms in Chapter 1 Introduction 4 Type a valid SMTP port number in the SMTP port field 5 Type a va...

Page 193: ...es not apply to device groups Outlet Port Power Management Power On Off Recycle Outlet ports Generate all Reports HTML or CSV format Purge Logs Scheduling Sequential Tasks You may want to schedule tas...

Page 194: ...select the Start time at which the task should begin Periodic Use the up and down arrows to select the Start time at which the task should begin Type the number of times the task should be executed i...

Page 195: ...efer to Chapter 7 Adding and Managing Users and User Groups for additional information To add another email address click Add type the email address in the window that appears and then click OK By def...

Page 196: ...protection against automated interception Add a CC NOC Note To create a valid connection the time settings on both the CC NOC and CC SG should be synchronized The best method of achieving this synchr...

Page 197: ...in the CC NOC range If CC SG range does not overlap the range configured in CC NOC then CC NOC will not return any target device information at all To stop CC NOC from monitoring a device it can be u...

Page 198: ...lete the process If the process does not complete within 5 minutes it times out and data is not saved in CC SG and any stored certificates are deleted Retry the procedure again go to Step 1 in Add a C...

Page 199: ...client user belongs Administrators who use SSH to access CC SG cannot logout a CC Super User SSH user but are able to log out all other SSH client users including System Administrators To access CC SG...

Page 200: ...spaces it should be surrounded by quotes copydevice b backup_id source_device_host target_device_host Copy device configuration disconnect u username p port_id id connection_id Close port connection e...

Page 201: ...ser upgradedevice id device_id host Upgrade device firmware exit Exit SSH session Typing the command followed by the h switch displays help for that command such as listfirmwares h Command Tips The fo...

Page 202: ...strative commands supported by the SX device are available Note Before you connect ensure that the SX device has been added to the CC SG 1 Type listdevices to ensure the SX has been added to CC SG Fig...

Page 203: ...Band Interface 3 Once connected to the node type the default Escape keys of followed by a dot At the prompt that displays you can enter specific commands or aliases as described below COMMAND ALIAS D...

Page 204: ...ics and restarting CC SG The Diagnostic Console admin account is separate and distinct from the admin account and password used in the CC SG administrator s Director Client and the html based Access C...

Page 205: ...nputs or screen navigation All other inputs are ignored The following table describes the statuses for CC SG and the CC SG database STATUS DESCRIPTION CC SG Status Up CC SG is available CC SG Status D...

Page 206: ...owever it may not work in all SSH clients or on the KVM console PRESS TO CTRL C or CTRL Q To exit Diagnostic Console CTRL L Clear screen and redraw the information but the information itself is not up...

Page 207: ...Screen with the contents of the System Buffer Save as Default Puts the current Admin Console Screen into System Buffer Has no effect on the Active Message display Make Active Replaces the current Acti...

Page 208: ...l Admin or Field Support access Figure 194 Edit Diagnostic Console Configuration 4 Click Save at the bottom of the screen or press the TAB key until Save is selected and then press Enter Editing Netwo...

Page 209: ...l be automatically populated once you save and you exit and re enter Admin Console If you choose Static type an IP Address required Netmask required Default Gateway optional Primary DNS optional and S...

Page 210: ...trip time so that effectively not more than one unanswered probes present in the network Minimal interval is 200 msec 4 Optionally type values for how many seconds the ping command will execute how ma...

Page 211: ...d or hop count exceeded events occur Editing Static Routes Network Interfaces In Static Routes you can view the current IP routing table and modify add or delete routes Careful use and placement of st...

Page 212: ...File names are either preceded by a timestamp indicating how recently the logfile has received new data or the file size of the logfile Timestamps are s seconds m minutes h hours and d days File size...

Page 213: ...etrieved and forwarded to Raritan Technical Support Access to the contents of this package is not available to customer Exported logfiles will be available for up to 10 days and then the system will a...

Page 214: ...of this Admin Console session use the TOP utility to dynamically monitor system resources Figure 200 Displaying Information 7 If desired you can filter the log file with a regular expression Type e t...

Page 215: ...ile 9 Select F1 to get help on all LogViewer options Pressing CTRL C and CTRL Q terminates this LogViewer session Restarting CC SG Admin You can restart CC SG which will log off all current CC SG user...

Page 216: ...Admin This option will reboot the entire CC SG which simulates a power cycle Users will not receive a notification CC SG SSH and Diagnostic Console users including this session will be logged off Any...

Page 217: ...unit To power off the CC SG 1 Click Operation Admin and then click CC SG System Power OFF 2 Either click Power OFF the CC SG or press ENTER to remove AC power from the CC SG Confirm the power down ope...

Page 218: ...l reset all or parts of the CC SG system back to their factory default values All active CC SG users will be logged off without notification and SNMP processing will stop It is highly recommended that...

Page 219: ...Clients to Out of Band nodes Inactivity Timer 1800 the time before idle sessions are logged out Modem Setting 10 0 0 1 10 0 0 2 none the setting for the modem Server IP Address Client IP Address and c...

Page 220: ...change the password which should be done via the Account Configuration menu The operation in these menus only applies to Diagnostic Console accounts status and admin and passwords it has no effect on...

Page 221: ...rs can be the same in the new password relative to the old MinLEN is the minimum length of characters required in the password Specify how many Digits Upper case letters Lower case letters and Other s...

Page 222: ...hentication token required or access is allowed and no password is required Do not lock out both the Admin and FS1 accounts at the same time or you cannot use Diagnostic Console Min Days The minimum n...

Page 223: ...en as shown above The status of both md0 and md1 arrays are UU Displaying Top Display Utilities This option displays the list of processes and their attributes that are currently running on CC SG as w...

Page 224: ...eration Utilities and then click NTP Status Display 2 The NTP Daemon can only be configured in the CC SG administrator s Director Client If NTP is not enabled and configured properly the following wil...

Page 225: ...entium III 1 GHz Memory 512 MB Network Interfaces 2 10 100 Ethernet RJ45 Hard Disk Controller 2 40 GB IDE 7200 rpm RAID 1 CD ROM Drive CD ROM 40x Read Only Environmental Requirements OPERATING Humidit...

Page 226: ...AMD Opteron 146 Memory 2 GB Network Interfaces 2 10 100 1000 Ethernet RJ45 Hard Disk Controller 2 80 GB SATA 7200 rpm RAID 1 CD ROM Drive DVD ROM Environmental Requirements OPERATING Humidity 8 90 RH...

Page 227: ...tel PRO 1000 PT Dual Port Server Adapter Hard Disk Controller 2 WD740ADFD SATA 74GB 10K RPM 16MB cache CD ROM Drive DVD ROM Environmental Requirements OPERATING Humidity 5 90 non condensing Altitude S...

Page 228: ...214 COMMANDCENTER SECURE GATEWAY ADMINISTRATOR GUIDE This page intentionally left blank...

Page 229: ...are to be enforced by the network Executive Summary In the sections below a very complete and thorough analysis of the communications and port usage by CC SG and its associated components is provided...

Page 230: ...IDE Figure 214 CC SG Deployment Elements Internet Unsecured Network CC SG Cluster Peer CC Clients Internal Network Firewall CC NOC CC Clients Raritan Device Serial KVM Out of Band Node Access In Band...

Page 231: ...t Number and Protocol used by CC SG Indicates if the port is Configurable which means the GUI or Diagnostic Console provides a field where you can change the port number to a different value from the...

Page 232: ...SG CC SG 3232 TCP no Access to Infrastructure Services The CC SG can be configured to use several industry standard services like DHCP DNS and NTP In order for CC SG to communicate with these optiona...

Page 233: ...ther The PC client connects directly to the target either via a Raritan device or In Band access which is called Direct Mode Or if the PC client connects to the target through CC SG which acts as an a...

Page 234: ...ther blocked The ports currently in use are 1088 1098 2222 4444 4445 8009 8083 and 8093 In addition to these ports CC SG may have a couple of TCP and UDP ports in the 32xxx or higher range open Extern...

Page 235: ...erver shut the connection abruptly when given a long username followed by a password Traditionally port 23 is used for telnet services However CC SG uses this port for SSH V2 Diagnostic Console sessio...

Page 236: ......

Page 237: ...ent Bulk Copy User Management User Group Manager Add User Group User Management Editing user groups User Management Via User Group Profile Delete User Group User Management Assign Users to Group User...

Page 238: ...start Device Device Port and Node Management or Device Configuration and Upgrade Management Ping Device Device Port and Node Management or Device Configuration and Upgrade Management Pause Management...

Page 239: ...gement or Device Configuration and Upgrade Management Port Manager Connect Device Port and Node Management Configure Ports Device Port and Node Management Bookmark Port Device Port and Node Management...

Page 240: ...Device Port and Node Management Via the Node Profile Delete Node Device Port and Node Management interfaceName In Band Access or Out of Band Access Disconnect In Band Access or Out of Band Access Powe...

Page 241: ...Band Access or Node Out of Band Access or Node Power Control Tree View Any of the following Device Port and Node Management or Node In Band Access or Node Out of Band Access or Node Power Control Ass...

Page 242: ...ers User Management Locked Out Users CC Setup and Control User Data To view all user data User Management To view your own user data None Users in Groups User Management Group Data User Security Manag...

Page 243: ...ce Port and Node Management User Management and User Security Management Message of the Day Setup CC Setup and Control Applications CC Setup and Control Firmware CC Setup and Control Configuration CC...

Page 244: ...MENU MENU ITEM REQUIRED PRIVILEGE DESCRIPTION Exit Maintenance Mode CC Setup and Control View None Window None Help None None means that no particular privilege is required Any user who has access to...

Page 245: ...eviceFirmware CC SG detected a device with incompatible firmware ccDeviceUpgrade CC SG has upgraded the firmware on a device ccEnterMaintenanceMode CC SG entered Maintenance Mode ccExitMaintenanceMode...

Page 246: ...232 COMMANDCENTER SECURE GATEWAY ADMINISTRATOR GUIDE...

Page 247: ...er If you have problems adding devices ensure the devices have the correct firmware versions If the network interface cable is disconnected between the device and CC SG wait for the configured heartbe...

Page 248: ...234 COMMANDCENTER SECURE GATEWAY ADMINISTRATOR GUIDE...

Page 249: ...cation Manager 6 1 on Windows Server 2003 RSA Secure ID SID700 hardware token Earlier RSA product versions should also work with CC SG but they have not been verified Setup Requirements Proper configu...

Page 250: ...236 COMMANDCENTER SECURE GATEWAY ADMINISTRATOR GUIDE...

Page 251: ...access possible Generic answer Yes as long as PDA has a Java enabled browser and supports 128 bit or lower strength for some geographies SSL encryption Call Raritan Tech Support for further informatio...

Page 252: ...re some design guidelines for large scale systems Any constraints or assumptions Raritan provides two models for server scalability the datacenter model and the network model The datacenter model uses...

Page 253: ...d list Sometimes I receive a No longer logged in message when I click any menu in CC SG after leaving my workstation idle for a period of time Why CC SG times each user session If no activity happens...

Page 254: ...if the administrator is logged in on the console other access is denied Finally from the console the administrator can also disable the network interfaces when if necessary to block all other access N...

Page 255: ...horization be achieved via RADIUS TACACS LDAP LDAP and TACACS are used for remote authentication only not authorization User Experience Regarding console management via network port or local serial po...

Page 256: ...242 COMMANDCENTER SECURE GATEWAY ADMINISTRATOR GUIDE...

Page 257: ...UTS 243 Appendix H Keyboard Shortcuts The following keyboard shortcuts can be used in the Director Client OPERATION KEYBOARD SHORTCUT Refresh F5 Print panel Ctrl P Help F1 Insert row in Associations t...

Page 258: ...Raritan Osaka 1 15 8 Nishihonmachi Nishi ku Osaka 550 0005 Japan Tel 81 6 4391 7752 Fax 81 6 4391 7761 Email sales raritan co jp Website Raritan co jp Asia Pacific Headquarters Raritan Taiwan 5F 121...