Raritan Engineering CC-SG manual

CommandCenter ® Secure Gateway CC-SG Administrator Guide Release 3.0 Copyright © 2006 Raritan, Inc. CCA-0B-E May 2006 255-80-5140-00[...]

This page intentionally left blank.[...]

Copyright and Tradem ark Information This document contains proprietary information that is protected by copyright. All rights reserved. No part of this document may be phot ocopied, reproduced, or tr anslated into another language without express prior written consent of Raritan, Inc. © Copyright 2006 Raritan, CommandCenter, Ra ritanConsole, Domi[...]

Safety Guidelines To avoid potentially fatal shock hazard a nd possible damage to Raritan equipm ent: • Do not use a 2-wire power cord in any product configuration. • Test AC outlets at your computer and monitor for proper polarity and ground ing. • Use only with grounded outlets at both the com puter and monitor. When using a backup UPS, pow[...]

C ONTENTS i Content s Chapter 1: Introduction ....................................................................................................1 Prerequisi tes .............................................................................................................................. 1 Intended A udience .......................................[...]

ii C ONTENTS Copy Device C onfigurat ion .............................................................................................................. 57 Upgrade De vice ................................................................................................................. .............. 57 Ping De vice ..................................[...]

C ONTENTS iii Edit Po licy ...................................................................................................................................... 111 Delete Policy .................................................................................................................. ................ 112 Chapter 9: Configuring Remote Auth[...]

iv C ONTENTS Inactivity Timer Configur ation ................................................................................................. ....... 164 Time/Date Conf igurat ion ................................................................................................................ 165 Modem Config uration ...............................[...]

C ONTENTS v CC-SG & SNMP ................................................................................................................... ......... 234 CC-SG & CC-NOC ................................................................................................................. ....... 234 CC-SG Intern al Ports ........................[...]

vi F IGURES Figur es Figure 1 CC-SG Front View ...................................................................................................... ................... 1 Figure 2 CC-SG - Rear Panel .................................................................................................... .................. 1 Figure 3 Security Alert Wind[...]

F IGURES vii Figure 52 Add Device Selecti on Screen .......................................................................................... .......... 51 Figure 53 Add Device Screen for Po werStrip..................................................................................... ........ 51 Figure 54 Add Device Scre en for Rarit an Devi ces .[...]

viii F IGURES Figure 105 Configure Ports Screen for IP MI Se rver .............................................................................. ..... 84 Figure 106 Conf igure Outlet Port Sc reen ........................................................................................ ........... 85 Figure 107 Delete Port Screen.....................[...]

F IGURES ix Figure 158 Generate Certific ate Signing Req uest Sc reen ....................................................................... 132 Figure 159 Certificat e Reques t Generat ed............................................................................................... 132 Figure 160 Generate Self Signed Cert ificate Windo w ........[...]

x F IGURES Figure 211 Confi guration Settings Device Settings Screen...................................................................... 174 Figure 212 Confi guration Settings Device Settings Screen...................................................................... 175 Figure 213 Security Ma nager General Screen ...............................[...]

F IGURES xi Figure 264 Selecting Network Interface Conf iguration ........................................................................... .. 209 Figure 265 Editing Ne t work Inte rfaces .......................................................................................... ........... 210 Figure 266 Ping ing a Ta rget........................[...]

[...]

C HAPTER 1: I NTRODUCTION 1 Chapter 1: Introduction Congratulations on your purchase of Co mmandC enter Secure Gateway (CC-SG), Raritan’s convenient and secure method for managing various UNIX servers, firewalls, routers, load balancers, Power Management devices, and Windows servers. CC-SG provides central management and admi nistration, using a [...]

2 C OMMAND C ENTER S ECURE G ATEWAY A DMINISTRATOR G UIDE Product Features and Benefits • Seamless Management CC-SG offers seamless management of Dominion series and Paragon ® management appliances through Paragon remote User St ations (UST1R/UST2R) – leverage your embedded base with a CC-SG to draw substantial incremental value: − Constantl[...]

C HAPTER 1: I NTRODUCTION 3 • Comprehensive Logging − Logs events locally. − Can use an external syslog server for even t logs (events are immediately posted or exported) and the ability to have other Ra ritan products use it as a syslog server. − Provides full auditing and tracking capabilities. − Keeps an audit trail for tracking user a[...]

4 C OMMAND C ENTER S ECURE G ATEWAY A DMINISTRATOR G UIDE • CIM (Computer Interface Module)—is the hardware used to connect a target server and a Raritan device. Each target requires a CIM, except for the Dominion KX101 which is attached directly to one target and therefore, does not require a CIM. Targets servers should be powered on and conne[...]

C HAPTER 1: I NTRODUCTION 5 • Ports —are connection points between a Raritan Device and a target system or server. Or, a port can be a device that is directly connected to a LAN/CC-SG via In-band access. In CC- SG, you click on a port to access and manage th e target. The port is essentially the destination system and should be named appropriat[...]

6 C OMMAND C ENTER S ECURE G ATEWAY A DMINISTRATOR G UIDE New 3.0 Features These administrator features are now available in CC-SG 3.0: Note : If viewing a PDF file, click on the page number to navigate to the location i n the document where the feature is described. F EATURE LOCATION Import of Categories, Devices, Ports from CSV File Page 45 Suppo[...]

C HAPTER 2: A CCESSING CC-SG 7 Chapter 2: Accessing CC-SG Once you have configured CC-SG with an IP address and have defined at least one user, as described in Raritan’s CommandCenter Secure Gateway Setup Guide , the CC-SG unit can be placed at its final destination. Make all n ecessary hardware connections to make the unit operational. You can a[...]

8 C OMMAND C ENTER S ECURE G ATEWAY A DMINISTRATOR G UIDE 2. You will be warned if you are using an unsupported Java Runtim e Environment version on your machine. From the window that pops up, select whether you will download the correct JRE version from the CC-SG server (if available) , download it from the Sun Microsystems web site, or continue w[...]

C HAPTER 2: A CCESSING CC-SG 9 Standalone Client Access The standalone CC-SG client allows you to co nnect to CC-SG servers by launching a Java application instead of running an applet through a Web browser. 1. Install the standalone CC-SG client lo cated on the included CD ROM onto your PC. 2. Double-click on the CC Application icon on your deskto[...]

10 C OMMAND C ENTER S ECURE G ATEWAY A DMINISTRATOR G UIDE 3. Click Update Configuration to submit the changes. A confirmation window asks if you wish to restart CC-SG in order to apply changes. 4. Click OK to log out from your current session and restart CC-SG. 5. Access CC-SG using the new IP address. Check and Upgrade CC-SG Firmware Version Note[...]

C HAPTER 2: A CCESSING CC-SG 11 2. Select an application from the pull-down menu and note the number in the version field. If the firmware needs upgrading, see the previous section Check and Upgrade CC-SG Firmware Version and continue to step 3. 3. Select the application name that needs to be upgraded. 4. Click Browse . Figure 10 CC-SG Application [...]

12 C OMMAND C ENTER S ECURE G ATEWAY A DMINISTRATOR G UIDE To access a remote target device that is connected via a serial port, click on the appropriate device in the Devices selection tree, under the Devices tab. If the port is configured for a console application, a Security Warning appears, indicating that the console applet is a signed applet [...]

C HAPTER 2: A CCESSING CC-SG 13 Power Down CC-SG If running CC-SG on the V1 platform and if it loses AC power while it is up and running, the V1 unit remembers its last power state. Once AC power is restored, the V1 unit automatically reboots. However, if a V1 unit loses AC power when it is turned OFF, the V1 unit will remain powered off when AC po[...]

14 C OMMAND C ENTER S ECURE G ATEWAY A DMINISTRATOR G UIDE Note: To make ports easier to find, right-click on the tree and select the desired listing method under Port Sorting Options . Ports sorted by name will be liste d alphabetically; ports sorted by status will be grouped in the order of: Available Ports, Busy Ports, Unavailable Ports, and lis[...]

C HAPTER 2: A CCESSING CC-SG 15 Main Window Components Figure 13 CC-SG Application Window The CC-SG menu bar displays all operations and configuration commands. Active commands are based upon the privileges of the user, as establis hed by the CC-SG Administrator. The user’s privileges also determine the ports and devices th at appear in the Ports[...]

16 C OMMAND C ENTER S ECURE G ATEWAY A DMINISTRATOR G UIDE Configuring CC-SG Manager Components In order to use CC-SG effectively, you must co mplete the following configuration steps, as described in this and the next chapter: • Configure and install Dominion series and IP-Reach appliances (both serial and KVM devices). − Configure the devices[...]

C HAPTER 2: A CCESSING CC-SG 17 Compatibility Matrix The Compatibility Matrix lists the firmware versi ons of Raritan devices and software versions of applications that are compatible with the curre nt version of CC-SG. To view the Compatibility Matrix, on the Devices menu, click Compatibility Matrix . Figure 14 Compatibility Matrix CC-SG checks ag[...]

18 C OMMAND C ENTER S ECURE G ATEWAY A DMINISTRATOR G UIDE[...]

C HAPTER 3: E XAMPLE C ONFIGURATION W ORKFLOW 19 Chapter 3: Example Configuration Workflow Create Associations The Association Wizard guides you t hrough steps to create categories and their associated elements. Th e Wizard then automatically creates a por t group for each element and a policy for each port group. 1. On the Associations menu, click[...]

20 C OMMAND C ENTER S ECURE G ATEWAY A DMINISTRATOR G UIDE 2. After reading the overview, click Next . The Create Category and Elements screen of the Wizard appears. Figure 16 Association Wizard - Category and Elements Screen 3. Type the name of a category you wish to organize your ports by (for example: Location ) in the Category field. 4. Type th[...]

C HAPTER 3: E XAMPLE C ONFIGURATION W ORKFLOW 21 5. To create another category, click Add Another Category and repeat steps 3 and 4. To review categories and elements you have created, click Previous or Next to cycle through them. Figure 17 Adding Another Category 6. When you are done creating categories, click Next at the bottom of the screen. The[...]

22 C OMMAND C ENTER S ECURE G ATEWAY A DMINISTRATOR G UIDE 8. CC-SG will show a progress bar while it is crea ting the associations, port groups and policies. When this is complete, the Association Wizard Summary screen appears displaying the list what was created. Click Done to exit the wizard. Figure 19 Association Wizard - Summary Screen The Ass[...]

C HAPTER 3: E XAMPLE C ONFIGURATION W ORKFLOW 23 4. Click Next to proceed. The Add Device description screen appears. Depending on the type of device you selected, you will see slightly different Add Device screens. Figure 21 Add Device PowerStrip Figure 22 Add Device SX 5. Type the device name in the Device Name field. Do not use spaces. 6. Type t[...]

24 C OMMAND C ENTER S ECURE G ATEWAY A DMINISTRATOR G UIDE Device Created successfully message confirms that device has be en added. This step is very important. Make sure you select the correct asso ciations and elements for the device. Some devices such as SX may take up to a minute to add. 9. Repeat steps 1 through 8 to add additional devices. C[...]

C HAPTER 3: E XAMPLE C ONFIGURATION W ORKFLOW 25 3. Click Configure next to the serial port line item you wish to configure. The Configure Serial Port screen appears. Figure 24 Configure Serial Ports 4. Type a port name in Port Name field. Typically, you should name the port after the target server the device connects to, for example, NYC_MsSrv1 . [...]

26 C OMMAND C ENTER S ECURE G ATEWAY A DMINISTRATOR G UIDE KVM Port 1. Click on the Devices tab and select a KVM device, for example, Dominion KX, from the Devices tree. 2. On the Devices menu, click Port Manager , and then click Configure Ports . Alternatively, you can right-click on the device and select Configure Ports . The Configure Ports scre[...]

C HAPTER 3: E XAMPLE C ONFIGURATION W ORKFLOW 27 5. Click on the Application Name drop-down menu and select name. This application, for example, Raritan Remote Console (RRC), is used to manage the target s ystem. All ports should use RRC except for those on an SX. 6. Select the associated cate gory and element from the Port Associations table by do[...]

28 C OMMAND C ENTER S ECURE G ATEWAY A DMINISTRATOR G UIDE 5. If using local authentication, ty pe the new password into the Password field (6-16 character s, alphanumeric characters and underscores). 6. If using local authentication, re-type password in Retype Password field. 7. Type a dial back number in the Dial Back Number field, if needed. 8. [...]

C HAPTER 3: E XAMPLE C ONFIGURATION W ORKFLOW 29 2. On the Users menu, click Add User Group . Alternatively, right-c lick on a user group and select Add User Group . The Add User Group screen appears. Figure 28 Add User Group Scree n 3. Type the group nam e in the User Group Name field (1-16 characters, alphanumeric characters and underscores). 4. [...]

30 C OMMAND C ENTER S ECURE G ATEWAY A DMINISTRATOR G UIDE Create/Edit Port Groups CC-SG uses port groups to control user access. Po licies can be applied to specific user groups that allow only access to those ports specified in the port group. For example, if you wanted to restrict user access to only UNIX ports, you would create a port group tha[...]

C HAPTER 3: E XAMPLE C ONFIGURATION W ORKFLOW 31 6. If needed, enter the Boolean logic to apply additional rules in the Validate panel. Example: use (Rule0 & Rule1) for AND or use (Rule0 | Rule1) for OR. Additional combinations can be used. 7. Click Validate then Update . 8. Click Close to close Port Groups Manager screen. 9. Repeat steps 1 thr[...]

32 C OMMAND C ENTER S ECURE G ATEWAY A DMINISTRATOR G UIDE Sundays, and Custom to manually choose the days policy to be applied. If you choose Custom, check on the days of the week to apply the policy. 9. Click on a Permission value to select a permission type: Deny, or Control . 10. Click Update to add the policy. The Update Policy window appears.[...]

C HAPTER 3: E XAMPLE C ONFIGURATION W ORKFLOW 33 6. Click OK to add the policy or policies to the group. A Group Policies Updated successfully message confirms that policies have been updated. 7. Repeat steps 1 through 6 to edit other groups ’ policies. Add Users to User Group You now need to add users or drag and drop an ex isting user to the us[...]

34 C OMMAND C ENTER S ECURE G ATEWAY A DMINISTRATOR G UIDE 12. Type an email address for this user in the Email Address field, if desired. 13. Click OK to add this user to the system. A User Crea ted successfully message indicates the user has been added to the system. 14. Drag the new user icon to the desired user group. 15. Repeat steps 1 through[...]

C HAPTER 4: C REATING A SSOCIATIONS 35 Chapter 4: Creating Associations Associations CC-SG provides powerful, highly customizable organizational capabilities. Associations provide this organizational capability and are used to or ganize your equipment. For example, you may have Raritan devices that manage target servers in a New York data center an[...]

36 C OMMAND C ENTER S ECURE G ATEWAY A DMINISTRATOR G UIDE Other examples of typical Association configura tions of Category and Elem ents are as follows: C ATEGORY E LEMENTS Location New York City, Philadelphia, DC1 OS Type Unix, Windows, Linux Department Sales, IT, Engineering Port Type KVM, Serial, Power Association configurations should be kept[...]

C HAPTER 4: C REATING A SSOCIATIONS 37 • Devices —are Raritan products such as Domi nion KX116, Dominion SX48, Dominion KSX440, IP-Reach, Paragon II System Controller, Paragon II UMT832 with USTIP, etc. that are managed by CC-SG. These devices control the target servers and sy stems that are connected to them. • Ports —are connection points[...]

38 C OMMAND C ENTER S ECURE G ATEWAY A DMINISTRATOR G UIDE Add Category 1. On the Associations menu, click Association Manager . The Association Manager screen appears. Figure 36 Association Manager Screen 2. Click Add in the Category panel to add a new category. The Add Category window appears. Figure 37 Add Category Window 3. Type a category name[...]

C HAPTER 4: C REATING A SSOCIATIONS 39 Edit Category 1. On the Associations menu, click Association Manager . The Association Manager screen appears. 2. Click on the Category Name drop-down arrow and select the category to be edi ted. 3. Click Edit in the Category panel of the screen to edit the category. The Edit Category window appears. Figure 38[...]

40 C OMMAND C ENTER S ECURE G ATEWAY A DMINISTRATOR G UIDE Add Element 1. On the Associations menu, click Association Manager. The Associations Manager screen appears. Figure 40 Association Manager Screen 2. Click Add in the Element for Category panel to add a new element. The Add Element window appears. Figure 41 Add Element Window 3. Type the new[...]

C HAPTER 4: C REATING A SSOCIATIONS 41 Edit Element 1. On the Associations menu, click Association Manager. The Association Manager screen appears. 2. Select the element to be edited from the Element For Category list and click Edit in the Elements For Category panel. The Edit Element window appears. Figure 42 Edit Element Window 3. Type the new na[...]

42 C OMMAND C ENTER S ECURE G ATEWAY A DMINISTRATOR G UIDE Association Wizard The Association Wizard guides you t hrough steps to create categories and their associated elements , as described in the Association Manager section above, then automates the creation of related Port Groups and Policies for those elements. 1. On the Associations menu, cl[...]

C HAPTER 4: C REATING A SSOCIATIONS 43 5. If you wish to create another category, click Add Another Category and repeat steps 3 and 4. Figure 46 Adding Another Category 6. When you are done creating categories, click Next at the bottom of the screen. The Confirm Choices screen of the Wizard appears. Figure 47 Association Wizard - Confirm Choices 7.[...]

44 C OMMAND C ENTER S ECURE G ATEWAY A DMINISTRATOR G UIDE 8. CC-SG will show a progress bar while it is crea ting the associations, port groups and policies. When this is complete, the Association Wizard Summary screen appears displaying the list what was created. Click Done to exit the wizard. Figure 48 Association Wizard - Summary Screen 9. The [...]

C HAPTER 4: C REATING A SSOCIATIONS 45 Import Categories, Devices, Ports from CSV File To expedite configuration, you can import pre-de fined categories, elements of those categories, and the ports and devices to which the categories apply from a CSV file. After importing, you can have CC-SG validate the file to ensure the file was formatted proper[...]

46 C OMMAND C ENTER S ECURE G ATEWAY A DMINISTRATOR G UIDE CSV File Format The entries in the CSV file are case-sensitive and each row in the CSV file has this format: {tag},{value}[,{value},….] TAG S UBSEQUENT FIELDS COMMENTS CATEGORY Category Name,ValueType, Applicability Value Type is String or Integer; Applicability is Device, Port, Both CATE[...]

C HAPTER 4: C REATING A SSOCIATIONS 47 Once successfully imported, yo u should see so mething like: Figure 50 Analysis Report Screen If necessary, refer to Appendix F: Troubleshooting for problem resolution.[...]

48 C OMMAND C ENTER S ECURE G ATEWAY A DMINISTRATOR G UIDE[...]

C HAPTER 5: ADDING DEVICES AND DEVICE G ROUPS 49 Chapter 5: Adding Devi ces and Device Groups Device Manager Device Manager commands allow you to configur e Dominion series and IP-Reach units and their individual ports. From a CC-SG perspective, conn ection to a remote target device is made via a serial or KVM port. You can configure the system on [...]

50 C OMMAND C ENTER S ECURE G ATEWAY A DMINISTRATOR G UIDE Device Icons I CON M EANING Device available Port available KVM port connected – in current user session Port paused – because device is paused Port unavailable – because device is unavailable Port busy – other user connected to port Serial port available – not connected Serial po[...]

C HAPTER 5: ADDING DEVICES AND DEVICE G ROUPS 51 Add Device Use this command to add a new device to the system. 1. Click on the Devices tab. 2. On the Devices menu, click Device Manager , and then click Add Device . The Add Device selection screen appears. Figure 52 Add Device Selection Screen 3. Click on the Device Type drop-down arrow and select [...]

52 C OMMAND C ENTER S ECURE G ATEWAY A DMINISTRATOR G UIDE Figure 54 Add Device Screen for Raritan Devices Figure 55 Add Device Screen for iLO, RILOE[...]

C HAPTER 5: ADDING DEVICES AND DEVICE G ROUPS 53 Figure 56 Add Device Screen for IPMI Server (v 1.5) Figure 57 Add Device Screen for Generic Device 5. Type the new device name in the Device name field. 6. Type the IP Address or Hostname of the new device in the Device IP or Hostname field. For hostname rules, see Terminology/Acronyms in Chapter 1: [...]

54 C OMMAND C ENTER S ECURE G ATEWAY A DMINISTRATOR G UIDE KX Devices with Encryption CC-SG supports adding and ma naging Dominion KX devices, such as KX101, that have been configured with: • SSL authentication and no data encryption • SSL authentication and data encryption • SSL authentication and SSL data encryption • No authentication an[...]

C HAPTER 5: ADDING DEVICES AND DEVICE G ROUPS 55 Delete Device 1. Click on the Devices tab and select a device from Devices tree. 2. On the Devices menu, click Device Manager , and then click Delete Device . The Delete Device screen appears. Figure 59 Delete Device Screen 3. Click OK to delete the device or Cancel to exit without deleting. A Device[...]

56 C OMMAND C ENTER S ECURE G ATEWAY A DMINISTRATOR G UIDE Backup Device C onfiguration Use this command to back up all user configura tion and system configuratio n files. If anything happens to your system, you can restore your previous configuratio ns from memory. Note : Only for Dominion SX 2.5 devices or later, network settings, such as IP add[...]

C HAPTER 5: ADDING DEVICES AND DEVICE G ROUPS 57 Copy Device Configuration This command allows you to copy configurations from one device to another or multiple devices. Note: Configuration can only be copied between Dominion SX units and DSX units that have the same number of ports. 1. Click on the Devices tab and select the device whose configura[...]

58 C OMMAND C ENTER S ECURE G ATEWAY A DMINISTRATOR G UIDE If the firmware version of the device is not co mpatible with CC-SG, a message will alert you and ask if you want to proceed (please see Chapter 2: Accessing CC-SG for additional information). Click Yes to upgrade the device, or No to cancel the operation. 5. A Re start message appears; cli[...]

C HAPTER 5: ADDING DEVICES AND DEVICE G ROUPS 59 Pause Device You can pause a device to temporarily suspend CC-SG’s control of it without losing an y of the configuration data stored within the CC-SG Server. 1. Click on the Devices tab and select a device from the Devices tree. 2. On the Devices menu, click Device Manager , and then click Pause M[...]

60 C OMMAND C ENTER S ECURE G ATEWAY A DMINISTRATOR G UIDE Custom View You can customize the Devices tree by organizing devices to appear in a particular format. You might want to view devices by Country, by Time Zone, or by any other option that helps you differentiate between them. Set up a Custom View using the next few sessions. Please also see[...]

C HAPTER 5: ADDING DEVICES AND DEVICE G ROUPS 61 Add Custom View 1. Click on the Devices tab. 2. On the Devices menu, click Change View, and then click Custom View . The Custom View screen appears. 3. In the Custom View panel, click Add . An Add Custom View window appears. Figure 69 Add Custom View Window 4. Type a new custom view name and click OK[...]

62 C OMMAND C ENTER S ECURE G ATEWAY A DMINISTRATOR G UIDE 5. In the Custom View Details panel, click on the drop-down arrow at the bottom of the panel. This list contains categories that you can use to filter custom views. Select a detail from the drop-down list and click Add to add the detail to t he Custom View Details panel. Select as many deta[...]

C HAPTER 5: ADDING DEVICES AND DEVICE G ROUPS 63 Topological View Use the Topological View command to view the structural setup of all the connected appliances in your configuration. 1. Click on the Devices tab and select a device from the Devices tree. 2. On the Devices menu, click Topological View. The Topologi cal View for the selected device ap[...]

64 C OMMAND C ENTER S ECURE G ATEWAY A DMINISTRATOR G UIDE Special Access to Paragon II System Devices Paragon II System Controller (P2-SC) Paragon II System Integration users can add thei r P2-SC devices to the CC-SG Devices tree and configure them via the P2-SC Admin application from within CC-SG. For more detailed directions on using P2-SC Admin[...]

C HAPTER 5: ADDING DEVICES AND DEVICE G ROUPS 65 IP-Reach and UST-IP Administration You can also perform administrative diagnosti cs on IP-Reach and UST-IP devices connected to your Paragon System setup directly from the CC-SG interface. After adding the Paragon System device to CC-SG, it appears in the Devices tree. Right-click on the device icon [...]

66 C OMMAND C ENTER S ECURE G ATEWAY A DMINISTRATOR G UIDE Device Power Manager Before using the Device Power Manager view, make a physical connection of a PowerStrip to a Dominion SX or Dominion KSX unit. When you add the PowerStrip device, define this connection in CC-SG. Once the PowerStrip is added, you can associate it with the Dominion SX ser[...]

C HAPTER 5: ADDING DEVICES AND DEVICE G ROUPS 67 Discover Devices Use this command to initiate a search for all devices on your system. The search will automatically detect all newly attached, and prev iously existing Raritan devices on your network, including Paragon, P2-SC, IP-Reach, Dominion KX, Dominion KSX units, IPMI servers, and CC-SGs. Afte[...]

68 C OMMAND C ENTER S ECURE G ATEWAY A DMINISTRATOR G UIDE 7. Select a device from the list and click Add to add the device to CC-SG or click Close to exit without adding the device. If you clicked Add , the Add Device screen appears. Figure 81 Add Device Screen 8. Type the user name and password (that were cr eated specifically for CC-SG in the de[...]

C HAPTER 5: ADDING DEVICES AND DEVICE G ROUPS 69 Device Group Manager Use the Device Groups Manager screen to add, edit, assign, and remove device groups and the rules that govern them. First add a Device Group, then add a Device Rule(s) to make working with and viewing devices easier. Add Device Group 1. On the Associations menu, click Groups Mana[...]

70 C OMMAND C ENTER S ECURE G ATEWAY A DMINISTRATOR G UIDE Edit Device Group Name 1. On the Associations menu, click Groups Manager , and then click Device Group Manager . The Device Group Manager screen appears. Figure 84 Device Groups Manager Screen 2. Click on the Groups drop-down arrow and select the group to be edited from the list. Click Edit[...]

C HAPTER 5: ADDING DEVICES AND DEVICE G ROUPS 71 Delete Device Group 1. On the Associations menu, click Groups Manager , and then click Device Group Manager . The Device Groups Manager screen appears. Figure 86 Device Groups Manager Screen 2. Click on the Group Names drop down arrow and select the de vice group to be deleted. Click Delete and the D[...]

72 C OMMAND C ENTER S ECURE G ATEWAY A DMINISTRATOR G UIDE Important: You can combine the applicati on of two or more rules by using operators such as ‘&’ meaning ‘and’ or ‘ ⎜ ’ (vertical ba r that shares the <> key on your keyboard) meaning ‘or.’ Note: When you select a category, make sure you select a proper operator [...]

C HAPTER 5: ADDING DEVICES AND DEVICE G ROUPS 73 Search for Devices CC-SG can search for a device name that satisfies the text entered in the search box. Searches are case-insensitive. 1. Click on the Devices tab. Figure 91 Search for Devices 2. At the bottom of the window, enter a search string in Search For Device . 3. Click Go or press ENTER . N[...]

74 C OMMAND C ENTER S ECURE G ATEWAY A DMINISTRATOR G UIDE Examples are as follows: E XAM PLE D ESCRIPTION KX? Locates KX1, and KXZ, but not KX1Z . KX* Locates KX1, KX, KX1, and KX1Z . KX[0-9][0-9] T Locates KX95T, KX66T, but not KXZ and KX5PT . Disconnect Users Administrators can terminate any user's sessi on with a device. This includes user[...]

C HAPTER 6: C ONFIGURING P ORTS AND P ORT G ROUPS 75 Chapter 6: Configuring Ports and Port Groups This chapter discusses how to configure and edit ports and port groups. Procedures on how t o use ports (connect, disconnect, bookmark ports, search for ports, create views, use port power management, use port chat) are described in Raritan’s Command[...]

76 C OMMAND C ENTER S ECURE G ATEWAY A DMINISTRATOR G UIDE When you click on the Ports tab, the Ports tree displays information ab out the Ports connected with CC-SG. Clicking on a port causes the View Port screen to appear. Ports are arr anged alphabetically by name, or grouped by availability status. Ports arranged by status are sorted alphabetic[...]

C HAPTER 6: C ONFIGURING P ORTS AND P ORT G ROUPS 77 Port Icons For easier identification, different ports have diffe rent icons in the tree. In addition, availability status of each port also has a different icon. Fo r a description of what the icons represent, please see the table below. I CON M EANING Device available Port available Ghosted Port[...]

78 C OMMAND C ENTER S ECURE G ATEWAY A DMINISTRATOR G UIDE Configure Port Configure a Serial Port Click on the Devices tab and select a serial device from the Devices tree. 1. On the Devices menu, click Port Manager , and then click Configure Ports . The Configure Ports screen appears. Figure 94 Configure Ports Screen 2. To make ports easier to fin[...]

C HAPTER 6: C ONFIGURING P ORTS AND P ORT G ROUPS 79 3. Click the Configure button that corresponds to the se rial port line item you wish to co nfigure. The Configure Serial Port screen appears. Figure 95 Configure Serial Ports Screen 4. Type a port name in Port Name field. For ease of use, you should name the port after the server that is connect[...]

80 C OMMAND C ENTER S ECURE G ATEWAY A DMINISTRATOR G UIDE 11. Click In-Band Parameters if you want to allow in-ba nd access for this Serial port. Figure 97 In-Band Parameters 12. Click on the In-band application drop-down arr ow and select either RemoteDeskto p Viewer , SSH Client , VNC Viewer . Type the IP address of the target associated with th[...]

C HAPTER 6: C ONFIGURING P ORTS AND P ORT G ROUPS 81 Configure a KVM Port 1. Click on the Devices tab and select a KVM device from the Devices tree. 2. On the Devices menu, click Port Manager , and then click Configure Ports . The Configure Ports screen appears. Figure 98 Configure Ports Screen 3. To make ports easier to find, click on a colum n he[...]

82 C OMMAND C ENTER S ECURE G ATEWAY A DMINISTRATOR G UIDE 5. Type a port name in the Port Na me field. For ease of use, you should nam e the port after the server that is connected to the port. 6. Click on the Application Name drop-down arrow and either use the default application as configured in Application Manager or sel ect another application[...]

C HAPTER 6: C ONFIGURING P ORTS AND P ORT G ROUPS 83 Configure a Generic Port with In-Band Access In-band access to Generic devices, such as hubs , Windows servers, CISCO routers, can be managed with one of th ese in-band applications: • Windows Remote Desktop (RDP) • Secure Shell (SSH) • Virtual Network Computer (VNC) 1. Click on the Devices[...]

84 C OMMAND C ENTER S ECURE G ATEWAY A DMINISTRATOR G UIDE 7. Type a Target Username that the application will use as a Start-up parameter. If a target name is supplied, then only a password is required when accessing a target. 8. Select the associated category and element from the Port Associations table. 9. Click OK to configure the Generic port [...]

C HAPTER 6: C ONFIGURING P ORTS AND P ORT G ROUPS 85 3. Click the Configure button that corresponds to the outlet port line item you wish to configure. A Configure Outlet Port screen appears. Figure 106 Configure Outlet Port Screen 4. Type the port name in the Port Name field. For ease of use, you should nam e th e port after the server that is con[...]

86 C OMMAND C ENTER S ECURE G ATEWAY A DMINISTRATOR G UIDE Delete Ports Delete a port to remove the port entry from the Ports tree and Cancel all accessibility of the remote target device. 1. Click on the Ports tab and select a port to be deleted. 2. On the Devices menu, click Port Manager , and then click Delete Port . The Delete Port screen appea[...]

C HAPTER 6: C ONFIGURING P ORTS AND P ORT G ROUPS 87 Bulk Copy To save time, use the Bulk Copy co mmand to duplicate Port names or associations to other ports. 1. Click on the Ports tab and select a port whose data you want to copy to another. 2. On the Ports menu, click Bulk Copy . The Bulk Copy screen appears. Figure 108 Bulk Copy Screen 3. In th[...]

88 C OMMAND C ENTER S ECURE G ATEWAY A DMINISTRATOR G UIDE Edit Port Edit a Serial Po rt 1. Click on the Ports tab and select a serial port to be edited. 2. On the Ports menu, click Edit Port . The Edit Serial Port screen appears. Figure 109 Edit Serial Port Screen 3. Type the new port name in the Port Name field. 4. Click on the Application Name d[...]

C HAPTER 6: C ONFIGURING P ORTS AND P ORT G ROUPS 89 Edit a KVM Port 1. Click on the Ports tab and select a KVM port to be edited. 2. On the Ports menu, click Edit Port . The Edit KVM Port screen appears. Figure 110 Edit KVM Port Screen 3. Type a new port name in the Port Name field. 4. Click on the Application Name drop-down arrow and select an ap[...]

90 C OMMAND C ENTER S ECURE G ATEWAY A DMINISTRATOR G UIDE Edit a Generic Port 1. Click on the Ports tab and select a Generic port to be edited. 2. On the Ports menu, click Edit Port . The Edit Generic Port screen appears. Figure 111 Edit Generic Port Screen 3. Type a new port name in the Port Name field. 4. Click on the In-band application name dr[...]

C HAPTER 6: C ONFIGURING P ORTS AND P ORT G ROUPS 91 Port Group Manager Add Port Group 1. On the Associations menu, click Groups Manager and then click Port Group Manager . The Port Groups Manager screen appears. Figure 112 Port Groups Manager Screen 2. Click Add in the Group panel to add a new group. The Add Port Group window appears. Figure 113 A[...]

92 C OMMAND C ENTER S ECURE G ATEWAY A DMINISTRATOR G UIDE Edit Port Group 1. On the Associations menu, click Groups Manager and then click Port Group Manager . The Port Groups Manager screen appears. 2. Click on the Group Name drop-down arrow and select a group to edit. Click Edit in the Group panel. The Edit Port Group window appears. Figure 114 [...]

C HAPTER 7: A DDING U SERS AND U SER G ROUPS 93 Chapter 7: Adding Users and User Groups User Manager commands are listed in the Users menu and allow you to define the CC-SG user list and assign user privileges for performing vari ous functions. CC-SG maintains a centralized user access list. Only an Ad ministrator (a user with Administrator privile[...]

94 C OMMAND C ENTER S ECURE G ATEWAY A DMINISTRATOR G UIDE 8. Check the Force Change Password on Next Login check box if you want this user to be forced to change password the next time he or she logs in to CC-SG. 9. Check the Force Change Password Periodically check box if you want th is user to have to change his or her password from time to time[...]

C HAPTER 7: A DDING U SERS AND U SER G ROUPS 95 5. Check the Force Change Password Periodically check box if you want th is user to have to change his or her password from time to time and specify an expiration period for this user’s password in the Expiration Period field. 6. Check the Force strong password check checkbox if you want to enforce [...]

96 C OMMAND C ENTER S ECURE G ATEWAY A DMINISTRATOR G UIDE 2. Type your old password in the Old Password field. 3. Type your new password in the Password field. You cannot re-use your old password. 4. Re-type your password in the Retype Password field. 5. Click OK to change your password or Cancel to exit without saving. A User Profile Updated Succ[...]

C HAPTER 7: A DDING U SERS AND U SER G ROUPS 97 Logoff User(s) Use this command to disconnect any logged-in user from CC-SG. 1. Click on the Users tab and select a user from the Users tree. Note : To select more than one user, hold the CTRL key and click on additional users. 2. On the Users menu, click Logoff User(s) . The Logoff Users scr een appe[...]

98 C OMMAND C ENTER S ECURE G ATEWAY A DMINISTRATOR G UIDE Bulk Copy To save time, use the Bulk Copy command to dupl icate user profiles or port assign ments when creating new users. 1. Click on the Users tab and select a user from the Users tree whose properties you want to copy to another user(s). 2. On the Users menu, click Bulk Copy . The Bulk [...]

C HAPTER 7: A DDING U SERS AND U SER G ROUPS 99 Add User to Group To manage users with similar privileges, you can assign them to groups. When you add a user to any group, you are assigning the group’s privile ges to that user (please see the section Add User Group in this chapter for more information about groups). 1. Click on the Users tab and [...]

100 C OMMAND C ENTER S ECURE G ATEWAY A DMINISTRATOR G UIDE Add User Group Use the Add User Group command to create specific groups and assign them different privileges, depending on the needs of your work enviro nment. Groups can help you keep y our system organized. Assign privileges, or features, to Groups upon creating them. These Select Privil[...]

C HAPTER 7: A DDING U SERS AND U SER G ROUPS 101 Edit User Group This command allows you to rename group and modify its Features. Important: Please remember that you must be an Administrator to modify User Groups. The category Users Not In Group c annot be modified. Members of that group have observation rights only. 1. Click on the Users tab and s[...]

102 C OMMAND C ENTER S ECURE G ATEWAY A DMINISTRATOR G UIDE Apply (Edit) User Group Policies Groups can be assigned policies, or permissions, that allow them to view and/or control devices and ports. Depending on which policies are assi gned to them , groups might have: No Rights, Some Rights, Control Rights, or Full Adm inistration Rights. Policie[...]

C HAPTER 7: A DDING U SERS AND U SER G ROUPS 103 Delete User Group This command allows you to remove a group na me from the system. Users from the deleted group will be re-assigned to the category Users Not In Group , displayed at the base of the Users tree. 1. Click on the Users tab and select a group. 2. On the User menu, click Delete User Group [...]

104 C OMMAND C ENTER S ECURE G ATEWAY A DMINISTRATOR G UIDE 6. Click OK to assign users to the group or Cancel to exit without saving. A Users Assigned Successfully message confirms that users have been assigned. 7. Repeat steps 1 through 6 to assign users to other groups. Search for Users CC-SG can search for a user that satisfies the te xt entere[...]

C HAPTER 7: A DDING U SERS AND U SER G ROUPS 105 Supported Wildcards These wildcards are supported: W ILDCARD D ESCRIPTION ? Indicates any character. [-] Indicates a character in range. * Indicates zero or more char acters. Example: E XAM PLE D ESCRIPTION root? Locates root1, and root N, but not root 1N . ccroot* Locates ccroot2S X, cc root12KX . a[...]

106 C OMMAND C ENTER S ECURE G ATEWAY A DMINISTRATOR G UIDE[...]

C HAPTER 8: C REATING P OLICIES 107 Chapter 8: Creating Policies Controlling User Access with Policies Using policies to control user access to ports is entirely optional. You could decide to as sign all users to the default System Administrators user group, which grants full access to all configuration tasks, devices, ports, target systems and ser[...]

108 C OMMAND C ENTER S ECURE G ATEWAY A DMINISTRATOR G UIDE User Groups User groups are used to define a group of user s and CC-SG privileges they pos sess. When a user logs on, they will see the CC-SG interface. The user group privileges define what the user can do with CC-SG. The default System Administrators user group has access to all managed [...]

C HAPTER 8: C REATING P OLICIES 109 Policies Policies define what you can do, what you can do it to, and when you can do it. Policies allow specification of days and times, port/device access, and if it was granted control access (Read/Write), or deny access (None). Policies specify a port group or device group, which defines the ports or devices a[...]

110 C OMMAND C ENTER S ECURE G ATEWAY A DMINISTRATOR G UIDE Policy Manager Policy Manager commands allow you to add, edit, delete, and assign policies to Device and Port groups. Policies give users rights to allow or deny access to groups. Please see Appendix C: Initial Setup Process Overview for more information on using policies. Add Policy 1. On[...]

C HAPTER 8: C REATING P OLICIES 111 10. Click Update to add the policy. The Update Policy window appears Figure 134 Update Policy Window 11. Click Yes to add the policy or No to close the window. 12. Click Close to close the Policy Manager screen. 13. Repeat steps 1 through 12 to add ot her policies. Edit Policy 1. On the Associations menu, click P[...]

112 C OMMAND C ENTER S ECURE G ATEWAY A DMINISTRATOR G UIDE Delete Policy 1. On the Associations menu, click Policy Manager . The Policy Man ager screen appears. 2. Click on the Name drop-down arrow to select a po licy to be deleted. Click Delete to delete the policy. The Delete Policy window appears. Figure 137 Delete Appliance Policy Window 3. Cl[...]

C HAPTER 9: C ONFIGURING R EMOTE A UTHENTICATION 113 Chapter 9: Configuring Remote Authentication Authentication and Authorization Users of CC-SG can be locally authenticated and authorized on the CC-SG or remotely authenticated using the followi ng supported directory servers: • Microsoft Active Directory (AD) • Netscape’s Lightweight Direct[...]

114 C OMMAND C ENTER S ECURE G ATEWAY A DMINISTRATOR G UIDE Establish Order of Authentication Databases The General properties allow you to set the orde r of your authentication databases. If the first checked option is unavailable, CC-SG will try the second, then the third, and so on, until it is successful. 1. On the Setup menu, click Security Ma[...]

C HAPTER 9: C ONFIGURING R EMOTE A UTHENTICATION 115 Base DN You also enter a Distinguished Name (DN) to sp ecify where the search for users begins. Enter a DN in the Base DN field to specify an Active Directory c ontainer in which the users can be found. For example, entering: ou=DCAdmins,ou=IT,dc=xyz,dc=com will search all users in the DCAdmins a[...]

116 C OMMAND C ENTER S ECURE G ATEWAY A DMINISTRATOR G UIDE 2. On the Active Directory server, set up your users under the Users organizational unit (ou). These users will log into the CC-SG but are au thenticated on the Active Directory server. Note that the display name of joe raritan can be different from the CC-SG login user name, for example j[...]

C HAPTER 9: C ONFIGURING R EMOTE A UTHENTICATION 117 Setup on CC-SG 1. On CC-SG, click Security Manager from the Setup menu. When the Security Manager screen appears, click Add External AA Server . 2. In the Add Module screen, select AD from the Module Type pulldown m enu. Figure 142 Specifying a Name for Active Directory Server 3. Specify a name f[...]

118 C OMMAND C ENTER S ECURE G ATEWAY A DMINISTRATOR G UIDE General Settings on CC-SG 1. Type the IP Address/Hostname of the Active Directory server. For hostname rules, se e Terminology/Acronyms in Chapter 1: Introduction . Figure 143 Specifying General Values for Active Directory Server 2. Check Anonymous Bind if you want to connect to the Active[...]

C HAPTER 9: C ONFIGURING R EMOTE A UTHENTICATION 119 Advanced Settings on CC-SG 1. If you want to configure adva nced settings, click on the Advanced tab. Figure 144 Specifying Advanced Values for Active Directory Server 2. Specify a port (default is 389 ) on which the Active Directory server is listening. 3. Optionally, check Secure Connection for[...]

120 C OMMAND C ENTER S ECURE G ATEWAY A DMINISTRATOR G UIDE 5. Specify a Base DN (directory level/entry) under which the authentication search query will be executed. E XAM PLE D ESCRIPTION dc=raritan,dc=com The search query for the user entry will be made over the whole directory structure. cn=Administrators,cn=Users,dc=rarit an,dc=com The search [...]

C HAPTER 9: C ONFIGURING R EMOTE A UTHENTICATION 121 Group Settings on CC-SG Use to retrieve groups from the AD server and import into CC-SG local database for authorization purposes. 1. Click on the Groups tab. Figure 145 Specifying Group Values for Active Directory Server 2. Specify a Base DN (directory level/entry) under which the groups, contai[...]

122 C OMMAND C ENTER S ECURE G ATEWAY A DMINISTRATOR G UIDE 5. On CC-SG, in the Security Manager screen, click Import Groups… to retrieve a list of us er group values stored on the Active Directory server. If any of the user groups are not already on the CC-SG, you can import them here and assign them an access policy. Figure 146 Importing Groups[...]

C HAPTER 9: C ONFIGURING R EMOTE A UTHENTICATION 123 10. Verify the policy of the group that was imported by clicking the Users tab, right-clicking on the group and selecting Edit User Group Policies . Look under Selected Policies to confirm the policy that the correct policy was assigned to the group. Figure 148 Viewing Policy of Imported Group 11[...]

124 C OMMAND C ENTER S ECURE G ATEWAY A DMINISTRATOR G UIDE LDAP (Netscape) Once the CC-SG applet is started and a user name and password are entered, a query is forwarded either through CC-SG or directly to the LDAP server. If the username and password match those in the LDAP directory, the user is authenticated. The user will then be authorized a[...]

C HAPTER 9: C ONFIGURING R EMOTE A UTHENTICATION 125 2. In Add Module screen, select LDAP from the pulldown menu, specify a name for the server, and click Next . Figure 151 Security Manager LDAP Screen Gen eral Tab 3. Type the IP address or hostname of the LDAP server in the IP Address/Hostname field. For hostname rules, see Terminology/Acronyms in[...]

126 C OMMAND C ENTER S ECURE G ATEWAY A DMINISTRATOR G UIDE 11. Click Test Connection to test the LDAP server using the given parameters. You sho u ld receive a confirmation of a successful connection. If not, review the settings carefully for errors and try again. 12. Click on the Advanced tab to set advanced configuration options f or the LDAP se[...]

C HAPTER 9: C ONFIGURING R EMOTE A UTHENTICATION 127 Sun One LDAP (iPlanet) Configuration Settings If using a Sun One LDAP server for remote auth entication, use this example for parameter settings: P ARAMETER N AME SUN O NE LDAP P ARAM ETERS IP Address/Hostname <Directory Server IP Address> User Name CN=<Valid user id> Password <Pas[...]

128 C OMMAND C ENTER S ECURE G ATEWAY A DMINISTRATOR G UIDE TACACS+ CC-SG users who are remotely authenticated by a TACACS+ server need to be created on the TACACS+ server and on CC-SG. The user’s user name on the TACACS+ server and on CC-SG must be the same, although the passwords may be different. Please see Chapter 7: Adding Users and User Gro[...]

C HAPTER 9: C ONFIGURING R EMOTE A UTHENTICATION 129 2. In the Add Module screen, select TACACS+ from the pulldown menu, specify a name fo r the server, and click Next . Figure 154 Specifying a TACACS+ Server 3. Type the IP address or hostname of the TACACS+ server in the IP Address/Hostname Name field. For hostname rules, see Terminology/Acronyms [...]

130 C OMMAND C ENTER S ECURE G ATEWAY A DMINISTRATOR G UIDE RADIUS CC-SG users who are remotely authenticated by a RADIUS server need to be created on the RADIUS server and on CC-SG. The u ser’s u ser name on the RADIUS server and on CC-SG must be the same, although the passwords may be different. Please see Chapter 7: Adding Users and User Group[...]

C HAPTER 9: C ONFIGURING R EMOTE A UTHENTICATION 131 3. Type the IP address or hostname of the RADIUS server in the IP Address/Hostname field. For hostname rules, see Terminology/Acronyms in Chapter 1: Introduction . 4. Type the port number in the Port Number field. 5. Type and confirm the shared key into the Shared Key field. 6. Click OK to update[...]

132 C OMMAND C ENTER S ECURE G ATEWAY A DMINISTRATOR G UIDE Generate Certificate Signing Request The following explains how to generate a CS R and a private key on CC-SG. The CSR will be submitted to the Certificate Server who will issue a signed certificate. A root certificate will also be exported from the Certificate Server and saved in a file. [...]

C HAPTER 9: C ONFIGURING R EMOTE A UTHENTICATION 133 11. Type raritan in the Password field if the CSR was generated by CC-SG. If a different application generated the CSR, use that password for that application. Note : If the imported certificate is signed by a root and subroot CA (certificate authority), using only a root or subroot certificate w[...]

134 C OMMAND C ENTER S ECURE G ATEWAY A DMINISTRATOR G UIDE IP-ACL This feature restricts access to CC-SG based on IP addresses. Specify an IP-access control list (IP-ACL) by entering an IP address range, the grou p to which it applies, and an Allow/Deny privilege. 1. On the Setup menu, click Security Manager . When the Security Manager screen appe[...]

C HAPTER 10: G ENERATING R EPORTS 135 Chapter 10: Generating Reports Reports can be sorted by clicking on the column headers. Click on a column header such as User Name, Access Time, etc., to sort report data by that value. The data will refresh in ascending order alphabetically, numerically, or chronolo gically. Click on the column header again to[...]

136 C OMMAND C ENTER S ECURE G ATEWAY A DMINISTRATOR G UIDE 3. Click Manage Report Data… to save or print the report. Click Save to save the report to a location of your choice or Print to print the report. Figure 163 Manage Report Wi ndow 4. Click Close to close the Manage Report window. 5. Click Close to close the Active Users report. Active Po[...]

C HAPTER 10: G ENERATING R EPORTS 137 Asset Management Report The Asset Management report displays data on current devices. 1. On the Reports menu click Asset Management Report . The Asset Management report is generated. Figure 165 Asset Management Report 2. Click on the Device Type drop-down arrow to display a list of possible devices for which to[...]

138 C OMMAND C ENTER S ECURE G ATEWAY A DMINISTRATOR G UIDE Audit Trail Report The Audit Trail report displays audit logs and access in CC-SG. It captures actions such as adding, editing, or deleting devices or ports, and other m odifications. CC-SG maintains an Audit Trail of the following events: • When CC-SG is launched • When CC-SG is stopp[...]

C HAPTER 10: G ENERATING R EPORTS 139 6. The Audit Trail report is generated, displaying data about sessions that occur red during the designated time period. Figure 167 Audit Trail Report 7. Click Manage Report Data… to save or print the report. Click Save to save the records that are displayed to a CSV file or click Save All to save all record [...]

140 C OMMAND C ENTER S ECURE G ATEWAY A DMINISTRATOR G UIDE Error Log Report CC-SG stores error messages in a series of Error Log files, which can be brought up and used to help troubleshoot system problems. You can filter the search criteria by date, message ty pe, username, class, host, and level. Messages can be grouped by fatal, error and warni[...]

C HAPTER 10: G ENERATING R EPORTS 141 6. The Error Log report is generated, displayi ng data about sessions that occurred during the designated time period. Figure 169 Error Log Repo rt 7. Click Manage Report Data… to save or print the report. Click Save to save the records that are displayed to a CSV file or click Save All to save all record s. [...]

142 C OMMAND C ENTER S ECURE G ATEWAY A DMINISTRATOR G UIDE Ping Report The Ping Report displa ys the status of all connec tions, showing devices by name and IP address. This report gives you the full accessibility picture for all devices on your system, and will supply information that could be useful in case troubleshooting is necessary. 1. On th[...]

C HAPTER 10: G ENERATING R EPORTS 143 Accessed Devices Report Run the Accessed Devices report to view inform ation about any accessed devices, when they were accessed, and the user who accessed them. Filte rs will help you define the search criteria for a more concise report. 1. On the Reports menu, click Accessed Devices . The Acces sed Devices sc[...]

144 C OMMAND C ENTER S ECURE G ATEWAY A DMINISTRATOR G UIDE 5. Click OK to run the report. Figure 172 Accessed Devices Report 6. The Accessed Devices report is generated, disp laying data about devices accessed during the designated time period. 7. Click Manage Report Data… to save or print the report. Click Save to save the records that are disp[...]

C HAPTER 10: G ENERATING R EPORTS 145 Group Data Report The Group Data report displays user, port, and de vice Group information. View user groups by name and description, view port groups by nam e , and view device groups by name, all in one screen. 1. On the Reports menu, click Group Data . The Groups report is generated. Use the scroll bars to s[...]

146 C OMMAND C ENTER S ECURE G ATEWAY A DMINISTRATOR G UIDE User Data Report The User Data report displays certain data on all users in the CC-SG database. From User Name field you can see names of users currently in sessi on and view details of users currently not in session. From Phone field you can see user dial back telephone number. From Enabl[...]

C HAPTER 10: G ENERATING R EPORTS 147 Users In Groups Report The Users In Group report displays data on users and the groups with which they are associated. 1. On the Reports menu, click Users In Groups . The Users In Groups report is generated. Use the scroll bar to scroll through the list and view all entries. Figure 175 Users In Groups Repor t 2[...]

148 C OMMAND C ENTER S ECURE G ATEWAY A DMINISTRATOR G UIDE Query Port Report The Query Port Report displays all ports according to port status. 1. On the Reports menu, click Query Port . The Query Port screen appears. Figure 176 Query Port Report 2. Click on one or more checkboxes to custom i ze the port information you want to see in the report. [...]

C HAPTER 10: G ENERATING R EPORTS 149 View Stored Reports The View Stored Reports displays reports that were scheduled in the Task Manager  see section Task Manager in Chapter 12: Advanced Administration . 1. On the Reports menu, click View Stored Reports . Figure 177 View Stored Reports 2. Click Get R eports to view the entire list of all sched[...]

150 C OMMAND C ENTER S ECURE G ATEWAY A DMINISTRATOR G UIDE Locked Out Users Report The Locked Out Users report displays users w ho are currently locked out of CC-SG. You can unlock them from this report. 1. On the Reports menu, click Locked Out Users . Figure 178 Locked Out Users Report 2. Highlight the user you want to unlock and click Unloc k Us[...]

C HAPTER 10: G ENERATING R EPORTS 151 CC-NOC Synchronization Report The CC-NOC Synchronization report lists all target s, along with their IP addresses, that the CC- SG subscribes to and are monitored by a CC-NOC given a particular discovery date. Any new targets that are discovered in the configur ed range are displayed here as well. See Add a CC-[...]

152 C OMMAND C ENTER S ECURE G ATEWAY A DMINISTRATOR G UIDE[...]

C HAPTER 11: S YSTEM M AINTENANCE 153 Chapter 11: System Maintenance Reset CC-SG Use the Reset CommandCenter comma nd to reset CC-SG database data – please note that this command will not reset system configuration data, such as the IP address of CC-SG. 1. On the Setup menu, click Reset CommandCenter. Figure 180 Reset CC-SG Screen 2. Type your CC[...]

154 C OMMAND C ENTER S ECURE G ATEWAY A DMINISTRATOR G UIDE Restore CC-SG 1. On the Setup menu, click Restore CommandCenter. 2. When the Restore CommandCenter screen appears, choose if you want to click on the backup that you want to restore to your CC-SG unit, and then click OK . Figure 182 Restore CC-SG Scree n 3. When the Restore CommandCenter s[...]

C HAPTER 11: S YSTEM M AINTENANCE 155 Saving and Uploading Backup Files You can also save and load CC-SG backups to and from you r local PC using the Restore CommandCenter screen. 1. Click on the backup you wish to save to your PC, an d then click Download. 2. Specify a location to save your CC-SG backup file. 3. To upload a backup to a CC-SG unit,[...]

156 C OMMAND C ENTER S ECURE G ATEWAY A DMINISTRATOR G UIDE Refresh CC-SG Display Any edits or modifications made to users, ports, categories, elements, and other system components are not reflected in the system until the database is updated. If you are logged in while another user is updating the database, you will not see these changes unless yo[...]

C HAPTER 11: S YSTEM M AINTENANCE 157 Upgrade CC-SG Note: If you are operating a CC-SG cluster, you mu st remove the cluster first and upgrade each node separately.Before you can upgrade CC-SG, y ou must be in Maintenance Mode. See section Maintenance Mode in Chapter 11: System Maintenance for additional information. 1. On the Setup menu, click Upg[...]

158 C OMMAND C ENTER S ECURE G ATEWAY A DMINISTRATOR G UIDE 5. Click OK to restart CC-SG or Cancel to exit the screen without restarting. Once y ou restart CC-SG, your Broadcast Message appears. Figure 187 Info Window 6. Click OK to restart CC-SG. 7. CC-SG will restart, and is ready for use. Shut Down CC-SG These are the recommended methods for Adm[...]

C HAPTER 11: S YSTEM M AINTENANCE 159 End CC-SG Session Log Out To exit CC-SG at the end of a session, or to refr esh t he database in case y ou or another user has made changes while you were logged in, log off from CC-SG entirely, then log in again. 1. On the Session menu, click Logout . The Logout window appears. Figure 189 Logout Window 2. Clic[...]

160 C OMMAND C ENTER S ECURE G ATEWAY A DMINISTRATOR G UIDE Scheduled Tasks Scheduled tasks cannot execute while CC-SG is in Maintenance Mode ─ please see section Task Manager in Chapter 12: Advanced Administration for additional information on scheduled tasks. When CC-SG exits Maintenance Mode , scheduled tasks will be executed as soon as possib[...]

C HAPTER 12: ADVANCED ADMINISTRATION 161 Chapter 12: Advanced Administration Configuration Manager Network Configuration 1. On the Setup menu, click Configuration Manager . When the Configuration Manager screen appears, click on the Network Setup tab. Figure 192 Configuration Manage r Network Settings Screen 2. Type the CC-SG hostname in the Host N[...]

162 C OMMAND C ENTER S ECURE G ATEWAY A DMINISTRATOR G UIDE A. Choose Primary/Backup mode to implement network fa ilover and redundanc y. In this mode, only one NIC is active at a give n point of time and only one network IP address assignment is possible. Figure 193 Primary/Backup Network Typically, both NICs are attached to th e same LAN sub-netw[...]

C HAPTER 12: ADVANCED ADMINISTRATION 163 In this mode, CC-SG acts as a “router” or “traffic cop” between two separate IP domains; particularly when Proxy mode is being used (please see Connection Mode, later in this chapter, for additi onal information). In Proxy mode, Active/Active m ode is required so CC-SG routes proxied PC client sessio[...]

164 C OMMAND C ENTER S ECURE G ATEWAY A DMINISTRATOR G UIDE 3. Click on the Level to Forward drop-down arrow to select a level. 4. Repeat steps 2 and 3 for Secondary Server fields (note that Secondary Server is optional). 5. Click Update Configuration to save the server addresses to the system. 6. Click Close to close the Configuration Manager scre[...]

C HAPTER 12: ADVANCED ADMINISTRATION 165 Time/Date Configuration CC-SG’s Time and Date stamps must be accurately maintained in order to provide credibility for its device-management capabilities. Important! This time is used when scheduling tasks in Task Manager ⎯ see section Task Manager in Chapter 12: Advanced Administratio n. The time set on[...]

166 C OMMAND C ENTER S ECURE G ATEWAY A DMINISTRATOR G UIDE Modem Configuration Use this screen to access CC-SG from a client machin e over a dial-up connection. This method of accessing CC-SG can be used in emergency situations. Note : A modem is not available and cannot be config ured on the V1 platform. Configure CC-SG 1. On the Setup menu, clic[...]

C HAPTER 12: ADVANCED ADMINISTRATION 167 4. Click on the Advanced tab. Figure 200 Extra Initialization Commands 5. Type an initialization command in Extra initialization commands that will be used by your modem to set the “Carrier detection” flag. For example, type at&c for a SoftK56 Data F ax modem. This is necessary to tell Windows not to[...]

168 C OMMAND C ENTER S ECURE G ATEWAY A DMINISTRATOR G UIDE 4. Click Next . Figure 202 New Connection Wizard 5. Click Connect to the network at my workplace . 6. Click Dial-up connection . 7. Type a name for CC-SG, for example CommandCenter . Figure 203 Connection Name 8. Type the phone number used to connect to CC-SG and click Next . This is NOT t[...]

C HAPTER 12: ADVANCED ADMINISTRATION 169 10. In the next screen, typically you want to click My use only in the next screen to make the connection available only to yourself. 11. Click Finish in the last screen to save the connection settings. Configure the Call-back Connection If the CC-SG uses a call-back connection, you need to use a script file[...]

170 C OMMAND C ENTER S ECURE G ATEWAY A DMINISTRATOR G UIDE transmit "ccclient^M" endproc Connect to CC-SG with Modem To connect to CC-SG: 1. On the start menu, click My Network Places . 2. Click view network connections under Network Tasks . 3. Double-click on the CommandCenter connection. Figure 206 Connecting to CC-SG 4. Type a usernam[...]

C HAPTER 12: ADVANCED ADMINISTRATION 171 7. If Show terminal window was checked as described in section Configure the Call-back Connection earlier in this chapter, then a window sim ilar to the one below will be displayed: Figure 208 After Dial Terminal 8. Wait 1 or 2 minutes and in a supported browser, enter the IP address of CC-SG that was config[...]

172 C OMMAND C ENTER S ECURE G ATEWAY A DMINISTRATOR G UIDE Connection Mode When connected to a device, you have the option to pass data back and forth directly with that device ( Direct Mode ) or to route all the data through your CC-SG unit ( Proxy Mode ). While Proxy Mode increases the bandwidth load on your CC -SG server, you only need to keep [...]

C HAPTER 12: ADVANCED ADMINISTRATION 173 iii. Click the Add button to add the Net Address and Mask to the screen. You may have to use the scroll bar on the right side of the screen to view the Add/Remove/Update buttons) Figure 210 Configuration Manage r Connection Screen – Both[...]

174 C OMMAND C ENTER S ECURE G ATEWAY A DMINISTRATOR G UIDE Device Settings 1. On the Setup menu, click Configuration Manager. When the Configuration Manager screen appears, click on the Device Settings tab. 2. To update device Default Port, select a Devi ce Type in the table and double-click on the Default Port value. Type the new Default Port val[...]

C HAPTER 12: ADVANCED ADMINISTRATION 175 SNMP Simple Network Management Protocol allows CC-SG to push SNMP traps (event notifications) to an existing SNMP manager on the network. On ly a CC-SG Administrator trained in handling an SNMP infrastructure should configure CC-SG to work with SNMP. CC-SG also supports SNMP GET/SET operations with third-par[...]

176 C OMMAND C ENTER S ECURE G ATEWAY A DMINISTRATOR G UIDE System Log traps, which include notifications for th e status of the CC unit itself, such as a hard disk failure, and Application Log traps for notifications generated by eve n ts in the CC application, such as modifications to a user a ccount. To enable traps by type, check the boxes mark[...]

C HAPTER 12: ADVANCED ADMINISTRATION 177 Strong Password Rules Strong password rules require users to observe strict guidelines when creating passwords, which makes the passwords more difficult to guess and, in theory, more secure. Administrators can enable or disable this feature ⎯ see the previous section Configure Security . When strong passwo[...]

178 C OMMAND C ENTER S ECURE G ATEWAY A DMINISTRATOR G UIDE 6. Type an email address in Lockout notification email so notific ation is sent to the address informing the recipient that lockout has occurred. If the field is blank, notificatio n is not sent. 7. Type a phone number in Administrator’s Phone if the administrator needs to be contacted. [...]

C HAPTER 12: ADVANCED ADMINISTRATION 179 4. Click OK to add the new application or Cancel to close the window. If you clicked OK , a search window appears. Figure 218 Search W indow 5. Click on the Look In drop-down arrow and navigate to locat e the application in your system . When you find the application, select it, and click Open . The applicat[...]

180 C OMMAND C ENTER S ECURE G ATEWAY A DMINISTRATOR G UIDE 6. Modify parameters in the Parameters panel and click the Update button in the Details panel of the screen. The parameters will be updated. 7. Click Close to close the Application Manager screen. Delete Application Deleting an application from the Application Manager removes it from the C[...]

C HAPTER 12: ADVANCED ADMINISTRATION 181 2. Click Add to add a new firmware file. A search window appears. Figure 222 Search W indow 3. Click on the Look In drop-down arrow and navigate to lo cate the firmware file in your system. When you find the firmware, select it, and click Open . The firmware name will appear in the Firmware Name field. 4. Cl[...]

182 C OMMAND C ENTER S ECURE G ATEWAY A DMINISTRATOR G UIDE Add a CC-NOC Note : To create a valid connection, the time se ttings on both the CC-NOC and CC-SG should be synchronized. The best method of ach ieving this synchronization, it to use a common NTP (Network Time Protocol) server. For this reason, the CC-NOC and CC-SG are required to be conf[...]

C HAPTER 12: ADVANCED ADMINISTRATION 183 3. Select a software version of CC-NOC you want to add and click Next . Versio n 5.1 has fewer integration features than 5.2 and only requ ires adding a name and an IP address. For additional information on CC-NOC 5.1, please see www.raritan.com/support . Click on Product Documentation , then CommandCenter N[...]

184 C OMMAND C ENTER S ECURE G ATEWAY A DMINISTRATOR G UIDE To stop CC-NOC from monitoring a device, it can be unmanaged – see the CommandCenter NOC Administrator Guide . Note : Use the CC-NOC Synchronization Report to view targets that the CC-SG is subscribing to. The report also displays any new targets that have been discovered by CC-NOC. See [...]

C HAPTER 12: ADVANCED ADMINISTRATION 185 Important: To increase security, you must enter the passcodes in CC-NOC within five minutes after they are gener ated on CC-SG. This will min i mize the window of opportunity for intruders to breach the system with a brute-force attack. Avoid transmitting the passcodes over email or other electronic means to[...]

186 C OMMAND C ENTER S ECURE G ATEWAY A DMINISTRATOR G UIDE 2. Highlight a CC-NOC in the list and click Edit . The Edit CC-NOC Configuration screen appears. Figure 229 Edit CC-NOC Configuration Screen 3. Refer to the previous section Add a CC-NOC for field details. Launch CC-NOC To launch CC-NOC from CC-SG: 1. In the CC-NOC Configuration screen, hi[...]

C HAPTER 12: ADVANCED ADMINISTRATION 187 Delete a CC-NOC To remove and unregister a CC-NOC in CC-SG, do the following. 1. On the CommandCenter NOC menu, click Configuration . The CC-NOC Configuration screen appears. Figure 231 Delete CC-NOC Screen 2. Highlight a CC-NOC in the list and click Delete . You are prompted to confirm the deletion. 3. Clic[...]

188 C OMMAND C ENTER S ECURE G ATEWAY A DMINISTRATOR G UIDE Create a Cluster In the event of a failover, the administrator s hould send an email to all CC-SG users, notifying them to use the IP address of the “new” Primary CC-SG node. Important: It is recommended to backup your configuration on both nodes before setting up a cluster configurati[...]

C HAPTER 12: ADVANCED ADMINISTRATION 189 Set Secondary CC-SG Node 1. Click Discover Co mmandCenters to scan and display all CC-SG appliances on the same subset as your one you are currently using. Alternatively, you can add a CC-SG, perhaps from a different subnet, by specifying an IP address in CommandCenter address in the bottom of the window. Cl[...]

190 C OMMAND C ENTER S ECURE G ATEWAY A DMINISTRATOR G UIDE Remove Secondary CC-SG Node 1. To remove Secondary Node status from a CC-SG unit and reassign it to a different unit in your configuration, select the Secondary CC-SG Node in the Cluster Configuration table and click Remove “Backup” Node. 2. When the confirmation message appears, click[...]

C HAPTER 12: ADVANCED ADMINISTRATION 191 Set Advanced Settings To configure advanced settings of a cluster configuration: 1. Select the Primary node just created. 2. Click Advanced . The Advanced Settings window appears. Figure 236 Cluster Configur ation Advanced Settings 3. For Time Interval , enter how often CC-SG should check its connection with[...]

192 C OMMAND C ENTER S ECURE G ATEWAY A DMINISTRATOR G UIDE • Outlet Port Power Management (Power On/Off/Recycle Outlet ports) • Generate all Reports (HTML or CSV formats) • Purge Logs Scheduling Sequential Tasks You may want to schedule tasks sequentially to confirm that expected behavior was actually carried out. For example, you may want t[...]

C HAPTER 12: ADVANCED ADMINISTRATION 193 Create a New Task To schedule a new task: 1. On the Setup menu, click Task Manager . Figure 237 Task Manager 2. Click New . Figure 238 Create Task 3. In the Main tab, type a name (1-32 characters, alphanumeric characters or underscores, no spaces) and description for the task. Server Time New Button[...]

194 C OMMAND C ENTER S ECURE G ATEWAY A DMINISTRATOR G UIDE 4. Click on the Task Data tab and from the pulldown menu, select the task to be scheduled, such as Upgrade Device Firmware . Note that the fields requiring data will vary according to the task selected. With the exception of Restart Device and Restore Device , a single device or devices in[...]

C HAPTER 12: ADVANCED ADMINISTRATION 195 8. Change Own Password in Chapter 7: Adding Users and User Groups . If an email was not configured, then this field is blank. By defau lt, email is sent if the task was successful. To notify the recipient of failed tasks, click the On Failure checkbox. Figure 241 Specifying Task Email Notification 9. To send[...]

196 C OMMAND C ENTER S ECURE G ATEWAY A DMINISTRATOR G UIDE 4. To view the history of a task, select a task and click Task History . Figure 243 Task History 5. To view details of a task, double-click on a task. Figure 244 Task Details Note : If a task is changed or updated, its prior history no longer applies and the “Last Execution Date” will [...]

C HAPTER 12: ADVANCED ADMINISTRATION 197 Notification Manager Use Notification Manager to configure an extern al SMTP server so notifications can be sent from CC-SG. Notifications are used to email reports th at have been scheduled, email reports if users are locked out, email status of failed or successful scheduled tasks ─ please see section Ta[...]

198 C OMMAND C ENTER S ECURE G ATEWAY A DMINISTRATOR G UIDE SSH Access to CC-SG Use Secure Shell (SSH) clients, such as Putty or OpenSHH Client, to access a co mmand line interface to SSH (v2) server on CC-SG. Only a subset of CC-SG commands is provided via SSH to administer devices and CC-SG itself. The SSH client user is authenticated by the CC-S[...]

C HAPTER 12: ADVANCED ADMINISTRATION 199 4. A shell prompt appears. Type ls to display all commands available from SSH. Figure 248 CC-SG Commands via SSH 5. Typing help or ? provides the syntax and description of all available commands. Figure 249 SSH Help[...]

200 C OMMAND C ENTER S ECURE G ATEWAY A DMINISTRATOR G UIDE 6. Typing the command with the –h switch displays help for that command, such as listfirmwares –h. Figure 250 SSH listfirmwares Help Command Tips The following describes several nuances of the SSH commands: • For commands that pass an IP address, such as upgradedevice, you can substi[...]

C HAPTER 12: ADVANCED ADMINISTRATION 201 Create a SSH Connection to an SX Device You can create an SSH connection to an SX de vice to perform adm inistrative operations on the device. Once connected, the administrative commands supported by the SX device are available. Note : Before you can connect, ensure that the SX device has been added to the C[...]

202 C OMMAND C ENTER S ECURE G ATEWAY A DMINISTRATOR G UIDE Connect to a Serial Port Connect to a serial port to access a target server. You can access serial ports on a SX, KSX, or IP- Reach device. The SSH connection to the serial ports are in proxy mode. 1. Type listports to view the port ids. Figure 253 Listing Ports on CC-SG 2. Type connect ?[...]

C HAPTER 12: ADVANCED ADMINISTRATION 203 3. Once connected to the port, type the default Escape key s of ‘ ~ ’ followed by a dot ‘ . ’. An intermediate prompt, typically named afte r port nam e, is display ed, for example testport> . At this intermediate prompt, you can enter specifi c commands or aliases as described below: C OMMAND A L[...]

204 C OMMAND C ENTER S ECURE G ATEWAY A DMINISTRATOR G UIDE Diagnostic Console The Diagnostic Console is a standard, non-grap hical interface that pr ovides local access to CC- SG. It can be accessed from a serial or KVM port, or from Secure Shell (SSH) clients, such as Putty or OpenSSH Client. Two logins are provided ⎯ one is status and the othe[...]

C HAPTER 12: ADVANCED ADMINISTRATION 205 Accessing Status Console Entering a password to access the Status Console is no t required, but can be enforced if desired. 1. After login as: , type status . Figure 256 Login to Status Console The read-only status console is displayed. This screen dynamically displays information to help you determine the h[...]

206 C OMMAND C ENTER S ECURE G ATEWAY A DMINISTRATOR G UIDE Accessing Administrator Console At the time of logging into Administrator Console, all inform ation displayed is “static”. If configuration changes occur through the CC-SG GU I or the Diagnostic Console, you need to re- login to Administrator Console after the chang es have taken effec[...]

C HAPTER 12: ADVANCED ADMINISTRATION 207 Navigating Adminis trator Console PRESS.. T O … CTRL+C or CTRL+Q To exit Diagnostic Console. CTRL+L Refresh screen and update information. TAB Move to next available option. SPACE Select current option. Arrow Keys Allows you to move to various options. Mouse Allows you to point and select an option. Editin[...]

208 C OMMAND C ENTER S ECURE G ATEWAY A DMINISTRATOR G UIDE 3. Click Save as Default at the bottom of the screen or press the TAB key and press Enter once Save as Default is highlighted. Press ^Q or ^C to exit. The Pre-Login and Message of the Day have three separate buffers or areas: • Admin Console Screen – starts with a copy of the Active Me[...]

C HAPTER 12: ADVANCED ADMINISTRATION 209 Figure 263 Edit Status Console Config 3. Click Save at the bottom of the screen or press the TAB key and press Enter once Save is highlighted. Press ^Q or ^C to exit. Editing Network Interfaces Configura tion (Network Interfaces) In Network Interface Configuration, you can perform initial setup tasks such as[...]

210 C OMMAND C ENTER S ECURE G ATEWAY A DMINISTRATOR G UIDE 2. If this is the first time accessing CC-SG and th e network interfaces have not been configured, it is strongly recommended to use CC-SG GUI to configure them instead of configuring them here. If the network interfaces have already been configured, you will see a Warning message, stating[...]

C HAPTER 12: ADVANCED ADMINISTRATION 211 Ping an IP Address (Network Interfaces ) Use ping to check that the connection between your computer and a particular IP address (domain) is working correctly. 1. To ping an IP address or hostname, click Operation , Network Interfaces , then Ping . Figure 266 Pinging a Target 2. Enter the IP address or hostn[...]

212 C OMMAND C ENTER S ECURE G ATEWAY A DMINISTRATOR G UIDE Using Traceroute (Network Interfaces ) Traceroute is often used for network troubleshooting. B y showing a list of routers traversed, it allows you to identify the path ta ken from your computer to reach a particular destination on the network. It will list all the routers it passes throug[...]

C HAPTER 12: ADVANCED ADMINISTRATION 213 Active/Active network settings where each interface is attache d to a separate IP domain-see section Network Configuration in Chapter 12: Advanced Administration for additional information. Click with the mouse or use the TAB , ↓↑ keys to navigate and press the Enter key to select a value. 1. To view or [...]

214 C OMMAND C ENTER S ECURE G ATEWAY A DMINISTRATOR G UIDE 2. Click with the mouse or use the ↓↑ keys to navigate and press the Enter key to select a log file (marked with an X) . More than one log file can be viewed at a time. (Some log files are not available; a warning dialog will appear and the item will be de-selected for you.) Figure 271[...]

C HAPTER 12: ADVANCED ADMINISTRATION 215 3. When View is selected with Merged Windows, the LogViewer displays: Figure 272 Selecting Log Files to View 4. While viewing log files, type CTRL+C to return to the previous screen. 5. If desired, you can change colors in a log file to highl ight what is im portant. Type c to change colors of a log file and[...]

216 C OMMAND C ENTER S ECURE G ATEWAY A DMINISTRATOR G UIDE 7. If desired, you can filter the log file with a regular expression. Type e to add or edit a regular expression and select a log from the list if you have chosen to view several. Figure 275 Adding Expressions in Log Files 8. Type a to add a regular e xpression. For exa mple, if you want t[...]

C HAPTER 12: ADVANCED ADMINISTRATION 217 9. Select F1 to get help on all LogViewer options. Pressing CTL+C and CTL+Q (as well as a plain q ) terminates this LogViewer session. Figure 277 Getting Help (F1) Restarting CC-SG ( Admin) You can restart CC-SG, which will log off all curre nt CC-SG users and terminate their sessions to remote target server[...]

218 C OMMAND C ENTER S ECURE G ATEWAY A DMINISTRATOR G UIDE 2. Either click Restart CC-SG Application or press ENTER. Figure 279 Restarting CC-SG in Diagnostic Console Rebooting CC-SG (Admin) This option will reboot the entire CC-SG, which si mulates a power cycle. Users will NOT receive a notification at all. CC-SG, SSH, and Diagnostic Console use[...]

C HAPTER 12: ADVANCED ADMINISTRATION 219 2. Either click REBOOT System or press ENTER to reboot CC-SG. A screen to confirm this action appears and needs to be acknowledge d before this operation will commence. Figure 281 Rebooting CC-SG in Diagnostic Console Changing Passwords (Admin) This option provides the ability to configure the strength of pa[...]

220 C OMMAND C ENTER S ECURE G ATEWAY A DMINISTRATOR G UIDE In Password Configuration , enter the number of passwords that will be remembered. This is the password history, which discourages password reuse and ensures that the new password has not been used within the specified number of previous password changes. Default is 5 . With a setting of 5[...]

C HAPTER 12: ADVANCED ADMINISTRATION 221 Account Configuration By default, the status acco unt does not require a password, but you can configure it to have one here. Other aspects of the admin password can be configured and the Field Support accounts can be enabled or disabled. 1. To configure accounts, click Operation , Admin , Change Passwords ,[...]

222 C OMMAND C ENTER S ECURE G ATEWAY A DMINISTRATOR G UIDE 4. For the Admin and Status accounts, you can configure: S ETTING D ESCRIPTION User User Name This is the current user name or ID for this account. (This may be operator changeable in a future release.) Last Changed (Read-only). This is the date of the last password change for this accou[...]

C HAPTER 12: ADVANCED ADMINISTRATION 223 2. Either click Refresh or press Enter to refresh the display. Refr eshing the display is especially useful when upgrading or installing and you wa nt to see the progress of the RAID disks as they are being rebuilt and being synchronized. Figure 287 Displaying Disk Status of CC-SG in Diagnostic Console The d[...]

224 C OMMAND C ENTER S ECURE G ATEWAY A DMINISTRATOR G UIDE 2. View the total running, sleeping, total num ber and processes that have stopped. Figure 289 Displaying CC-SG Proc esses in Diagnostic Console 3. Type h to bring up an extensive help screen for the top command. The standard F1 help key is not operational at this point. To return to the A[...]

A PPENDIX A: S PECI FICATIONS 225 Appendix A: Specifications (G1, V1) G1 Platform General Specifications Form Factor 1U Dimensions (DxWxH) 22.1”x 17.32” x 1.75” 563mm x 440mm x 44mm Weight 24.07lb (10.92kg) Power Redundant, hot-swappable power supplies, auto-sensing 110/220 V – 2.0A Mean Time Between Failure (MTBF) 38,269 hours KVM Admin Po[...]

226 C OMMAND C ENTER S ECURE G ATEWAY A DMINISTRATOR G UIDE N ON -O PERATING Temperature 0 - 30 deg C; 32 – 104 deg F Humidity 10% - 90% RH Altitude Operate properly at any altitude between 0 to 10,000 feet, storage 40,000 feet (est.) Vibration 5-55-5 HZ, 0.38mm, 1 minutes per cycle; 30 minutes for each axis (X, Y, Z) Shock N/A Electrical Specifi[...]

A PPENDIX A: S PECI FICATIONS 227 V1 Platform General Specifications Form Factor 1U Dimensions (DxWxH) 24.21”x 19.09” x 1.75” 615mm x 485mm x 44 mm Weight 23.80lb (10.80kg) Power Single Supply (1 x 300 watt) Operating Temperature 10 ℃ - 35 ℃ (50 ℉ - 95 ℉ ) Mean Time Between Failure (MTBF) 36,354 hours KVM Admin Port (DB15 + PS2 or USB[...]

228 C OMMAND C ENTER S ECURE G ATEWAY A DMINISTRATOR G UIDE N ON -O PERATING Temperature -40 - +60 (-40-140) Humidity 5% - 95% RH Altitude Operate properly at any altitude between 0 to 10,000 feet, storage 40,000 feet (Estim ated) Vibration 5-55-5 HZ, 0.38mm,1 minutes per cycle; 30 minutes for each axis (X,Y,Z) Shock N/A Electrical Spec[...]

A PPENDIX B : CC - SG AND NETWORK CONFIGURATION 229 Appendix B: CC-SG and Ne twork Configuration Introduction This appendix discloses network requirements (addresses, protocols and ports) of a typical CommandCenter Secure Gateway (CC-SG) deployment . It provides what you need to know and how to configure your network for both external access (if de[...]

230 C OMMAND C ENTER S ECURE G ATEWAY A DMINISTRATOR G UIDE Figure 290 CC-SG Deployment Elements Internet (Unsecured Netw ork) CC - SG Cluster Peer CC Clients Internal Network Firewall CC - NOC CC Clients Raritan Device Serial KVM Out - of -B a n d T a r get A ccess In-B a n d A ccess VPN Raritan Device CC - SG Internal Network[...]

A PPENDIX B : CC - SG AND NETWORK CONFIGURATION 231 CC-SG Communication Channels The communication channels are partitioned as follows: • CC-SG ↔ Raritan Devices • CC-SG ↔ CC-SG Clustering (optional) • CC-SG ↔ Infrastructure Services • Clients ↔ CC-SG • Clients ↔ Targets (Direct Mode) • Clients ↔ Targets (Proxy Mode) • Cli[...]

232 C OMMAND C ENTER S ECURE G ATEWAY A DMINISTRATOR G UIDE Each CC-SG in the cluster may be on a separ ate LAN. However, the inter-connection between the units should be very reliable and not prone to periods of congestion. Communication Direction Port Number Protocol Purpose Configurable? CC-SG → Local Broadcast 10000 UDP CC-SG Discovery no CC-[...]

A PPENDIX B : CC - SG AND NETWORK CONFIGURATION 233 The first mode is the primary means for users and administrators to connect to CC-SG. The other two modes are less frequently used. These modes require the following networking configuration: Communication Direction Port Number Protocol Purpose Configurable? Client → CC-SG GUI 443 TCP HTTPS Acce[...]

234 C OMMAND C ENTER S ECURE G ATEWAY A DMINISTRATOR G UIDE CC-SG & SNMP Simple Network Management Protocol (SNMP) allows CC-SG to push SN MP traps (event notifications) to an existing SNMP manager on the network. CC-SG also supports SNMP GET/SET operations with third-party Enterprise Management Solutions, such as HP OpenView. Communication Dir[...]

A PPENDIX B : CC - SG AND NETWORK CONFIGURATION 235 Security and Open Port Scans As part of the CC-SG Quality Assurance process, several open port scanners are applied to the product and Raritan Computer makes certain that its product is not vulnerable to these known attacks. All the open or filtered/blocked ports are listed in the above sections. [...]

[...]

A PPENDIX C: I NITI AL S ETUP P ROCESS O VERVI EW 237 Appendix C: Initial Se tup Process Overview Pre-requisites: • Add Devices with Category/Element clearly identified. • Add Ports with Category/Element clearly identified. Create Group(s)/Add User(s) 1. Add Device Group with rule based on Category/Element 2. Add Port Group with rule based on C[...]

238 C OMMAND C ENTER S ECURE G ATEWAY A DMINISTRATOR G UIDE[...]

A PPENDIX D: U SER G ROUP P RI VIL EGE S 239 Appendix D: User Group Privileges U SERS G ROUP P RIVILEGE A VAILABLE C OMMANDS U SER C APABILITY Application Manager Users are ab le to add new application to CC-SG. Security Manager Users are able to configure security parameters. Configuration Manager Users are able to make general configuration of CC[...]

240 C OMMAND C ENTER S ECURE G ATEWAY A DMINISTRATOR G UIDE U SERS G ROUP P RIVILEGE A VAILABLE C OMMANDS U SER C APABILITY Configuration Manager Users are able to change general device settings configuration of CC-SG. Add Device Users are able to add new devices. Edit Device Users are able to modify devices na me and parameters. Delete Device User[...]

A PPENDIX D: U SER G ROUP P RI VIL EGE S 241 U SERS G ROUP P RIVILEGE A VAILABLE C OMMANDS U SER C APABILITY Association Manager Users are abl e to associate categories and elements. Device Group Manager Users are able to rename groups and add rules to device groups. Port Group Manager Users are able to rename groups and add rules to port groups. P[...]

242 C OMMAND C ENTER S ECURE G ATEWAY A DMINISTRATOR G UIDE[...]

A PPENDIX E: SNMP T RAPS 243 Appendix E: SNMP Traps CC-SG provides the following traps: SNMP T RAP D ESCRIPTION CCDeviceUpgrade CC-SG has upgraded the firmware on a device. CCImageUpgradeResults CC-SG image upgrade results. CCImageUpgradeStarted CC-SG image upgrade started. CCIncompatibleDeviceFirmware CC-SG detected device with incompatible firmw [...]

244 C OMMAND C ENTER S ECURE G ATEWAY A DMINISTRATOR G UIDE[...]

A PPENDIX F: T ROUBLESHOOTING 245 Appendix F: Troubleshooting • In order to launch CC-SG from your web brow ser, it requires a Java plug-in. If your machine has an incorrect version, CC-SG will guide you through the installation steps. If your machine does not have a Java plug-in, CC-SG can not automatically launch. In this case, you must uninsta[...]

246 C OMMAND C ENTER S ECURE G ATEWAY A DMINISTRATOR G UIDE Port and Policy Group Creation Failure The default port groups and policies created in the Association Wizard are named after the elements of a category. If the element names ar e not unique, the default port groups and poli cies cannot be created (see the screen below) and will appear in [...]

A PPENDIX G: FAQ S 247 Appendix G: FAQs Q UESTION A NSWER General What is CC-SG? CC-SG is a network ma nagement device for aggregating and integrating multiple servers a nd network equipment typically deployed in a datacenter and which are connected to a Raritan IP-enabled product. Why would I need CC-SG? As you deploy more and more datacenter serv[...]

248 C OMMAND C ENTER S ECURE G ATEWAY A DMINISTRATOR G UIDE Q UESTION A NSWER to add a console/serial port to CC-SG? the following conditions are met: - The Dominion unit is active. - The Dominion unit has not reached the maximum number of configured user accounts. Which version of Java will Raritan’s CC-SG be supporting? The earliest version CC-[...]

A PPENDIX G: FAQ S 249 Q UESTION A NSWER If we had more than 1,000 users, how would this be managed? That is, do you support Active Directory? CC-SG works with Microsoft Active Directory, Sun iPlanet or Novell eDirectory. If a user account already exists in an authentication server, then CC-SG supports remote authentication using AD/TACACS+ /RADIUS[...]

250 C OMMAND C ENTER S ECURE G ATEWAY A DMINISTRATOR G UIDE Q UESTION A NSWER track down to who switched on or off a power plug? through the CC-SG GUI can be logged to audit logs. Performance As a CC-SG Administrator, I added over 500 ports and assigned all of them to me. Now it takes a long time to log on to CC-SG. When you, as Administrator, have[...]

A PPENDIX G: FAQ S 251 Q UESTION A NSWER or simply box level? switches, the tightness of integration will vary. How would I mitigate the restriction of four simultaneous paths through any IP-Reach box, including the roadmap for the potential 8-path box? Currently, the best possible implementation is to aggregate IP- Reach boxes with CC-SG. In the f[...]

252 C OMMAND C ENTER S ECURE G ATEWAY A DMINISTRATOR G UIDE 255-80-5140-00[...]

A PPENDIX G: FAQ S 253[...]

North Amer ican Headquarte rs Raritan 400 Cottontail Lane Somerset, NJ 08873 U.S.A. Tel. (732) 764-8886 or (800) 724-8090 Fax (732) 764-8887 Email: sales@raritan.com Website: Raritan.com Raritan NC 4901 Waters Edge Dr. Suite 101 Raleigh, NC 27606 Tel. (919) 277-0642 Email: sales.nc@raritan.com Website: Raritan.com Raritan Canada 4 Robert Speck Pkwy[...]