JANUARY 2007 SW551A SW552A Secure Site Manager 8 Secure Site Manager 16 User’s Guide CUSTOMER SUPPORT INFORMATION Order toll-free in the U.S.: Call 877-877-BBOX (outside U.S. call 724-746-5500) FREE technical support 24 hours a day, 7 days a week: Call 724-746-5500 or fax 724-746-0746 Mailing address: Black Box Corporation, 1000 Park Drive, Lawrence, PA 15055-1018 Web site: www.blackbox.com • E-mail: info@blackbox.
FCC AND IC RFI STATEMENTS/CE NOTICE FEDERAL COMMUNICATIONS COMMISSION AND INDUSTRY CANADA RADIO FREQUENCY INTERFERENCE STATEMENTS This equipment generates, uses, and can radiate radio-frequency energy, and if not installed and used properly, that is, in strict accordance with the manufacturer’s instructions, may cause interference to radio communication.
SECURE SITE MANAGERS NORMAS OFICIALES MEXICANAS (NOM) ELECTRICAL SAFETY STATEMENT
SAFETY INSTRUCTIONS
1. All safety and operating instructions should be read before the electrical appliance is operated.
2. The safety and operating instructions should be retained for future reference.
3. All warnings on the electrical appliance and in its operating instructions must be heeded.
4. All operating and usage instructions must be followed.
5.
NOM STATEMENT
12. Care must be taken so that the equipment's protective earth connection and polarization are not defeated.
13. Power-supply cords should be routed so that they are not likely to be walked on or pinched by items placed on or against them, paying particular attention to plugs and receptacles at the point where they exit the appliance.
14. Electrical equipment should be cleaned only as recommended by the manufacturer.
15.
SECURE SITE MANAGERS TRADEMARKS USED IN THIS MANUAL BLACK BOX and the Double Diamond logo are registered trademarks of BB Technologies, Inc. ProComm is a registered trademark of DATASTORM TECHNOLOGIES, INC.™ Crosstalk is a registered trademark of Digital Communications Associates, Inc. VT100 is a trademark of Digital Equipment Corporation. AT is a registered trademark of International Business Machines Corporation. Netscape Navigator is a registered trademark of Netscape Communications Corporation.
WARNINGS AND CAUTIONS WARNINGS AND CAUTIONS Secure Racking If secure racked units are installed in a closed or multi-unit rack assembly, they may require further evaluation by certification agencies. Consider the following items: 1. The ambient temperature within the rack may be greater than the room ambient temperature. Installation should be such that the amount of airflow required for safe operation is not compromised. The maximum temperature for the equipment in this environment is 122°F (50°C). 2.
Contents
1. Specifications 9
2. Quick Start Guide
2.1. Quick Hardware Installation
2.1.1. Apply Power to the Secure Site Manager
2.1.2.
5.7. Port Configuration
5.7.1. Port Modes
5.7.2. RS232 Port Configuration Menus
5.7.2.1. Configuring the Internal Modem
5.7.3. Network Port Configuration Menus
5.7.4. Implementing IP Security
9. The Syslog Feature 92
9.1. Configuration 92
9.2. Criteria for Generating a Syslog Message 94
9.3. Testing Syslog Configuration 95
10. SNMP Traps
CHAPTER 1: Specifications
1. Specifications
Network Interface: 10/100Base-T Ethernet, RJ45, multi-session Telnet.
RS232 Port Interface:
Connectors:
• Model SW551A: Eight (8) DB9 connectors (DTE pinout).
• Model SW552A: Sixteen (16) DB9 connectors (DTE pinout).
Coding: 7/8 bits, Even, Odd, No Parity, 1, 2 Stop Bits.
Flow Control: XON/XOFF, RTS/CTS, Both, or None.
Data Rate: 300 to 115.2K bps (all standard rates).
Inactivity Timeout: A no-activity timeout disconnects idle port and modem sessions.
SECURE SITE MANAGERS 2. Quick Start Guide This section describes a simplified installation procedure for the Secure Site Managers, which will allow you to communicate with the unit in order to demonstrate basic features and check for proper operation. Note that this Quick Start Guide does not provide a detailed description of unit configuration, or discuss advanced operating features in detail.
CHAPTER 2: Quick Start Guide 2.2. Communicating with the Secure Site Manager When properly installed and configured, the Secure Site Manager will allow command mode access via Telnet, Web Browser, SSH client, modem, or local PC. However, in order to ensure security, both Telnet and Web Browser access are disabled in the default state. To enable Telnet and/or Web Browser access, please refer to Section 5.7.3. Note that Telnet carries the login and the entire session in cleartext; if you enable it, restrict the addresses that may connect with the IP Security feature (Section 5.7.4) and prefer SSH wherever the client supports it.
PORT STATUS: Site ID: (undefined) 11/20/2006 23:18:34 GMT (GMT+0000)
PORT | NAME        | USERNAME | STATUS | MODE | BUFFER COUNT
-----+-------------+----------+--------+------+-------------
01   | (undefined) |          | Free   | Any  | 0
02   | (undefined) |          | Free   | Any  | 0
03   | (undefined) |          | Free   | Pass | 0
04   | (undefined) |          | Free   | Pass | 0
05   | (undefined) |          | Free   | Pass | 0
06   | (undefined) |          | Free   | Pass | 0
07   | (undefined) |          | Free   | Pass | 0
08   | (undefined) |          | Free   | Pass | 0
09   | M
d) Via Telnet: Make certain that Telnet access is enabled as described in Section 5.7.3. Start your Telnet client, and enter the Secure Site Manager's default IP address (192.168.168.168).
e) Via Modem: Use your communications program to dial the number for the line connected to the Secure Site Manager's Phone Line port.
2. Username / Password Prompt: A message will be displayed, which prompts you to enter your username (Login) and password.
iii. Issue a Third Party Disconnect command to disconnect Ports 2 and 3; type /D 2 [Enter]. The unit will display the "Are you Sure (y/n)?" prompt. Type y and press [Enter] to disconnect.
iv.
5. Type /S [Enter] to display the Port Status Screen. The Status screen should now list Ports 2 and 3 as "Free".
CHAPTER 3: Overview 3. Overview The Secure Site Managers provide in-band and out-of-band access to RS-232 console ports and maintenance ports on UNIX servers, routers and any other network element that includes a serial console port. System administrators can access the Secure Site Manager via TCP/IP network, using SSH or Telnet, or out-of-band via modem or local terminal.
SECURE SITE MANAGERS Configuration Backup Once you have configured the Secure Site Manager to fit your application, parameters and options can be saved to an ASCII text file on your PC. This allows you to quickly restore user-selected parameters if unit configuration is accidentally altered or deleted. Saved parameters can also be uploaded to other Secure Site Manager units. This allows rapid set-up when several units will be configured with identical or similar parameters.
Figure 3-1: Front Panel Components - Model SW551A Shown (labels: ON, CLEAR, SET, RDY, CONNECTIONS 1-8)
3.1. Front Panel Components
CLEAR: Restarts the Secure Site Manager without changing user-selected parameter settings. Note: When Clear is pressed, all ports will be disconnected.
ON: Lights when AC Power is applied.
SET: Used to Initialize the Secure Site Manager to default parameters. Because SET returns the unit to its factory defaults, anyone who can reach the front panel can undo your configuration; treat physical access to the unit as equivalent to Supervisor access and rack it accordingly.
Figure 3-2: Back Panel Components - SW551A Model (labels: Phone Line, 10/100BaseT Link/Activity, System Setup and Ports (DTE) 1-8, power switch I/O)
Figure 3-3: Back Panel Components - SW552A Model (labels: Phone Line, 10/100BaseT Link/Activity, System Setup and Ports (DTE) 1-16, power switch I/O)
3.2. Back Panel Components
Phone Line Port: For connection to your external phone line.
CHAPTER 4: Installation 4. Hardware Installation 4.1. Connecting Power to the Secure Site Manager Unit The Secure Site Manager is available in both AC and DC powered versions. When connecting power to the Secure Site Manager, proceed as follows: CAUTIONS: • Before attempting to install this unit, please review the warnings and cautions listed at the front of the user’s guide. • This device should only be operated with the type of power source indicated on the instrument nameplate.
Figure 4-1: COM/RS-232 port interface.
4.3. Connecting Devices to the Secure Site Manager
1. Determine which Secure Site Manager port will be used for connection to the new device (e.g. Port 3).
2. Use an appropriate DB9 cable to connect the RS232 serial port on the device to a DB9 port on the Secure Site Manager.
3. a) External Modems and other DCE Devices: Use a standard serial modem cable.
b) PCs and other DTE Devices: Use a null modem cable.
CHAPTER 5: Configuration 5. Configuration 5.1. Communicating with the Secure Site Manager In order to configure the Secure Site Manager, you must first connect to the unit, and access command mode. Note that, the Secure Site Manager offers two separate configuration interfaces; the Web Browser Interface and the Text Interface. In addition, the Secure Site Manager also offers three different methods for accessing command mode; via network, via modem, or via local console.
SECURE SITE MANAGERS To access command mode via the Text Interface, proceed as follows: Note: Command mode cannot be accessed via a Buffer Mode Port, Passive Mode Port, or any port that is presently connected to another Secure Site Manager port. 1. Contact the Secure Site Manager Unit: a) Via Local PC: Start your communications program and press [Enter]. Wait for the connect message, then proceed to Step 2. b) Via Network: The Secure Site Manager includes a default IP address (192.168.168.
PORT STATUS: Site ID: (undefined) 11/20/2006 23:18:34 GMT (GMT+0000)
PORT | NAME        | USERNAME | STATUS | MODE | BUFFER COUNT
-----+-------------+----------+--------+------+-------------
01   | (undefined) |          | Free   | Any  | 0
02   | (undefined) |          | Free   | Any  | 0
03   | (undefined) |          | Free   | Pass | 0
04   | (undefined) |          | Free   | Pass | 0
05   | (undefined) |          | Free   | Pass | 0
06   | (undefined) |          | Free   | Pass | 0
07   | (undefined) |          | Free   | Pass | 0
08   | (undefined) |          | Free   | Pass | 0
09
SECURE SITE MANAGERS Figure 5-2: The Home Screen (Web Browser Interface) 5.1.2. The Web Browser Interface The Web Browser Interface consists of a series of web forms, which can be used to select configuration parameters and enable/disable Secure Site Manager operating functions, by clicking on radio buttons and/or entering text into designated fields. Notes: • The Web Browser Interface cannot be used to connect and disconnect ports; the Web Browser Interface is used only for configuration purposes.
2. Username / Password Prompt: A message box will prompt you to enter your username and password. The default username is "super" (all lower case, no quotes), and the default password is also "super". Change this password before the unit is reachable from any network: the default is printed in this guide, and the "super" account is the one that configures the unit.
3. If a valid username and password are entered, the Secure Site Manager Home Screen will appear as shown in Figure 5-2.
5.2. System SetUp Ports
Serial Ports 1 and 2 are reserved as SetUp Ports, and will always permit password protected access to Supervisor commands.
SYSTEM PARAMETERS:
1. User Directory
2. Site-ID:
3. Real Time Clock: 11/21/2006 20:15:40
4. Invalid Access Lockout: On
5. Audit Log: On - Without Syslog
6. Callback Security: On - Callback (Without Password Prompt)
7. "/PW" Command: Off
Enter: # to change, exit ...
CHAPTER 5: Configuration 5.4. Defining System Parameters The System Parameters menus are used to define the Site ID Message, set the system clock and calendar, and configure the Invalid Access Lockout feature and Callback feature. In the Text Interface, the System Parameters menu is also used to create and manage user accounts and passwords.
• Real Time Clock: This prompt provides access to the Real Time Clock menu, which is used to set the clock and calendar, and to enable and configure the NTP (Network Time Protocol) feature as described in Section 5.4.1.
• Invalid Access Lockout: If desired, this feature can be used to automatically disable a Secure Site Manager serial port after a user specified number of unsuccessful login attempts are made. For more information, please refer to Section 5.4.2.
CHAPTER 5: Configuration • Time Zone: Sets the time zone, relative to Greenwich Mean Time. Note that the Time Zone setting will function differently, depending on whether or not the NTP feature is enabled and properly configured. (Default = GMT (No DST).) NTP Enabled: The Time Zone setting is used to adjust the Greenwich Mean Time value (received from the NTP server) to determine the precise local time for the selected time zone.
SECURE SITE MANAGERS 5.4.2. The Invalid Access Lockout Feature When properly configured and enabled, the Invalid Access Lockout feature will watch all login attempts made at all Secure Site Manager ports. If a given port exceeds the selected number of invalid attempts, then that port will be automatically disabled for a user-defined length of time.
CHAPTER 5: Configuration Notes: • Invalid Access Lockout parameters, defined via the System Parameters menu, will apply to all Secure Site Manager serial ports. • When a Port is locked, an external modem connected to that port will not answer. • When a given Secure Site Manager serial port is locked, the other Secure Site Manager serial ports will remain unlocked, unless the Invalid Access Lockout feature has been triggered at those other ports.
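The per-port behaviour described in Section 5.4.2 and the notes above, modelled in Python as an added example (this is not Secure Site Manager firmware): each port keeps its own count of invalid logins, a port that exceeds the configured number of attempts is disabled for the configured time, and the other ports are untouched. The class names, the assumed limits of three attempts and thirty minutes, the rule that a successful login clears the counter, and the injected clock are all assumptions made for the example.

```python
"""Per-port Invalid Access Lockout, modelled after Section 5.4.2.

Added example: this is not Secure Site Manager firmware. It models only
what the manual states: each port counts its own invalid login attempts,
a port that exceeds the configured number of attempts is disabled for the
configured length of time, and locking one port leaves the others alone.
The class names, the assumed limits, the rule that a successful login
resets the counter, and the use of an injected clock are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class LockoutPolicy:
    max_attempts: int = 3        # assumed value; the unit lets you choose this
    lockout_minutes: int = 30    # assumed value; the unit lets you choose this


@dataclass
class PortLockout:
    """Login-failure state for one serial or modem port."""
    policy: LockoutPolicy
    failures: int = 0
    locked_until: Optional[float] = None   # epoch seconds; None means unlocked

    def is_locked(self, now: float) -> bool:
        if self.locked_until is not None and now < self.locked_until:
            return True
        if self.locked_until is not None:
            # The lockout period has elapsed: re-enable the port and count afresh.
            self.locked_until = None
            self.failures = 0
        return False

    def login(self, password_ok: bool, now: float) -> bool:
        """Record one login attempt; return True if command mode may be entered."""
        if self.is_locked(now):
            # A locked port accepts no logins; per the manual, an external
            # modem on a locked port does not even answer the call.
            return False
        if password_ok:
            self.failures = 0          # assumption: a good login clears the count
            return True
        self.failures += 1
        # The manual says the port locks when it *exceeds* the selected number
        # of invalid attempts, so the (max_attempts + 1)th failure locks it.
        if self.failures > self.policy.max_attempts:
            self.locked_until = now + self.policy.lockout_minutes * 60
        return False


class SiteManagerLockout:
    """One lockout record per port; the records never influence each other."""

    def __init__(self, ports: List[int], policy: LockoutPolicy) -> None:
        self.ports: Dict[int, PortLockout] = {p: PortLockout(policy) for p in ports}

    def login(self, port: int, password_ok: bool, now: float) -> bool:
        return self.ports[port].login(password_ok, now)

    def locked_ports(self, now: float) -> List[int]:
        return sorted(p for p, state in self.ports.items() if state.is_locked(now))


def simulate(policy: LockoutPolicy = LockoutPolicy()) -> Dict[str, object]:
    """Brute-force port 3 while a legitimate user works on port 4; report what happened."""
    unit = SiteManagerLockout(ports=list(range(1, 10)), policy=policy)
    t0 = 1_000_000.0
    # max_attempts bad passwords do not lock the port yet ...
    for i in range(policy.max_attempts):
        unit.login(3, password_ok=False, now=t0 + i)
    locked_after_limit = unit.locked_ports(t0 + policy.max_attempts)
    # ... the next one exceeds the limit and locks port 3.
    unit.login(3, password_ok=False, now=t0 + policy.max_attempts)
    locked_after_exceeding = unit.locked_ports(t0 + policy.max_attempts + 1)
    t1 = t0 + policy.max_attempts + 2
    expiry = t1 + policy.lockout_minutes * 60
    return {
        "locked_after_limit": locked_after_limit,
        "locked_after_exceeding": locked_after_exceeding,
        "good_password_on_locked_port_3": unit.login(3, True, t1),
        "good_password_on_port_4": unit.login(4, True, t1),
        "locked_after_expiry": unit.locked_ports(expiry),
        "good_password_on_port_3_after_expiry": unit.login(3, True, expiry),
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

The point the simulation makes is the one in the notes: the lockout is keyed on the port, not on the username or the caller, so a brute-force attempt on port 3 locks out the legitimate administrator of port 3 for the full period while port 4 keeps working. Size the attempt count and duration with that denial-of-service trade-off in mind, and pair the feature with the Audit Log so that the lockout events are recorded.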
SECURE SITE MANAGERS 5.4.3. The Audit Log This feature allows you to create a record of command activity at all Secure Site Manager ports. Audit Log records will include the time, date, username, and a brief description of each logged event (e.g., Connect, Login, etc.) The Audit Log is enabled and configured via the System Parameters Menus as described in Section 5.4.
CHAPTER 5: Configuration 5.4.4. Callback Security The Callback function provides an additional layer of security when callers attempt to access command mode via modem. When this function is properly configured, modem users will not be granted immediate access to command mode upon entering a valid password; instead, the unit will disconnect, and dial a user-defined number before allowing access via that number.
■ On - Callback ONLY (Without Password Prompt): Callbacks will be performed for user accounts that include a Callback Number, and the username/password prompt will not be displayed when the user's modem answers. Accounts that do not include a Callback Number will not be able to access command mode via a Secure Site Manager modem port.
CHAPTER 5: Configuration 5.5. User Accounts Prior to accessing command mode or establishing a Telnet Direct Connection, you will be prompted to enter a username (login) and password. The username and password entered at login determine which port(s) you will be allowed to connect and what type of commands you will be allowed to execute. Each username / password combination is defined within a “user account.
SECURE SITE MANAGERS In most cases, a password with Supervisor Access can be entered at any port, allowing the user to invoke Supervisor level commands. However, if you wish to completely deny a specific port’s access to Supervisor commands (even with a password that normally permits them), the Port Parameters menus can disable Supervisor commands at ports 3 and above, and the Network Port. The Supervisor Mode cannot be disabled at Ports 1 and 2 (the System Setup Ports.
CHAPTER 5: Configuration 5.6.1. Viewing User Accounts The “View User Directory” option allows you to view details about each account, including the ports the account is allowed to access and whether or not the account is allowed to invoke Supervisor commands. The View User option will not display actual passwords, and instead, the password field will read either “defined” or “undefined.
ADD USERNAME TO DIRECTORY:
1. Username: (undefined)
2. Password: (undefined)
3. Supervisor Access: Off
4. Port Access:
PORT# PORT NAME   ACCESS
-------------------------
1     (undefined) Off
2     (undefined) Off
3     (undefined) Off
4     (undefined) Off
5     (undefined) Off
6     (undefined) Off
7     (undefined) Off
8     (undefined) Off
9     MODEM       Off
5. Callback Phone #:
Enter: # to select, to return to previous menu ...
The Add Username Menu can be used to define the following parameters for each new account:
• Username: Up to sixteen characters long, and cannot include non-printable characters. Duplicate usernames are not allowed. (Default = undefined.)
• Password: Five to sixteen characters long, and cannot include non-printable characters. Note that passwords are case sensitive. Five characters is the minimum the unit accepts, not a recommendation; use the full sixteen, especially for accounts with Supervisor Access or modem access. (Default = undefined.)
• Supervisor Access: Determines whether the account is allowed to invoke Supervisor commands.
SECURE SITE MANAGERS 5.6.3. Modifying User Accounts The “Edit User Directory” function allows you to edit existing user accounts in order to modify passwords and usernames, or change port access or Supervisor Command capability. Note that the Edit/Modify User function is only available to users who have accessed command mode using a password that permits Supervisor Level commands. To modify a user account, proceed as follows: • Text Interface: From the User Directory menu, type 3 and press [Enter].
CHAPTER 5: Configuration 5.7. Port Configuration When responding to prompts, invoking commands, and selecting items from port configuration menus, note the following: • Configuration menus are only available to accounts and ports that permit Supervisor commands. • If you are configuring the Secure Site Manager via modem, modem parameters will not be changed until after you exit command mode and disconnect from the Secure Site Manager. 5.7.1.
PORT PARAMETERS #03:
COMMUNICATION SETTING
1. Baud Rate: 9600
2. Bits/Parity: 8-None
3. Stop Bits: 1
4. Handshake: RTS/CTS
GENERAL PARAMETERS
11. Supervisor Mode: Permit
12. Logoff Char: ^X
13. Sequence Disc: One Char
14. Inact Timeout: Off
15. Command Echo: On
16. Accept Break: On
PORT MODE PARAMETERS
21. Port Name:
22. Port Mode: Passive
23. DTR Output: Pulse
24. Buffer Params: -----
25. Modem Params:
NETWORK SERVICES
31. Direct Connect:
    Telnet Port:
    SSH Port:
    Raw Port:
32.
CHAPTER 5: Configuration 5.7.2. RS232 Port Configuration Menus The Port Configuration Menus are used to select communications parameters and enable/disable options for each RS232 port. • Text Interface: Type /P n and then press [Enter] (Where n is the number or name of the desired RS232 Serial Port.) The Port Parameters menu will be displayed as shown in Figure 5-7. • Web Browser Interface: Click the Serial Port link on the left hand side of the screen to display the Port Selector Menu.
SECURE SITE MANAGERS General Parameters: • Supervisor Mode: Permits/denies port access to supervisor commands. When enabled (Permit), the port will be allowed to invoke supervisor commands, providing the unit is accessed using an account that permits them. If disabled (Deny), the port may not invoke Supervisor commands. (Default = Permit). Note: If the Supervisor Mode is set to “Deny”, then user accounts that permit Supervisor commands will not be allowed to access command mode via this port.
CHAPTER 5: Configuration • Inactivity Timeout: Enables and selects the Timeout Period for this port. If enabled, the port will disconnect when no additional data activity is detected for the duration of the timeout period. When the port is set for Any-to-Any Mode, Passive Mode, or Buffer Mode, the default setting is “Off.” When set for Modem Mode, the default setting is 5 minutes. Notes: • The Inactivity Timeout value is also applied to Direct Connections.
SECURE SITE MANAGERS Depending on the Port Mode selected, the Secure Site Manager will also display the additional prompts listed in this section. In the Text Interface, these parameters are accessible via a submenu, which will only be active when the appropriate port mode is selected, and in the Web Browser Interface, fields will be “grayed out” unless the corresponding port mode is selected.
CHAPTER 5: Configuration Network Services: • Direct Connect: Direct Connect allows users to access the Secure Site Manager and automatically create a connection between the Network Port and a specific RS232 port by including the appropriate Telnet port number in the connect command (e.g. Port 5 = 2105). For more information, please refer to Section 8.3. As described below, the Direct Connect feature offers three options. (Default = Off.
SECURE SITE MANAGERS • Syslog: The Syslog feature is used to create records of each buffer event. As event records are created, they are sent to a Syslog Daemon, at an IP address defined via the Network Parameters menu. For more information, please refer to Section 9. The Syslog feature offers three possible settings. (Default = Off) ■ Off: Syslog disabled. (Default) ■ On - Not Connected: Messages will only be generated when a user is not connected to a buffer port (either by /C or direct connect.
CHAPTER 5: Configuration 5.7.2.1. Configuring the Internal Modem The Secure Site Manager’s internal modem can be configured via the Text Interface or Web Browser Interface. The configuration menu for the internal modem is identical to the configuration menus for the RS232 Serial Ports, except that the Port Mode for the Modem Port is always set at “Modem Mode” and the Any-to-Any Mode, Buffer Mode and Passive Mode are not available.
SECURE SITE MANAGERS 5.7.3. Network Port Configuration Menus The Network Parameters Menus are used to select parameters and options for the Network Port and also allow you to implement IP Security features, which can restrict access based on the user’s IP Address. Although the Web Browser Interface and Text Interface allow definition of essentially the same parameters, parameters are arranged differently in the two interfaces. In the Text Interface, most network parameters are defined via one menu.
NETWORK PARAMETERS:
COMMUNICATION SETTING
1. IP Address: 207.212.30.80
2. Subnet Mask: 255.255.255.0
3. Gateway Addr: 207.212.30.1
4. DHCP: Off
5. IP Security: Off
6. Static Route: Off
GENERAL PARAMETERS
11. Supervisor Mode: Permit
12. Logoff Char: ^X
13. Sequence Disc: One Char
14. Inact Timeout: 5 Min
15. Command Echo: On
16. Accept Break: On
SERVERS AND CLIENTS
21. Telnet Access:
22. SSH Access:
23. Web Access:
24. SYSLOG IP addr:
25. SNMP Access:
26. SNMP Trap:
27.
SECURE SITE MANAGERS Figure 5-11: Network Parameters Menu (Web Browser Interface) Network Parameters In the Text Interface, these parameters are accessed via the Network Configuration menu (Figure 5-9.) In the Web Browser Interface, these parameters can be found by first clicking the “Network Configuration” link, and then Clicking the “Network Parameters” link to display the Network Parameters menu (Figure 5-11.) • IP Address: (Default = 192.168.168.168.) • Subnet Mask: (Default = 255.255.255.0.
CHAPTER 5: Configuration • DHCP: Enables/Disables Dynamic Host Configuration Protocol. When this option is “On”, the Secure Site Manager will perform a DHCP request. Note that the MAC address for the Secure Site Manager is listed on the Network Status Screen. (Default = Off.) Note: Before configuring this feature via Telnet or Web, make certain your DHCP server is set up to assign a known, fixed IP address.
SECURE SITE MANAGERS Figure 5-12: Network Port Parameters Menu (Web Browser Interface) Network Port Parameters In the Text Interface, these parameters are found in the Network Configuration menu (Figure 5-9.) In the Web Browser Interface, these parameters are found by first clicking the Network Configuration link, and then clicking the Network Port Parameters link to display the Network Port Configuration Menu (Figure 5-12.) • Supervisor Mode: Permits/denies access to Supervisor commands.
CHAPTER 5: Configuration • Sequence Disconnect: Enables/Disables and configures the Resident Disconnect command. Offers the option to either disable the Sequence Disconnect, or select a one character, or three character command format. (Default = One Character). Notes: • The One Character Disconnect is intended for situations where the destination port should not receive the disconnect command.
SECURE SITE MANAGERS IP Security As described in Section 5.7.4, the IP Security function allows you to restrict command mode access based on the user’s IP address. In the Text Interface, IP Security parameters are defined via item 5 in the Network Configuration menu (Figure 5-9.) In the Web Browser Interface, these parameters are found by clicking the Network Configuration link, and then Clicking the IP Security link. In the default state, IP Security is disabled.
CHAPTER 5: Configuration Figure 5-13: SNMP Parameters Menu (Web Browser Interface) SNMP Parameters In the Text Interface, SNMP parameters are found in the Network Configuration menu (Figure 5-9.) In the Web Browser Interface, SNMP parameters can be found by first clicking the Network Configuration link, and then clicking the SNMP Parameters link to display the SNMP Parameters Menu (Figure 5-13.) • Enable: Enables/disables SNMP Polling. (Default = Off.
SECURE SITE MANAGERS Figure 5-14: TACACS Parameters Menu (Web Browser Interface) TACACS Parameters To access the TACACS Configuration Menus, proceed as follows: • Text Interface: Type /N and press [Enter] to access the Network Configuration Menu. From the Network Configuration Menu, type 27 and press [Enter] to display the TACACS Configuration Menu.
• Secret Word: Defines the shared TACACS Secret Word for both TACACS servers. (Default = undefined.)
• Fallback Local: Determines whether or not the Secure Site Manager will fall back to its own password/username directory when an authentication attempt fails. Before enabling it, confirm on your unit whether the fallback happens only when no TACACS server answers or also when a server rejects the credentials; in the second case the local directory is a standing alternate login path around your central policy, and its accounts need the same password quality and review as the central ones.
SECURE SITE MANAGERS Figure 5-15: RADIUS Parameters Menu (Web Browser Interface) RADIUS Parameters To access the RADIUS Configuration Menus, proceed as follows: • Text Interface: Type /N and press [Enter] to access the Network Configuration Menu. From the Network Configuration Menu, type 28 and press [Enter] to display the RADIUS Configuration Menu.
CHAPTER 5: Configuration • Primary Secret Word: Defines the RADIUS Secret Word for the primary RADIUS server. (Default = undefined.) • Secondary IP Address: Defines the IP address for your secondary, fallback RADIUS server (if present.) (Default = undefined.) • Secondary Secret Word: Defines the RADIUS Secret Word for the secondary RADIUS server. (Default = undefined.
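What the RADIUS Secret Word above is actually used for, as an added example (this is not code from Black Box or the Secure Site Manager firmware): when a console server forwards a login to a RADIUS server, the user's password travels in the User-Password attribute of an Access-Request, XORed with an MD5 keystream derived from the shared secret and the random 16-byte Request Authenticator (RFC 2865, Section 5.2). The functions below implement that transform and its inverse exactly as the RFC specifies; the secret, password and authenticator values in the demo are constructed samples.

```python
"""User-Password hiding in RADIUS Access-Request packets, RFC 2865 Section 5.2.

Added example, not code from Black Box or the Secure Site Manager firmware.
The shared secret configured on the console server and on the RADIUS
server is the only key material protecting the forwarded password, so the
strength of the Secret Word is the strength of this transform.
"""
import hashlib
import os


def new_request_authenticator() -> bytes:
    """Fresh 16 random octets, as the client must send with each Access-Request."""
    return os.urandom(16)


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Return the User-Password attribute value for `password`.

    RFC 2865 Section 5.2: pad the password with NULs to a multiple of 16
    octets, then for each 16-octet block p_i:
        c_1 = p_1 XOR MD5(secret + RequestAuthenticator)
        c_i = p_i XOR MD5(secret + c_(i-1))
    """
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be exactly 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 limits User-Password to 1..128 octets")
    if not secret:
        raise ValueError("an empty shared secret gives no protection at all")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden += block
        prev = block                 # chaining: the ciphertext feeds the next hash
    return bytes(hidden)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password, as performed by the RADIUS server."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be exactly 16 octets")
    if not hidden or len(hidden) % 16:
        raise ValueError("User-Password must be a non-empty multiple of 16 octets")
    plain = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        plain += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    # The padding was NULs; RADIUS passwords are printable, so strip them.
    return bytes(plain).rstrip(b"\x00")


def demo() -> bool:
    """Round-trip a constructed password and show that the wrong secret fails."""
    secret = b"constructed-shared-secret"          # constructed sample, not a real secret
    authenticator = new_request_authenticator()
    hidden = hide_password(b"console-user-password", secret, authenticator)
    ok = reveal_password(hidden, secret, authenticator) == b"console-user-password"
    wrong = reveal_password(hidden, b"guess", authenticator) == b"console-user-password"
    return ok and not wrong


if __name__ == "__main__":
    print("round trip ok, wrong secret rejected:", demo())
```

Two consequences follow for the Secret Word settings above. First, the only thing standing between a captured Access-Request and the administrator's console password is MD5 over the Secret Word and a value that is sent in the clear, so a short or dictionary Secret Word can be recovered offline from a single capture; give each RADIUS server a long random secret, as the separate Primary and Secondary fields allow. Second, nothing else in the request is encrypted, so RADIUS traffic between the console server and its servers belongs on a management network, not on the network the console ports serve.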
5.7.4. Implementing IP Security The Secure Site Manager can restrict unauthorized IP addresses from establishing an inbound Telnet connection to the unit. This allows the user to grant Telnet access to only a specific group of IP addresses, or block a particular IP address. In the default state, the Secure Site Manager accepts incoming IP connections from all hosts. This section describes the feature in terms of Telnet; verify on your own unit whether the same lists also govern SSH and Web Browser sessions before relying on them for those services. A source-address filter supplements strong passwords rather than replacing them, since many clients may share one address behind NAT.
IP SECURITY:
CLIENT LIST FOR "hosts.allow" FILE:
1.
2.
3.
4.
5.
6.
7.
8.
CLIENT LIST FOR "hosts.deny" FILE:
9.
10.
11.
12.
13.
14.
15.
16.
Enter: # to select menu, for previous menu ...
SECURE SITE MANAGERS 5.7.4.1. Adding IP Addresses to the Allow and Deny Lists To add an IP Address to the Allow or Deny list, and begin configuring the IP Security feature, proceed as follows. Notes: • Both the Allow and Deny list can include Linux operators, wild cards, and net/mask pairs. • In some cases, it is not necessary to enter all four “digits” of the IP Address. For example, if you wish to allow access to all IP addresses that begin with “192,” then you would only need to enter “192.
5.7.4.2. Linux Operators and Wild Cards In addition to merely entering a specific IP address or partial IP address in the Allow or Deny list, you may also use any standard Linux operator or wild card. The lists are named after the hosts.allow and hosts.deny files, and the syntax is that of the TCP Wrappers access-control language (hosts_access(5)), which evaluates the lists in a fixed order: a client matched in the Allow list is granted access, otherwise a client matched in the Deny list is refused, and a client matched in neither list is granted access. The "Mostly Closed" example in the next section depends on this order. In most cases, the only operator used is "EXCEPT" and the only wild card used is "ALL," but more experienced Linux users may note that other operators and wild cards may also be used. EXCEPT: This operator creates an exception in either the "allow" list or "deny" list.
SECURE SITE MANAGERS 5.7.4.3. IP Security Examples 1. Mostly Closed: Access is denied by default and the only clients allowed, are those explicitly listed in the Allow list. To deny access to all clients except 192.255.255.192 and 168.112.112.05, the Allow and Deny lists would be defined as follows: • Allow List: 1. 192.255.255.192 2. 168.112.112.05 • Deny List: 1. ALL 2.
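The list semantics of Sections 5.7.4.1 through 5.7.4.3, worked through in Python as an added example (this is not Secure Site Manager code). Because the unit labels its lists "hosts.allow" and "hosts.deny", the evaluator follows the hosts_access(5) rules: Allow list first, then Deny list, otherwise allow. It supports the pattern forms the text names, an exact address, a partial address ending in "." such as "192.", a net/mask pair, the ALL wild card and "list_1 EXCEPT list_2", and it is seeded with the "Mostly Closed" lists from the example above. All function and constant names are mine; whether the real unit handles every corner case identically is an assumption, so test your own lists on the unit before relying on them.

```python
"""Evaluate the IP Security Allow and Deny lists the way TCP Wrappers would.

Added example, not Secure Site Manager code. Models hosts_access(5):
a client matched in the Allow list is granted, otherwise a client matched
in the Deny list is refused, otherwise the client is granted. Patterns:
exact address, partial address ending in ".", net/mask pair, ALL, and
"list_1 EXCEPT list_2" (right-associative, as in hosts_access).
"""
import re
from typing import Iterable, List, Sequence, Tuple

Octets = Tuple[int, ...]
_EXCEPT = re.compile(r"\s+EXCEPT\s+", re.IGNORECASE)


def parse_octets(text: str) -> Octets:
    """'168.112.112.05' -> (168, 112, 112, 5); a trailing '.' yields a shorter tuple."""
    parts = text.split(".")
    if parts and parts[-1] == "":
        parts = parts[:-1]                  # partial pattern such as "192."
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not an IPv4 address or prefix: {text!r}")
    octets = tuple(int(p) for p in parts)
    if len(octets) > 4 or any(o > 255 for o in octets):
        raise ValueError(f"octet out of range: {text!r}")
    return octets


def _to_int(octets: Octets) -> int:
    if len(octets) != 4:
        raise ValueError("a full address needs four octets")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def match_pattern(pattern: str, client: Octets) -> bool:
    """One hosts_access client pattern against a full 4-octet client address."""
    pattern = pattern.strip()
    if pattern.upper() == "ALL":
        return True
    if "/" in pattern:                      # net/mask pair, e.g. 10.0.0.0/255.0.0.0
        net_text, mask_text = pattern.split("/", 1)
        net = _to_int(parse_octets(net_text))
        if "." in mask_text:
            mask = _to_int(parse_octets(mask_text))
        else:                               # prefix length accepted too (assumption)
            bits = int(mask_text)
            if not 0 <= bits <= 32:
                raise ValueError(f"bad prefix length: {pattern!r}")
            mask = (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF
        return (_to_int(client) & mask) == (net & mask)
    octets = parse_octets(pattern)
    if pattern.endswith("."):               # partial address: compare whole leading octets
        return client[:len(octets)] == octets
    return client == octets


def match_list(client_list: str, client: Octets) -> bool:
    """'a b EXCEPT c EXCEPT d' parses as a b EXCEPT (c EXCEPT d), as hosts_access does."""
    head, *rest = _EXCEPT.split(client_list, maxsplit=1)
    if rest:
        return match_list(head, client) and not match_list(rest[0], client)
    patterns = [p for p in re.split(r"[,\s]+", head.strip()) if p]
    return any(match_pattern(p, client) for p in patterns)


def access_allowed(allow: Sequence[str], deny: Sequence[str], client_ip: str) -> bool:
    """Apply the unit's Allow list, then its Deny list, to one client address."""
    client = parse_octets(client_ip)
    if len(client) != 4:
        raise ValueError("client must be a full address")
    if any(match_list(entry, client) for entry in allow if entry.strip()):
        return True
    if any(match_list(entry, client) for entry in deny if entry.strip()):
        return False
    return True


# The "Mostly Closed" lists from the IP Security Examples above.
MOSTLY_CLOSED_ALLOW = ["192.255.255.192", "168.112.112.05"]
MOSTLY_CLOSED_DENY = ["ALL"]


def check_clients(allow: Sequence[str], deny: Sequence[str],
                  clients: Iterable[str]) -> List[Tuple[str, bool]]:
    return [(ip, access_allowed(allow, deny, ip)) for ip in clients]


if __name__ == "__main__":
    for ip, ok in check_clients(MOSTLY_CLOSED_ALLOW, MOSTLY_CLOSED_DENY,
                                ["192.255.255.192", "168.112.112.5", "10.0.0.1"]):
        print(f"{ip:>16}: {'allowed' if ok else 'denied'}")
```

Two details worth checking in the output: a partial pattern compares whole octets, so "192." admits 192.0.2.1 but not 19.2.0.1, and an Allow list of "ALL EXCEPT 10.0.0.0/8 EXCEPT 10.1.0.0/16" over a Deny list of ALL admits 10.1.2.3 while refusing 10.2.0.1, because hosts_access nests EXCEPT to the right. The "Mostly Closed" arrangement, an explicit Allow list over a Deny list of ALL, is the one to prefer for a device that hands out console access.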
COPY PORT PARAMETERS:
COMMUNICATION SETTING
1. Baud Rate:
2. Bits/Parity:
3. Stop Bits:
4. Handshake:
GENERAL PARAMETERS
11. Supervisor Mode:
12. Logoff Char:
13. Sequence Disc:
14. Inact Timeout:
15. Command Echo:
16. Accept Break:
PORT MODE PARAMETERS
21. Port Name:
22. Port Mode:
23. DTR Output:
24. Buffer Params: -----
25. Modem Params: -----
NETWORK SERVICES
31. Direct Connect:
32. Syslog:
33. SNMP Trap Lv:
Enter: # to define parameter.
2.
3. Invoke the /CP command at the command prompt; the menu shown in Figure 5-18 will be displayed. The following options are available:
a) Copy to All Ports: Type /CP [Enter].
b) Copy to a Range of Ports: Type /CP m-n [Enter]. Where m and n are port numbers that specify the desired range. For example, to copy parameters to ports 3 through 7, type /CP 3-7 and press [Enter].
c) Copy to Several Ports: Type /CP m,n,x [Enter]. Where m, n and x are the numbers of the desired ports.
CHAPTER 6: The Status Screens 6. The Status Screens The Status Screens display connection status and communication parameters for the RS232 ports and the Network Port. There are four different status screens; The Port Status Screen (/S), the Port Diagnostics Screen (/SD), the Network Status Screen (/SN), and the Port Parameters Screens (/W). Note: The status screens discussed in this section are only available via the Text Interface. The status screens cannot be accessed via the Web Browser Interface. 6.
SECURE SITE MANAGERS The Port Status Screen lists the following items: • Port: The Port Number. • Name: The user-defined name for each port. • Username: The username that was entered in order to access command mode via this port. • Status: The connect status of each port. ■ If the port is connected to an RS232 port, this column will list the number of the other Secure Site Manager port in “c-nn” format, where “nn” is the number of the Secure Site Manager port connected to this port (for example, “C-07”.
PORT DIAGNOSTICS: Site ID: (undefined) 11/22/2006 00:47:28 GMT (GMT+0000)
PORT | NAME        | STATUS | BAUD | COM | HS  | MODE | BUF | CTS
-----+-------------+--------+------+-----+-----+------+-----+----
01   | (undefined) | Free   | 9600 | 8N1 | RTS | Any  | 0   | L
02   | (undefined) | Free   | 9600 | 8N1 | RTS | Any  | 0   | L
03   | (undefined) | Free   | 9600 | 8N1 | RTS | Pass | 0   | L
04   | (undefined) | Free   | 9600 | 8N1 | RTS | Pass | 0   | L
05   | (undefined) | Free   | 9600 | 8N1 | RTS | Pa
NETWORK STATUS: MAC Address: 00-09-9b-00-c4-2d

PORT | TCP PORT | STATUS | USERNAME | PORT | TCP PORT | STATUS | USERNAME |
-----+----------+--------+----------+------+----------+--------+----------+
 N1  |       23 | Active | super    | N17  |          | Free   |          |
 N2  |          | Free   |          | N18  |          | Free   |          |
 N3  |          | Free   |          | N19  |          | Free   |          |
 N4  |          | Free   |          | N20  |          | Free   |          |
 N5  |          | Free   |          | N21  |          | Free   |          |
 N6  |          | Free   |          | N22  |          | Free   |          |
 N7  |          | Free   |          | N23  |          | Free   |          |
 N8  |          | Free   |          | N24  |          | Free   |          |
 N9  |          | Free   |          | N25  |          | Free   |          |
 N10 |
• Status: The status for each TCP port.
■ If the Status Column reads “Active,” this indicates the port has accessed command mode.
■ If this Telnet session is connected to an RS232 Port, this column will read “C-nn,” where “nn” indicates the connected port for each Telnet session.
• Username: The username that was entered at this port in order to access command mode.
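The Network Status screen is the quickest way to see who is logged into the unit over the network and which serial consoles they are patched through to. The following is an added example, not code from this manual or from Black Box: it parses the /SN screen text (the sample rows N1/N17 and N2/N18 are transcribed from the screen above; the N3/N19 row is constructed to show the “C-nn” status) and flags sessions whose username is not on an allow-list, which is the input a practitioner would feed to a Third Party Disconnect (/D Nn). The allow-list and the idea of an “expected users” policy are assumptions, not a feature of the unit.

```python
"""Parse the NETWORK STATUS screen (/SN) and flag network sessions that
need attention.  Added example, not code from the manual; the policy
input (allowed usernames) is hypothetical."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample.  Rows N1/N17 and N2/N18 are transcribed from the
# manual's screen; the N3/N19 row is made up to show the "C-nn" status
# (a network session connected through to RS232 port 08).
SAMPLE_SN = """NETWORK STATUS: MAC Address: 00-09-9b-00-c4-2d
PORT|TCP PORT|STATUS| USERNAME |PORT|TCP PORT|STATUS| USERNAME |
----------------------------------------------------------------------------
N1  |      23|Active|super     |N17 |        | Free |          |
N2  |        | Free |          |N18 |        | Free |          |
N3  |    2208| C-08 |ops       |N19 |        | Free |          |
"""

ROW = re.compile(r"^\s*N\d+\s*\|")   # data rows start with a logical port "Nn"


@dataclass
class NetSession:
    port: str                 # logical Network Port, e.g. "N1"
    tcp_port: Optional[int]   # TCP port the session arrived on, if shown
    status: str               # "Free", "Active" (in command mode) or "C-nn"
    username: str             # account used to reach command mode

    @property
    def connected_serial_port(self) -> Optional[int]:
        """Serial port number when status is "C-nn", else None."""
        m = re.fullmatch(r"C-(\d+)", self.status, re.IGNORECASE)
        return int(m.group(1)) if m else None


def parse_network_status(screen: str) -> Dict[str, NetSession]:
    """Map every logical Network Port on the screen to its session record.
    Each screen row carries two 4-cell groups (N1..N16 left, N17..N32 right)."""
    sessions: Dict[str, NetSession] = {}
    for line in screen.splitlines():
        if not ROW.match(line):
            continue                                 # title, header, rule
        cells = [c.strip() for c in line.split("|")]
        for i in range(0, len(cells) - 3, 4):
            port, tcp, status, user = cells[i:i + 4]
            if port:
                sessions[port] = NetSession(port, int(tcp) if tcp else None,
                                            status, user)
    return sessions


def active_sessions(sessions: Dict[str, NetSession]) -> List[NetSession]:
    """Everything that is not Free: in command mode or patched to a serial port."""
    return [s for s in sessions.values() if s.status != "Free"]


def unexpected_sessions(sessions: Dict[str, NetSession],
                        allowed_users: Set[str]) -> List[NetSession]:
    """Active sessions whose username is not on the allow-list: candidates
    for a Third Party Disconnect (/D Nn) and a closer look."""
    return [s for s in active_sessions(sessions) if s.username not in allowed_users]


if __name__ == "__main__":
    for s in unexpected_sessions(parse_network_status(SAMPLE_SN), {"super"}):
        print(f"{s.port}: {s.status} user={s.username!r} tcp={s.tcp_port} -> /D {s.port}")
```

Run against a screen captured from the Text Interface, the script lists each session to disconnect in the “/D Nn” form that the /D command accepts.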
PORT PARAMETERS #03:

COMMUNICATION SETTING
 1. Baud Rate:        9600
 2. Bits/Parity:      8-None
 3. Stop Bits:        1
 4. Handshake:        RTS/CTS

GENERAL PARAMETERS
11. Supervisor Mode:  Permit
12. Logoff Char:      ^X
13. Sequence Disc:    One Char
14. Inact Timeout:    Off
15. Command Echo:     On
16. Accept Break:     On

PORT MODE PARAMETERS
21. Port Name:
22. Port Mode:        Passive
23. DTR Output:       Pulse
24. Buffer Params:    -----
25. Modem Params:

NETWORK SERVICES
31. Direct Connect:
    Telnet Port:
    SSH Port:
    Raw Port:
7. Operation
This section discusses the procedures for connecting and disconnecting ports, and describes the various port modes.
Note: The Web Browser Interface cannot be used to connect or disconnect ports. In order to connect or disconnect ports, you must access command mode via the Text Interface.
To connect ports, proceed as follows:
1. Access command mode via the Text Interface.
2. Invoke the /C command to connect the desired ports.
a) Resident Connect: To connect your resident port to another port, type /C xx [Enter], where xx is the number or name of the port you want to connect. The Secure Site Manager will display the numbers of the connected ports, along with the command required in order to disconnect the two ports.
7.1.1.2. Disconnecting Ports
There are three different methods for disconnecting ports: the Resident Disconnect, the Third Party Disconnect, and the No Activity Timeout. Provided the Timeout feature is enabled, a No Activity Timeout will disconnect resident ports or third party ports.
Note: The “DTR Output” option in the Port Parameters menu determines how DTR will react when the port disconnects. DTR can be held low, held high, or pulsed and then held high.
2. Third Party Disconnect: (Supervisors Only) The /D command is issued from your resident port to disconnect two other ports. For example, if your Resident Port is Port 1, a Third Party Disconnect is used to disconnect Ports 3 and 4.
Note: The Third Party Disconnect method can be used to terminate a Telnet Direct Connection. For more information, please refer to Section 8.3.4.
3. No Activity Timeout: Provided the Timeout feature is enabled at either connected port, the No Activity Timeout can disconnect Resident Ports or Third Party Ports.
Note: The No Activity Timeout also applies to Telnet Direct Connections. For more information, please refer to Section 8.3.
a) RS232 Ports: To select the timeout period for RS232 Ports, access the Port Configuration Menu for the desired port as described in Section 5.7.2.
7.1.2. Defining Hunt Groups
A Hunt Group creates a situation where the Secure Site Manager will scan a group of similarly named ports and connect to the first available port in the group. Hunt Groups are created by assigning identical or similar names to two or more ports. Hunt Groups can be defined using Any-to-Any, Passive, Buffer, or Modem Mode Ports. Note that the Network Port cannot be included in Hunt Groups.
Hunt Group Example 1:
1. Ports 1 and 2 are Modem Mode ports, and modems are installed at both ports. Port 1 is named “MODEM1” and Port 2 is named “MODEM2”.
2. Your resident port is Port 4. To connect to the first available Modem, type /C MODEM* [Enter].
Hunt Group Example 2:
1. Ports 3, 4, and 5 are Any-to-Any Mode ports. All three ports are named “SERVER”.
2. Your resident port is Port 1. If you want to connect Port 2 to the first available server, type /C 2 SERVER [Enter].
7.3. Buffer Mode
The Buffer Mode allows collection of data from various devices without the requirement that all devices use the same communication parameters (e.g. baud rate, parity, etc.). In addition, Buffer Mode ports can also be configured to support the SYSLOG and SNMP Trap functions, as described in Sections 9 and 10.
Notes:
• Buffer Mode Ports cannot access command mode.
• Buffer Mode is not available to Port 1 (the SetUp Port) or the Network Port.
If the buffer contains data, the Secure Site Manager will display a prompt that offers the following options:
• Display One Screen: To send data one screen at a time, press [Enter]. Each time [Enter] is pressed, the next screen is sent.
• Display All Data: To send all data currently stored in the buffer, type 1 and press [Enter].
• Erase Data on Screen: To erase the data currently displayed on-screen, type 2 and press [Enter].
7.3.2. Port Buffers
The Status Screen lists the amount of Buffer Memory currently used by each port. The Secure Site Manager uses buffer memory in two different ways, depending on the user-selected port mode.
• Any-to-Any, Passive, and Modem Mode Ports: When two ports are communicating at dissimilar baud rates, the buffer memory prevents data overflow at the slower port.
• Buffer Mode Ports: Stores data received from connected devices.
7.4. Modem Mode
The Modem Mode provides features specifically related to modem communication. A Modem Mode Port can perform all functions normally available in Any-to-Any Mode. The Modem Mode is available to all Secure Site Manager ports except the Network Port, and is the default port mode at the Internal Modem port.
8. Telnet & SSH Functions
8.1. Network Port Numbers
Whenever an inbound Telnet or SSH session connects to one of the Secure Site Manager’s RS232 Ports, the Port Status Screen and Port Diagnostics Screen will indicate that the RS232 port is presently connected to Port “Nn” (where “N” indicates a network connection and “n” is a number that identifies the logical Network Port being used; for example, “N7”). This “Nn” number is referred to as the logical Network Port Number.
8.3. The Direct Connect Feature
The Direct Connect feature allows you to initiate a Telnet, SSH or Raw Socket session with the Secure Site Manager and make an immediate connection to a specific RS232 Port of your choice, without first being presented with the command interface. This allows you to connect to a TCP port that is mapped directly to one of the Secure Site Manager’s RS232 Serial Ports.
8.3.2. Configuration
The Direct Connect Function is configured on a per port basis using the Port Configuration Menus (/P nn), item 13, “Direct Connect”. The following options are available:
1. Direct Connect OFF: Direct Connect disabled at this port. (Default)
2. Direct Connect ON - NO PASSWORD: The Direct Connect feature is enabled at this port, but no password is required in order to connect to the port. Anyone who can reach the port’s Telnet or Raw Socket TCP port therefore reaches the attached device’s console without authenticating to the Secure Site Manager; use this option only where network reachability is itself tightly controlled, and prefer the PASSWORD option otherwise.
Notes:
• If you intend to use SSH to establish direct connections to the Secure Site Manager, the “Direct Connect ON - PASSWORD” option must be selected.
• If Supervisor commands are disabled at the Network Port, then accounts that permit Supervisor commands will not be able to initiate a Direct Connection.
3. SSH Direct Connection (with Password):
a) 8-Port Units:
• Serial Ports: TCP port numbers 2201 through 2208.
• Internal Modem Port: TCP port number 2209.
b) 16-Port Units:
• Serial Ports: TCP port numbers 2201 through 2216.
• Internal Modem Port: TCP port number 2217.
4. Raw Socket Direct Connection (with Password):
a) 8-Port Units:
• Serial Ports: TCP port numbers 3101 through 3108.
• Internal Modem Port: TCP port number 3109.
Connection Example:
1. Assume that Port 8 is configured as described in Section 8.3.2. If the Secure Site Manager’s IP address is “1.2.3.4”, and you wish to establish a standard Telnet protocol connection with port 8 (TCP Port Number 2108), then on a UNIX system the connect command would be invoked as follows:
$ telnet 1.2.3.4 2108 [Enter]
Note that a Telnet or Raw Socket Direct Connection carries the Direct Connect password and the entire console session in cleartext. On any network path you do not fully trust, use the SSH Direct Connect port for the same serial port instead (TCP 2208 in this example).
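Because every serial port of the unit is reachable on three predictable TCP ports, an auditor can enumerate the whole Direct Connect surface from the port arithmetic alone. The block below is an added example, not code from this manual or from Black Box. The SSH (2201 upward) and Raw Socket (3101 upward) bases come from Section 8.3; the Telnet base (2100 plus the serial port number) is inferred from the “Port 8 = TCP 2108” example above, and the 16-port Raw Socket numbers are extrapolated from the 8-port ones, so treat those two as assumptions. The reachability probe needs network access to a real unit; the `probe` argument is injectable so the enumeration logic can be exercised offline.

```python
"""Direct Connect TCP port arithmetic for the Secure Site Manager, plus a
reachability probe to find which plaintext listeners answer.  Added example,
not code from the manual.  SSH (2201..) and Raw Socket (3101..) bases are from
Section 8.3; the Telnet base (2100+n) is inferred from the manual's
"Port 8 -> TCP 2108" example, and the 16-port Raw Socket numbers are
extrapolated from the 8-port ones (assumptions)."""
import socket
from typing import Callable, Dict, List

BASES = {"telnet": 2100, "ssh": 2200, "raw": 3100}
PLAINTEXT = ("telnet", "raw")     # neither protocol encrypts the console session


def direct_connect_port(protocol: str, serial_port: int, unit_ports: int = 8) -> int:
    """TCP port that maps straight to serial_port.  serial_port == unit_ports + 1
    addresses the Internal Modem port (TCP 2209 / 2217 for SSH, for example)."""
    if protocol not in BASES:
        raise ValueError(f"unknown protocol {protocol!r}")
    if unit_ports not in (8, 16):
        raise ValueError("units have 8 (SW551A) or 16 (SW552A) serial ports")
    if not 1 <= serial_port <= unit_ports + 1:
        raise ValueError(f"port {serial_port} is out of range for a {unit_ports}-port unit")
    return BASES[protocol] + serial_port


def direct_connect_map(unit_ports: int = 8) -> Dict[int, Dict[str, int]]:
    """{serial port: {protocol: tcp port}} for every port, modem port included."""
    return {n: {p: direct_connect_port(p, n, unit_ports) for p in BASES}
            for n in range(1, unit_ports + 2)}


def tcp_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """True when a TCP handshake completes (needs network access to the unit)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def exposed_plaintext_ports(host: str, unit_ports: int = 8,
                            probe: Callable[[str, int], bool] = tcp_open
                            ) -> Dict[int, List[str]]:
    """Serial ports whose Telnet / Raw Socket Direct Connect listeners accept a
    connection.  Every entry listed should be checked against 'Direct Connect
    OFF' or the PASSWORD option in /P nn.  'probe' is injectable for offline tests."""
    return {n: [p for p in PLAINTEXT if probe(host, ports[p])]
            for n, ports in direct_connect_map(unit_ports).items()}


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "1.2.3.4"   # address from the manual's example
    for n, protos in exposed_plaintext_ports(host).items():
        if protos:
            print(f"serial port {n:02d}: plaintext Direct Connect open via {', '.join(protos)}")
```

A listener that answers is not by itself a finding: with the PASSWORD option the unit still prompts before patching the session through. It does tell you which serial ports are exposed in cleartext and therefore which /P nn menus to review.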
9. The Syslog Feature
The Syslog feature can create time-stamped log records of each buffer event. As these event records are created, they are sent to a Syslog Daemon, located at an IP address defined via the Network Parameters menu.
Notes:
• The Syslog Function is only available to Buffer Mode ports.
• This option is not available to RS232 Port 1, which is reserved as a System SetUp Port, and therefore cannot be configured as a Buffer Mode Port.
5. Port Parameters Menu: Access the Port Parameters Menu for the desired port as described in Section 5.7.2, and then set the following parameters:
a) Port Mode: Set the Port Mode to “Buffer.”
b) Syslog Function: Enable the Syslog Function.
9.2. Criteria for Generating a Syslog Message
Once the Secure Site Manager is properly configured, Syslog messages will be generated as follows:
1. Data Terminated by NULL Character: Syslog will generate a message whenever a properly configured Buffer Mode Port receives data or text terminated by a NULL character (0x00). The message sent to the Syslog Daemon will contain header information and the event (buffered data or text) captured by the Secure Site Manager.
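The NULL-terminated rule has an edge case worth seeing in code: bytes that arrive without a terminator must stay in buffer memory until the terminator shows up, and a single event can straddle several serial reads. The following is an added example that models that rule; it is not the unit’s firmware. The manual does not give the layout of the record’s header, so the RFC 3164-style header, the facility/severity value, the “portNN” tag and the sample site ID and collector address are all assumptions. It also escapes control characters in the event text, so a device sending CR/LF cannot forge an extra line in the collector’s log.

```python
"""Model of the Syslog rule in Section 9.2: every run of bytes a Buffer Mode
port receives that ends in NUL (0x00) becomes one time-stamped Syslog record,
sent by UDP to the configured Syslog Daemon.  Added example, not the unit's
firmware: the manual does not give the record's header layout, so the
RFC 3164-style header here is an assumption, as are facility and severity."""
import socket
from datetime import datetime
from typing import List, Optional, Tuple

LOCAL0_INFO = 16 * 8 + 6   # PRI 134: facility local0, severity informational (assumed)
SAMPLE_TIME = datetime(2006, 11, 22, 0, 47, 28)   # clock value shown on the manual's screens


def split_events(buffered: bytes) -> Tuple[List[bytes], bytes]:
    """Complete NUL-terminated events, plus the unterminated tail that stays in
    buffer memory until its terminator arrives.  A bare NUL yields an empty event."""
    *events, remainder = buffered.split(b"\x00")
    return events, remainder


def syslog_record(site_id: str, port: int, event: bytes, when: datetime,
                  pri: int = LOCAL0_INFO) -> bytes:
    """<PRI>Mmm dd hh:mm:ss HOST TAG: MSG, with control and non-ASCII characters
    escaped so the device's own CR/LF cannot forge a second log line."""
    text = event.decode("ascii", errors="replace")
    text = "".join(ch if 32 <= ord(ch) < 127 else f"\\x{ord(ch):02x}" for ch in text)
    host = (site_id or "undefined").replace(" ", "_")
    stamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    return f"<{pri}>{stamp} {host} port{port:02d}: {text}".encode("ascii")


class BufferPort:
    """One Buffer Mode port: accumulates serial data and emits a record per event."""

    def __init__(self, port: int, site_id: str, syslog_server: str, udp_port: int = 514):
        self.port, self.site_id = port, site_id
        self.dest = (syslog_server, udp_port)
        self.pending = b""              # bytes waiting for a NUL terminator
        self.sent: List[bytes] = []

    def receive(self, data: bytes, when: datetime,
                sock: Optional[socket.socket] = None) -> List[bytes]:
        """Feed bytes from the serial side; returns the records generated now.
        Pass a UDP socket to actually transmit (fire-and-forget, like the unit)."""
        events, self.pending = split_events(self.pending + data)
        records = [syslog_record(self.site_id, self.port, e, when) for e in events]
        for r in records:
            if sock is not None:
                sock.sendto(r, self.dest)
            self.sent.append(r)
        return records


if __name__ == "__main__":
    port = BufferPort(3, "LAB RACK", "192.0.2.10")     # constructed site ID and collector
    for chunk in (b"PSU1 OK\x00PSU2 FA", b"IL\r\n\x00"):   # one event split across two reads
        for rec in port.receive(chunk, SAMPLE_TIME):
            print(rec.decode())
```

To transmit for real, create `socket.socket(socket.AF_INET, socket.SOCK_DGRAM)` and pass it as `sock`; nothing acknowledges delivery, which is the same caveat the manual makes for SNMP traps over UDP.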
9.3. Testing Syslog Configuration
After you have configured the Secure Site Manager as described in Section 9.1, the /TEST command can be used to make certain that the function is properly set up. To test the Syslog function, type /TEST, press [Enter], then follow the instructions in the resulting submenu. The Secure Site Manager will attempt to send a test Syslog message, using the current Syslog configuration.
10. SNMP Traps
SNMP is an acronym for “Simple Network Management Protocol”. The SNMP Trap function allows Buffer Mode Ports to send a message to two different SNMP Managers, indicating the amount of data currently stored in buffer memory.
Notes:
• The SNMP Trap function is only available to Buffer Mode Ports.
• This option is not available to RS232 Port 1, which is reserved as a “System SetUp Port” and therefore cannot be configured as a Buffer Mode Port.
3. Network Parameters Menu: Access the Network Parameters Menu as described in Section 5.7.3. Set the following:
a) Enable: SNMP Access must be enabled in order for SNMP traps to function.
b) SNMP Contact: (Optional.)
c) SNMP Location: (Optional.)
d) SNMP Managers 1 and 2: Consult your network administrator to determine the IP address(es) for the SNMP Manager(s), then use the Network Parameters menu to set the IP address for each SNMP Manager.
10.4. How and When SNMP Traps are Sent
When the buffer port reaches the trigger level, SNMP Traps are immediately sent to each defined SNMP manager. SNMP uses the UDP protocol (an “unreliable” protocol). Successful receipt of traps by the managers is assisted by the following:
a) The Secure Site Manager verifies that the ARP table is updated completely before sending a trap to each manager defined.
11. Saving and Restoring Configuration Parameters
Once the Secure Site Manager is properly configured, parameters can be downloaded and saved as an ASCII text file. Later, if the configuration is accidentally altered, the saved parameters can be uploaded to automatically reconfigure the unit without the need to manually assign each parameter.
4. The Secure Site Manager will send a series of ASCII command lines which specify the currently selected parameters. The last line of the file should end with a “/G-00” command. When the download is complete, press [Enter] to return to the command prompt.

11.2. Restoring Saved Parameters
This section describes the procedure for using your terminal emulation program to send saved parameters to the Secure Site Manager.
12. Upgrading Firmware
When new, improved versions of the Secure Site Manager firmware become available, the “Upgrade Firmware” function can be used to update the unit. Updates can be uploaded via the FTP or SFTP protocol.
Notes:
• The FTP/SFTP servers can only be started via the Text Interface.
• All other ports will remain active during the firmware upgrade procedure.
4. To proceed with the upgrade, select either option 1 or option 2. The Secure Site Manager will display a message that indicates that the unit is waiting for data. Leave the current Telnet/SSH client session connected at this time.
5. Open your FTP/SFTP application and log in to the Secure Site Manager unit, using a username and password that permit access to Supervisor Level commands. Note that FTP transmits this username and password, and the firmware image itself, in cleartext; choose the SFTP option whenever the network path to the unit is not fully trusted.
6. Transfer the binary format upgrade file to the Secure Site Manager.
13. Command Reference Guide
13.1. Command Conventions
Most commands described in this section conform to the following conventions:
• Text Interface: Commands discussed in this section can only be invoked via the Text Interface. These commands cannot be invoked via the Web Browser Interface.
• Slash Character: Most Secure Site Manager commands begin with the Slash Character (/).
13.3. Command Set
This section provides information on all Text Interface commands, sorted alphabetically by command.

^X Resident Disconnect Sequence
The Resident Disconnect Sequence is used to disconnect your resident port from another port. Although the default Resident Disconnect Sequence is ^X ([Ctrl] plus [X]), the command can be redefined via the Port Configuration Menus as described in Section 5.7.2.
/C Connect
Establishes a bidirectional connection between two ports. For more information, see Section 7.1. There are two types of connections:
• Resident Connect: If the /C command specifies only one port, your resident port will be connected to the specified port.
• Third Party Connect: If the /C command specifies two ports, the unit will connect the two ports indicated. Third Party Connections can only be initiated by ports and accounts that permit Supervisor commands.
/D Third Party Disconnect
Invoke the /D command at your resident port to disconnect two other ports. Note that the /D command cannot disconnect your resident port.
Availability: Supervisor Only
Format: /D[/Y] [x] [Enter]
Where:
/Y (Optional) Suppresses the “Sure?” prompt.
x Is the number or name of the port(s) to be disconnected. To disconnect all ports, enter an asterisk. To disconnect a Telnet session, enter the “Nn” format Network Port Number.
/F Set System Parameters
Displays a menu which is used to define the Site ID message, create user accounts, set the system clock, and configure and enable the Invalid Access Lockout feature. Note that all functions provided by the /F command are also available via the Web Browser Interface in the “System Parameters” menu. For more information, refer to Section 5.4.
Availability: Supervisor Only
Format: /F [Enter]
Response: Displays System Parameters Menu.
/J Display Site ID
Displays the Site I.D. message.
Availability: Supervisor / Non-Supervisor
Format: /J [Enter]
Response: Displays Site I.D. Message.

/K Send SSH Key
Instructs the Secure Site Manager to provide you with its public SSH host key for validation purposes. This public key can then be provided to your SSH client (for example, by adding it to an OpenSSH client’s known_hosts file) so that the client does not warn that the host key is not recognized when you attempt to create an SSH connection. Obtain the key over a channel you trust, such as the serial SetUp Port, and compare it with the key the client presents on first connection; a mismatch means the session is not terminating at the unit.
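The practical use of the key returned by /K is to pin it rather than trust it on first use. The block below is an added example, not code from this manual or from Black Box: it takes a public key line in the usual “type base64 [comment]” form, checks that the type named in the text matches the type encoded inside the blob (a mangled or edited key line fails this), computes the SHA256 and MD5 fingerprints in the formats OpenSSH clients display, and writes known_hosts entries for the unit’s non-standard SSH ports. SAMPLE_KEY is constructed (an ssh-ed25519 blob whose 32 key bytes are all 0x01) purely to exercise the code; it is not a real device key, and the assumption that the unit serves command mode on TCP 22 is mine.

```python
"""Verify and pin the Secure Site Manager's SSH host key obtained with /K,
rather than accepting it on first use.  Added example, not from the manual.
SAMPLE_KEY is constructed (ssh-ed25519, key bytes all 0x01) to exercise the
code and is not a real device key."""
import base64
import hashlib
import struct
from typing import List, Tuple


def _ssh_string(b: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def _read_ssh_string(blob: bytes, offset: int = 0) -> Tuple[bytes, int]:
    (n,) = struct.unpack_from(">I", blob, offset)
    start = offset + 4
    if start + n > len(blob):
        raise ValueError("truncated key blob")
    return blob[start:start + n], start + n


def parse_public_key(key_line: str) -> Tuple[str, bytes]:
    """'<type> <base64> [comment]' -> (type, raw blob).  Rejects a line whose
    declared type disagrees with the type encoded inside the blob."""
    parts = key_line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64-blob> [comment]'")
    key_type, b64 = parts[0], parts[1]
    blob = base64.b64decode(b64, validate=True)
    inner_type, _ = _read_ssh_string(blob)
    if inner_type != key_type.encode():
        raise ValueError(f"key type mismatch: line says {key_type}, blob says {inner_type!r}")
    return key_type, blob


def fingerprint_sha256(key_line: str) -> str:
    """Same form as 'ssh-keygen -lf' and the client's prompt: SHA256:<unpadded base64>."""
    _, blob = parse_public_key(key_line)
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def fingerprint_md5(key_line: str) -> str:
    """Legacy colon-separated MD5 form still shown by older clients."""
    _, blob = parse_public_key(key_line)
    return "MD5:" + ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def known_hosts_lines(host: str, key_line: str, ports: List[int]) -> List[str]:
    """One entry per SSH port the unit serves; OpenSSH writes non-22 ports as [host]:port."""
    key_type, blob = parse_public_key(key_line)
    b64 = base64.b64encode(blob).decode()
    lines = []
    for p in ports:
        name = host if p == 22 else f"[{host}]:{p}"
        lines.append(f"{name} {key_type} {b64}")
    return lines


SAMPLE_KEY = ("ssh-ed25519 "
              + base64.b64encode(_ssh_string(b"ssh-ed25519") + _ssh_string(b"\x01" * 32)).decode()
              + " secure-site-manager")

if __name__ == "__main__":
    print(fingerprint_sha256(SAMPLE_KEY))
    print(fingerprint_md5(SAMPLE_KEY))
    # Assumed command-mode SSH on 22, plus the SSH Direct Connect ports of an 8-port unit
    for line in known_hosts_lines("1.2.3.4", SAMPLE_KEY, [22] + list(range(2201, 2210))):
        print(line)
```

Append the printed entries to the client’s known_hosts and the first connection to any of those ports proceeds only if the unit presents exactly that key; a later “host key has changed” warning is then a real signal, not noise to click through.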
/P Set RS232 Port Parameters
Displays a series of menus used to select options and parameters for the RS232 ports. Note that all functions provided by the /P command are also available via the Web Browser Interface in the “Serial Port” menu. Section 5.7.2 describes the procedure for defining port parameters.
Availability: Supervisor Only
Format: /P [x] [Enter]
Where x is the number or name of the port to be configured.
/S Display Port Status
Displays the Port Status Screen (Figure 6.1), which summarizes conditions and parameters for all ports. For more information, please refer to Section 6.1.
Availability: Supervisor / Non-Supervisor
Format: /S [Enter]
Response: Displays Port Status Screen.

/SD Display Port Diagnostics
Provides detailed information regarding the status of each port.
/U Save Parameters
Sends Secure Site Manager configuration parameters to an ASCII text file as described in Section 11.
Availability: Supervisor Only
Format: /U [Enter]
Response: The Secure Site Manager will send a series of command lines.

/UF Upgrade Firmware
When new versions of the Secure Site Manager firmware become available, this command is used to update existing firmware as described in Section 12.
/W Display Port Parameters (Who)
Displays configuration information for an individual port, but does not allow the user to change parameters. Accounts that do not permit Supervisor commands can only display parameters for their resident port. For more information, please refer to Section 6.4.
Availability: Supervisor / Non-Supervisor
Format: /W [x] [Enter]
Where x is the port number or name. To display parameters for the Network Port, enter an “N”.
Appendix A: Troubleshooting
A.1. Calling Black Box
If you determine that your Secure Site Manager is malfunctioning, do not attempt to alter or repair the unit. It contains no user-serviceable parts. Contact Black Box at 724-746-5500. Before you do, make a record of the history of the problem. We will be able to provide more efficient and accurate assistance if you have a complete description, including:
• The nature and duration of the problem.
• When the problem occurs.
© Copyright 2006. Black Box Corporation. All rights reserved.