HP Integrity iLO 3 Operations Guide
Role time restrictions
You can place time restrictions on iLO 3 roles. Users are only granted rights that are specified for
the iLO 3 devices listed in the role if they are members of the role and meet the time restrictions
for that role.
The iLO 3 devices use local host time to enforce time restrictions. If the iLO 3 device clock is not
set, the role time restriction fails (unless no time restrictions are specified on the role).
Role-based time restrictions can only be enforced if the time is set on the iLO 3 device. The time is
normally set when the host is booted and is maintained by running the agents in the host operating
system, which enables iLO 3 device to compensate for leap years and minimize clock drift with
respect to the host. Events such as unexpected power loss or the flashing of MP firmware can cause
the iLO 3 device clock not to be set. Also, the host time must be correct for the iLO 3 device to
preserve time across firmware flashes.
IP address range restrictions
IP address range restrictions enable you to specify network addresses that are granted or denied
access by the restriction. The address range is typically specified in a low-to-high range format.
You can specify an address range to grant or deny access to a single address. Addresses that fall
within the low-to-high IP address range meet the IP address restriction.
IP address and subnet mask restrictions
IP address and subnet mask restrictions enable you to specify a range of addresses that are granted
or denied access by the restriction. This format has similar capabilities to those in an IP address
range but can be more native to your networking environment. An IP address and subnet mask
range is typically specified using a subnet address and address bit mask that identifies addresses
on the same logical network.
In binary math, if the bits of a client machine address are added to the bits of the subnet mask,
and these bits match the restriction subnet address, the client machine meets the restriction.
DNS-based restrictions
DNS-based restrictions use the network naming service to examine the logical name of the client
machine by looking up machine names assigned to the client IP addresses. DNS restrictions require
a functional name server. If the name service fails or cannot be reached, DNS restrictions cannot
be matched and will fail.
DNS-based restrictions can limit access to a single, specific machine name or to machines sharing
a common domain suffix. For example, the DNS restriction www.hp.com matches hosts that are
assigned the domain name www.hp.com. However, the DNS restriction *.hp.com matches any
machine originating from HP.
DNS restrictions can cause some ambiguity because a host can be multi-homed. DNS restrictions
do not necessarily match one-to-one with a single system.
CAUTION: Using DNS-based restrictions can create some security complications. Name service
protocols are insecure. Any individual with malicious intent and access to the network can place
a rogue DNS service on the network, creating fake address restriction criteria. When implementing
DNS-based address restrictions, take organizational security policies into consideration.
Role address restrictions
Role address restrictions are enforced by the MP firmware, based on the client IP network address.
When the address restrictions are met for a role, the rights granted by the role apply.
Address restrictions can be difficult to manage if access is attempted across firewalls or through
network proxies. Either of these mechanisms can change the apparent network address of the
client, causing the address restrictions to be enforced in an unexpected manner.
Directory-enabled remote management 141