CommandCenter Secure Gateway® CC-SG Administrator Guide Release 3.1
Copyright © 2007 Raritan, Inc.
Copyright and Trademark Information

This document contains proprietary information that is protected by copyright. All rights reserved. No part of this document may be photocopied, reproduced, or translated into another language without express prior written consent of Raritan, Inc.

© Copyright 2007 Raritan, CommandCenter, RaritanConsole, Dominion, and the Raritan company logo are trademarks or registered trademarks of Raritan, Inc. All rights reserved.
Safety Guidelines

To avoid potentially fatal shock hazard and possible damage to Raritan equipment:
• Do not use a 2-wire power cord in any product configuration.
• Test AC outlets at your computer and monitor for proper polarity and grounding.
• Use only with grounded outlets at both the computer and monitor. When using a backup UPS, power the computer, monitor and appliance off the supply.
Contents

Chapter 1: Introduction
Prerequisites
Intended Audience
Terminology/Acronyms
Upgrade Device
Backup Device Configuration
Restore Device Configuration
Copy Device Configuration
Add Node Groups
Edit Node Group
Delete Node Group
Device Groups
Restore CC-SG
Saving and Deleting Backup Files
Reset CC-SG
Restart CC-SG
Appendix A: Specifications (G1, V1, and E1)
G1 Platform
General Specifications
Hardware Specifications
Figures

Figure 1 Login Window
Figure 2 IP Specification Window
Figure 3 CC-SG Window Components
Figure 4 Confirm IP Address
Figure 52 Custom View Screen
Figure 53 Selecting a Custom View
Figure 54 Custom View Screen
Figure 55 Paragon Manager Application Window
Figure 105 LDAP General Settings
Figure 106 LDAP Advanced Settings
Figure 107 Add TACACS+ Module
Figure 108 TACACS+ General Settings
Figure 158 Modems Tab
Figure 159 Extra Initialization Commands
Figure 160 Create a New Connection
Figure 161 Connection Name
Figure 211 Displaying CC-SG Processes in Diagnostic Console
Figure 212 NTP not configured in CC-SG GUI
Figure 213 NTP running on the CC-SG GUI
Figure 214 CC-SG Deployment Elements
Chapter 1: Introduction

Congratulations on your purchase of CommandCenter Secure Gateway (CC-SG), Raritan’s convenient and secure method for managing various UNIX servers, firewalls, routers, load balancers, Power Management devices, and Windows servers. CC-SG provides central management and administration, using a set of serial and KVM appliances.
are managed by CC-SG. These devices control the target servers and systems that are connected to them.
• Director Client—A Java-based client for CC-SG useable by both normal access users and administrators. It is the only client that permits administration.
• Elements—are the values of a category. For example, the “New York City” element belongs to the “Location” category.
Chapter 2: Accessing CC-SG

Once you have configured CC-SG with an IP address, the CC-SG unit can be placed at its final destination. Make all necessary hardware connections to make the unit operational. You can access CC-SG in several ways, each described in this chapter:
• Browser: CC-SG supports numerous web browsers. (For a complete list of supported browsers and platforms, please refer to the Compatibility Matrix on http://www.raritan.com/support.
Thick Client Access

The CC-SG thick client allows you to connect to CC-SG by launching a Java Web Start application instead of running an applet through a web browser. The advantage of using the thick client instead of a browser is that the client can outperform the browser in terms of speed and efficiency.

Install the Thick Client
1.
9. Type your Username and Password in the corresponding fields, and then click Login to continue.

Use the Thick Client

Once the thick client is installed, there are 2 different ways to access it on your client computer. These are determined by the Java version you are using.
• Java 1.4.x
If your client computer is running Java version 1.4.
CC-SG Window Components

Upon valid login, the CC-SG application window appears.

Figure 3 CC-SG Window Components

1. Nodes tab: Click the Nodes tab to display all known target nodes in a tree view. Click a node to view the Node Profile. Interfaces are grouped under their parent nodes. Click the + and – signs to expand or collapse the tree. Right-click an interface and select Connect to connect to that interface.
Check IP Address, Firmware Version, and Application Versions

After logging in, you should confirm the IP address, set the CC-SG server time, and check the firmware and application versions installed. You may need to upgrade the firmware and applications.

Confirm IP Address
1. On the Administration menu, click Configuration to open the Configuration Manager screen.
2. Click the Network Setup tab.

Figure 4 Confirm IP Address

3.
Set the CC-SG Server Time
1. Log onto CC-SG.
2. On the Administration menu, click Configuration to open the Configuration Manager screen.
3. Click the Time/Date tab.

Figure 5 Time/Date Configuration

4. On the Administration menu, click Configuration to open the Configuration Manager screen.
5. Click the Time/Date tab.
a.
Check and Upgrade CC-SG Firmware Version
1. Log onto CC-SG.
2. On the Help menu, click About Raritan Secure Gateway. A pop-up window containing the firmware version number appears. Click OK.
3. If the version is not current, you must upgrade your firmware. You can download the firmware upgrade file from the Raritan website or get it off of a Raritan CD. Save the firmware upgrade file to your client PC.

Note: Before you can upgrade CC-SG, you must switch to Maintenance Mode.
Check and Upgrade Application Versions

Check and upgrade the CC-SG applications, for example, Raritan Console (RC) and Raritan Remote Client (RRC).
1. On the Administration menu, click Applications.

Figure 7 CC-SG Application Manager

2. Click the Application name drop-down arrow and select an application from the list. Note the number in the Version field.
3. If the application version is not current, you must upgrade the application.
Power Down CC-SG

If a V1 unit loses AC power while it is up and running CC-SG, the V1 unit will remember its last power state. Once AC power is restored, the V1 unit automatically reboots. However, if a V1 unit loses AC power when it is powered off, the V1 unit will remain powered off when AC power is restored.

Important: Do not hold the POWER button to forcibly power down CC-SG. The recommended way to power down CC-SG is to use the following procedure.
Chapter 3: Configuring CC-SG with Guided Setup

Prepare to Configure CC-SG with Guided Setup

Before proceeding with CC-SG configuration, you must complete system configuration.
• Configure and install Dominion series and IP-Reach appliances (both serial and KVM devices), including assigning an IP address and creating a CC-SG administrator account.
• Create Groups—Categorize the devices and nodes that CC-SG manages into groups and create full access policies for each group.
• User Management—Add users and user groups to CC-SG, and select the policies and privileges that will govern users’ access within CC-SG and to devices and nodes.

Associations

You can set up Associations to help organize the equipment that CC-SG manages.
• To delete an element, select its row, and then click the Delete Row icon to delete the selected element from the Elements table.
5. Repeat these steps until you have added all the elements within the category to the Elements table.
6. If you want to create another category, click Apply to save this category, and then repeat the steps in this section to add additional categories.
7. When you have finished creating categories and elements, click OK.
8.
5. Check Broadcast discovery if searching for devices on the same subnet on which CC-SG resides. Uncheck Broadcast discovery to discover devices across all subnets.
6. Click Discover.
7. When the discovery is complete, a confirmation message pops up. Click OK in the confirmation message.
8.
9. In the table of discovered devices, select the device you want to add to CC-SG, and then click Add. The Add Device panel opens. The Add Device panel is slightly different depending on the type of device you are adding.

Figure 13 Guided Setup – Add Device

10. You can change the Device name and Description by typing new information in the corresponding fields.
11.
20. If you want the Element to apply to the device and to the nodes connected to the device, check the Apply to Nodes checkbox.
21. If you want to add another device, click Apply to save this device, and then repeat the steps in this section to add additional devices.
22. When you have finished adding devices, click OK. The Device Summary panel displays a list of the devices that you added.
23. Click Continue to start the next task, Create Groups.
b. In the Available list, select the device you want to add to the group, and then click Add to move the device into the Selected list. Devices in the Selected list will be added to the group.
• If you want to remove a device from the group, select the device name in the Selected list, and then click Remove.
• You can search for a device in either the Available or Selected list. Type the search terms in the field below the list, and then click Go.
Select Nodes
a. Click the Select Nodes tab in the Add Nodes Groups panel.

Figure 15 Guided Setup—Add Node Groups, Select Nodes

b. In the Available list, select the node you want to add to the group, and then click Add to move the node into the Selected list. Nodes in the Selected list will be added to the group.
c. If you want to remove a node from the group, select the node name in the Selected list, and then click Remove.
d.
f. When you have finished adding node groups, click OK. The Group Summary panel displays a list of the groups that you added.

Figure 16 Guided Setup--Group Summary

g. Click Continue to start the next task, User Management. Follow the steps in the next section.

User Management

The fourth task of Guided Setup is User Management. User Management allows you to select the Privileges and Policies that govern the access and activities of groups of users.
5. In the Node Access section, you can specify whether you want the user group to have access to In band and Out of band nodes, and to Power Management functions. Check the checkboxes that correspond to the types of access you want to assign to the group.

Figure 17 Add User Group--Privileges

6. Click the Policies tab.
7. In the All Policies list, select the Policy that you want to assign to the user group, then click Add to move the Policy to the Selected Policies list. Policies in the Selected Policies list will be assigned to the user group. Repeat this step to add additional policies to the user group.

Figure 18 Add User Group-Policies

8. If you want to remove a policy from the user group, select the policy name in the Selected Policies list, and then click Remove.
20. Click the User Group drop-down arrow and select the user group to which you want to assign the user from the list.
21. If you want to add another user, click Apply to save this user, and then repeat the steps in this section to add additional users.
22. When you have finished adding users, click OK. The User Summary panel displays a list of the user groups and users that you added.
Chapter 4: Creating Associations

Associations

You can set up Associations to help organize the equipment that CC-SG manages. Each Association includes a Category, which is the top-level organizational group, and its related Elements, which are subsets of a Category. For example, you may have Raritan devices that manage target servers in data centers in New York, Philadelphia, and New Orleans. You could set up an Association that organizes this equipment by location.
• Devices—are Raritan products such as Dominion KX, Dominion SX, Dominion KSX, IP-Reach, Paragon II System Controller, Paragon II UMT832 with USTIP, and others, that CC-SG manages. These devices control the target systems, or nodes, that are connected to them.
• Nodes—are the target systems or servers that CC-SG can access and manage. In CC-SG, you can click a node to access and manage the node via interfaces.
How to Create Associations

There are two ways to create associations, Guided Setup and Association Manager.
• Guided Setup combines many configuration tasks into an automated interface. Guided Setup is recommended for your initial CC-SG configuration. Once you have completed Guided Setup, you can always edit your configurations individually. Please refer to Chapter 3: Configuring CC-SG with Guided Setup for additional information.
2. Click Add in the Category panel to add a new category. The Add Category window appears.

Figure 21 Add Category Window

3. Type a category name in the Category Name field. Maximum length is 31 characters.
4. Click the Value Type drop-down arrow to select a value type of String or Integer.
5. Click the Applicable For drop-down arrow to select the type of device this category applies to: Device, Node, or Both.
6.
Delete Category

Deleting a category deletes all of the elements created within that category. The deleted category will no longer appear in the Nodes or Devices trees once the screen refreshes or the user logs out and then logs back into CC-SG.
1. On the Associations menu, click Association. The Association Manager screen appears.
2. Click the Category Name drop-down arrow and select the category you want to delete.
3.
3. Click Add in the Elements For Category panel to add a new element. The Add Element window appears.

Figure 25 Add Element Window

4. Type the new element name in the Enter Value for Element field.
5. Click OK to add the element or Cancel to exit the window. The new element appears in the Elements For Category panel.

Edit Element
1. On the Associations menu, click Association Manager. The Association Manager screen appears.
2.
3. Select the element to be deleted from the Element For Category list, and then click Delete in the Elements For Category panel. The Delete Element window appears.

Figure 27 Delete Element Window

4. Click Yes to delete the element or No to close the window. The element name is removed from the Element For Category list.

Note: Deleting an element removes the element from all device and node category associations, leaving all pre-associated element fields blank.
Chapter 5: Adding Devices and Device Groups

You must add Raritan devices, such as Dominion series devices and IP-Reach units, to CC-SG before you can use CC-SG to configure and manage them. The Devices menu offers all the functions related to devices and ports. You can also access some functions by right-clicking a device or port in the Devices tab, and selecting from the menu that appears.
Device and Port Icons

For easier identification, KVM, Serial, and Power devices and ports have different icons in the Devices tree. Hold the mouse pointer over an icon in the Devices tree to view a tool tip containing information about the device or port.
Search for Devices

The Devices tab provides the ability to search for devices within the tree. Searching will only return devices as results and will not include port names. The method of searching can be configured through the My Profile screen described later in Chapter 7: Adding and Managing Users and User Groups.

To search for a device, at the bottom of the Devices Tree, type a search string in the Search For Device field, then press ENTER.
Add a Device

Devices must be added to CC-SG before you can configure ports or add Out-of-Band interfaces to Nodes through those ports. Add Device is used to add devices whose properties you know and can provide to CC-SG.

To add a device to CC-SG:
10. On the Devices menu, click Device Manager, and then click Add Device. The Add Device screen appears.

Figure 30 Add Device Screen

11.
21. A list of Categories and Elements can be configured to better describe and organize this device and the nodes connected to it. Please refer to Chapter 4: Creating Associations for additional information.

To configure Categories and Elements:
a. For each Category listed, click the Element drop-down menu, and then select the element you want to apply to the device from the list.
4. Click the Number of Outlets drop-down menu and select the number of outlets this Power Strip contains.
5. Click the Managing Device drop-down menu, and then select the device that you will use to manage this power strip from the list.
6. Click the Managing Port drop-down menu, and then select the port on the managing device to which this power strip is connected.
7. Optionally, type a short description of this Power Strip in the Description field.
8.
4. To search for a particular type of device, select it in the list of Device types. By default, all device types are selected. Use CTRL+click to select more than one device type.
5. Check Include IPMI Agents if you want to find targets that provide IPMI power control.
6. Click Discover to start the search. At any time during the discovery, you can click Stop to discontinue the discovery process. Discovered devices appear in a list.
operation. You can upgrade the device firmware after adding the device to CC-SG. Please refer to Upgrade Devices later in this chapter for additional information.

Edit Device

You can edit a device to rename it and modify its properties.
1. Click the Devices tab and select the device you want to edit. The Device Profile screen appears.

Figure 35 The Device Profile Screen

2. Type the new device properties in the appropriate fields on this screen.
Delete Device

You can delete a device to remove it from CC-SG management.

Important: Deleting a device will remove all ports configured for that device. All interfaces associated with those ports will be removed from the nodes. If no other interface exists for these nodes, the nodes will also be removed from CC-SG.

1. Click the Devices tab and select the device you want to delete.
2. On the Devices menu, click Device Manager, and then click Delete Device.
Configure Ports

If the ports of a device were not all automatically added by checking Configure all ports when you added the device in the Add Device screen, you can use the Configure Ports screen to add individual ports or a set of ports on the device to CC-SG. You must configure ports before any Out-of-Band interfaces using those ports can be added to nodes.

Configure a Serial Port
1.
3. Click the Configure button that corresponds to the serial port you want to configure. The Configure Serial Port screen appears.

Figure 38 Configure Serial Ports Screen

4. Type a port name in the Port Name field. For ease of use, name the port after the target that is connected to the port.
5. Type a node name in the Node Name field to create a new node with an Out-of-Band interface from this port.
Configure a KVM Port
1. Click the Devices tab and select a KVM device from the Devices tree.
2. On the Devices menu, click Port Manager, and then click Configure Ports. The Configure Ports screen appears.

Figure 39 Configure Ports Screen

• Click a column header to sort the ports by that attribute in ascending order. Click the header again to sort the ports in descending order.
3.
5. Type a node name in the Node Name field to create a new node with an Out-of-Band interface from this port. For ease of use, name the node after the target that is connected to the port. This means that you will type the same name in the Port name and Node Name fields.
6. Click the Access Application drop-down menu and select the application you want to use when you connect to this port from the list.
Delete Ports

Delete a port to remove the port entry from a Device.

Important: If you delete a port that is associated with a node, the associated out-of-band KVM or Serial interface provided by the port will be removed from the node. If the node has no other interfaces, the node will also be removed from CC-SG.

1. Click the Devices tab and select a device whose ports you want to delete.
2.
5. To remove a device from the Selected Devices list, select the device, and then click <.
6. Click OK to bulk copy or Cancel to exit without copying. A Device Copied Successfully message confirms that device categories and elements have been copied.

Upgrade Device

Upgrade Device allows you to download new versions of device firmware.
1. Click the Devices tab and select a device from the Devices tree.
2.
Restore Device Configuration

You can restore a previously backed-up device configuration to a device.
1. Click the Devices tab and select the device you want to restore to a backup configuration.
2. On the Devices menu, click Device Manager, Configuration, and then click Restore. The Restore Device Configuration screen appears.

Figure 45 Restore Device Configuration Screen

3.
Restart Device

Use the Restart Device function to restart a device.
1. Click the Devices tab and select the device you want to restart.
2. On the Devices menu, click Device Manager, and then click Restart Device. The Restart Device screen appears.

Figure 46 Restart Device Screen

3. Click OK to restart the device. A Device Restart Successfully message confirms that the device has been restarted.
Device Power Manager

Device Power Manager is used to view the status of a PowerStrip device (including voltage, current, and temperature) as well as manage all power outlets on a PowerStrip device. As opposed to powering Nodes on and off individually, Device Power Manager provides a PowerStrip-centric view of its outlets.
Topological View

Topological View displays the structural setup of all the connected appliances in your configuration.
1. Click the Devices tab and select the device whose topological view you want to see.
2. On the Devices menu, click Device Manager, and then click Topological View. The Topological View for the selected device appears.

Figure 49 Topological View

3. Navigate the Topological View in the same way you navigate the Devices tree.
Disconnect Users

Administrators can terminate any user's session with a device. This includes users who are performing any kind of operation on a device, such as connecting to ports, backing up the configuration of a device, restoring a device’s configuration, or upgrading the firmware of a device.

Note: Firmware upgrades and device configuration backups and restores are allowed to complete before the user's session with the device is terminated.
Viewing Devices

CC-SG offers different options for displaying devices in the Devices tab.

Tree View

Select Tree View to view devices in the Devices tree grouped in the default view. Selecting Tree View will also return you to the standard view from a Custom View. Please refer to Custom Views later in this chapter for additional information.
1. On the Devices menu, click Change View, and then click Tree View.
2. On the Devices menu, click Change View, then click Create Custom View. The Custom View screen appears.

Figure 52 Custom View Screen

3. To customize your view, click the Name drop-down arrow and select a custom view that has already been saved in the database. Details of the View categories appear in the Custom View Details field.
4. Click Set Current to arrange the Devices tree to reflect the selected custom view.
5.
2. On the Devices menu, click Change View, and then click Create Custom View. The Custom View screen appears.
3. In the Custom View panel, click Add. An Add Custom View window appears.
4. Type a new custom view name, and then click OK or click Cancel to close the window. The new view name appears in the Name field.
5. In the Custom View Details panel, click the drop-down arrow at the bottom of the panel.
Special Access to Paragon II System Devices

Paragon II System Controller (P2-SC)

Paragon II System Integration users can add their P2-SC devices to the CC-SG Devices tree and configure them via the P2-SC Admin application from within CC-SG. Please refer to Raritan’s Paragon II System Controller User Guide for additional information on using P2-SC Admin.
IP-Reach and UST-IP Administration

You can also perform administrative diagnostics on IP-Reach and UST-IP devices connected to your Paragon System setup directly from the CC-SG interface. After adding the Paragon System device to CC-SG, it appears in the Devices tree.

To access Remote User Station Administration:
1. Click the Device tab, and then select the Paragon II System Controller.
2.
Device Group Manager

Use the Device Groups Manager screen to add device groups, edit device groups, and remove device groups. When you add a new device group, you can create a full access policy for the group. Please refer to Chapter 8: Policies for additional information.

Add Device Group
1. On the Associations menu, click Device Groups. The Device Groups Manager window opens. Existing device groups display in the left panel.
2. Click the New Group icon in the toolbar. The Device Group: New panel displays.

Figure 58 Device Group: New Panel, Select Devices Tab

3. In the Group name field, type a name for a device group you want to create.
4. There are two ways to add devices to a group, Select Devices and Describe Devices. The Select Devices tab allows you to select which devices you want to assign to the group by selecting them from the list of available devices.
Describe Devices

a. Click the Describe Devices tab in the Device Group: New panel. In the Describe Devices tab, you create a table of rules that describe the devices you want to assign to the group.
Figure 59 Describe Devices Tab
b. Click the Add New Row icon to add a row to the table.
c. Double-click the cell created for each column to activate a drop-down menu. Select the rule components you want to use from each list.
description only requires a single rule, then simply type that rule’s name in the field. If multiple rules are being evaluated, type the rules into the field using a set of logical operators to describe the rules in relation to each other:
• & - the AND operator. A node must satisfy rules on both sides of this operator for the description (or that section of a description) to be evaluated as true.
• | - the OR operator.
Edit Device Group

1. On the Associations menu, click Device Groups. The Device Groups Manager window opens.
Figure 60 Device Groups Manager Screen
2. Existing device groups display in the left panel. Select the Device Group whose name you want to edit. The Device Group Details panel appears.
3. If you want to edit the device group name, type a new name for the device group in the Group Name field.
4.
Delete Device Group

1. On the Associations menu, click Device Groups. The Device Groups Manager window opens.
Figure 61 Device Groups Manager Screen
2. Existing device groups display in the left panel. Select the device group you want to delete. The Device Group Details panel appears.
3. On the Groups menu, click Delete.
4. The Delete Device Group panel appears. Click Delete.
Figure 63 Delete Device Group Panel
5. Click Yes in the confirmation message that displays.
Chapter 6: Configuring Nodes and Interfaces

This chapter discusses how to view, configure, and edit nodes and their associated interfaces. Please refer to Raritan’s CommandCenter Secure Gateway User Guide for additional information on connecting to nodes.

View Nodes

In CC-SG, you can view all nodes in the Nodes tree, and select a node to view its Node Profile.

Nodes Tree

When you click the Nodes tab, the Nodes tree displays the available nodes.
Nodes and Interfaces Overview

About Nodes

Each node represents a target that is accessible through CC-SG, either via In-Band (direct IP) or Out-of-Band (connected to a Raritan device) methods. For example, a node can be a server in a rack connected to a Raritan KVM over IP device, a server with an HP iLO card, a PC on the network running VNC, or a piece of networking infrastructure with a remote serial management connection.
Add Node

To add a new node to CC-SG:
1. Click the Nodes tab.
2. On the Nodes menu, click Add Node. The Node Profile screen appears.
Figure 65 Add Node Screen
3. Type a name for the node in the Node Name field. All node names in CC-SG must be unique.
4. Optionally, type a short description for this node under the Description field.
5. You must configure at least one interface. Click Add in the Interfaces area of the Add Node screen to add an interface.
2. Click the Interface Type drop-down menu and select the type of connection being made to the node:

In-Band Connections
• DRAC KVM: Select this item to create a KVM connection to a Dell DRAC server through the DRAC interface. You will be required to configure a DRAC Power interface afterwards.
• RDP: Select this item to create a KVM connection to a node using Remote Desktop Protocol (for example, the Remote Desktop Connection on a Windows server).
For In-Band connections and DRAC, RSA, and iLO/RILOE power connections:
Figure 66 Add Interface—In-Band iLO/RILOE KVM
1. Type the IP Address or Hostname for this interface in the IP Address/Hostname field.
2. If necessary, type a TCP Port for this connection in the TCP Port field.
3. Type a username for this connection in the Username field.
4. If necessary, type a password for this connection in the Password field.
For Out-of-Band KVM, Out-of-Band Serial connections:
Figure 67 Configuring an Out-of-Band KVM Connection
1. Click the Application name drop-down menu and select the application you want to use to connect to the node with the interface from the list. To allow CC-SG to automatically select the application based on your browser, select Auto-Detect.
2. Click the Raritan Device Name drop-down menu and select the Raritan device providing access to this node.
For Managed Power Strip connections:
Figure 68 Configuring a Managed Power Strip Power Control Interface
1. Click the Managing Device drop-down menu and select the Raritan device that manages the Power Strip that provides power to the node. The device you select must be added to CC-SG before the appropriate options are available.
2. Click the Power Strip Name drop-down menu and select the Power Strip that provides power to the node.
For IPMI Power Control connections:
Figure 69 Configuring an IPMI Power Control Interface
1. Type the IP Address or Hostname for this interface in the IP Address/Hostname field.
2. Type a UDP Port for this interface in the UDP Port field.
3. Click the Authentication drop-down menu and select an authentication scheme for connecting to this interface.
4. Type a check interval for this interface in the Check Interval (seconds) field.
5.
Connect to a Node

Once a node has an interface, you can connect to that node through the interface in a number of ways. Please refer to Raritan’s CommandCenter Secure Gateway User Guide for additional information.
Figure 70 Connecting to a Node's Configured Interface
1. Click the Nodes tab.
2. Select the node you want to connect to. The Node Profile screen appears.
3. In the Interfaces table, click the name of the interface you want to connect with.
5. You cannot change the type of the existing interface. You can change the Interface Name, Description, and the values of the other fields for this type. Please refer to the Add Interface section above for additional information.

Delete an Interface

To delete an interface from a node:
1. Click the Nodes tab.
2. Click the node with the interface you want to delete. The Node Profile screen appears.
3.
5. Select an existing node in the Interfaces table, and then click Edit or Delete to edit or delete that interface from the node. Please refer to the Edit an Interface or Delete an Interface section above for additional information on this procedure.
6. A list of Categories and Elements can be configured to better describe and organize this node. A category is a way to classify a node and an element is a specific value for that classification.
Chat

Chat provides a way for users connected to the same node to communicate with each other. You must be connected to a node to start a chat session for that node. Only users on the same node will be able to chat with each other.

To engage in a chat session:
1. Click the Nodes tab to the left.
2. Right-click a node you are currently connected to and select Chat, then Start Chat Session if no session has been created yet. A Chat session will be created.
Chapter 7: Adding and Managing Users and User Groups

Users make up the individual users and administrators that connect to CC-SG in order to access nodes and manage devices. User Groups are organizations that define a set of privileges for their member users; users by themselves have no privileges. In general, all users must belong to a user group.
Special User Groups

CC-SG is configured with three user groups by default: CC-Super User, System Administrators, and CC Users.

CC Super-User Group

The CC Super-User group has full administrative and access privileges. Only one user can be a member of this group. The default username is admin. You can change the default username. You cannot delete the CC-Super User group.
Add User Groups

Creating user groups first will help you organize users when they are added. When a user group is created, a set of privileges is assigned to the user group. Users that are assigned to that group will inherit those privileges. For example, if you create a group and assign it the User Management privilege, all users assigned to the group will be able to see and execute the commands on the User Manager menu.
7. Click the Device/Node Policies tab. A table of policies appears.
Figure 77 The Policies Tab on the Add User Group Screen
The All Policies table lists all the policies available on CC-SG. Each policy represents a rule allowing (or denying) access to a group of nodes. Please refer to Chapter 8: Policies for more information on policies and how they are created.
8.
Edit A User Group

Edit a User Group to change the existing privileges and policies for that group.

Note: You cannot edit the Privileges or Policies of the CC-Super User group and the Users not in Group group.

To edit a group:
1. Click the Users tab to the left.
2. Click the user group in the Users tab. The User Group Profile appears.
Figure 78 Editing the Selected Group
Delete User Group

Deleting a User Group removes that group from CC-SG. Users in the deleted group will remain in any other groups to which they have been assigned. If the users in the deleted group were not in any other groups, they will be assigned to the Users Not in Group group, which does not have any privileges assigned to it.

To delete a User Group:
1. Click the Users tab to the left.
2. Click the user group you want to delete in the Users tab.
3.
a password is not required and the New Password and Retype New Password fields will be disabled.
7. In the New Password and Retype New Password fields, type the password that the user will use to log in to CC-SG.

Note: If strong passwords are enabled, the password entered must conform to the established rules. The information bar at the top of the screen will display messages to assist with the password requirements.
4. Uncheck Login enabled if you want to prevent this user from logging in to CC-SG. Check Login enabled if you want to allow this user to log into CC-SG.
5. Check Remote Authentication only if you want the user to be authenticated by an external server, such as TACACS+, RADIUS, LDAP, or AD. If you are using remote authentication, a password is not required and the New Password and Retype New Password fields will be disabled.
6.
Assign Users To Group

Use this command to assign existing users to a group they currently do not belong to. Users assigned in this way will be added to their new group while still existing in any group they were previously assigned to. To move a user, use this command in conjunction with Delete User From Group described below.

To assign a user to a group:
1. Click the Users tab to the left.
2. Click the User Group you want to assign users to.
3.
4. On the Users menu, click User Manager, then Delete User From Group. The Delete User appears displaying the user and the group they will be removed from.
Figure 84 Deleting a User From A Group
5. Click OK to delete the user from the group or click Cancel to exit without removing the user.

Note: If you delete a user from a group and they do not belong to any other groups, the user will be added to the Users Not In Group group.
b. Type your new password in the New Password field. A notice will appear if Strong Passwords are required.
c. Type your new password again in the Retype New Password field.
4. Type a new address in the Email address field to add or change the address CC-SG will use to send you notifications.
5. Click the Font Size drop-down menu to adjust the font size the standard CC-SG client displays at.
Bulk Copy

To save time, Bulk Copy can be used to clone one user’s privileges and policies to a number of other existing users by moving them to the same User Groups as the selected user.

To perform a Bulk Copy:
1. Click the Users tab to the left.
2. Click the + symbol next to a User Group with the user you want to copy.
3. Click the user you want to copy.
4. On the Users menu, select User Manager, then Bulk Copy. The Bulk Copy screen appears.
Chapter 8: Policies

Controlling Access Using Policies

Configuring new policies to provide user access to nodes is optional, but central to making effective use of CC-SG’s ability to control that access. If you want to give all users access to all nodes, simply assign the Full Access Policy to all user groups. If you want to have more control over user access to nodes, you will need to create policies to define rules for that access.
Node Groups

Node groups are used to organize nodes into a set. This group will then become the basis for a policy either allowing or denying access to this particular set of nodes. Nodes can be grouped arbitrarily or by a set of common attributes. Additionally, if you used the Associations manager to create categories and elements for nodes, some means to organize nodes along common attributes have already been created.
3. If viewing a group based on attributes, click View Nodes to display a list of nodes currently in the Node Group. A Nodes In Node Group window will appear displaying the nodes and all their attributes.
Figure 89 Nodes in a Group Based on Attributes

Add Node Groups

To add a new Node Group:
1. On the Associations menu, click Node Group. The Node Groups Manager window displays.
2. On the Groups menu, select Add. A template for a node group will appear.
3.
Select Nodes

Figure 90 Adding Nodes Using Select Nodes
1. Click the Select Nodes tab.
2. Click the Device Name drop-down menu and select a device if you want to filter the Available list to only display nodes with interfaces from that device.
3. In the Available list, select the nodes you want to add to the group, and then click Add to move the node into the Selected list. Nodes in the Selected list will be added to the group.
4.
Describe Nodes

Figure 91 Describing a Node Group With Multiple Rules
1. Click the Select Nodes tab.
2. Click Add New Row to add a row in the table for a new rule. Rules take the form of an expression which can be compared against nodes.
3. Double-click each column in the row to turn the appropriate cell into a drop-down menu, then select the appropriate value for each component:
• Prefix – Leave this blank or select NOT.
4. If you want to add another rule, click Add New Row again, and make the necessary configurations. Configuring multiple rules will allow more precise descriptions by providing multiple criteria for evaluating nodes.
5. If you want to remove a rule, highlight the rule in the table, and then click Remove Row.
6. The table of rules only makes available criteria for evaluating nodes.
Edit Node Group

Edit a node group to change the membership or description of the group.

To edit a node group:
1. On the Associations menu, click Node Group. The Node Groups Manager window displays.
Figure 92 Editing a Node Group
2. Click the node you want to edit in the Node Group List to the left. The details of that node will appear in the Node Groups window.
3.
Device Groups

Device groups operate in a similar fashion to Node Groups, except that Device Groups are used to organize Raritan devices into sets for management by policies. Please refer to Chapter 5: Adding Devices and Device Groups, Device Group Manager for additional information.
5. Click the Device Group drop-down arrow, and select the Device Group this policy governs access to. Click the Node Group drop-down arrow and select the Node Group this policy governs access to. If the policy will cover only one type of group, only select a value for that group.
6.
7. In the End Time field, type the time of day this policy ends. The time must be in 24-Hour format.
8. In the Device/Node Access Permission field, select Control to define this policy to allow access to the selected node or device group for the designated times and days. Select Deny to define this policy to deny access to the selected node or device group for the designated times and days.
9.
Chapter 9: Configuring Remote Authentication

Authentication and Authorization (AA)

Users of CC-SG can be locally authenticated and authorized on the CC-SG or remotely authenticated using the following supported directory servers:
• Microsoft Active Directory (AD)
• Netscape’s Lightweight Directory Access Protocol (LDAP)
• TACACS+
• RADIUS

Any number of remote RADIUS, TACACS+, and LDAP servers can be used for external authentication.
Distinguished Names for LDAP and AD

Configuration of remotely authenticated users on LDAP or AD servers requires entering user names and searches in Distinguished Name format. The full DN format is described in RFC2253. For the purposes of this document, you need to know how to enter Distinguished Names and in what order each component of the name should be listed.
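The following added example (not Raritan code) parses the RFC 2253 string form of a Distinguished Name so that a Base DN or user DN can be checked before it is typed into CC-SG: it splits the name into components with the most specific first, honours backslash escapes such as `\,`, and tests whether an entry falls inside a search base. The function names are hypothetical, the "Smith, Jane" and reversed DNs are constructed samples, and the legacy quoted-value form is not handled.

```python
"""Parse and sanity-check LDAP/AD Distinguished Names (RFC 2253 string form).

Added example, not Raritan code. DNs other than the dc=raritan,dc=com ones
from the guide are constructed samples.
"""
HEX = "0123456789abcdefABCDEF"


def _split(text, seps):
    """Split on separator characters that are not backslash-escaped."""
    parts, buf, i = [], [], 0
    while i < len(text):
        if text[i] == "\\":
            if i + 1 >= len(text):
                raise ValueError("dangling backslash in DN")
            buf.append(text[i:i + 2])      # keep the escape for _unescape()
            i += 2
        elif text[i] in seps:
            parts.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(text[i])
            i += 1
    parts.append("".join(buf))
    return parts


def _unescape(raw):
    """Decode \\<char> and \\<hex><hex> escapes; trim unescaped padding."""
    items, i = [], 0                       # (bytes, was_escaped)
    while i < len(raw):
        pair = raw[i + 1:i + 3]
        if raw[i] != "\\":
            items.append((raw[i].encode(), False))
            i += 1
        elif len(pair) == 2 and pair[0] in HEX and pair[1] in HEX:
            items.append((bytes.fromhex(pair), True))
            i += 3
        else:
            items.append((raw[i + 1].encode(), True))
            i += 2
    while items and items[0] == (b" ", False):
        items.pop(0)
    while items and items[-1] == (b" ", False):
        items.pop()
    return b"".join(b for b, _ in items).decode("utf-8")


def parse_dn(dn):
    """Return RDNs, most specific first, each a list of (type, value) pairs."""
    if not dn.strip():
        return []
    rdns = []
    for rdn_text in _split(dn, ",;"):
        pairs = []
        for ava in _split(rdn_text, "+"):      # '+' joins a multi-valued RDN
            parts = _split(ava, "=")
            attr = parts[0].strip().lower()
            if len(parts) < 2 or not attr:
                raise ValueError(f"malformed DN component: {ava!r}")
            pairs.append((attr, _unescape("=".join(parts[1:]))))
        rdns.append(pairs)
    return rdns


def _norm(rdn):
    # Assumption: values compare case-insensitively, as for cn/ou/dc in AD.
    return sorted((attr, value.casefold()) for attr, value in rdn)


def is_under(entry_dn, base_dn):
    """True if entry_dn equals base_dn or lies in the subtree below it."""
    entry, base = parse_dn(entry_dn), parse_dn(base_dn)
    if len(base) > len(entry):
        return False
    tail = entry[len(entry) - len(base):]
    return [_norm(r) for r in tail] == [_norm(r) for r in base]


def order_problem(dn):
    """Heuristic: report a DN whose dc= components are not all at the end."""
    types = [rdn[0][0] for rdn in parse_dn(dn)]
    if "dc" in types and any(t != "dc" for t in types[types.index("dc"):]):
        return "dc components must come last; list the most specific RDN first"
    return None


if __name__ == "__main__":
    base = "cn=Administrators,cn=Users,dc=raritan,dc=com"   # from the guide
    user = r"CN=Smith\, Jane,CN=Administrators,CN=Users,DC=raritan,DC=com"
    print(parse_dn(user)[0])                 # escaped comma stays in the value
    print(len(user.split(",")), "naive pieces vs", len(parse_dn(user)), "RDNs")
    print(is_under(user, base), is_under(user, "dc=raritan,dc=com"))
    print(order_problem("dc=com,dc=raritan,cn=Users"))
```

A DN that a naive comma split would break into the wrong number of components is the usual cause of a user search silently matching nothing or matching a broader subtree than intended.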
AD Configurations

Add AD Module to CC-SG

CC-SG supports authentication and authorization of users imported from an AD domain controller, without requiring that users be defined locally in CC-SG. This allows users to be maintained exclusively on the AD server. Once your AD server is configured as a module in CC-SG, CC-SG can query all domain controllers for a given domain.
AD General Settings

In the General tab, you add the information that allows CC-SG to query the AD server.
Figure 96 AD General Settings
1. Type the AD domain you want to query in the Domain field. For example, if the AD domain is installed in the xyz.com domain, type xyz.com in the Domain field. CC-SG and the AD server you want to query must be configured either on the same domain or on different domains that trust each other.
5. Type the password for the user account you want to use to query the AD server in the Password and Confirm Password fields.
6. Click Test Connection to test the connection to the AD server using the given parameters. You should receive a confirmation of a successful connection. If you do not see a confirmation, review the settings carefully for errors and try again.
7. Click Next to proceed. The Advanced tab opens.

AD Advanced Settings

1.
5. Type a user’s attributes in Filter so the search query will be restricted to only those entries that meet this criterion. The default filter is objectclass=user, which means that only entries of the type user are searched.
6. Specify the way in which the search query will be performed for the user entry. If you check Use Bind, CC-SG attempts to connect, or bind, to AD directly with the username and password supplied in the applet.
EXAMPLE | DESCRIPTION
dc=raritan,dc=com | The search query for the user in the group will be made over the whole directory structure.
cn=Administrators,cn=Users,dc=raritan,dc=com | The search query for the user in the group will be performed only in the Administrators sub-directory (entry).

3. Type a user’s attributes in Filter so the search query for the user in the group will be restricted to only those entries that meet this criterion.
2. For each domain in the Trust Partner column, click the Trust Direction drop-down menu, and then select the direction of trust you want to establish between the domains. Trust directions are updated in all AD modules when you make changes to one AD module.
• Incoming: information will be trusted coming in from the domain.
3. Click Import Groups… to retrieve a list of user group values stored on the AD server. If any of the user groups are not already on the CC-SG, you can import them here and assign them an access policy.
Figure 100 Importing Groups from AD Server
4. Check the checkboxes next to the groups you want to import to CC-SG. Click a column header to sort the list of user groups by the information in that column.
Synchronize AD User Groups

When you synchronize AD user groups, CC-SG retrieves the groups for the selected AD module, compares their names with the user groups that have been imported from AD, and identifies the matches. CC-SG will present the matches and allow you to select which ones you want to import. This ensures that CC-SG has imported the most current AD user group information. CC-SG also automatically synchronizes all AD modules once per day.
8. To exit Maintenance Mode, on the System Maintenance menu, click Maintenance Mode, and then click Exit Maintenance Mode.
9. In the screen that appears, click OK. A second confirmation message will display when CC-SG exits maintenance mode. Click OK.

Set AD Synchronization Time

By default, CC-SG will synchronize all configured AD modules at 23:30 each day. You can change the time at which this automatic synchronization occurs.
1.
9. After you have synchronized each module’s AD user groups, you should synchronize all AD modules. Please refer to Synchronize All AD Modules for additional information.

Depending on your AD configuration, the synchronization process may take up to 30 seconds per domain controller. If any domain controllers are offline during synchronization, the process may take longer.
LDAP General Settings

1. Click the General tab.
Figure 105 LDAP General Settings
2. Type the IP address or hostname of the LDAP server in the IP Address/Hostname field. For hostname rules, please refer to Terminology/Acronyms in Chapter 1: Introduction.
3. Type the port value in the Port field. The default port is 389.
4. Check Secure Connection for LDAP if using a secure LDAP server.
5. Check Anonymous Bind if your LDAP server allows anonymous queries.
10. Click Test Connection to test the LDAP server using the given parameters. You should receive a confirmation of a successful connection. If not, review the settings carefully for errors and try again.
11. Click Next to proceed to the Advanced tab to set advanced configuration options for the LDAP server.

LDAP Advanced Settings

1. Click the Advanced tab.
Figure 106 LDAP Advanced Settings
2.
Sun One LDAP (iPlanet) Configuration Settings

If using a Sun One LDAP server for remote authentication, use this example for parameter settings:

PARAMETER NAME | SUN ONE LDAP PARAMETERS
IP Address/Hostname |
User Name | CN=
Password |
BaseDN | O=
Filter | (objectclass=person)
Passwords (Advanced Screen) | Plain Text
Password Default Digest (Advanced) | SHA
Use Bind | unchecked
Use Bind After Search | Checke
Add a TACACS+ Module

CC-SG users who are remotely authenticated by a TACACS+ server need to be created on the TACACS+ server and on CC-SG. The user name on the TACACS+ server and on CC-SG must be the same, although the passwords may be different. Please refer to Chapter 7: Adding and Managing Users and User Groups for additional information on adding users who will be remotely authenticated.
1. On the Administration menu, click Security.
TACACS+ General Settings

1. Type the IP address or hostname of the TACACS+ server in the IP Address/Hostname Name field. For hostname rules, please refer to Terminology/Acronyms in Chapter 1: Introduction.
Figure 108 TACACS+ General Settings
2. Type the port number on which the TACACS+ server is listening in the Port Number field. The default port number is 49.
3. Type the authentication port in the Authentication Port field.
4.
Add a RADIUS Module

CC-SG users who are remotely authenticated by a RADIUS server need to be created on the RADIUS server and on CC-SG. The user name on the RADIUS server and on CC-SG must be the same, although the passwords may be different. Please refer to Chapter 7: Adding and Managing Users and User Groups for additional information on adding users who will be remotely authenticated.
1. On the Administration menu, click Security.
RADIUS General Settings

1. Click the General tab.
Figure 110 Specifying a RADIUS Server
2. Type the IP address or hostname of the RADIUS server in the IP Address/Hostname field. For hostname rules, please refer to Terminology/Acronyms in Chapter 1: Introduction.
3. Type the port number in the Port Number field. The default port number is 1812.
4. Type the authentication port in the Authentication Port field.
5.
Specify Modules for Authentication and Authorization

Once you have added all the external servers as modules in CC-SG, you specify whether you want CC-SG to use each of them for either authentication, authorization, or both.
1. On the Administration menu, click Security. When the Security Manager screen appears, click the General tab. All configured external authentication and authorization servers display in the External AA Servers section.
2.
Chapter 10: Generating Reports

Reports can be sorted by clicking on the column headers. Click a column header to sort report data by the values in that column. The data will refresh in ascending order alphabetically, numerically, or chronologically. Click the column header again to sort in descending order.

You can resize the column width in all reports. Hold your mouse pointer on the column divider in the header row until the pointer becomes a double-headed arrow.
4. Click OK to run the report. The report is generated, displaying data about activities that occurred during the designated time period that also comply with any additional parameters specified.
Figure 113 Audit Trail Report
• Click Next or Previous to navigate through the pages of the report.
• Click Manage Report Data… to save or print the report.
• If you want to limit the report to a particular IP address’s activities, type the user’s IP address in the User IP address field.
4. Click OK to run the report. The report is generated, displaying data about activities that occurred during the designated time period that also comply with any additional parameters specified.
Figure 115 Error Log Report
• Click Next or Previous to navigate through the pages of the report.
3. You can limit the data that the report will contain by entering additional parameters in the Message, Device name, Port name, Username, and User IP address fields.
• If you want to limit the report by the message text associated with an activity, type the text in the Message field.
• If you want to limit the report to a particular device, type the device name in the Device name field.
Availability Report

The Availability Report displays the status of all connections, showing devices by name and IP address. This report gives you the full accessibility picture for all devices on your system, and supplies information that could be useful for troubleshooting.
1. On the Reports menu, click Availability Report. The Availability Report is generated.
Figure 118 Availability Report
• Click Manage Report Data… to save or print the report.
Active Users Report

The Active Users report displays current users and user sessions. You can select active users from the report and disconnect them from CC-SG.
1. On the Reports menu, click Users, and then click Active Users. The Active Users report is generated.
Figure 119 Active Users Report
• To disconnect a user from an active session in CC-SG, select the user name you want to disconnect, and then click Logout.
Locked Out Users Report

The Locked Out Users report displays users who are currently locked out of CC-SG because they made too many unsuccessful login attempts. You can unlock users from this report. Please refer to Chapter 12: Advanced Administration, Lockout Settings for additional information on lockout settings.
1. On the Reports menu, click Users, and then click Locked Out Users.
User Data Report

The User Data report displays certain data on all users in the CC-SG database.
1. On the Reports menu, click Users, and then click User Data. The All Users’ Data report is generated.
Figure 121 All Users’ Data Report
• The User Name field displays the user names of all CC-SG users.
Users in Groups Report

The Users In Group report displays data on users and the groups with which they are associated.
1. On the Reports menu, click Users, and then click Users In Groups. The Users In Groups report is generated.
Figure 122 Users In Groups Report
• Click Manage Report Data… to save or print the report. Click Save to save the records that are displayed in the current report page to a CSV file or click Save All to save all records.
Group Data Report

The Group Data report displays user group, node group, and device group information. View user groups by name and description, view node groups by name, and view device groups by name, all in one screen.
1. On the Reports menu, click Users, and then click Group Data. The Groups report is generated.
Figure 123 Groups Report
• Click Manage Report Data… to save or print the report section.
4. Click Apply. The AD User Group report is generated.
Figure 124 AD User Group Report
• Click Manage Report Data… to save or print the report section. Click Save to save the records that are displayed in the current report page to a CSV file or click Save All to save all records. Click Print to print the records that are displayed in the current report page or Print All to print all records. Click Close to close the window.
• Click Close to close the report.
records. Click Print to print the records that are displayed in the current report page or Print All to print all records. Click Close to close the window.
• Click Refresh to generate a new report. The report may take several minutes to generate, based on the size of your system configuration.
• Click Close to close the report.
3. Click Apply to generate the report. The Node Asset Report is generated.
Figure 127 Node Asset Report
• Click Manage Report Data… to save or print the report. Click Save to save the records that are displayed in the current report page to a CSV file or click Save All to save all records. Click Print to print the records that are displayed in the current report page or Print All to print all records. Click Close to close the window.
• Click Close to close the report.
Click Print to print the records that are displayed in the current report page or Print All to print all records. Click Close to close the window.
• Click Close to close the report.
Node Creation Report
The Node Creation report lists all node creation attempts, both successful and unsuccessful, within a specified timeframe. You can specify whether you want to see all node creation attempts, or only those that are potential duplicate nodes.
1.
Query Port Report
The Query Port Report displays all ports according to port status.
1. On the Reports menu, click Ports, and then click Query Port. The Query Port screen appears.
Figure 131 Query Port Screen
2. In the Select port status section, check the checkboxes that correspond to the port statuses you want to include in the report. If you check more than one checkbox and click Apply, the report displays ports with any of the selected statuses.
4. Click Apply to generate the report.
Figure 132 Query Port Report
• Click the arrow icons at the bottom right of the report to navigate through multiple page reports.
• Click Configure next to a New or Unused port in the report to configure it.
• Click Close to close the report.
Active Ports Report
The Active Ports report displays out-of-band ports that are currently in use. You can view the active ports list and disconnect ports from this report.
• To disconnect a port from a current session, select the port you want to disconnect, and then click Disconnect.
• Click Manage Report Data… to save or print the report. Click Save to save the records that are displayed in the current report page to a CSV file or click Save All to save all records. Click Print to print the records that are displayed in the current report page or Print All to print all records. Click Close to close the window.
2. Select a Last Discovered Date, and then click Get Targets. The targets that were discovered on or earlier than the Last Discovered Date are displayed under Targets Discovered.
• If you want to purge a target from the CC-SG database, select the target you want to purge, and then click Purge.
• If you want to purge the entire list of targets from the CC-SG database, click Purge All.
• Click Manage Report Data… to save or print the report.
Chapter 11: System Maintenance
Maintenance Mode
This mode restricts access to CC-SG so that an administrator can perform various operations without disruption. Operations can be performed from the GUI or from an SSH command line interface via clients such as PuTTY or OpenSSH Client. Please refer to Chapter 12: Advanced Administration, SSH Access for additional information.
Backup CC-SG
Best practice is to enter Maintenance Mode before backing up CC-SG.
1. On the System Maintenance menu, click Backup. The Backup CommandCenter screen appears.
Figure 136 Backup CommandCenter Screen
2. Type a name for this backup in the Backup Name field.
3. Optionally, type a short description for the backup in the Description field.
4. Select a Backup Type.
c. If you are not using the default port for the selected protocol (FTP: 21, SFTP: 22), type the communications port used in the Port Number field.
d. Type a username for the remote server in the Username field.
e. Type a password for the remote server in the Password field.
f. In the Directory field, specify the directory used to store the backup on the remote server.
6. Click OK. A success message will appear to confirm CC-SG backup.
• Custom – Allows you to specify which components of the backup to restore to CC-SG by checking them in the Restore Options area below. Check each of the following to include them in the restore:
a. Data – CC-SG configuration, Device and Node configuration and User Data.
b. Logs – Error logs and event reports stored on CC-SG.
c. CC firmware files – Stored firmware files used for updating the CC-SG server itself.
d.
To Delete a Backup
1. From the Available Backups table, select the backup you want to delete.
2. Click Delete. A confirmation dialog appears.
3. Click OK to delete the backup from the CC-SG system or Cancel to exit without deleting. Once deleted, the backup file will be removed from the CC-SG.
Note: Saving and restoring can be used to move a backup from one CC-SG unit to another.
2. Type your password in the Password field.
3. Accept the default message or type a warning message to display to any users currently online in the Broadcast message field (for example, you might give users a brief time period to finish their tasks in CC-SG or tell them why you are restarting the system). All users will be disconnected when you restart CC-SG.
4.
1. On the System Maintenance menu, click Shutdown CommandCenter. The Shutdown CommandCenter screen appears.
Figure 142 Shutdown CC-SG Screen
2. Type your password in the Password field.
3. Accept the default message or type a message to display to any users currently online in the Broadcast message field (for example, you might give users a brief time period to finish their tasks in CC-SG and tell them when they can expect the system to be functional again).
Chapter 12: Advanced Administration
Guided Setup
Guided Setup steps an administrator through some of the most common tasks on CC-SG: creating associations, setting up Raritan devices, creating user groups and creating users. For information on running Guided Setup, please refer to Chapter 3: Configuring CC-SG With Guided Setup.
5. Click OK to save your settings to CC-SG.
Application Manager
The Application Manager provides an interface for administrators to add access applications to CC-SG, edit existing applications and set the default application for accessing nodes on Raritan devices.
1. On the Administration menu, click Applications. The Application Manager screen appears.
5. Click OK when the necessary devices have been selected to work with the application. An Open dialog window will appear.
6. In the Open dialog window, browse for the location of your application file (usually a .jar or .cab file), select the file, and then click Open. The selected application will then be loaded on to CC-SG.
Editing an Application:
1.
Default Applications
Click the Default Applications tab to view and edit the current default applications for various Interfaces and Port Types. Applications listed here will become the default choice when configuring a node to allow access through a selected interface.
Figure 147 A List of Default Applications
To edit the default application of an Interface or Port Type:
1. Select the row for an Interface or Port Type.
2.
Firmware Manager
CC-SG stores firmware for Raritan devices in order to update the devices under its control. The firmware manager is used to upload and delete device firmware files to and from CC-SG.
Upload Firmware
This command allows you to upload different versions of firmware to your system. When new firmware versions become available, they are posted on the Raritan website.
1. On the Administration menu, click Firmware. The Firmware Manager screen appears.
Delete Firmware
1. On the Administration menu, click Firmware. The Firmware Manager screen appears.
2. Click the Firmware Name drop-down arrow and select the firmware to be deleted.
3. Click Delete. The Delete Firmware window appears.
Figure 150 Delete Firmware Window
4. Click Yes to delete the firmware or No to close the window.
5. Click Close to close the Firmware Manager screen.
the Fully-Qualified Domain Name (FQDN) if a domain server and domain suffix have been configured.
4. Click either Primary/Backup Mode or Active/Active Mode. A CC-SG provides two Network Interface Controllers (NIC).
B. Choose Active/Active mode if you have special network conditions, particularly if you have two networks where routing may not exist. If network security is important and if you are using proxy-type deployments, you should also choose this mode.
Figure 153 Active/Active Network
In this mode, CC-SG acts as a “router” or “traffic cop” between two separate IP domains, particularly when Proxy mode is being used.
8. If you chose Active/Active mode, follow steps 5 through 7 to configure the second network interface.
9. Click Update Configuration to update the Network Setup of your system.
10. Click Close to close the Configuration Manager screen.
Log Configuration
From the Logs tab you can configure CC-SG to report to external logging servers. You can configure what level of messages is reported in each of the logs.
Configuring Logging Activity:
1.
Purging CC-SG’s Internal Log:
The Logs tab can also be used to clear CC-SG’s log of events. This command only clears CC-SG’s own log of events; it does not purge events recorded by external logging servers.
1. On the Administration menu, click Configuration. The Configuration Manager screen appears.
2. Click the Logs tab.
3. Click Purge at the bottom of the screen. A dialog window will appear asking for confirmation.
4.
Time/Date Configuration
CC-SG’s Time and Date must be accurately maintained to provide credibility for its device-management capabilities.
Important! The Time/Date configuration is used when scheduling tasks in Task Manager. Please refer to Chapter 12: Advanced Administration, Task Manager for additional information. The time set on the client may be different than the time set on CC-SG.
Modem Configuration
Use this screen to access a CC-SG G1 from a client machine over a dial-up connection. This method of accessing CC-SG can be used in emergency situations.
Note: A modem is not available and cannot be configured on the V1 or E1 platforms.
Configure CC-SG
1. On the Administration menu, click Configuration. When the Configuration Manager screen appears, click the Modem tab.
Figure 157 Configuration Manager Modem Screen
2.
2. Click the Modems tab.
Figure 158 Modems Tab
3. Click Properties.
4. Click the Advanced tab.
Figure 159 Extra Initialization Commands
5. Type an initialization command in Extra initialization commands that will be used by your modem to set the “Carrier detection” flag. For example, type at&c for a SoftK56 Data Fax modem.
3. Under Network Tasks in the Network Connections window, click Create a new connection.
Figure 160 Create a New Connection
4. Click Next, Connect to the network at my workplace, Dial-up connection.
5. Type a name for CC-SG, for example CommandCenter.
Figure 161 Connection Name
6. Type the phone number used to connect to CC-SG, and then click Next.
Configure the Call-back Connection
If the CC-SG uses a call-back connection, you need to use the script file that is described below.
To supply the script file for call-back:
1. On the Start menu, click My Network Places.
2. Click view network connections under Network Tasks.
3. Right-click the CommandCenter connection, and then click Properties.
4. Click the Security tab.
Figure 163 Specify Dial-up Script
5. Click the Show terminal window.
6.
Connect to CC-SG with Modem
To connect to CC-SG:
1. On the Start menu, click My Network Places.
2. Click view network connections under Network Tasks.
3. Double-click the CommandCenter connection.
Figure 164 Connecting to CC-SG
4. Type a username of ccclient and password of cbupass.
Figure 165 Entering username and password
5. If not filled in already, enter the phone number used to connect to CC-SG. This is NOT the dial-back number.
6. Click Dial.
7. If Show terminal window was checked as described in section Configure the Call-back Connection earlier in this chapter, then a window similar to the one below will be displayed:
Figure 166 After Dial Terminal
8. Wait 1 or 2 minutes and, in a supported browser, enter the IP address of CC-SG that was configured as the Server address under the Modem tab in Configuration Manager on CC-SG, and then log in to CC-SG.
2. Click the Connection Mode tab.
Figure 167 Configuration Manager Connection Screen – Direct Mode
3. Click the radio button for the connection mode you prefer.
a. Click the Direct Mode radio button to connect to a device directly.
b. Click the Proxy Mode radio button to connect to a device via your CC-SG unit.
c. Click the Both radio button if you want to connect to some devices directly, but others through Proxy Mode.
Device Settings
1. On the Administration menu, click Configuration. The Configuration Manager screen appears.
2. Click the Device Settings tab.
Figure 168 Configuration Settings Device Settings Screen
3. To update device Default Port, select a Device Type in the table and double-click the Default Port value. Type the new Default Port value and press the Enter key.
4.
2. Click the SNMP tab.
Figure 169 Configuration Settings Device Settings Screen
3. To identify the SNMP agent running on CC-SG to third-party enterprise management solutions, provide agent information under Agent Configuration. Type a Port for the agent (default is 161). Type a Read-Only Community string (default is public) and a Read-Write Community string (default is private). Multiple community strings are allowed; separate them with a comma.
Cluster Configuration
A CC-SG cluster uses two CC-SG nodes, one Primary node and one Secondary node, for backup security in case of Primary CC-SG node failure. Both nodes share common data for active users and active connections, and all status data is replicated between the two nodes. The primary and secondary nodes in a cluster must be running the same version of software, on the same version of hardware (G1, V1, or E1).
2. Click Discover CommandCenters to scan and display all CC-SG appliances on the same subnet as the one you are currently using. Alternatively, you can add a CC-SG, perhaps from a different subnet, by specifying an IP address in CommandCenter address in the bottom of the window, and then clicking Add CommandCenter.
Figure 170 Cluster Configuration Screen
3. Type a name for this cluster in Cluster Name.
Set Secondary CC-SG Node
1. Click Discover CommandCenters to scan and display all CC-SG appliances on the same subnet as the one you are currently using. Alternatively, you can add a CC-SG, perhaps from a different subnet, by specifying an IP address in CommandCenter address in the bottom of the window. Click Add CommandCenter.
Note: Adding a backup CC-SG from a different subnet or network may avoid issues affecting a single network or physical location.
2.
Recover a Failed CC-SG Node
When a node fails and failover occurs, the failed node will recover in Waiting status.
1. Select the Waiting node in the Cluster Configuration table.
2. Add it as a backup node by clicking Join “Waiting” Node.
3. A confirmation message will appear. Click Yes to assign Secondary status to the selected node, or click No to cancel.
Configure Security
The Security Manager is used to manage how CC-SG provides access to users. Within Security Manager you can configure authentication methods, SSL access, strong password rules, lockout rules, the login portal, certificates, and access control lists.
Remote Authentication
Please refer to Chapter 9: Configuring Remote Authentication for detailed instructions on configuring remote authentication servers.
Login Settings
The Login Settings tab lets you configure the Strong Password Settings and Lockout Settings.
1. On the Administration menu, click Security. The Security Manager screen appears.
2. Click the Login Settings tab.
Figure 174 Login Settings
Strong Password Settings
Strong password rules require users to observe strict guidelines when creating passwords, which makes the passwords more difficult to guess and, in theory, more secure.
• Passwords must contain at least one special character (for example, an exclamation point or ampersand).
When you are done configuring strong password rules, click Update to save the settings. All selected rules are cumulative; that is, all passwords must meet every criterion that the administrator configures.
Portal
Portal settings allow administrators to configure a logo and an access agreement to greet users when they access a client.
To access the Portal settings:
1. On the Administration menu, click Security. The Security Manager screen appears.
2. Click the Portal tab.
Figure 175 Portal Settings
Logo
A small graphic file can be uploaded to CC-SG to act as a banner on the login page. The maximum size of the logo is 998 by 170 pixels.
To upload logo:
1.
b. In the dialog window, select the text file with the message you want to use, and then click Open. The maximum length of the text message is 10,000 characters.
c. Click Preview if you want to preview the text contained in the file. It will appear in the banner message field above.
3. Click Update to save your Restricted Service Banner changes to CC-SG.
2. Click the Certificate tab.
Figure 177 Security Manager Certificate Screen
Export Current Certificate and Private Key
Click Export current certificate and private key. The certificate appears in the Certificate panel and the private key appears in Private Key panel. Copy the text of the Certificate and Private Key and submit it by clicking Export.
2. Type the requested data for the CSR into the fields.
Figure 178 Generate Certificate Signing Request Screen
3. Click OK to generate the CSR or Cancel to exit the window. The CSR and Private Key appear in the corresponding fields of the Certificate screen.
Figure 179 Certificate Request Generated
4. Using an ASCII editor such as Notepad, copy and paste the CSR into a file and save it with a .cer extension.
5.
9. Copy and paste the signed certificate into the Certificate Request field. Paste the Private Key that was saved previously into the Private Key field.
10. Click Browse next to CA file: and select the root certificate file that was saved in Step 6.
11. Type raritan in the Password field if the CSR was generated by CC-SG. If a different application generated the CSR, use the password for that application.
2. Click the IP-ACL tab.
Figure 181 Security Manager IP-ACL Screen
3. To change the order of the line items in the Access Control List, select the line item, and then click Up or Down. Connecting users will be allowed or denied according to the first rule that applies (from top to bottom).
4. To add a new item to the list, specify a range to apply the rule to by typing the starting IP value in the Starting IP field, and the ending IP value in the Ending IP field.
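The first-match ordering described in step 3, modeled as an added Python example (not CC-SG code) that shows why moving a line item Up or Down changes who is allowed. The rule structure, the "Allow"/"Deny" action labels, the function names and the sample addresses are assumptions made for illustration; the guide does not state what happens when no rule applies, so the model reports that case separately.

```python
"""Model of an ordered IP access control list with first-match semantics.

Added illustration, not CC-SG code. The start/end fields mirror the
Starting IP and Ending IP fields of the IP-ACL tab; the action labels,
helper names and sample addresses are assumptions for this example.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class AclRule:
    start: IPv4Address
    end: IPv4Address
    action: str  # assumed labels: "Allow" or "Deny"

    def __post_init__(self):
        if self.action not in ("Allow", "Deny"):
            raise ValueError(f"unknown action: {self.action!r}")
        if self.start > self.end:
            raise ValueError(f"starting IP {self.start} is above ending IP {self.end}")

    def covers(self, addr: IPv4Address) -> bool:
        return self.start <= addr <= self.end


def rule(start: str, end: str, action: str) -> AclRule:
    """Build a rule from dotted-quad strings, validating both addresses."""
    return AclRule(IPv4Address(start), IPv4Address(end), action)


def evaluate(acl: List[AclRule], client_ip: str) -> Tuple[Optional[str], Optional[int]]:
    """Walk the list top to bottom and return (action, line index) of the
    first rule whose range contains client_ip, or (None, None) if no rule
    applies (the guide does not say what the appliance does in that case)."""
    addr = IPv4Address(client_ip)
    for index, r in enumerate(acl):
        if r.covers(addr):
            return r.action, index
    return None, None


def shadowed_rules(acl: List[AclRule]) -> List[int]:
    """Line indexes of rules that can never decide a connection because a
    single earlier rule already covers their whole range."""
    hidden = []
    for i, later in enumerate(acl):
        for earlier in acl[:i]:
            if earlier.start <= later.start and later.end <= earlier.end:
                hidden.append(i)
                break
    return hidden


def move_up(acl: List[AclRule], index: int) -> List[AclRule]:
    """Return a copy of the list with the rule at `index` moved one line up,
    the equivalent of selecting a line item and clicking Up."""
    reordered = list(acl)
    if 0 < index < len(reordered):
        reordered[index - 1], reordered[index] = reordered[index], reordered[index - 1]
    return reordered


# Constructed sample list (documentation address ranges, not real hosts).
CONSTRUCTED_ACL = [
    rule("192.0.2.0", "192.0.2.255", "Deny"),       # broad deny placed first
    rule("192.0.2.10", "192.0.2.20", "Allow"),      # admin workstations, shadowed
    rule("198.51.100.1", "198.51.100.50", "Allow"),
]

if __name__ == "__main__":
    print("as entered:", evaluate(CONSTRUCTED_ACL, "192.0.2.15"))
    print("never reached:", shadowed_rules(CONSTRUCTED_ACL))
    fixed = move_up(CONSTRUCTED_ACL, 1)
    print("after Up:", evaluate(fixed, "192.0.2.15"))
    print("rest of the subnet:", evaluate(fixed, "192.0.2.200"))
```

Running the shadow check after every reorder catches a narrow exception that has slipped below a broader rule and silently stopped applying.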
Notification Manager
Use Notification Manager to configure an external SMTP server so notifications can be sent from CC-SG. Notifications are used to email reports that have been scheduled, to email reports if users are locked out, and to email the status of failed or successful scheduled tasks. Please refer to Task Manager, later in this chapter, for additional information.
Task Manager
Use Task Manager to schedule CC-SG tasks on a daily, weekly, monthly, or yearly basis. A task can be scheduled to run only once or periodically on a specified day of the week and at a specified interval, such as scheduling device backups every three weeks on Fridays or emailing a particular report to one or more recipients every Monday.
Note: Task Manager uses the Server time that is set on CC-SG for scheduling, not the time on your client PC.
Create a New Task
To schedule a new task:
1. On the Administration menu, click Tasks. The Task Manager screen appears.
Figure 183 Task Manager
2. Click New.
3. In the Main tab, type a name (1-32 characters, alphanumeric characters or underscores, no spaces) and description for the task.
4. Click the Task Data tab.
5. Click the Task Operation drop-down menu and select the task to be scheduled, such as Upgrade Device Firmware, from the list.
• Yearly: Click the drop-down menu and select the month in which the task should execute from the list. Use the up and down arrows to select the day in that month on which the task should execute.
8. For Daily, Weekly, Monthly, and Yearly tasks, you must add a start and end time for the task in the Range of recurrence section. Use the up and down arrows to select the Start at time and Start date.
CommandCenter NOC
Adding a CommandCenter NOC (CC-NOC) to your setup will expand your target management capabilities by providing monitoring, reporting, and alert services for your serial and KVM target systems. Please refer to Raritan’s CommandCenter NOC documentation for additional information on installing and operating your CC-NOC appliance.
Important: In the following procedure, passcodes are generated.
5. Type the IP address or hostname of the CC-NOC in the CC-NOC IP/Hostname field. This is a required field. For hostname rules, please refer to Terminology/Acronyms in Chapter 1: Introduction.
6. To retrieve daily information on targets in the CC-NOC database, type a discovery range in the IP Range From and IP Range To fields. This IP range represents the range of addresses CC-SG is interested in and instructs CC-NOC to send events for these devices to CC-SG.
11. Either copy and paste the passcodes into CC-NOC fields if you are the CC-NOC administrator, or submit the two passcodes to the CC-NOC administrator. As documented in the CommandCenter NOC Administrator Guide, the CC-NOC administrator will then enter the passcodes in CC-NOC, which initiates an exchange of security certificates.
SSH Access to CC-SG
Use Secure Shell (SSH) clients, such as PuTTY or OpenSSH Client, to access a command line interface to the SSH (v2) server on CC-SG. Only a subset of CC-SG commands is provided via SSH to administer devices and CC-SG itself. The SSH client user is authenticated by CC-SG, and existing authentication and authorization policies are applied to the SSH client.
SSH Commands
The following table describes all commands available in SSH. You must be assigned the appropriate privileges in CC-SG to access each command.
COMMAND                                                      DESCRIPTION
activeports                                                  List active ports.
activeusers                                                  List active users.
backup device <[-host ] | [-id ]> backup_name [description]  Backup device configuration.
clear                                                        Clear screen.
more [-p ]                                                   Make paging
pingdevice <[-id ] | [host]>                                 Ping device
restartcc minutes [message]                                  Restart CC-SG
restartdevice <[-id ] | [host]>                              Restart device
restoredevice <[-host ] | [-id ]> [backup_id]                Restore device configuration
shutdowncc minutes [message]                                 Shutdown CC-SG.
ssh [-e ] <[-id ] | [host]>                                  Open SSH connection to an SX device
su [-u ]                                                     Change a user.
Create an SSH Connection to an SX Device
You can create an SSH connection to an SX device to perform administrative operations on the device. Once connected, the administrative commands supported by the SX device are available.
Note: Before you connect, ensure that the SX device has been added to the CC-SG.
1. Type listdevices to ensure the SX has been added to CC-SG.
Figure 186 Listing Devices on CC-SG
2.
Use SSH to Connect to a Node via a Serial Out of Band Interface
You can use SSH to connect to a node through its associated serial out-of-band interface. The SSH connection is in proxy mode.
1. Type listinterfaces to view the node ids and associated interfaces.
Figure 188 Listinterfaces in SSH
2. Type connect –i to connect to the node associated with the interface.
Figure 189 Connecting to a Node via a Serial Out-of-Band Interface
3.
Diagnostic Console
The Diagnostic Console is a standard, non-graphical interface that provides local access to CC-SG. It can be accessed from a serial or KVM port, or from Secure Shell (SSH) clients, such as PuTTY or OpenSSH Client. Two logins are provided: one is status, which gives access to the Status Console, and the other is admin, which gives access to the Administrator Console. All login usernames and passwords are case-sensitive.
Accessing Status Console
A password is not required to access the Status Console, but password usage can be enforced.
1. At the login prompt, type status. The read-only Status Console appears.
Figure 191 Status Console
• This screen dynamically displays information about the health of the system and whether CC-SG and its sub-components are working.
• The time in the upper-right corner of the screen is the last time at which the CC-SG data was polled.
password. Please refer to Diagnostic Console Passwords (Admin) later in this chapter for additional information on setting password strength.
3. The main Administrator Console screen appears. You can perform initial system network interface configuration, edit Message of the Day in the Status window, and view log files.
2. Using the Delete and Backspace keys, type a new message in the box provided. For MOTD, you can enter up to 76 characters.
Figure 193 Editing MOTD for Status Console
3. Click Make Active at the bottom of the screen, or press the TAB key until Make Active is selected, and then press the SPACEBAR once.
4.
offers three services: Status Display, Admin Console, Raritan Field Support. This screen allows the selection of which services are available via the various access mechanisms.
3. Type the port number you want to set for SSH access to Diagnostic Console in the Port field. The default port is 23.
Important: Be careful not to completely lock out all Admin or Field Support access.
Figure 194 Edit Diagnostic Console Configuration
4.
2. If the network interfaces have already been configured, you will see a Warning message stating that you should use the CC-SG GUI (administrator’s Director Client) to configure the interfaces. If you want to continue, click YES. The default Network Interface Configuration screen is shown here:
Figure 195 Editing Network Interfaces
3. Type your hostname in the Host Name field.
10. System progress can be monitored in a Diagnostic Console Status Screen. On the KVM port, another terminal session can be selected by typing + and logging in as status. You may return to the original terminal session by typing +. There are six available terminal sessions on thorough .
2. Enter the IP address or hostname of the target you wish to check in the Traceroute Target field.
3. Optionally, select:
OPTION                       DESCRIPTION
Verbose                      Verbose output, which lists received ICMP packets other than TIME_EXCEEDED and UNREACHABLEs.
No DNS Resolution            Does not resolve addresses to host names.
Use ICMP (vs. normal UDP)    Use ICMP ECHO instead of UDP datagrams.
4.
1. Click Operation, Admin, then System Logfile Viewer.
2. The Logviewer screen is divided into 4 main areas (see screen below):
• List of Logfiles currently available on the system. If the list is longer than the display window, the list can be scrolled using the arrow keys.
• Logfile List sort criteria. Logfiles can be shown sorted by their Full File Name, by the most recently changed logfile, or by the largest logfile size.
Use Default Color Scheme – If this box is checked, some of the logfiles will be viewed with a standard color scheme. Note: multitail commands can be used to change the color scheme once the logfile(s) are being viewed.
Use Default Filters – If this box is checked, some of the logfiles will have automatic filters applied.
6. Type i for info to display system information.
Note: System load is static as of the start of this Admin Console session – use the TOP utility to dynamically monitor system resources.
Figure 200 Displaying Information
7. If desired, you can filter the log file with a regular expression. Type e to add or edit a regular expression and select a log from the list if you have chosen to view several.
8. Type a to add a regular expression. For example, if you want to display information on the WARN messages in sg/jboss/console.log log file, enter WARN and select match.
Note: This screen also shows the Default Filter Scheme for console.log, which removes most of the Java heap messages.
Figure 202 Specifying a Regular Expression for a Log File
9. Select F1 to get help on all LogViewer options. Pressing CTRL+C and CTRL+Q terminates this LogViewer session.
To restart CC-SG:
1. Click Operation, Admin, and then click CC-SG Restart.
2. Either click Restart CC-SG Application or press ENTER. Confirm the restart in the next screen to proceed.
Figure 203 Restarting CC-SG in Diagnostic Console
Rebooting CC-SG (Admin)
This option will reboot the entire CC-SG, which simulates a power cycle. Users will not receive a notification. CC-SG, SSH, and Diagnostic Console users (including this session) will be logged off.
Powering Off the CC-SG System (Admin)
This option will power down the entire CC-SG. Users will not receive a notification. CC-SG, SSH, and Diagnostic Console users (including this session) will be logged off. Any connections to remote target servers will also be terminated. The only way to power the CC-SG unit back on is to press the power button on the front panel of the unit.
To power off the CC-SG:
1. Click Operation, Admin, and then click CC-SG System Power OFF.
To reset the CC-SG GUI admin password:
1. Click Operation, Admin, and then click CC-SG ADMIN Password Reset.
2. Either click Reset CC-SG GUI Admin Password or press ENTER to change the admin password back to factory default. Confirm the password reset in the next screen to proceed.
OPTION: Full CC-SG Database Reset
DESCRIPTION: Selecting this option completely removes the existing CC-SG Database and builds a new version from scratch, loading it with all the Factory Default values.
OPTION: Preserve CC-SG Personality during Reset
DESCRIPTION: This option is only valid and effective if the previous option is also selected.
Diagnostic Console Passwords (Admin)
This option provides the ability to configure the strength of passwords (status and admin) and allows you to configure password attributes, such as setting the maximum number of days that must lapse before you need to change the password, which should be done via the Account Configuration menu.
3. Select either Regular, Random, or Strong for the admin and status (if enabled) passwords.
PASSWORD SETTING: Regular, Random, Strong
DESCRIPTION
Regular: These are standard. Passwords must be longer than 4 characters with few restrictions. This is the system default password configuration.
Random: Provides randomly generated passwords.
This screen is split into three main areas:
• The top displays read-only information about the accounts on the system.
• The middle section displays the various parameters related and pertinent to each ID, along with a set of buttons, to allow the parameters to be updated or new passwords provided for the accounts.
• The final area restores the password configuration to Factory Defaults (or how the system was initially shipped).
3.
2. Either click Refresh or press Enter to refresh the display. Refreshing the display is especially useful when you are upgrading or installing and want to see the progress of the RAID disks as they are being rebuilt and synchronized.
Figure 210 Displaying Disk Status of CC-SG in Diagnostic Console
Note: The disk drives are fully synchronized and full RAID-1 protection is available when you see a screen as shown above (the status of both the md0 and md1 arrays is [UU]).
Displaying NTP (Network Time Protocol) Status (Utilities)
This option displays the status of the NTP time daemon if it is configured and running on CC-SG.
To display status of the NTP daemon on the CC-SG:
1. Click Operation, Utilities, and then click NTP Status Display.
2. The NTP Daemon can only be configured in the CC-SG administrator’s Director Client.
Appendix A: Specifications (G1, V1, and E1)

G1 Platform
General Specifications
Form Factor: 1U
Dimensions (DxWxH): 22.1” x 17.32” x 1.75” (563mm x 440mm x 44mm)
Weight: 24.07lb (10.92kg)
Power: Redundant, hot-swappable power supplies, auto-sensing 110/220 V – 2.
Mean Time Between Failure (MTBF):
KVM Admin Port:
Serial Admin Port:
Console Port:
V1 Platform
General Specifications
Form Factor: 1U
Dimensions (DxWxH): 24.21” x 19.09” x 1.75” (615mm x 485mm x 44mm)
Weight: 23.80lb (10.80kg)
Power: Single Supply (1 x 300 watt)
Operating Temperature: 10 - 35 °C (50 - 95 °F)
Mean Time Between Failure (MTBF): 36,354 hours
KVM Admin Port: (DB15 + PS2 or USB Keyboard/Mouse)
Serial Admin Port: DB9
Console Port: (2) USB 2.
E1 Platform
General Specifications
Form Factor: 2U
Dimensions (DxWxH): 27.05” x 18.7” x 3.46” (687 mm x 475 mm x 88 mm)
Weight: 44.09 lbs (20 kg)
Power: SP502-2S Hot-Swappable 500W 2U power supply
Operating Temperature: 0~50 degree C
Mean Time Between Failure (MTBF): 53,564 hours
KVM Admin Port: PS/2 keyboard and mouse ports, 1 VGA port
Serial Admin Port: Fast UART 16550 serial port
Console Port: (2) USB 2.
Appendix B: CC-SG and Network Configuration

Introduction
This appendix describes the network requirements (addresses, protocols and ports) of a typical CC-SG deployment. It includes information about how to configure your network for both external access (if desired) and internal security and routing policy enforcement (if used).
Figure 214 CC-SG Deployment Elements (diagram showing CC Clients, the Internet (Unsecured Network), CC-NOC, the CC-SG Cluster Peer, Firewall, VPN, Internal Network, CC-SG, Raritan Devices (KVM, Serial), Out-of-Band Node Access and In-Band Access)
CC-SG Communication Channels
The communication channels are partitioned as follows:
• CC-SG ↔ Raritan Devices
• CC-SG ↔ CC-SG Clustering (optional)
• CC-SG ↔ Infrastructure Services
• Clients ↔ CC-SG
• Clients ↔ Targets (Direct Mode)
• Clients ↔ Targets (Proxy Mode)
• Clients ↔ Targets (In-Band)
• CC-SG ↔ CC-NOC
For each communication channel, the tables in the sections that follow:
• Represent the symbolic IP Addresses used by the communicating parties.
Each CC-SG in the cluster may be on a separate LAN. However, the inter-connection between the units should be very reliable and not prone to periods of congestion.
The first mode is the primary means for users and administrators to connect to CC-SG. The other two modes are less frequently used.
CC-SG & SNMP
Simple Network Management Protocol (SNMP) allows CC-SG to push SNMP traps (event notifications) to an existing SNMP manager on the network. CC-SG also supports SNMP GET/SET operations with third-party Enterprise Management Solutions, such as HP OpenView.
Security and Open Port Scans
As part of the CC-SG Quality Assurance process, several open port scanners are applied to the product and Raritan makes certain that its product is not vulnerable to these known attacks. All the open or filtered/blocked ports are listed in the above sections. Some of the more common exposures are:
Issue ID 3: CVE-1999-0517, CVE-1999-0186
Synopsis: snmp (161/UDP) - the community name of the remote SNMP server can be guessed.
Appendix C: User Group Privileges
Table columns: MENU > SUB-MENU, MENU ITEM, REQUIRED PRIVILEGE, DESCRIPTION

Secure Gateway
This menu is available for all users.
My Profile: None*
Message of the Day: None*
Print: None*
Logout: None*
Exit: None*

Users
This menu and the User tree are available only for users with the User Management privilege.
> User Manager
> User Group Manager

Devices
> Device Manager
MENU > SUB-MENU: >> Configuration
MENU ITEM: >> Backup; >> Restore; >> Copy Configuration; > Restart Device; > Ping Device; > Pause Management; > Device Power Manager; > Launch Admin; > Launch User Station Admin; > Disconnect Users
REQUIRED PRIVILEGE: Upgrade Management; Device Configuration and Upgrade Management; Device Configuration and Upgrade Management; Device Configuration and Upgrade Management; Device, Port and Node Management or Device Configuratio
MENU > SUB-MENU / MENU ITEM: > Topological View; > Change View; > Create Custom View; > Tree View; > Port Manager; > Connect; > Configure Ports; > Bookmark Port; > Disconnect Port; > Bulk Copy; > Delete Ports; > Port Sorting Options; > By Port Name; > By Port Status
REQUIRED PRIVILEGE: Configuration and Upgrade Management; Device, Port and Node Management; Device, Port and Node Management or Device Configuration and Upgrade Management; Device, Port and Node Management or
MENU > SUB-MENU: Nodes; > Node Sorting Options; > Chat
REQUIRED PRIVILEGE / DESCRIPTION:
Upgrade Management
Nodes: This menu and the Nodes tree are available only for users with any one of the following privileges: Device, Port and Node Management; Node In-Band Access; Node Out-of-Band Access; Node Power Control
Add Node: Device, Port and Node Management
(Editing Nodes): Device, Port and Node Management (Via the Node Profile)
Delete Node: Device, Port and Node Management
MENU > SUB-MENU: > Change View Associations
REQUIRED PRIVILEGE / DESCRIPTION:
Node Out-of-Band Access or Node Power Control
> Show Chat Session: Node In-Band Access or Node Out-of-Band Access or Node Power Control
> End Chat Session: Node In-Band Access or Node Out-of-Band Access or Node Power Control
> Create Custom View: Any of the following: Device, Port and Node Management or Node In-Band Access or Node Out-of-Band Access or Node Power Control
> Tree View: Any of the follow
MENU > SUB-MENU: Reports; > Users; > Devices; > Nodes; > Ports
REQUIRED PRIVILEGE / DESCRIPTION: This menu is available for all users.
MENU > SUB-MENU: Access; Administration
CC-NOC Synchronization: CC Setup and Control
CC-NOC Configuration: CC Setup and Control
DESCRIPTION: This menu is available only for users with one of the following privilege(s): CC Setup and Control; Combination of Device, Port and Node Management, User Management, and User Security Management
Guided Setup: All of the following: Device, Port and Node Management, User Management, and User Security
MENU > SUB-MENU / MENU ITEM and REQUIRED PRIVILEGE:
> Exit Maintenance Mode: CC Setup and Control
View: None*
Window: None*
Help: None*
*None means that no particular privilege is required. Any user who has access to CC-SG will be able to view and access these menus and commands.
Appendix D: SNMP Traps
CC-SG provides the following traps:
SNMP TRAP
ccUnavailable
ccAvailable
ccUserLogin
ccUserLogout
ccPortConnectionStarted
ccPortConnectionStopped
ccPortConnectionTerminated
ccImageUpgradeStarted
ccImageUpgradeResults
ccUserAdded
ccUserDeleted
ccUserModified
ccUserAuthenticationFailure
ccLanCardFailure
ccHardDiskFailure
ccLeafNodeUnavailable
ccLeafNodeAvailable
ccIncompatibleDeviceFirmware
ccDeviceUpgrade
ccEnterMaintenanceMode
ccExitMaintenanceMode
ccUserLo
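One way an SNMP manager could use the ccUserAuthenticationFailure and ccUserLogin traps listed above to flag password guessing, as an added example that is not Raritan code. The event tuples (timestamp, trap name, user) are constructed for illustration; the actual trap fields are defined by the CC-SG MIB, which this guide excerpt does not show.

```python
from collections import defaultdict, deque

FAIL, LOGIN = "ccUserAuthenticationFailure", "ccUserLogin"

# Constructed sample events: (epoch seconds, trap name, user). Not real CC-SG output.
SAMPLE_EVENTS = (
    [(1000 + 10 * i, FAIL, "jdoe") for i in range(5)] + [(1050, LOGIN, "jdoe")]
    + [(1000, FAIL, "asmith"), (2000, FAIL, "asmith"), (2010, LOGIN, "asmith")]
    + [(3000 + 10 * i, FAIL, "admin") for i in range(6)]
    + [(100 * i, FAIL, "bob") for i in range(5)]      # slow failures, outside the window
    + [(5000, "ccUserLogout", "jdoe")]                # unrelated trap, ignored
)

def detect_guessing(events, threshold=5, window=300):
    """Flag users with >= threshold failure traps inside `window` seconds.

    login_after_burst is True when a ccUserLogin arrives while the burst is
    still inside the window, i.e. the guessing may have succeeded.
    """
    recent = defaultdict(deque)   # user -> timestamps of failures still in the window
    alerts = {}
    for ts, trap, user in sorted(events):
        failures = recent[user]
        while failures and ts - failures[0] > window:
            failures.popleft()                        # expire old failures
        if trap == FAIL:
            failures.append(ts)
            if len(failures) >= threshold:
                alert = alerts.setdefault(
                    user, {"first_failure": failures[0], "login_after_burst": False})
                alert["failures"] = len(failures)
        elif trap == LOGIN:
            if len(failures) >= threshold:
                alerts[user]["login_after_burst"] = True
            failures.clear()                          # a success resets the counter
    return alerts

if __name__ == "__main__":
    for user, alert in detect_guessing(SAMPLE_EVENTS).items():
        print(user, alert)
```

An alert with login_after_burst set deserves priority, since the account may now be in an attacker's hands.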
Appendix E: Troubleshooting
• Launching CC-SG from your web browser requires a Java plug-in. If your machine has an incorrect version, CC-SG will guide you through the installation steps. If your machine does not have a Java plug-in, CC-SG cannot automatically launch. In this case, you must uninstall or disable your old Java version and provide serial port connectivity to CC-SG to ensure proper operation.
Appendix F: Two-Factor Authentication
As part of CC-SG RADIUS-based remote authentication, CC-SG can be configured to point to an RSA RADIUS Server which supports two-factor authentication via an associated RSA Authentication Manager. CC-SG acts as a RADIUS client and sends user authentication requests to the RSA RADIUS Server. The authentication request includes user id, a fixed password, and a dynamic token code.
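The authentication request described above, sketched as an added example (not Raritan or RSA code): it builds a RADIUS Access-Request per RFC 2865 and shows that the fixed password and token code are protected in transit only by MD5 masking keyed with the shared secret. Sending the fixed password and token code concatenated in one User-Password attribute is an assumption, as are all sample values.

```python
import hashlib
import os

def _mask(data, secret, authenticator, hiding):
    """RFC 2865 section 5.2: XOR each 16-byte block with MD5(secret + previous hidden block)."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        xored = bytes(b ^ m for b, m in zip(block, mask))
        prev = xored if hiding else block     # always chain on the hidden block
        out += xored
    return out

def hide_user_password(passcode, secret, authenticator):
    if len(authenticator) != 16 or not 1 <= len(passcode) <= 128:
        raise ValueError("need a 16-byte authenticator and a 1..128 byte passcode")
    padded = passcode + b"\x00" * (-len(passcode) % 16)
    return _mask(padded, secret, authenticator, hiding=True)

def reveal_user_password(hidden, secret, authenticator):
    return _mask(hidden, secret, authenticator, hiding=False).rstrip(b"\x00")

def build_access_request(identifier, user, fixed_password, token_code, secret,
                         authenticator=None):
    """RADIUS client side: Code 1 (Access-Request), User-Name (1), User-Password (2)."""
    authenticator = authenticator or os.urandom(16)
    passcode = fixed_password + token_code    # assumption: sent as one concatenated value
    hidden = hide_user_password(passcode, secret, authenticator)
    attrs = b"".join(bytes([t, len(v) + 2]) + v for t, v in ((1, user), (2, hidden)))
    header = bytes([1, identifier]) + (20 + len(attrs)).to_bytes(2, "big")
    return header + authenticator + attrs

def parse_access_request(packet, secret):
    """Server side, or anyone who holds the shared secret and a captured request."""
    if len(packet) < 20 or packet[0] != 1 or int.from_bytes(packet[2:4], "big") != len(packet):
        raise ValueError("not a well-formed Access-Request")
    authenticator, pos, fields = packet[4:20], 20, {}
    while pos < len(packet):
        attr_len = packet[pos + 1] if pos + 1 < len(packet) else 0
        if attr_len < 2 or pos + attr_len > len(packet):
            raise ValueError("bad attribute length")
        fields[packet[pos]] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return fields[1], reveal_user_password(fields[2], secret, authenticator)

if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    pkt = build_access_request(7, b"jdoe", b"pin1234", b"492817", b"constructed-secret")
    print(parse_access_request(pkt, b"constructed-secret"))
```

The token code expires after use but the fixed password does not, so the strength of the RADIUS shared secret and the network path between CC-SG and the RSA RADIUS Server determine how well that password is protected.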
Appendix G: FAQs
QUESTION
General
What is CC-SG?
Why would I need CC-SG?
What is CommandCenter NOC?
Which Raritan products does CC-SG support?
How does CC-SG integrate with other Raritan Products?
Is PDA access possible?
Is the status of CC-SG limited by the status of the devices which it proxies?
Can I upgrade to newer versions of CC-SG software as they become available?
How many nodes and/or Dominion units and/or IPReach units can be connected to CC-SG?
Is there any way to opti
QUESTION
to CC-SG?
Which version of Java will Raritan’s CC-SG be supporting?
An administrator added a new node to the CC-SG database and assigned it to me, how can I see it in my Nodes tree?
How will the Windows desktop be supported in the future?
ANSWER
- The Dominion unit is active.
- The Dominion unit has not reached the maximum number of configured user accounts.
QUESTION: What options are available for authentication with directory services and security tools such as LDAP, AD, RADIUS, etc.?
ANSWER: CC-SG permits local authentication as well as remote authentication. Remote authentication servers supported include: AD, TACACS+, RADIUS, and LDAP.
Security
QUESTION: Sometimes when I try to log on, I receive a message that states my “login is incorrect” even though I am sure I am entering the correct username and password. Why is this?
Performance
As a CC-SG Administrator, I added over 500 nodes and assigned all of them to me. Now it takes a long time to log on to CC-SG.
QUESTION: simultaneous paths through any IP-Reach box, including the roadmap for the potential 8-path box?
ANSWER: increase simultaneous access paths per box.
Authorization
QUESTION: Can authorization be achieved via RADIUS/TACACS/LDAP?
User Experience
QUESTION: Regarding console management via network port or local serial port (for example, COM2): What happens to the logging, does CC-SG capture local management or is this lost?
Appendix H: Keyboard Shortcuts
The following keyboard shortcuts can be used in the Director Client.
North American Headquarters: Raritan, 400 Cottontail Lane, Somerset, NJ 08873 U.S.A. Tel. (732) 764-8886 or (800) 724-8090 Fax (732) 764-8887 Email: sales@raritan.com Website: Raritan.com
Raritan NC: 4901 Waters Edge Dr. Suite 101, Raleigh, NC 27606 Tel. (919) 277-0642 Email: sales.nc@raritan.com Website: Raritan.com
Raritan Canada: 4 Robert Speck Pkwy, Suite 1500, Mississauga, ON L4Z 1S1 Canada Tel. (905) 949-3650 Fax (905) 949-3651 Email: sales.canada@raritan.com Website: Raritan.