CommandCenter Secure Gateway Deployment Guide Release 4.0 Copyright © 2008 Raritan, Inc.
This document contains proprietary information that is protected by copyright. All rights reserved. No part of this document may be photocopied, reproduced, or translated into another language without express prior written consent of Raritan, Inc. © Copyright 2008 Raritan, Inc., CommandCenter®, Dominion®, Paragon® and the Raritan company logo are trademarks or registered trademarks of Raritan, Inc. All rights reserved. Java® is a registered trademark of Sun Microsystems, Inc.
Contents
Chapter 1 Introduction
  Prerequisites
  Intended Audience
  CC NOC Deployment and Paragon Integration
Chapter 2 Pre-Deployment Planning
  Prepare Infrastructure
Chapter 4 Install CC-SG
  1. Rack Mount the CC-SG Unit
  2. Physical Connections
  3. Set IP Address of CC-SG
Appendix A Installation Template
  Blank Template
Chapter 1 Introduction
CommandCenter Secure Gateway (CC-SG) provides a hardware-based management solution engineered to consolidate secure access and control of IT devices. It provides centralized management of serial, KVM and power control devices in multiple data centers, branch offices and remote locations through a single, secure, browser-based access point. Users can access target servers and systems (nodes) that are connected to Raritan devices, such as Dominion KX or IP-Reach.
CC NOC Deployment and Paragon Integration
CommandCenter NOC (CC NOC) and integration with Paragon II systems (P2-SC) are NOT covered in this guide. See the Deployment Guide that came with your CC NOC or P2-SC unit.
Chapter 2 Pre-Deployment Planning
In This Chapter
  Prepare Infrastructure
  Prepare Network
  Prepare Target Servers
  Prepare User PC
Prepare Infrastructure
Planning for the installation of your CC-SG and Raritan devices is very much like the planning for any other new systems in your datacenter. HVAC, power, physical access and mounting, network, cabling, and remote access must be considered.
• Heating and Cooling. It is essential to have adequate heating and cooling so that the equipment can operate in the temperature and humidity ranges for which it has been designed.
Basic Requirements for Dominion Products
All Dominion products include rack mounts for installation in standard 19 inch cabinets. Standard included power cables are for 110 VAC/15 amp receptacles. Power supplies are 110/220 auto switching.
• Dominion KX devices use standard CAT 5 or better cabling for connecting between the target and Dominion KX. The standard supported distance is 150 feet. Each target requires a CIM.
Prepare Target Servers
Target servers and systems that attach to KVM over IP Raritan devices, for example, Dominion KX, Dominion KX II, Dominion KX101, Dominion KX2-101, Dominion KSX, Dominion KSX II, and IP-Reach, must have mouse and video settings adjusted for optimal performance and responsiveness over an IP network. This allows CC-SG to remotely control the target systems. Adjust the mouse and video settings before connecting the target to the Raritan device.
Install Java Runtime Environment
Install the currently approved version of Java on all PCs that are using CC-SG. You can download Java from http://java.sun.com/j2se/index.jsp. For the most current listing of compatible browsers, PC platforms, and JRE versions, please refer to the Compatibility Matrix for your version of CC-SG in the Support section of the Raritan website.
Chapter 3 Prepare Raritan Devices
The Raritan devices must be configured and installed on the network prior to adding the devices to CC-SG. Basic installation and configuration consists of the following steps:
1. Attach power cord and local access method, such as KVM drawer or laptop.
2. Set device IP address.
3. Connect devices to network.
4. Attach CIMs to targets, and then attach targets to devices.
Default IP Address and Logins
• All Raritan IP-based products use the default IP address: 192.168.0.192.
• The default IP address to access CC-SG administrative functions is 192.168.0.192/admin.
• Most Raritan products use the default username admin and password raritan.
• CC-SG's default login for versions 3.1 and higher is username admin and password raritan. CC-SG versions prior to 3.1 use the default username ccroot and password raritan0.
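An added example, not part of the Raritan guide: a pre-deployment audit that reads a device inventory, such as the Installation Template this guide asks you to fill in, and flags entries that still carry the factory defaults listed above or that share an IP address. The CSV layout, column names, device names, addresses and passwords are constructed for illustration.

```python
import csv
import io

# Factory defaults as stated in this guide.
DEFAULT_IP = "192.168.0.192"
DEVICE_DEFAULTS = {("admin", "raritan")}          # "most Raritan products"
CCSG_DEFAULTS_3_1_UP = {("admin", "raritan")}     # CC-SG 3.1 and higher
CCSG_DEFAULTS_PRE_3_1 = {("ccroot", "raritan0")}  # CC-SG prior to 3.1

# Constructed sample inventory (hypothetical columns and values).
SAMPLE_INVENTORY = """\
name,type,version,ip,admin_user,admin_password
CCSG_Main,CC-SG,4.0,10.10.1.5,admin,raritan
CCSG_Old,CC-SG,3.0,10.10.1.6,ccroot,raritan0
Eng_KX1,KX,,10.10.2.11,ccadmin,constructed-Pw-1
DC1_SX1,SX,,192.168.0.192,admin,raritan
DC1_SX2,SX,,192.168.0.192,ccadmin,constructed-Pw-2
"""


def parse_version(text):
    """Turn '3.1' or '4.0.1' into a comparable tuple; blank or odd input gives None."""
    text = (text or "").strip()
    if not text:
        return None
    try:
        return tuple(int(part) for part in text.split("."))
    except ValueError:
        return None


def factory_logins(device_type, version):
    """Return the set of (username, password) defaults that apply to a device."""
    if device_type.strip().upper() != "CC-SG":
        return DEVICE_DEFAULTS
    parsed = parse_version(version)
    if parsed is None:
        # Version not recorded: check against both generations of defaults.
        return CCSG_DEFAULTS_3_1_UP | CCSG_DEFAULTS_PRE_3_1
    return CCSG_DEFAULTS_3_1_UP if parsed >= (3, 1) else CCSG_DEFAULTS_PRE_3_1


def audit(inventory_csv):
    """Return a list of (device name, issue) findings for the inventory."""
    findings = []
    first_owner = {}  # ip -> first device seen with that address
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        name = row["name"].strip()
        ip = row["ip"].strip()
        login = (row["admin_user"].strip(), row["admin_password"])
        if login in factory_logins(row["type"], row["version"]):
            findings.append((name, "default-credentials"))
        if ip == DEFAULT_IP:
            # Every unit ships with this address, so it must be changed
            # before a second unit joins the same network.
            findings.append((name, "default-ip"))
        if ip in first_owner:
            findings.append((name, "duplicate-ip:" + first_owner[ip]))
        else:
            first_owner[ip] = name
    return findings


if __name__ == "__main__":
    for device, issue in audit(SAMPLE_INVENTORY):
        print(f"{device}: {issue}")
```

Running the audit before devices are added to CC-SG gives a list to clear: each finding names the unit whose password or address still needs to be changed.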
Minimum Firmware Version
Raritan devices managed by CC-SG must have the current minimum firmware version to work correctly with CC-SG. Once you add Raritan devices to CC-SG, you can perform firmware upgrades from the CC-SG interface. See the Compatibility Matrix for CC-SG in the Support section of the Raritan website.
Preparing Dominion Devices for CC-SG Management
Prior to installation, please read the entire section for each device that will be managed by CC-SG.
[Diagram labels: Local Access Console Ports Server Ports]
Attach Power Cord and Local Console
1. Connect the included AC power cord to the Dominion KX unit and plug into an AC Power Outlet.
2. Attach a multisync VGA monitor, mouse, and keyboard to the ports labeled Local User using either a PS/2 keyboard and mouse or a USB keyboard and mouse.
3. Power ON the Dominion KX unit. The device powers up and begins the boot process.
Connect to Network and Attach Servers
1. [Optional] Use a straight-through serial cable to connect an external modem.
2. Connect one end of a straight-through Ethernet cable (included) to the port labeled LAN1 on the Dominion KX, and the other end to a network switch or router.
3. [Optional] For Ethernet redundancy, use a straight-through Ethernet cable to connect the LAN2 port to another network switch or router.
Dominion KX II Devices
The following section provides you with the necessary background information and steps to install and configure Raritan Dominion KX II units to conform to CC-SG's requirements.
Note: Be sure to document the device name, IP address, administrative username and password, and attached systems (port number, type, system name) in the Installation Template (Appendix A).
Attach Power Cord and Local Console
1.
3. Follow the prompts to change the default password. Please refer to Raritan's KX II User Guide for details. Be sure to make a note of the new password.
4. You will receive confirmation that the password was successfully changed. Click OK. The Port Access page is displayed.
5. Select Device Settings > Network Settings.
6. Specify a meaningful Device Name for your Dominion KX II unit; up to 16 alphanumeric characters, special characters, and no spaces.
7.
Connecting the Dominion KX II-101
The Dominion KX II-101 has the physical connections described in the diagram below:
1 Attached Monitor and PS/2 Cable (See item 3.).
2 Mini-USB Port. Use to connect the device to the target server with the included USB cable if not using the attached PS/2 cable. A USB connection must be used in order to utilize the Absolute Mouse Sync or Virtual Media features.
3 Attached Monitor and PS/2 Cable. Use to connect the device to a monitor and to a target server if not using the USB cable.
4 LOCAL USER port.
3. If you require Virtual Media (VM) connectivity, connect the mini-USB connector to the Dominion KX II-101 and the USB connector to any USB port on the target server.
1 Integrated PS/2 keyboard, video, and mouse connections from Dominion KX II-101 to target server.
2 Dominion KX II-101.
3 Video connection to local monitor (optional cable).
4 Local monitor.
5 PS/2 connection from Dominion KX II-101 to mouse (optional cable).
USB Configuration
To configure the Dominion KX II-101 for use with a USB target server:
1. Connect the mini-USB connector to the Dominion KX II-101 and the USB connector to a USB port on the target server.
2. Use the included PS/2 DKX2-101-LPKVMC cabling to attach only the local video to the Local User port of the Dominion KX II-101.
Note: The Dominion KX II-101 must be powered for the Local User port to function.
3.
3 Video connection to local monitor (optional cable).
4 Local monitor.
5 USB connection from target server to mouse.
6 USB connection from target server to keyboard.
7 Target server.
Connecting to the Network
Connect a standard Ethernet cable from the network port labeled LAN to an Ethernet switch, hub, or router. The LAN LEDs that appear above the Ethernet connection indicate Ethernet activity.
Configuring the Dominion KX II-101
The Dominion KX II-101 can be configured in two ways:
• Using the web-based Dominion KX II-101 Remote Console, which requires the unit to have a network connection to your workstation.
• Using a terminal emulation program like HyperTerminal, which requires a direct connection from the unit's ADMIN port to your workstation. The cable for this connection is included with the Dominion KX II-101.
You will receive confirmation that the password was successfully changed.
10. Click OK. The Port Access page opens.
Assigning an IP Address
1. In the Dominion KX II-101 Remote Console, choose Device Settings > Network Settings. The Network Basic Settings page opens.
2. In the Device Name field, specify a meaningful name for your Dominion KX II-101 unit; up to 16 alphanumeric and special characters, no spaces.
3.
Using a Terminal Emulation Program
You can use the Admin serial console with a terminal emulation program like HyperTerminal to set the following configuration parameters for the Dominion KX II-101:
• IP address
• Subnet mask address
• Gateway address
• IP access control
• LAN speed
• LAN interface mode
To use a terminal emulation program with the Dominion KX II-101, you must first connect the included RS-232 serial cable from the Admin port on the Dominion K
Flow control: None
4. Connect to the Dominion KX II-101. The login screen appears.
5. Type the administrator user name and press Enter. You are prompted to enter your password.
6. Type your password and press Enter. The Admin Port prompt appears.
7. At the Admin Port > prompt, type config and press Enter.
8. At the Config > prompt, type network and press Enter.
9. To view the current interface settings, at the Interface > prompt, type interface and press Enter.
10. To configure new network settings, at the Network prompt, type interface followed by one of the following commands and its appropriate argument (option), then press Enter.
Dominion SX Devices
The following section provides you with the necessary background information and steps to install and configure Raritan Dominion SX units to conform to CC-SG's requirements.
Note: Be sure to document the device name, IP address, administrative username and password, and attached systems (port number, type, system name) in the Installation Template (Appendix A).
Attach Power Cord and Installation Computer
1.
Connect to Network and Attach Serial Devices
1. Power OFF the SX unit.
2. Disconnect from the installation computer, and move the Dominion SX to the location where it will be added to CC-SG.
3. Connect one end of a straight-through Cat5 cable to the SX.
4. Connect the other end of the Cat5 cable to the network.
5.
Dominion KSX Devices
The following section provides you with the necessary background information and steps to install and configure Raritan KSX units to conform to CC-SG's requirements.
Note: Be sure to document the device name, IP address, administrative username and password, and attached systems (port number, type, system name) in the Installation Template (Appendix A).
Diagram Key
Serial Console Ports. Most Cisco RJ45 or Sun RJ45 Serial Ports require Rollover Cable (p/n CRLVR-15)
KVM Console Ports, KVM Console Cable (p/n CCPTxxx)
* Connection to Local or Admin Port, depending on unit type.
The local port and the Admin Port locations depend on the Dominion KSX model you purchased. Dominion KSX units have a label on the underside of the chassis identifying the hardware version.
Connect to Network and Attach Serial Devices
1. [Optional] Disconnect the PS/2 keyboard and multi-sync monitor from the Admin Console ports. Or leave them attached for future monitoring or configuration.
2. Connect a standard Ethernet cable (included) from the network port labeled LAN1 to an Ethernet switch, hub, or router.
3.
1. AC Power
To connect the power supply:
1. Attach the included AC power cord to the Dominion KSX II and plug into an AC power outlet.
2. Network Ports
Dominion KSX II provides two Ethernet ports for failover purposes (not for load-balancing). By default, only LAN1 is active and the automatic failover is disabled.
4. KVM Target Server Ports
The Dominion KSX II uses standard UTP cabling (Cat5/5e/6) to connect to each target server. See Appendix A: Specifications in the Raritan Dominion KSX II User Guide.
To connect a KVM target server to the Dominion KSX II:
1. Use the appropriate Computer Interface Module (CIM). Refer to Supported Operating Systems and CIMs in the Raritan Dominion KSX II User Guide for more information about the CIMs to use with each operating system.
2.
outlets will not be correctly detected, especially after swapping 8 and 20 outlet power strip models.
6. Serial Target Ports
To connect a serial target to the KSX II, use a Cat5 cable with an appropriate serial adapter. The following table lists the necessary Dominion KSX II hardware (adapters and/or cables) for connecting the Dominion KSX II to common Vendor/Model combinations.
Dominion KSX II Initial Configuration
The first time you power up the Dominion KSX II unit, there is some initial configuration that you need to perform through the Dominion KSX II Local Console:
• Change the default password.
• Assign the IP Address.
Assign an IP Address
These procedures describe how to assign an IP Address using the Network Settings page.
4. If you specify an IP configuration of None, type the TCP/IP parameters for your Dominion KSX II unit: IP address, Subnet mask, Gateway IP address, Primary DNS server IP address, and (optional) Secondary DNS server IP address.
5. Click OK. Your Dominion KSX II unit is now network accessible.
With both methods, you must add Managed Powerstrip interfaces to nodes to create power associations between the outlets and the nodes they power. See Interfaces for Managed Powerstrip Connections.
Special Note about Dominion PX
Regardless of which method you choose to configure a PX, you should configure all power associations using a single method, that is, as a powerstrip of the managed device or as a PX device, but not both.
Connecting the Dominion PX to a Computer
You must connect the Dominion PX to a computer to configure it, using a serial connection between the Dominion PX and the computer. If you plan to use this connection to log into the CLP command line interface, leave the cable connected after the configuration is complete. The computer must have a communications program such as HyperTerminal or PuTTY.
Item # | Description
1 | LAN Port
2 | Serial Port
3 | Network Port
2. Plug the other end of the null-modem cable with the DB9 connector into the serial port (COM) of the computer.
Connecting the Dominion PX to Your Network
To use the Web interface to administer the Dominion PX, you must connect the Dominion PX to your local area network (LAN).
1. Take a standard Category 5e UTP cable and connect one end to the LAN port on the front of the Dominion PX.
Bits per second = 9600
Data bits = 8
Stop bits = 1
Parity = None
Flow control = None
Note: The “Flow control” parameter must be set to “None” to ensure that the communications program will work correctly with the Dominion PX.
2. Point the communications program at the serial port connecting the Dominion PX, and open a terminal window.
3. Press the Enter key to display the opening configuration prompt.
4.
Note: The Dominion PX's IP address is automatically displayed in the system prompt. The default IP address is 192.168.0.192. The default IP configuration method is DHCP, and the default IP address will be replaced by the address assigned by DHCP or BOOTP, or the static IP address you entered, as soon as the configuration process is complete. To use the factory default IP address, type in none as the IP autoconfiguration command, and accept the default value.
8. By default, the LAN interface speed is set to Auto, which allows the system to select the optimum speed. To keep the default, press Enter. To set the speed to 10 or 100 Mbps, type the speed you want and press Enter. You are prompted to select the duplex mode for the LAN interface.
9. By default, the LAN interface duplex mode is set to Auto, which allows the system to pick the optimum mode.
If you want to terminate the configuration process, type c and press Enter. The configuration is cancelled and you are returned to the opening prompt.
11. If you entered y to confirm the configuration, a message appears when the configuration is complete. You will be returned to the opening prompt. You are now ready to begin using your Dominion PX.
3. Power ON the IP-Reach.
Set IP Reach IP Address:
1. After the system boots, IP-Reach displays the Setup Wizard on the Admin Console screen.
Note: During initial configuration, the IP-Reach Setup Wizard helps you quickly set up IP-Reach for the first time. The IP-Reach Setup Wizard appears only when accessing the Administrative Menus on a non-configured IP-Reach.
2. Press B on the Admin Console keyboard to begin configuring IP-Reach.
3. Based on your configuration, type the requested information.
Note: Do not obtain the IP-Address via DHCP. Obtain the IP-Address, the subnet mask, and default gateway from your network system administrator.
4. Press CTRL+S to save the settings.
5. On the Network Configuration Screen, assign a unique name (e.g. Server_Room) and IP Address parameters for IP-Reach.
6. The Main Menu appears.
Chapter 4 Install CC-SG
Basic installation of CC-SG comprises 3 steps:
1. Rack-mount the CC-SG unit.
2. Physically connect all cables. Each CC-SG model has a different setup. Follow the instructions for your CC-SG model number.
3. Set the CC-SG IP address.
Next Steps: When you have completed the installation, please refer to Raritan's CC-SG Administrators Guide for additional information on configuring your CC-SG. Use Guided Setup to easily set up your CC-SG environment.
In This Chapter
1.
2. Attach the 2 included AC power cords to the power ports on the rear panel of the CC-SG unit. Plug the other ends of the AC power cords into independent UPS protected outlets.
3. Connect a video monitor and keyboard using KVM cables to the corresponding ports on the rear panel of the CC-SG unit.
Physical Connections for CC-SG V1 Units
Numbers on the diagram below correspond to the step numbers in this procedure.
1.
Note: The CC-SG V1 hardware ships with Gigabit Ethernet NIC adaptors. As long as the NIC interfaces are using the default auto-negotiation setting, practically any cable can successfully be used between the interfaces and an Ethernet port. Depending on the cable, full 1000Mbps connectivity may not be possible, but minimally you should get 100Mbps.
Physical Connections for CC-SG G1 Units
Numbers on the diagram correspond to the step numbers in this procedure.
1.
Appendix A Installation Template
You can use the installation template to assist you in documenting your network configuration.
In This Chapter
  Blank Template
  Sample Template
Blank Template

User Groups
Name | Privileges | Policy name1 | Policy name2

Users
Name | Password | User Group

Device Groups
Name | Member#1 | Member#2 (Specify members by Category/Element)

Node Groups
Name | Member#1 | Member#2 (Specify members by Category/Element)

Policies
Name | Day | Time | Control/Deny | Device Group | Node Group
Sample Template

CommandCenter Secure Gateway
IP address | netmask | default gateway | admin name | admin password
(blank) | (blank) | (blank) | admin | raritan

Associations
Category Name | string/integer | node/device/both | Element | Element | Element
location | string | both | Datacenter 1 | Datacenter 2 | engineering
node_type | string | node | Microsoft | Unix | Network

IP Address Admin Name/ Password Category/ Element1 Category/ Element2 SX ccadmin/ rar123 location/ Datacenter 1 KX ccadmin/ rar123 loca
Ports
Name (system) | Device Name | Device Port #
MS_serv1 | Eng_KX1 | 1
Sun_Serv2 | Eng_KX1 | 2
Cisco_Rtr1 | DC1_SX1 | 1
DC2_Web1 | DC1_SX1 | 2

User Groups
Name | Privileges | Policy name1 | Policy name2
Sysadmin | all (default) | full access (default) | (blank)
Unixadmins | Node access only | unixadmin_pol | (blank)
Msadmins | Node access only | msadmin_pol | (blank)
Netadmins | Node access only | netadmin_pol | (blank)
Users
Name | Password | User Group
Henryh | rar123 | sysadmin
Georgeh | rar123 | sysadmin
Ricka | rar123 | msadmins
Danf | rar123 | unixadmins

Device Groups
Name | Member#1 | Member#2 (Specify members by Category/Element)

Node Groups
Name | Member#1 | Member#2 (Specify members by Category/Element)
unixport_grp | node_type=unix | (blank)
msport_grp | node_type=microsoft | (blank)
netport_grp | node_type=network | (blank)
Policies
Name | Day | Time | Control/Deny | Device Group | Node Group
unixadmin_pol | all | all | control | (blank) | unixport_grp
msadmin_pol | all | all | control | (blank) | msport_grp
netadmin_pol | all | all | control | (blank) | netport_grp
Appendix B Remote Power Management
In CC-SG, you can implement remote power management for nodes using supported Raritan powerstrips and Dominion series products. Check the Compatibility Matrix for supported powerstrips and devices. You can find the Compatibility Matrix on the Raritan web site under Firmware and Documentation in the CommandCenter Secure Gateway section. This section shows examples of configuring powerstrips that are connected to other Raritan devices.
Example: Remote Power Management Using SX, KX, and Powerstrip
The following diagram illustrates the physical connections for managing remote power control.
1. Connect the red RJ45 connector end of the CSCSPCS-10 cable to the RJ45 port on the powerstrip.
2. Connect the other end of the CSCSPCS-10 power control cable to any serial port on the Dominion SX.
3. Connect the node to a Dominion KX with standard CAT5 cable with a DCIM-PS2 attached.
Example: Remote Power Management for Multiple Power Connections
Many data center devices, network routers, switches, and servers are equipped with redundant power or multiple power supplies requiring several AC electrical connections. In the following scenario two separate power strips are provided for the node.
Appendix C CC-SG and Network Configuration
This appendix contains network requirements, including addresses, protocols, and ports, of a typical CC-SG deployment. It includes information about how to configure your network for both external access and internal security and routing policy enforcement. Details are provided for the benefit of a TCP/IP network administrator. The TCP/IP administrator's role and responsibilities may extend beyond that of a CC-SG administrator.
Port Number | Protocol | Purpose | Details
51000 | TCP | SX Target Access (Direct Mode) | AES128 encrypted if configured.

Possible exceptions to the required open ports:
Port 80 can be closed if all access to the CC-SG is via HTTPS addresses.
Ports 5000 and 51000 can be closed if CC-SG Proxy mode is used for any connections from the firewall(s).

CC-SG Communication Channels
Each communication channel is documented.
Communication Direction | Port Number | Protocol | Configurable? | Details
CC-SG to Raritan Device | 5000 | TCP | yes | RDM protocol RC4/AES128 encrypted
Raritan Device to CC-SG | 5001 | UDP | no |
CC-SG to Dominion PX | 623 | UDP | no | heartbeat

CC-SG Clustering
When the optional CC-SG clustering feature is used, the following ports must be available for the inter-connecting sub-networks. If the optional clustering feature is not used, none of these ports has to be open.
Access to Infrastructure Services
The CC-SG can be configured to use several industry-standard services like DHCP, DNS, and NTP. These ports and protocols are used to allow CC-SG to communicate with these optional servers.
PC Clients to Nodes
Another significant role of CC-SG is to connect PC clients to various nodes. These nodes can be serial or KVM console connections to Raritan devices (called Out-of-Band connections). Another mode is to use In-Band access methods such as VNC, RDP, or SSH. Another facet of PC client to node communication is whether:
• The PC client connects directly to the node either via a Raritan device or In-Band access. This is called Direct Mode.
Communication Direction | Port Number | Protocol | Configurable? | Details
CC-SG to DRAC | 80 or 443 | TCP | no | Vendor standard
CC-SG to RSA | 80 or 443 | TCP | no | Vendor standard

CC-SG and SNMP
Simple Network Management Protocol (SNMP) allows CC-SG to push SNMP traps (event notifications) to an existing SNMP manager on the network. CC-SG also supports SNMP GET/SET operations with third-party Enterprise Management Solutions such as HP OpenView.
CC-SG Internal Ports
CC-SG uses several ports for internal functions, and its local firewall function blocks access to these ports. However, some external scanners may detect these as “blocked” or “filtered.” External access to these ports is not required and can be further blocked.