Wednesday, March 14, 2012

Serial Over LAN

http://www.opengear.com/SP-IPMI_SOL.html 



This article explores the core elements of Serial over LAN applications and how they work with Opengear console servers.

Opengear offers a variety of connectivity methods to access Serial Over LAN securely from a remote location. Our solutions provide an aggregate IPMI gateway to remote sites, branch offices, co-location facilities and data centers both in-band and out-of-band. The unique blend of security filters offered in our software and hardware platforms gives administrators enhanced IPMI abilities including SOL. Best of all, our solutions are low cost - starting at just a few hundred dollars. 

We make managing servers using SOL easier and more secure from anywhere in the world. To deploy SOL at the remote site we offer our small form factor ACM5000 and IM4004-5 products. For the larger branch office site, colocation facility, or data center we offer our IMG4216-25 and IM42000 line of products. Contact our sales team today for assistance in finding which product best fits your remote management application.

One of the powerful tools in IPMI is Serial Over LAN (SOL), which provides serial line access over the management LAN. The baseboard management controller (BMC) microcontroller embedded on the server motherboard does this by redirecting information destined for the serial port over to the LAN. With SOL console redirection, system administrators can remotely view the text-based console on their remote servers from anywhere and perform any task that doesn't require a GUI:
  • access the Linux serial console to install or reconfigure the OS or run utilities
  • remotely access Emergency Management Services (EMS) or the Special Administration Console (SAC) for Windows, to remotely view the boot, operating system loader or emergency management consoles
  • receive alerts sent out by IPMI over the SOL connection, then use IPMI messaging to query platform status or review hardware logs (through the same SOL connection)
  • view valuable POST and boot messages and remotely reconfigure the BIOS (when redirected to serial)

[Image: Dell IPMI SOL]

So the SOL out-of-band remote console can be used from any location to diagnose and repair problems, eliminating expensive out-of-hours trips to the datacenter. 

Transporting serial data over IP networks using telnet, serial over IP, SOL and the like is the way forward for server serial communications. Just as the KVM functions in embedded service processors are displacing the need for external KVM/KVMoIP appliances, so the SOL capability of BMCs and console redirection in service processors is reducing the need for serial console servers for server console management. 

SOL tools

If you are fortunate enough to have a service processor in your server, such as an iLO, DRAC or RSA, then it is easy to remotely connect to your server's serial COM port console - without using IPMI SOL. The iLO for example does this with an onboard UART together with special mirroring and communication firmware in the management processor. Once you telnet, SSL or SSH connect to the iLO card and run REMCONS to connect to COM1/2, you have uninterrupted access to the text console whether the system is booting, launching an OS, has the OS up, or has crashed. 

However many servers do not have service processors installed. They invariably will have a BMC, as they are becoming a default feature of rack mount servers, and as such they will have IPMI access to this BMC and a SOL connection. 

SOL is based on RMCP, a request-response protocol delivered in UDP datagrams to port 623, and it needs a special utility to extract the serial text. Fortunately there are a number of such utilities available:
  • The main server vendors have their own tools, such as SOLProxy from Dell and SMBridge from IBM, and there are various third-party applications such as PowerCockpit from Mountain View Data
  • Another popular solution is open source offerings like ipmitool, which provides full support for IPMI v1.5 and IPMI v2.0. While ipmitool is only for Unix-like operating systems, Windows clients can run it using Cygwin
SOL provides an excellent tool for basic local management console communications. It uses a simple protocol that can access and control local server processors in distressed circumstances. However SOL talks through the BMC, which is a simple microcontroller, and the protocol it uses does not have the security required for remote communications. Also SOL uses UDP, so remote access is not simply supported using the standard secure administration tools like SSH. 

Remote access using SOL 

IPMI SOL uses UDP port 623. This is not a TCP port, and while firewalls can be configured so SOL can be routed locally, you cannot normally send UDP over secure TCP services such as SSH, SSL or PPTP. However it is imperative that remote administrators have secure access to the important serial console messages that are being redirected over SOL, so there are a number of methods to achieve this:
  • One approach is to have all the BMC Ethernet ports connected to the management LAN or VLAN, and then have a VPN or private network extension to that management network that supports UDP transport. This is an excellent means of secure remote SOL communications for the larger data center, but can be expensive and prohibitively complex for smaller branch office networks
  • A simpler approach is to have a dedicated management appliance on the secure management LAN at each remote branch site, and then run a SOL proxy in that appliance. At the simplest level, the appliance would run ipmitool to capture the SOL serial data stream. This data stream could be interpreted (e.g. for power control/status and alerting). Opengear takes this SOL proxy approach in the IM4200 products. The text data stream from the SOL proxy could also be presented to remote administrators (e.g. by enabling remote users to HTTPS to the appliance and view the SOL text in a Java telnet applet). The disadvantage of this approach is that native management tools provided by the server vendor (such as Dell's OpenManage) may be expecting to receive SOL information at their remote client end
  • A third approach is to convert the SOL UDP communication into a TCP form so it can be securely routed to the remote user. Opengear does this with SDTConnector to securely tunnel SOL UDP through SSH. SDTConnector delivers a point-and-click connection between remote administrators and the CM/IM4000 devices. The administrator can run the likes of SOLProxy or SMBridge at their remote site and securely connect through the SSH tunnel to the managed server. You get all the benefits of using IBM's Director or Dell's OpenManage native management tools to access and react to the SOL information.
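The first approach above only works if the BMCs really are unreachable from outside the management LAN. The following is an added example (not Opengear's or any vendor's code) that builds the RMCP/ASF presence ping, the request-response datagram exchange on UDP 623 that the page describes SOL riding on, and parses the pong a BMC answers with; run from an untrusted segment, no answer is the result you want. The sample pong bytes are constructed for the test, and the host name used in the usage comment is a placeholder.

```python
"""Build/parse RMCP ASF presence ping and pong (UDP/623), to verify a BMC is not exposed."""
import socket
import struct
from typing import Optional

RMCP_PORT = 623
ASF_IANA = 0x000011BE          # IANA enterprise number for ASF
ASF_PRESENCE_PING = 0x80
ASF_PRESENCE_PONG = 0x40


def build_presence_ping(tag: int = 0x01) -> bytes:
    """RMCP header (version 6, seq 0xFF = no ACK, class 6 = ASF) + 8-byte ASF ping."""
    rmcp_header = bytes([0x06, 0x00, 0xFF, 0x06])
    asf_body = struct.pack(">IBBBB", ASF_IANA, ASF_PRESENCE_PING, tag, 0x00, 0x00)
    return rmcp_header + asf_body


def parse_presence_pong(pkt: bytes) -> dict:
    """Return tag, whether IPMI is supported and the ASF version, or raise ValueError."""
    if len(pkt) < 28:                       # 4 RMCP + 8 ASF header + 16 pong data
        raise ValueError("too short for an ASF presence pong")
    version, _, _, cls = pkt[0:4]
    if version != 0x06 or cls != 0x06:
        raise ValueError("not an RMCP/ASF packet")
    iana, mtype, tag, _, dlen = struct.unpack(">IBBBB", pkt[4:12])
    if iana != ASF_IANA or mtype != ASF_PRESENCE_PONG or dlen != 16:
        raise ValueError("not a presence pong")
    oem_iana, _, entities, _ = struct.unpack(">IIBB", pkt[12:22])
    return {
        "tag": tag,
        "ipmi_supported": bool(entities & 0x80),   # bit 7 of supported entities
        "asf_version": entities & 0x0F,            # low nibble of supported entities
        "oem_iana": oem_iana,
    }


def probe(host: str, timeout: float = 2.0) -> Optional[dict]:
    """Send one ping; None (no reply) is the expected result from outside the mgmt LAN."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_presence_ping(), (host, RMCP_PORT))
        try:
            data, _ = s.recvfrom(1024)
        except socket.timeout:
            return None
    return parse_presence_pong(data)


# Constructed sample pong: IPMI supported, ASF v1, no OEM data (for offline testing).
SAMPLE_PONG = bytes.fromhex("0600ff06" "000011be40010010" "000011be00000000" "81" "00" "000000000000")

if __name__ == "__main__":
    print(probe("bmc.example.invalid"))   # placeholder host; None means not reachable
```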
