By Rajeev on March 3, 2012 (1 comment, in Admin)
In some scenarios the DRAC has to be accessed through a firewall, and the network team will need the exact TCP/UDP ports to allow. The list below should help:
22 Secure Shell (SSH)
23 Telnet
80 HTTP
443 HTTPS
161 SNMP
3668 Virtual Media Server
5900 Console Redirection
5901 Console Redirection
from outside. In such cases, when you need to reach the DRAC console from outside, one solution is to tunnel your DRAC traffic over SSH.
For this to work you need to tunnel ports 443 (SSL) and 5900/5901 (VNC). This can be done with OpenSSH using a command like this:
ssh -L 443:dracip:443 -L 5900:dracip:5900 -L 5901:dracip:5901 -l user -N ssh_host
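As an added example (not from the original post), the following Python helper builds the same OpenSSH port-forward command for the three DRAC ports, binds each forward to 127.0.0.1 only, and shifts the privileged local port 443 to 10443 when not running as root (that offset is an assumption for this example). It also includes a small check that the local end of each forward is accepting connections; dracip, user and ssh_host are the placeholders from the post.

```python
import os
import shlex
import socket

# Ports the post forwards to the DRAC: HTTPS plus the two console-redirection ports.
DRAC_PORTS = (443, 5900, 5901)


def local_port_for(remote_port, privileged=False):
    """Pick the local listening port for a forward.

    Only root can bind ports below 1024, so an unprivileged user gets the
    port shifted by 10000 (443 -> 10443). The offset is an assumption made
    for this example, not something the post prescribes."""
    if remote_port < 1024 and not privileged:
        return 10000 + remote_port
    return remote_port


def build_ssh_command(drac_ip, user, ssh_host, privileged=None):
    """Build the argv for the tunnel described in the post.

    Each forward is bound to 127.0.0.1 explicitly so that other hosts on
    your LAN cannot ride the tunnel through to the DRAC."""
    if privileged is None:
        privileged = hasattr(os, "geteuid") and os.geteuid() == 0
    argv = ["ssh", "-N", "-l", user]
    for port in DRAC_PORTS:
        local = local_port_for(port, privileged)
        argv += ["-L", f"127.0.0.1:{local}:{drac_ip}:{port}"]
    argv.append(ssh_host)
    return argv


def forward_is_up(local_port, timeout=1.0):
    """True if something accepts connections on the local end of a forward."""
    try:
        with socket.create_connection(("127.0.0.1", local_port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    priv = hasattr(os, "geteuid") and os.geteuid() == 0
    cmd = build_ssh_command("dracip", "user", "ssh_host", priv)
    print(shlex.join(cmd))  # run this in another terminal, then re-run to check
    for port in DRAC_PORTS:
        print(port, "up" if forward_is_up(local_port_for(port, priv)) else "down")
```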
It's Friday, 4:59pm and you're itching to get home; that's when you get a call saying that
the server in the remote office is locked up. All the employees of the branch office have
left for the day and shut down all of their PCs. There's no way to get into that local
network and remote control the server or reboot it without fighting through rush hour
traffic, trying to remember the security code to the front door, and then playing the "see
which key fits" game on 3 sets of locked doors. This could be avoided if you had just
opened access to your DRAC to the IP ranges of your main office. Here's how:
First, identify which ports your version of the Dell Remote Access Controller uses. Here's a
short list:
DRAC 4
5900 TCP
3668 TCP
2068 TCP
8192 TCP
443 TCP (I recommend changing this from within the DRAC's UI)
DRAC 5
3668 TCP
3669 TCP
5900 TCP
5901 TCP
443 TCP (I recommend changing this from within the DRAC's UI)
iDRAC 6 & iDRAC 7
443 TCP (I recommend changing this from within the DRAC's UI)
5900 TCP
623 TCP
For this example I'm going to be using a SonicWall TZ 210 router, and we're going to be
setting up access to an iDRAC 6 whose IP address is 192.168.1.12.
I'm also going to be adding all of these services into a Service Group, so that I only
have to make 1 set of firewall and NAT rules instead of 3. If your firewall does not
support this, just make 3 (or 5) individual rules, one for each service.
The first thing I'm going to do is change the DRAC's internal web server to use port 4433
instead of port 443, because I'm already running services over port 443 for something
else, and more than likely you are too.
You change this by logging into the DRAC; under the Network/Security section there
will be a tab for Services. Change the HTTPS port number to 4433.
Next let's create the services on the SonicWall. Log into the SonicWall and, in the left hand
pane, expand Firewall and click Services. Click Add to create a new service and enter
a name; I typically use "DRAC Service 1" or something similar. Change the Protocol
to TCP and enter your port range: for the first service we'd enter 623 and 623 again in
the second box. See Figure 1.
Figure 1.
Once you've created all 3 services you can create a new Service Group. I called
mine "DRAC Services", and I add all 3 of the services that we just created to this group.
See Figure 2.
Figure 2.
Next we've got to create some address objects. Expand Network in the SonicWall's
left hand pane and click Address Objects. Click Add to create a new Address
Object. We're going to need to create two address objects: one for the DRAC, which will
be 192.168.1.12 and located on the LAN, and the other for our (your) main
office's public IP(s), which will be located on the WAN. Your Address Object for the
DRAC should look like Figure 3.
Figure 3.
Next we'll create our firewall rule. Expand Firewall in the SonicWall's left hand pane
and click on Access Rules. We're going to be creating a new rule from the WAN to the
LAN. When you create the rule it should look like Figure 4, only with slight changes to
the names of the Address Objects you created.
Figure 4.
Action: Allow
From Zone: WAN
To Zone: LAN
Service: DRAC Services (or whatever you named your service group)
Source: This will be whatever you named your Main Office's Public IP address Address
Object
Destination: WAN Primary IP (this is because you'll be accessing the DRAC from the
public IP of the remote office and not from its internal IP address)
We're almost done now; we just need to create our NAT rule, and then we'll be ready to
test.
Expand Network in the SonicWall's left hand pane and click on NAT Policies. Click
Add to create a new NAT rule. Your NAT rule should look similar to Figure 5.
Figure 5.
Original Source: This will be whatever you named your Main Office's Public IP address
Address Object
Translated Source: Original
Original Destination: WAN Primary IP (this is because you'll be accessing the DRAC
from the public IP of the remote office and not from its internal IP address)
Translated Destination: This will be whatever you named your DRAC's Address Object
Original Service: DRAC Services (or whatever you named your service group)
Translated Service: Original
Inbound Interface: Any
Outbound Interface: Any
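To make the access rule and NAT policy above concrete, here is an added Python model of them (example code, not SonicWall configuration or anything from the original post). It uses the post's DRAC address 192.168.1.12 and the iDRAC 6 service group with HTTPS moved to 4433; the main-office addresses and the branch WAN primary IP are constructed sample values. The point it demonstrates is that a connection is only translated to the DRAC when the source is in the main-office allow-list and the destination is the branch's WAN IP on one of the three grouped ports.

```python
import ipaddress
from dataclasses import dataclass

# From the post: the DRAC's LAN address and the HTTPS port moved to 4433.
DRAC_LAN_IP = "192.168.1.12"
# The "DRAC Services" group for iDRAC 6: HTTPS (moved to 4433), console, 623.
DRAC_SERVICES = {4433, 5900, 623}
# Constructed sample values standing in for the two address objects.
MAIN_OFFICE_IPS = ["203.0.113.10", "203.0.113.64/29"]   # source allow-list (WAN)
BRANCH_WAN_PRIMARY_IP = "198.51.100.5"                   # branch firewall's WAN IP


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def matches_access_rule(pkt):
    """WAN->LAN access rule: source must be in the main-office address object,
    destination the WAN primary IP, service in the DRAC group, TCP only."""
    src = ipaddress.ip_address(pkt.src)
    from_main_office = any(
        src in ipaddress.ip_network(net, strict=False) for net in MAIN_OFFICE_IPS
    )
    return (
        pkt.proto == "tcp"
        and from_main_office
        and pkt.dst == BRANCH_WAN_PRIMARY_IP
        and pkt.dport in DRAC_SERVICES
    )


def apply_nat_policy(pkt):
    """NAT policy from the post: translated destination is the DRAC, while
    source and service stay 'Original'. Returns the rewritten packet, or
    None when the access rule drops the connection."""
    if not matches_access_rule(pkt):
        return None
    return Packet(pkt.src, DRAC_LAN_IP, pkt.dport, pkt.proto)


if __name__ == "__main__":
    samples = (
        Packet("203.0.113.10", BRANCH_WAN_PRIMARY_IP, 4433),  # allowed, translated
        Packet("203.0.113.10", BRANCH_WAN_PRIMARY_IP, 443),   # dropped: HTTPS moved
        Packet("192.0.2.77", BRANCH_WAN_PRIMARY_IP, 5900),    # dropped: not main office
    )
    for p in samples:
        print(p, "->", apply_nat_policy(p))
```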
That's it! You should now be able to go to https://YourBranchOfficesPublicIP:4433
and log into your DRAC. Note: I've had some issues with the iDRAC6 ActiveX control
not working remotely; change it over to Java and it works fine. I'm not sure if this is an
issue with just my PC or with something within the ActiveX control. Let me know if the
ActiveX control works for you after you've followed these instructions.
==
The Dell Remote Access Card (DRAC) communicates via the following ports:
22 Secure Shell (SSH)
23 Telnet
80 HTTP
443 HTTPS
161 SNMP
3668 Virtual Media Server
5900 Console Redirection
5901 Console Redirection
If you have a firewall between you and the server, ensure that the above ports are opened.