Using a Reverse SSH Connection for Out-of-Band Access

Challenge:

To simplify troubleshooting at a remote network equipment installation, support personnel need access to the remote devices via both Ethernet and console port. If normal network communication with the site is down, technicians also need a secondary, out-of-band path to the site so that they can remedy network outages without travelling to the site in person.

Solution:

A DSM Series Console Server is installed at the remote site and connected to the site’s secure LAN and to a phone line. To provide remote access to console port command functions on devices at the site, the DSM is also connected to the console ports of the site’s critical devices. When WAN access to the site is up, remote personnel establish an Ethernet connection to the DSM and then use the DSM’s SSH Hosting capability to reach each device at the site over the network via Reverse SSH. Remote personnel can also access console port command functions on any device at the site that is connected to a DSM serial port.

If outside network access to the secure LAN at the site is down, remote support personnel can dial into the DSM over the phone line and then access each device via Ethernet or console as described above. When outside network access is disrupted by a malfunctioning router or switch at the remote site, support personnel can correct the problem and restore outside network access without travelling to the site to deal with the problem in person.

Where additional out-of-band communication options are required, a DSM-E Series GigE Console Server can be used in place of a standard DSM Console Server. Because DSM-E Series Console Servers include dual 10/100/1000Base-T Ethernet ports, technicians and support personnel can reach the site via both the primary/production network and a secondary/maintenance network, or, if desired, via the primary network plus a 3G/4G/LTE cellular broadband or satellite modem.

Results:

This provides several options for communicating with the remote site. Support personnel can connect to the DSM Console Server via either Ethernet or dial-up and, once connected, can reach network elements at the site via either Reverse SSH or console port. The DSM’s SSH Hosting functionality allows direct network communication with more devices than the number of serial ports on the DSM console server would otherwise permit.

If desired, remote administrators can also use the DSM Console Server’s Reverse SSH capabilities to establish an encrypted tunnel, initiated outbound from the site, that bypasses the site’s inbound firewall rules, essentially creating a secure VPN for communicating with routers, switches and other network elements.
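The outbound reverse tunnel described above, as an added example that is not WTI's code and does not reflect the DSM's own configuration: a script that a site-side device could run to hold a reverse SSH tunnel open to a NOC jump host, together with the restricted authorized_keys entry the NOC side should use so the tunnel key can do nothing but open that one listener. Host names, account, ports and key path are assumptions.

```shell
#!/bin/sh
# Added example, not the DSM's code. Holds a reverse SSH tunnel from a site
# device out to a NOC jump host; the NOC then reaches the site's SSH service
# through 127.0.0.1:2222 on the jump host, with no inbound rule at the site.
set -eu

NOC_HOST="noc-jump.example.net"   # assumed NOC-side jump host
NOC_USER="oob-tunnel"             # assumed unprivileged tunnel-only account
NOC_LISTEN_PORT=2222              # listener opened on the jump host's loopback
LOCAL_SSH_PORT=22                 # SSH service on the site device itself
KEY_FILE="/etc/oob/tunnel_key"    # assumed dedicated key, used for nothing else

# Full ssh command line. -N opens no shell; the -R listener is bound to
# 127.0.0.1 on the jump host so only users logged in there can reach it;
# ExitOnForwardFailure turns a failed bind into an exit instead of a silent,
# useless session; keepalives detect a dead link so the loop can reconnect.
tunnel_cmd() {
  printf 'ssh -N -i %s -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -o StrictHostKeyChecking=yes -R 127.0.0.1:%s:127.0.0.1:%s %s@%s' \
    "$KEY_FILE" "$NOC_LISTEN_PORT" "$LOCAL_SSH_PORT" "$NOC_USER" "$NOC_HOST"
}

# authorized_keys line for the NOC side. 'restrict' disables pty, agent and
# X11 forwarding and command execution; port-forwarding is re-enabled but
# permitlisten confines it to the one loopback listener, so a stolen key
# cannot be turned into a general-purpose foothold on the jump host.
# $1 is the public key material ("ssh-ed25519 AAAA...").
authorized_key_line() {
  printf 'restrict,port-forwarding,permitlisten="127.0.0.1:%s" %s' \
    "$NOC_LISTEN_PORT" "$1"
}

# Keep the tunnel up: reconnect with exponential backoff (capped at 5 min)
# when the link drops, and reset the delay after a session that ran cleanly.
run_tunnel() {
  delay=5
  while :; do
    if eval "$(tunnel_cmd)"; then delay=5; fi
    sleep "$delay"
    if [ "$delay" -lt 300 ]; then delay=$((delay * 2)); fi
  done
}

# Only start the loop when invoked with "start"; sourcing the file just
# defines the functions.
if [ "${1:-}" = "start" ]; then run_tunnel; fi
```

On the jump host, pair the restricted key with a tunnel-only account (no shell, `PermitTunnel no`) and watch for listener binds from unexpected source addresses in the sshd log.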

To keep track of noteworthy conditions and events at the remote site, the DSM Console Server’s monitoring and alarm functions can be used to detect unresponsive devices, high rack temperatures, power supply irregularities and other potential signs of trouble. When rack temperature, ping response or another monitored condition exceeds its user-defined trigger level, the DSM can send immediate notification via email, text message or SNMP trap, allowing a prompt response to minor problems before they grow into major emergencies. When suspect conditions are detected at the site, the DSM can also create a log that records the details of each event plus all user activity at the site.

A console server that supports reverse, outbound SSH connections can provide technical support personnel with a secure, versatile tool for communicating with devices at remote sites that would otherwise be inaccessible. In addition to providing access to console port command functions like other console servers, a console server with SSH Hosting capabilities also allows technicians to communicate with remote devices on secure LANs via network when outside network access is down or impractical.

In addition to reaching devices at remote sites via both Ethernet and console port, technicians can communicate with the site itself via both dial-up and network connection. Working together, these features simplify communication with individual devices at the site for routine maintenance and also enable NOC personnel to deal with network outages and other problems at network equipment installations without the hassle and expense of physical service calls or truck rolls.

For more information or a free, live demo, please contact WTI.