
IPMI Proxy

Posted by dukemaster, 01-31-2017, 01:37 AM
A number of providers have set up some kind of proxy system that lets you launch into the Supermicro IPMI Java KVM interface directly from their control panel. This allows me to access the IPMI without having to set up another VPN, while still protecting the IPMI from being exposed directly to the internet. Providers where I have seen this: OVH, Choopa, SwiftWay and Constant.com (reselling Choopa).

You basically log in to the provider's billing/control system, click a link and get sent the Java Web Start .jnlp file that connects you to the KVM. I assume it is basically connecting to the IPMI and doing the login process for you to get the session, then passing the file along to you with the IP address rewritten, allowing your IP through some kind of ACL, and creating the mapping for the various ports. But now that I have seen it in a few places, I wonder if there is a standardized solution for this. Does anyone know how this works?

I have seen other providers like LeaseWeb and SnelServers using IPMI to provide the basic functionality, like reset/power control and getting sensor data like temperatures, but this is not that.

Posted by Adam-AEC, 02-06-2017, 01:36 AM
I'd say you basically just explained it, in pseudo-functionality. A process on the webserver/gateway is kicked off to visit the Supermicro IPMI web interface and log in with credentials, which then visits the appropriate page to start the console. The JNLP is downloaded by the process. The JNLP is just XML, with only a few key pieces we care about: the IP address and the port. Extract and preserve the original values, put in the new values of our gateway and a port we can use on the gateway host. Once the JNLP file is modified, we would:

1. Set up a DNAT which forwards traffic on our new port to the IP address and port of the IPMI interface.
2. Send the JNLP file down the wire to the browser, allowing the user to start the connection.

Of course, there are a few more pieces to this puzzle. We likely want to firewall traffic to the exposed port to only the client which requested the console access. You'll want to handle cleanups so the DNAT isn't left persisted longer than necessary. You'll need some sort of port registry to know which ports in a port range are in use or are available.
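The gateway-side half of what Adam-AEC describes (rewrite the JNLP, allocate a port from a range, DNAT it to the BMC, restrict it to the requesting client, tear it down when the lease expires), as an added example in Python. This is not code from the thread or from any provider's control panel. The sample JNLP, the argument order (BMC IP, KVM port, IPMI port, session token), the port numbers and the iptables chain layout are all assumptions made for the example; a real vendor file will differ and the process that logs in to the BMC and fetches the JNLP is left out.

```python
"""Gateway-side bookkeeping for a KVM console proxy (added example).

Constructed for this thread; the sample JNLP, the port numbers and the
iptables layout are assumptions, not any vendor's file or any provider's
actual implementation.
"""
import time
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit

# Constructed sample: a JNLP as a BMC might hand it out after login.  The
# argument order (BMC IP, KVM port, IPMI port, session token) is assumed.
SAMPLE_JNLP = """<?xml version="1.0" encoding="UTF-8"?>
<jnlp spec="1.0+" codebase="https://10.0.0.42:443/">
  <information><title>KVM Console</title><vendor>Example BMC</vendor></information>
  <resources><jar href="iKVM.jar" main="true"/></resources>
  <application-desc main-class="example.KVM">
    <argument>10.0.0.42</argument>
    <argument>5900</argument>
    <argument>623</argument>
    <argument>SESSIONTOKEN</argument>
  </application-desc>
</jnlp>
"""


@dataclass
class Lease:
    client_ip: str          # the only source allowed through the DNAT
    bmc_ip: str
    port_map: dict          # gateway port -> BMC port
    expires_at: float


class PortRegistry:
    """Hands out gateway ports from a fixed range and tracks who holds them."""

    def __init__(self, first, last, ttl=900):
        self._free = list(range(first, last + 1))
        self._ttl = ttl
        self.leases = {}    # (client_ip, bmc_ip) -> Lease

    def allocate(self, client_ip, bmc_ip, bmc_ports, now=None):
        now = time.time() if now is None else now
        if len(self._free) < len(bmc_ports):
            raise RuntimeError("no free gateway ports")
        port_map = {self._free.pop(0): p for p in bmc_ports}
        lease = Lease(client_ip, bmc_ip, port_map, now + self._ttl)
        self.leases[(client_ip, bmc_ip)] = lease
        return lease

    def release(self, lease):
        self._free.extend(sorted(lease.port_map))
        self.leases.pop((lease.client_ip, lease.bmc_ip), None)

    def reap(self, now=None):
        """Return (and release) leases whose TTL has passed; the caller then
        removes their firewall rules with nat_rules(..., action="-D")."""
        now = time.time() if now is None else now
        expired = [l for l in self.leases.values() if l.expires_at <= now]
        for lease in expired:
            self.release(lease)
        return expired


def rewrite_jnlp(jnlp_text, gateway_ip, lease):
    """Point every BMC address/port in the JNLP at the gateway instead."""
    root = ET.fromstring(jnlp_text)
    bmc_to_gw = {str(b): str(g) for g, b in lease.port_map.items()}

    # The codebase is where Java Web Start fetches the JARs from, so the
    # BMC's HTTPS port has to be mapped as well, not just the KVM port.
    url = urlsplit(root.get("codebase"))
    if url.hostname != lease.bmc_ip:
        raise ValueError("codebase host does not match the BMC")
    port = url.port or (443 if url.scheme == "https" else 80)
    if str(port) not in bmc_to_gw:
        raise ValueError(f"codebase port {port} has no gateway mapping")
    netloc = f"{gateway_ip}:{bmc_to_gw[str(port)]}"
    root.set("codebase", urlunsplit(url._replace(netloc=netloc)))

    for arg in root.iter("argument"):
        text = (arg.text or "").strip()
        if text == lease.bmc_ip:
            arg.text = gateway_ip
        elif text in bmc_to_gw:
            arg.text = bmc_to_gw[text]
    return ET.tostring(root, encoding="unicode")


def nat_rules(gateway_ip, lease, action="-A"):
    """iptables lines for one lease; action="-D" produces the teardown.
    Assumes FORWARD has a DROP policy plus a base ESTABLISHED,RELATED rule."""
    rules = []
    for gw_port, bmc_port in sorted(lease.port_map.items()):
        rules.append(
            f"iptables -t nat {action} PREROUTING -p tcp -s {lease.client_ip} "
            f"-d {gateway_ip} --dport {gw_port} -j DNAT "
            f"--to-destination {lease.bmc_ip}:{bmc_port}")
        rules.append(
            f"iptables {action} FORWARD -p tcp -s {lease.client_ip} "
            f"-d {lease.bmc_ip} --dport {bmc_port} "
            f"-m conntrack --ctstate NEW -j ACCEPT")
    return rules
```

Two things worth keeping in mind if you build on this: the BMC needs a route back to the client through the gateway (or a POSTROUTING SNAT rule on the gateway), and the JNLP the client receives carries a live BMC session token, so a short lease TTL and prompt rule teardown matter as much as the source-IP ACL.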

Posted by NortheBridge, 02-06-2017, 06:48 AM
You've pretty much described it; it's a pseudo-function that's good for those that don't need full IPMI web interface access. As far as I have seen, anyone who has instituted such a system only gets you access to the Java KVM console. Sometimes you need more than that; we prefer to have access to the full iLO/iDRAC/IPMI toolset rather than just the console, because sometimes the Java KVM can't do things that you can do with the full IPMI toolset. In the case of iLO, the .NET runtime works far better than Java. With Supermicro, mounting NFS ISOs works better through the IPMI toolset than through the Java KVM, which works for mounting a local disk over VPN if you can hold the boot process to mount the disk without an NFS share. Sometimes the Java KVM won't mount a disk at all, whether NFS or not, whereas in the full IPMI toolset there's no issue. The way SoftLayer and LeaseWeb do it is far more preferable to the way OVH (et al.) do it. Until the others can devise the proxy system to provide access to the full BMC, their OOB is handicapped in comparison.

Posted by madRoosterTony, 02-06-2017, 12:08 PM
The introduction of Supermicro's HTML5 KVM should make this all a bit more interesting as it starts to hit more and more motherboards. We still prefer to require VPN access currently as it provides better security, but have been following the proxy idea being used by many for a while and waiting for someone to come up with a way for it to be as secure as pure VPN.


