Best practice for Integrated Lights-Out

Posted on 2012-08-24
Medium Priority
Last Modified: 2012-08-27
We are about to purchase an Integrated Lights-Out 3 (for a ProLiant DL380 G7 server) ADVANCED licence. The main purpose is to have external access to the remote console, in case there is a problem during the server bootup process.
It currently has a private internal address assigned but unless we connect via VPN, which relies on one of the virtual machines i.e. our firewall...
Would it be safe to simply create an access rule for Integrated Lights-Out with a very long and complex password since it would be directly exposed to the internet? The remote console would have access to Hyper-V and everything else, including our data.
Are there any other more secure ways of doing this, perhaps some sort of TMG publishing rule?
Question by:mark-199

Accepted Solution

andyalder earned 1000 total points
ID: 38331377
>unless we connect via VPN, which relies on one of the virtual machines...

Can't you set up VPN access via your router/firewall from outside instead of terminating the endpoint on a virtual machine that's currently shut down? I know there are some very cheap ADSL routers that can't terminate VPN connections but surely it would be cheaper to buy one that can for $150 rather than spend hours obfuscating the iLO settings?

Assisted Solution

by:Gabriel Orozco
Gabriel Orozco earned 1000 total points
ID: 38334812
iLO handles SSL.
If you set up a good enough password + SSL it should be OK.

Still, I believe you need to have iLO on its own network, independent from the production network, so you can always get in to see what happened.

For that, I would back what andyalder said. Implement a second access with at least an SSL VPN, avoid using the same switch as in production and the same power contact/supply, and you will have a reasonable configuration.

Author Closing Comment

ID: 38336169
Thank you both for your advice. As it happens we have an independent test environment with SSL VPN access that runs on a separate line in its own environment. I can connect the iLO to a private address on our test environment and then access it via SSL VPN.
