The Lights Out Management feature allows you to remotely manage the power state and serial console to Safeguard for Privileged Passwords using the baseboard management controller (BMC). When a LAN interface is configured, this allows the Appliance Administrator to power on an appliance remotely or to interact with the Recovery Kiosk.
It is the responsibility of the Appliance Administrator to enable and configure the Lights Out Management feature. When Lights Out Management is enabled, the Appliance Administrator can set or change the password and modify the network information for the baseboard management controller (BMC). When disabled, Safeguard for Privileged Passwords immediately resets the password to a random value and resets the network settings to default values.
IMPORTANT: This feature requires a LAN interface to be enabled and configured. One Identity Safeguard for Privileged Passwords' BMC supports the following LAN interfaces to provide this functionality:
- SSH
- IPMI v2
- Web
- Serial over LAN
It is strongly recommended that the LAN interface only be enabled in trusted environments.
To enable Lights Out Management
- Access Lights Out Management in one of two ways:
- Click the Enable Lights Out Management toggle to enable or disable this feature: set the toggle on or off.
- Once enabled, enter the following information about the BMC:
  - IP address: The IPv4 address of the host machine.
  - Netmask: The network mask IPv4 address.
  - Default Gateway: The default gateway IPv4 address.
- Click the Set BMC Admin Password button to set the password for the host machine.
  Maximum password length: 20 characters.
  NOTE: If this feature was previously enabled, you will see an Update BMC Admin Password button instead. Optionally, click the Update BMC Admin Password button to reset the password for the host machine.
- Click OK to save the settings on the host machine.
NOTE: Once Lights Out Management is enabled in Safeguard for Privileged Passwords, you can access the BMC via a web interface or by using SSH to connect to the IPMI port to remotely manage the power state and serial console to Safeguard for Privileged Passwords. The default user for accessing the BMC is ADMIN.
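A pre-flight check for the BMC values entered in the procedure above, so that a mistyped netmask or gateway does not leave the out-of-band interface unreachable or exposed outside a trusted network. This is an added example, not part of the product or its documentation; the `TRUSTED_MGMT_NETS` allow-list, the function name, the non-empty password rule and all sample addresses are assumptions constructed for illustration.

```python
import ipaddress

# Assumption: subnets treated as trusted for out-of-band management.
# Constructed sample value, not taken from the product documentation.
TRUSTED_MGMT_NETS = [ipaddress.ip_network("10.20.30.0/24")]
BMC_PASSWORD_MAX = 20  # maximum BMC admin password length stated on this page


def check_bmc_settings(ip, netmask, gateway, password, trusted=TRUSTED_MGMT_NETS):
    """Return a list of problems; an empty list means the values are consistent."""
    try:
        addr = ipaddress.IPv4Address(ip)
        gw = ipaddress.IPv4Address(gateway)
        # Raises ValueError for non-contiguous masks such as 255.0.255.0.
        net = ipaddress.IPv4Network(f"{ip}/{netmask}", strict=False)
    except ValueError as exc:
        return [f"invalid IPv4 value: {exc}"]

    problems = []
    if net.prefixlen < 31 and addr in (net.network_address, net.broadcast_address):
        problems.append("IP address is the network or broadcast address")
    if gw not in net:
        problems.append(f"gateway {gw} is outside the BMC subnet {net}")
    elif gw == addr:
        problems.append("gateway equals the BMC address")
    if not any(addr in t for t in trusted):
        problems.append(f"{addr} is not in a trusted management subnet")
    # Non-empty is an assumption; the page only states the 20-character maximum.
    if not 1 <= len(password) <= BMC_PASSWORD_MAX:
        problems.append(f"password must be 1-{BMC_PASSWORD_MAX} characters")
    return problems


if __name__ == "__main__":
    # Constructed sample entries: (IP address, Netmask, Default Gateway, password)
    samples = [
        ("10.20.30.40", "255.255.255.0", "10.20.30.1", "S" * 20),
        ("10.20.30.40", "255.255.255.0", "10.20.31.1", "S" * 21),
        ("192.168.1.10", "255.255.255.0", "192.168.1.1", "S" * 12),
        ("10.20.30.40", "255.0.255.0", "10.20.30.1", "S" * 12),
    ]
    for s in samples:
        print(s[:3], "->", check_bmc_settings(*s) or "ok")
```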
On Networking, view and configure the primary network interface, and if applicable, a proxy server to relay web traffic, and the sessions network interface.
It is the responsibility of the Appliance Administrator to ensure the network interfaces are configured correctly.
CAUTION: For Azure, the network settings user interfaces are read-only. Network settings are configured by the Azure Administrator. Changing the internal network address on a clustered appliance will break the cluster and require the appliance to be unjoined/rejoined.
(web client) To modify the networking configuration settings
- Click Settings on the left. The Settings: Appliance page displays.
- Click Networking to configure the appliance.
- Continue to the Network settings
(desktop client) To modify the networking configuration settings
- Navigate to Administrative Tools | Settings | Appliance | Networking.
- Click the Edit icon next to the Network Interface or Proxy Server heading to edit or configure the network properties.
- Network settings
Network settings
Complete the network settings.
Network Interface X0 (primary interface)
Table 110: Network Interface X0 properties

| Property | Description |
|---|---|
| MAC Address | The media access control address (MAC address), a unique identifier assigned to the network interface for communications |
| IP Address | The IPv4 address of the network interface |
| Netmask | The IPv4 network mask |
| Default Gateway | The IPv4 default gateway |
| IPv6 Address | The IPv6 address of the network interface |
| IPv6 Prefix Length | The IPv6 subnet prefix length |
| IPv6 Gateway | The IPv6 default gateway |
| DNS Servers | The IP address for the primary DNS servers |
| DNS Suffixes | The network suffixes for the DNS servers. NOTE: You can modify the network suffixes for the DNS servers by clicking the Edit icon next to the Network Interface X0 heading. |
Proxy Server X0
The Proxy Server X0 settings must be configured if your company policies do not allow devices to connect directly to the web. Once configured, Safeguard for Privileged Passwords uses the configured proxy server for outbound web requests to external integrated services, such as Starling.
NOTE: Only HTTP web proxy is supported.
Table 111: Proxy Server X0 properties

| Property | Description |
|---|---|
| Proxy URI | The IP address or DNS name of the proxy server. |
| Port | The port number used by the proxy server to listen for HTTP requests. Value: Integer from 1 to 65535. NOTE: If different ports are specified in the proxy URI and the Port field, the Port field takes precedence. |
| Username | The user name used to connect to the proxy server. NOTE: The username and password are only required if your proxy server requires them to be specified. |
| Password | The password required to connect to the proxy server. NOTE: The username and password are only required if your proxy server requires them to be specified. |
Network Interface X1 (embedded sessions interface)
NOTE: If one or more Safeguard Sessions Appliances are joined to Safeguard for Privileged Passwords, X1 is not available in Safeguard for Privileged Passwords.
Table 112: Network Interface X1 properties

| Property | Description |
|---|---|
| MAC Address | The MAC address, a unique identifier assigned to the session interface for communications |
| IP Address | The IPv4 address of the session interface |
| Netmask | The IPv4 network mask |
| Default Gateway | The IPv4 default gateway |
| IPv6 Address | The IPv6 address of the session interface |
| IPv6 Prefix Length | The IPv6 subnet prefix length |
| IPv6 Gateway | The IPv6 default gateway |
| DNS Servers | The IP address for the primary DNS servers |
| DNS Suffixes | The network suffixes for the DNS servers |
It is the responsibility of the Appliance Administrator to ensure the operating system is configured. Operating system licensing is automatic in the Azure deployment.
Use the Operating System Licensing pane to view and configure the operating system of a virtual appliance.
- Navigate to Administrative Tools | Settings | Appliance | Operating System Licensing. Click Refresh anytime to refresh the settings.
- The display shows if Windows is licensed with KMS or licensed with a product key. Click Details to see additional information.
- Click Edit to change the operating system license and select one of the following options.
  - License automatically with KMS: If you select this option, Safeguard will use DNS to locate the KMS server automatically.
  - Specify a KMS server: If KMS is not registered with DNS, enter the network IP address of your KMS server.
  - Specify a license key: If selected, your appliance will need to be connected to the internet for the necessary verification to add your organization's Microsoft activation key.
- Click OK.
To analyze and diagnose issues, One Identity Support may ask the Appliance Administrator or Operations Administrator to send a support bundle containing system and configuration information.
To create a support bundle
- Navigate to Administrative Tools | Settings | Appliance | Support Bundle.
  NOTE: Select the Include Session Log check box if you want to include the Sessions debug log in the support bundle. This check box is only available if you are using the hardware SPP Appliance and are licensed for and are using the embedded sessions module.
- Click Generate Support Bundle.
- Browse to select a location to save the support bundle .zip file and click Save.
- Send the support bundle to One Identity Support. For more information, see About us.