topic Remote console, SSL certificates, and port 80 in ProLiant Servers (ML,DL,SL)

Remote console, SSL certificates, and port 80

Richardw-au — Thu, 13 Aug 2015 05:46:56 GMT

Hi All

Hopefully there’s somebody out there than can help with this issue.

I have a StoreEasy 1450 with ILO4 out on a customer site. The customer has configured a port forward from 4433 to 443 so I can get access to the ILO interface.

I can log in to ILO but when I try and launch the remote console nothing happens.

After a bit of Googling I believe it may be trying to redirect through port 80 due to an untrusted certificate.

http://h20565.www2.hpe.com/hpsc/doc/public/display?sp4ts.oid=5195931&docId=mmr_kc-0106591&lang=en-us&cc=us&docLocale=en_US

However the above article states that Java RC would work, but for me it does not.

The site is added to trusted sites in IE, and I have tried with protected mode off.

IE, Chrome and Firefox all the same, nothing happens and no clue why.

So I have installed a Digicert certificate which is trusted by the browser, but maybe not by the web server in ILO, not 100% sure about that.

Still no joy.

Ports 443 and 80 are in use so there is no option to use them.

I’m pretty sure it’s not a client side issue.

ILO Firmware is 2.10

The digicert SSL certificate was sent with a certificate for an intermediate trusted CA, but it looks like only one SSL certificate can be installed in ILO.

I believe this must be a very common usage scenario given most small businesses only have one public IP address, and would be hosting a website on port 80

Any succinct thoughts and suggestions gratefully received.

Re: Remote console, SSL certificates, and port 80

Jimmy Vance — Thu, 13 Aug 2015 09:49:27 GMT

The document you mention could be part of an issue you're seeing. As a test, you could download the stand alone IRC application that doesn't require it to be downloaded from the iLO. Is there also a port forward setup for 17990? iLO uses port 17990 for remote console.

HP Lights-Out Stand Alone Remote Console for Windows

http://h20566.www2.hpe.com/hpsc/swd/public/detail?sp4ts.oid=5264039&swItemId=MTX_4f842ceb31cf48d392e22705a8&swEnvOid=4060#tab-history

I've seen others recommend as a best practice to use a VPN to access the remote network instead of poking a bunch of holes in a firewall/router.

Default iLO port values

Secure Shell (SSH) Port - 22
Remote Console Port - 17990
Web Server Non-SSL Port (HTTP) - 80
Web Server SSL Port (HTTPS) - 443
Virtual Media Port - 17988
SNMP Port - 161
SNMP Trap Port - 162

Re: Remote console, SSL certificates, and port 80

Richardw-au — Tue, 18 Aug 2015 01:14:16 GMT

Hi Jimmy

Thanks for your suggestion.

i now have a port forward on the external IP on port 17990 to the ILO NIC. But the remote console still doesnt launch, nor does the standalone remote console connect.

i can telnet to port 17990.

From standalone remote console i get this :

Received an unexpected EOF or 0 bytes from the transport stream

Any ideas what that means?

Re: Remote console, SSL certificates, and port 80

Jimmy Vance — Wed, 19 Aug 2015 15:47:07 GMT

@Richardw-au wrote:
Hi Jimmy
Thanks for your suggestion.
i now have a port forward on the external IP on port 17990 to the ILO NIC. But the remote console still doesnt launch, nor does the standalone remote console connect.
i can telnet to port 17990.
From standalone remote console i get this :
Received an unexpected EOF or 0 bytes from the transport stream
Any ideas what that means?

Using the standalone client I was able to access the iLO remote console. Besides 17990 you also need to have a port forward for port 443

if the customer is using 443 for a webserver, you can use another port and redirect to 443

On the firewall (linux iptables) I was testing with I had

external internal

17990 17990

4003 443

using the standalone client you can put everything on the command line, or in the GUI box for Netwrok addres use hostname:port

from the command line it is

irc.exe -addr address:[https_port] -name login_name -password password

irc.exe -help will list the options

Re: Remote console, SSL certificates, and port 80

Richardw-au — Wed, 09 Sep 2015 05:03:43 GMT

Hi Jimmy

Apologies for the delay - i've been dealing with HP support on this also, and that has been a painful experience!

Initially i tried specifying port 17990 on the standalone remote client, and it didnt connect.

The one thing of value i got from hours of sessions with HP support was that i needed to enable IRC requires a trusted certificate in iLO setting on the Remote Console page security tab.

I then retried the Standalone RC using the redirected SSL port and after a really long wait, about 3 minutes, i saw the remote console!

Hope this is of assistance to somebody, and thanks to you for the suggestions.

Re: Remote console, SSL certificates, and port 80

hablutzel1 — Thu, 13 Dec 2018 19:04:27 GMT

It didn't work for me.

HP should really address this issue as there is no always the possibility to use port 443 facing the Internet (it is already occupied, organization policy mandates to use a different port, etc).