Adding managed console servers to Lighthouse

The article provides an overview how Lighthouse manages console servers, and how to add a console server to Lighthouse central management (aka console server enrollment).

For the practical instructions only, skip ahead to Enrolling a console server.

Note that these instructions are primarily useful for manually enrolling a small number of console servers.  For bulk console server provisioning and enrollment, see this article.

SSH management tunnels

Lighthouse central management uses a persistent, public key authenticated SSH tunnels to maintain connectivity to managed console servers.

All network communications between Lighthouse and each console server (e.g. access to the web UI), and the console server's managed devices (e.g. the serial consoles of network equipment), is tunneled through this SSH management tunnel.

The management tunnel may be established in one of two ways depending on whether the console server is "local" or "remote" to Lighthouse:

Local Console Servers: This configuration is often used in large, central networks, e.g. a data center. If Lighthouse has a reliable route to the console server, Lighthouse may establish the management tunnel directly.  At boot, Lighthouse performs a ping sweep of the local subnet to detect local console servers.

Remote Console Servers: This configuration is most often used in distributed networks, e.g. a central Lighthouse managing branch office console servers.  If the console server is on a remote or firewalled network, or is configured for failover, the console server may first establish a northbound Call Home tunnel to Lighthouse.  Lighthouse then uses the Call Home tunnel to establish the management tunnel. 

Configuration synchronization

Lighthouse retrieves configuration information about managed devices, users, and their access permissions from console servers as they are enrolled.

Configuration from all console servers is aggregated to form a central view and point of access, enabling a retrieved user to reach all their permitted managed console servers and devices with a single sign on.

Configuration is not automatically re-synchronized, this must be done manually using Configure -> Managed Console Servers -> Retrieve Managed Devices from the web UI, or node-sync from the CLI.

Lighthouse does not provide central configuration management, except in an ad-hoc fashion using bulk CLI config commands via node-command.

Enrolling a console server

• Login to the Lighthouse web UI as root
  
• Click Configure -> Managed Console Servers
• Determine whether the the console server will be added as a Local or Remote Console Server
• Note: See SSH management tunnels above for the distinction
• For a Remote Console Server:
• Setup Call Home using these instructions
• In the list of Detected Console Servers -> Remote Console Servers, select the console server using its unique Call Home Listening Port Home port
• For a Local Console Server:
• In the list of Detected Console Servers -> Local Console Servers, select the console server using its unique local IP address
• If the console server has not been detected, scroll down to New Console Server
• Click Add
• Enter a unique Name for the console server, e.g. its hostname
• Optionally enter a Description for the console server, e.g. its location or application
• Check the detected console server's IP Address/DNS Name
• Note: For Remote Console Servers this is always 127.0.0.1
• Check the SSH Port is correct
• Note: for Remote Console Servers this must match the console server's Call Home Listening Port
• Enter the Remote Root Password of the console server
• Note: This is used to exchange SSH keys during enrollment, then forgotten
• Unless you are making extensive use of the built-in Nagios system, ensure Monitor Managed Devices and Monitor Auto-Responses are unchecked
• Note: Checking Monitor Managed Devices will use a great deal of bandwidth and may be unsuitable for metered network connections such as cellular
• Set the Number of Serial Ports to the total number of configured and unconfigured serial + USB console ports for this console server
• Leave the Proxy Port Base fields and all other fields blank
• Click Apply

The enrollment and initial configuration sync may take several minutes.

When complete, successful enrollment is indicated by a valid Configure -> Managed Console Servers -> Managed Devices Last Retrieved timestamp. If this is showing as "Never", enrollment has failed – please Delete and re-Add the console server.