Call Home establishes an SSH network tunnel from an Opengear device to a central Lighthouse server or VM. Using the Call Home tunnel, Lighthouse connects to the Opengear device to establish a parallel management tunnel to perform central management and serve proxied remote access to the Opengear device via the Lighthouse central IP address.
All communications between the Lighthouse and Opengear device are sent via the management tunnel.
Since Call Home and management tunnels are northbound connections (outbound from Opengear device and inbound to Lighthouse), this architecture is particularly useful when:
- The Opengear device is configured to failover between multiple network connections – during failover, the tunnels are rerouted over the failover connection, automatically re-establishing central connectivity
- The Opengear device is on a firewalled network that blocks inbound SSH
- The Opengear device is connected to a cellular carrier that has implemented carrier grade NAT, blocking all inbound access
In outline, the sequence is:
- The Opengear device Calls Home to register with Lighthouse
- Lighthouse enrolls the Opengear device and sets up the management tunnel
- Lighthouse manages the Opengear device via management tunnel loopback ports
- Users access the Opengear device via Lighthouse proxies, which connect through the management tunnel loopback ports
(For details, see the sections below: Call Home tunnel in detail, Management tunnel in detail and Which network ports are used?)
Call Home registration & authentication
The Opengear device first establishes a Call Home tunnel to register with Lighthouse as a candidate for management.
When establishing Call Home, the Opengear device authenticates to Lighthouse as the built-in "cms" user, which acts as the registrar account. That account is authenticated using the Call Home Password set on Lighthouse under Configure -> System Administration.
The registrar account permits a successfully authenticated client to upload its SSH public key, which is then added to the registrar account's list of authorized keys, i.e. /etc/config/ssh_root_rsa_key.pub on the Opengear device is added to /etc/config/registrar/.ssh/authorized_keys on Lighthouse. The registrar account is otherwise restricted and has no other access privileges.
The uploaded SSH key is used for ongoing authentication, so the Call Home Password can be changed without disrupting connections that are already registered. Note that the Call Home Password is shared by every device that registers: anyone who knows it can register a key and appear as a candidate for management, so treat it as a secret and rotate it if it is exposed. Registration by itself only adds the device as a candidate; enrollment (below), which gives Lighthouse root access to the device, is a separate step performed by a Lighthouse administrator.
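The registrar account is the one part of Lighthouse that every device can reach with a shared password, so it is worth seeing what "restricted with no other access privileges" looks like in stock OpenSSH terms. The following is an added illustration, not Opengear's configuration (which this article does not show): an sshd_config Match block that allows the cms user nothing but a reverse port forward, an authorized_keys entry that carries the same restrictions on the key itself, and a sanity check that a registering device's key line is well formed before it is appended. The account name cms, the authorized_keys path and the banner text come from this article; the option choices and the sample key are assumptions.

```shell
#!/bin/sh
# Added example (not Opengear's code): locking down a registrar-style
# account with stock OpenSSH. Account name "cms", the authorized_keys path
# and the banner text are from the article; the option choices are assumptions.

# sshd_config fragment for the registrar account: remote (reverse) forwards
# only, no shell/PTY, no agent or X11 forwarding, and every login replaced
# by a fixed command so the banner is all a client ever sees. GatewayPorts
# is left at its default (no), which keeps the reverse forward's listener
# on Lighthouse's loopback interface only.
registrar_sshd_match() {
    cat <<'EOF'
Match User cms
    AllowTcpForwarding remote
    AllowStreamLocalForwarding no
    AllowAgentForwarding no
    X11Forwarding no
    PermitTTY no
    ForceCommand /bin/echo "User 'cms' does not have shell access on this device"
EOF
}

# Check that an uploaded key line is exactly "type base64 [comment]": a known
# key type, a base64 body, at most one comment word, no control characters
# and no leading options (a client must not be able to widen what its own
# key may do by smuggling authorized_keys options into the line).
validate_pubkey() {
    key=$1
    case "$key" in
        ""|*[![:print:]]*) return 1 ;;
    esac
    set -f; set -- $key; set +f
    [ "$#" -ge 2 ] && [ "$#" -le 3 ] || return 1
    case "$1" in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) return 1 ;;
    esac
    printf '%s\n' "$2" | grep -Eq '^[A-Za-z0-9+/]+=*$'
}

# Build the authorized_keys line for a validated key. "restrict" disables
# PTY, agent/X11 forwarding, user-rc and all port forwarding; "port-forwarding"
# re-enables only forwarding, and AllowTcpForwarding remote (above) narrows
# that to reverse forwards. Returns 1 and prints nothing for a malformed key.
registrar_authorized_key() {
    validate_pubkey "$1" || return 1
    printf 'restrict,port-forwarding %s\n' "$1"
}

# Append a device's key to the registrar's authorized_keys (path from the
# article), refusing malformed input. Not invoked at load time.
register_device_key() {
    registrar_authorized_key "$1" >>/etc/config/registrar/.ssh/authorized_keys
}
```

The validation step matters because the registrar appends client-supplied text to a file sshd parses: a line that begins with options such as `command=` or `no-restrict` would otherwise be taken at face value.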
Testing the Call Home connection
To test Call Home registration, log in to the Opengear device CLI as root or an admin user and run:
If you are prompted for a password, key-based login has failed (Lighthouse did not accept the device's uploaded key); if you are prompted to confirm an SSH key fingerprint, Lighthouse's host key is not yet known to the device. In either case, remove and re-add Call Home.
If successful, you will see the following banner and nothing else:
User 'cms' does not have shell access on this device
Call Home tunnel in detail
Call Home is a reverse SSH port forward. SSH reverse port forwarding is an SSH feature that allows a client-initiated (i.e. Opengear device-initiated) SSH connection to bind a listening port on the server (Lighthouse) and forward it back over the tunnel, to a service on the client.
The Call Home tunnel redirects a unique, free TCP port on Lighthouse (in the range 49152 to 65535, e.g. port 54321) back to the Opengear device's own SSH server (TCP port 22). This is the Call Home Listening Port.
Once Call Home is established, Lighthouse can SSH to the listening port on its own loopback interface (e.g. 127.0.0.1:54321) and be connected to the Opengear device.
Note: When adding the Call Home connection, leave Listening Port blank (this is the default, the option to set it is hidden under Advanced). This allows Lighthouse to select an unused port, otherwise port clashes may occur.
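To make the reverse forward concrete, here is the same arrangement built from stock OpenSSH. This is an added example and not Opengear's implementation: the `-R 0:localhost:22` form, where a listen port of 0 makes sshd pick a free port and report it back to the client, is assumed here as the equivalent of leaving Listening Port blank. The registrar user name, the device key path and the 15 second / 3 count keepalive values are taken from this article; the host name lighthouse.example is an assumption.

```shell
#!/bin/sh
# Added example (not Opengear's implementation): a Call Home style reverse
# forward built from stock OpenSSH. Assumed: Lighthouse is reachable as
# lighthouse.example, the registrar user is cms and the device's key is
# /etc/config/ssh_root_rsa_key (user and key path taken from the article).
LIGHTHOUSE=${LIGHTHOUSE:-lighthouse.example}
REGISTRAR_USER=${REGISTRAR_USER:-cms}
DEVICE_KEY=${DEVICE_KEY:-/etc/config/ssh_root_rsa_key}

# Device-side command. "-R 0:localhost:22" asks sshd on Lighthouse to bind a
# free port and forward it back to this device's own SSH server. Because
# GatewayPorts defaults to "no" on the server, that listener sits on
# Lighthouse's loopback interface only; enabling GatewayPorts would expose
# the device's SSH server on Lighthouse's external address. ExitOnForwardFailure
# makes ssh exit, rather than sit idle, if the forward cannot be set up, and
# BatchMode/StrictHostKeyChecking stop an unattended tunnel from blocking on
# a prompt. The keepalive values are the ones the article gives.
callhome_cmd() {
    set -- ssh -N \
        -o ExitOnForwardFailure=yes \
        -o ServerAliveInterval=15 -o ServerAliveCountMax=3 \
        -o BatchMode=yes -o StrictHostKeyChecking=yes \
        -i "$DEVICE_KEY" \
        -R 0:localhost:22 "$REGISTRAR_USER@$LIGHTHOUSE"
    printf '%s\n' "$*"
}

# With a listen port of 0, ssh logs the port sshd chose on stderr as
# "Allocated port NNNNN for remote forward to localhost:22". Pull the number
# out of that log so a supervisor knows which loopback port on Lighthouse now
# leads to this device. Prints nothing if no such line is present.
allocated_port() {
    sed -n 's/^Allocated port \([0-9][0-9]*\) for remote forward to .*$/\1/p' | head -n 1
}

# Start the tunnel in the background and wait for the allocated port, printing
# it on success. Returns 1 if ssh exits first (authentication rejected, forward
# refused, host key unknown). Not invoked at load time.
start_callhome() {
    log=${1:-/tmp/callhome.log}
    : >"$log"
    eval "$(callhome_cmd)" 2>"$log" &
    ssh_pid=$!
    while kill -0 "$ssh_pid" 2>/dev/null; do
        port=$(allocated_port <"$log")
        if [ -n "$port" ]; then
            echo "$port"
            return 0
        fi
        sleep 1
    done
    return 1
}
```

Once `start_callhome` has printed a port, `ssh -p <port> root@localhost` on Lighthouse reaches the device, exactly as described above; the port is only ever bound on 127.0.0.1 unless the server's GatewayPorts setting is changed.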
Lighthouse enrollment and remote access
Now that Lighthouse can connect to the Opengear device via the Call Home loopback port, it can use this connection to enroll the Opengear device and set up central management.
Opengear devices connected via Call Home can be viewed in the UI under Configure -> Managed Console Servers -> Remote Console Servers and enrolled by selecting them and clicking Add. Central management of the Opengear device by Lighthouse requires that Lighthouse be granted root access to the device.
When adding the Opengear device, specify the Remote Root Password. During enrollment, Lighthouse copies the SSH public key of its built-in nagios user to the Opengear device's list of authorized keys, i.e. /etc/config/nagios/.ssh/id_rsa.pub on Lighthouse is added to /etc/config/ssh_authorized_keys on the Opengear device.
This uploaded SSH key is used for ongoing authentication, so the Opengear device's root password can be changed without disrupting the connection. Because the nagios user's private key grants root on every enrolled device, the Lighthouse host and any backups of it need to be protected accordingly.
Note: When using bulk provisioning, the Lighthouse key must be pre-authorized on the Opengear device rather than requiring the root password to be input.
Note: If your Lighthouse is being accessed by the Opengear device via a port forward on a third-party device, you must tell Lighthouse the external IP and port of the port forward. Refer to this article for details.
Testing the management connection
To test enrollment, log in to the Lighthouse CLI as root or an admin user and run:
Take note of the Call Home listening port number after localhost: for the Opengear device you are testing, e.g.: localhost:54321
su nagios
ssh -p 54321 root@localhost
If you are prompted for a password, the nagios user's key has not been accepted by the Opengear device; if you are prompted to confirm an SSH key fingerprint, the device's host key is not yet in the nagios user's known_hosts on Lighthouse. In either case, remove and re-enroll.
If successful, you will obtain a root shell on the Opengear device with no intermediate prompts.
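Both manual tests (the Call Home test from the device and the enrollment test from Lighthouse) are "fail if anything prompts" checks, which makes them easy to script. The following is an added example, not an Opengear tool: with BatchMode=yes a password prompt becomes an immediate "Permission denied", and with StrictHostKeyChecking=yes an unknown host key becomes "Host key verification failed", so the probe never hangs and each of the failure cases described above gets its own verdict. The host name lighthouse.example is an assumption; the user names, ports and key path are from this article.

```shell
#!/bin/sh
# Added example (not an Opengear tool): the manual Call Home and enrollment
# tests made non-interactive. lighthouse.example is an assumed host name.

# Classify one probe from ssh's exit status ($1) and its combined output ($2).
# ssh exits 255 when the connection or authentication itself fails; any other
# status belongs to the remote command. Prints a verdict and returns 0 only
# for a clean, prompt-free key-based login.
classify_probe() {
    rc=$1
    out=$2
    case "$out" in
        *"Host key verification failed"*)
            echo "host-key-unknown: peer host key not in known_hosts (a fingerprint prompt would follow); remove and re-add/re-enroll"
            return 1 ;;
        *"Permission denied"*)
            echo "auth-failed: key not accepted (a password prompt would follow); remove and re-add/re-enroll"
            return 1 ;;
    esac
    if [ "$rc" -eq 255 ]; then
        echo "connect-failed: $out"
        return 1
    fi
    echo "ok"
    return 0
}

# Run one probe: $1 user, $2 host, $3 port, $4 remote command, $5 optional
# identity file. Run it as the account that owns the key: after "su nagios"
# on Lighthouse, or as root on the Opengear device.
probe_ssh() {
    user=$1 host=$2 port=$3 cmd=$4 identity=$5
    set -- ssh -o BatchMode=yes -o StrictHostKeyChecking=yes -o ConnectTimeout=10 -p "$port"
    if [ -n "$identity" ]; then
        set -- "$@" -i "$identity"
    fi
    out=$("$@" "$user@$host" "$cmd" 2>&1)
    classify_probe "$?" "$out"
}

# Usage (not run at load time):
#   Management tunnel, on Lighthouse after "su nagios", port from the
#   Call Home listing (e.g. localhost:54321):
#     probe_ssh root localhost 54321 true
#   Call Home registration, on the Opengear device as root, against the
#   cms registrar account on Lighthouse's SSH port:
#     probe_ssh cms lighthouse.example 22 true /etc/config/ssh_root_rsa_key
```

For the Call Home probe a successful run still prints the "does not have shell access" banner, which the classifier treats as a success; only the three failure texts and a 255 exit status are reported as problems.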
Management tunnel in detail
Similar to the Call Home tunnel, the management tunnel is a collection of SSH port forwards.
The management tunnel redirects unique, free TCP ports on Lighthouse (in the range 49152 to 65535, e.g. port 61234) back to the Opengear device's SSH server (TCP port 22) and its web server (TCP port 80); these are used for proxied user access via Access Console Servers -> Management Access and by node-command.
Additionally the tunnel creates a local port forward used by the Opengear device's Nagios NSCA client for redirecting monitoring data securely over the tunnel.
Which network ports are used?
All communications between the Lighthouse and Opengear devices are tunnelled over the Call Home and management tunnels, i.e. the only port used is inbound TCP port 22 on Lighthouse.
The user primarily accesses Lighthouse using inbound TCP ports 22 and 443. All access to Opengear devices and their managed devices is proxied via the Lighthouse's IP address.
Access Console Servers -> Management Access -> Browse (Web UI proxy) and Access Console Servers -> Management Access -> Web Terminal (Console Gateway UI) use inbound TCP port 443 on Lighthouse only.
Console Gateway CLI uses inbound TCP port 22 on Lighthouse.
Access Console Servers -> Management Access -> SSH and Access Console Servers -> Management Access -> SDT Connector use the unique SSH server port for that specific Opengear device, in the range of TCP port 49152 to 65535, inbound on Lighthouse.
You can view the unique SSH server port for a specific Opengear device by hovering your mouse over the Access Console Servers -> Management Access -> SSH link in the UI, or from the Lighthouse CLI by running:
Take note of the Opengear device's node index as displayed at the start of each section, e.g. 79: localhost:54321 has the index of 79. Specify the index after node in the following command:
config -g config.cms.nodes.node79.forwards.forward1.port
Tunnel keepalives and manual restart
Both the Call Home and management tunnels use SSH ServerAliveInterval keepalives every 15 seconds with a ServerAliveCountMax of 3, so the tunnel is torn down and restarted if the peer has not responded for approximately 45 seconds (three missed keepalives), e.g. after a network dropout.
To restart the tunnels immediately, log in to the Opengear device as root or a user in the admin group and run:
Note: This terminates all SSH client connections established by the Opengear device; connections established to the Opengear device are not affected.