Remotely accessing Novell servers using SecureConsole

It's possible to have too much flexibility when accessing your Novell servers. Ron Nutter introduces you to SecureConsole, which provides a greater level of control.

If you need to remotely access your Novell servers as a NetWare Administrator, you typically use REMOTE.NLM if you’re on an IPX network or RCONAG6.NLM if you’re running your NetWare servers in a pure IP configuration. Both are good solutions, but they provide too much control of your server. You get access to all of the screens on the server and you can even inadvertently take a server down if you aren't careful.

For smaller networks, this isn’t a problem. But for larger networks, it's not unusual for a person to have a specific task (e.g., handling the NDPS-based printers) that may dictate they only have access to one or two screens on a particular server.

This is where SecureConsole from Protocom can make your job easier. SecureConsole gives you the choice of accessing your servers by IPX or IP, and you can control the available screens on a user-by-user basis.

Installing SecureConsole
Take a few minutes before installing SecureConsole on your servers to do a little planning. SecureConsole is a very sophisticated and versatile product, and any time spent planning will be time well spent. There are two ways to install SecureConsole.

The first method involves using NWCONFIG.NLM as you do with most NLM-based products for Novell. Although not mentioned in the manual, make sure neither REMOTE.NLM nor RCONAG6.NLM is loaded on either of the servers on which you are going to install SecureConsole. I experienced an abend on a server that I was installing SecureConsole on—it just happened to have REMOTE.NLM loaded. I don’t know if the two were definitely related, but it can't hurt to take an extra minute and unload the two modules listed above. Check INETCFG and in the server's AUTOEXEC.NCF file to ensure that these modules aren't being loaded there either.

To install SecureConsole, insert the SecureConsole CD into the server and type load install at the server’s console prompt. Select the Production Options menu option and press [Enter]. Press [F3] and provide the path to the files. Follow the prompts to complete the installation of SecureConsole.

The second method of installation, which isn’t mentioned in the manual, involves inserting the SecureConsole CD into the workstation's CD-ROM drive and running the installation process from there. You should be logged in as either Admin or as a user with full rights to the root of the NDS tree. This user will have default rights within the NetWare Administrator property tabs for SecureConsole to assign rights to server screens to other users.

When the SecureConsole For NetWare screen appears on the workstation, click the Install SecureConsole NLMs tab to start the installation process. If you get an error about being unable to create an installation log file, click OK on the error message, browse to the path where you want to save the installation log, type the filename of the file to which you want to save the install information, and click Save.

When the SecureConsole Installation screen appears, verify that the servers onto which you want to install SecureConsole appear in the Server List portion of the window. If you want to install to more than one server at a time, hold down either [Shift] or [Ctrl] and select the servers onto which you want to install the product; then, click Install.

Once you have selected the server(s) to which you want to install, click Install to continue. The next screen prompts you for a password that matches the user ID that was detected. Type the password and click OK to continue. The progress of the installation is written to the Activity Log portion of the screen. When the installation of the NLMs is finished, click Exit to return to the SecureConsole For NetWare screen.

Configuring NetWare Administrator snap-ins
Next, you'll need to install the necessary snap-ins for NetWare Administrator that are needed to administer SecureConsole. Click Install NetWare Administrator Snap-In to begin this process. When the Welcome screen appears, click Next to continue. After reviewing the license agreement, click Yes to continue.

If you're using NetWare Administrator, leave the Server Installation option selected. If you're using a version of NetWare prior to 5.x, select Client Installation. Once you have selected the proper snap-in installation for your network, click Next.

Now you'll select the correct version of NetWare Administrator for configuring the snap-ins. Since we're using NetWare 5.1, we will select the NetWare Administrator check box. If you're using a different version or multiple versions, select the check boxes appropriate for your configuration and click Next to continue.

You will be prompted to confirm the proper drive letter and directory path to which the snap-ins are to be installed for each version of NetWare Administrator that you're using. Confirm that the correct paths are being used and click Next. A gas-gauge-like display will indicate the progress of the files being installed. Once this is complete, you will see a Setup Complete screen. Click Finish to return to the SecureConsole For NetWare screen.

Installing the SecureRemote application
The last major step is to install the SecureRemote application. You'll need to install this application on each workstation from which you wish to access the server(s) that has SecureConsole installed. Click Install SecureRemote, and when the SecureRemote Setup screen appears, click Next. After reviewing the license agreement, click Yes.

Now you'll see the default path (C:\Program Files\SecureRemote) to which the application will be installed. Unless you need to change it, accept the default and click Next to continue.

Accept the default Protocom folder for the SecureRemote application. A gas-gauge-like display will display the installation progress. If you don't have Winsock2 installed, you'll see a warning message that indicates SecureRemote requires Winsock2. The install will stop at this screen until you have installed Winsock2. You should only run into this problem if you're using Windows 95 or earlier as a client platform. When the installation process has finished, you'll see the Setup Complete screen. Click Finish to return to the SecureConsole For NetWare screen.

A final option you can select on the SecureConsole For NetWare screen enables you to generate a one-time emergency password for use with SecureConsole. This one-time-use password or PIN allows access to the servers only once, and never again. You don't need to select this option now—you can do it later in NetWare Administrator.

Configuring SecureConsole
Now that you have everything installed, you can move on to the administration of SecureConsole. Go into NetWare Administrator and double-click the NDS object for the server on which you've installed SecureConsole. Several additional buttons will now be available to you. The number of buttons you'll see depends on the number of other services already present on this server. They are labeled Console Security, Emergency User, Console Security Configuration, Console Auditing, Modify Messages, and Authorized Commands.

The button that you will probably use the most is Console Security. This button enables you to control who can access SecureConsole and tasks they can perform. To add an additional user in SecureConsole, click Add. Browse the NDS tree until you find the user for whom you want to add access. Double-click the username, and the username will appear in the User And Groups window. If you have several users or an entire group that needs access, you have the option of controlling access by group as well.

Once the user or group has been added, you can add the screens and/or commands that they will be allowed to use. For a user or group that will need access to everything, click Screens and double-click all command and screen options that appear under Resources Available. This gives the user or group total access to everything on the server. If you want the user or group to have less access, you must select only the screens and or commands to which you want them to have access.

To provide one-time or "emergency" access for a user who can serve as the backup for entering console commands or performing tasks in the NLMs that are already loaded, you can create an Emergency User. Click Emergency User and then click Add. This username doesn’t have to exist in NDS in order to work.

When the New Emergency User Name screen appears, type the username and click OK. You will then be prompted to provide a password for this emergency user. Type the password and click OK to continue. By default, this access will always be active, just as if it were a regular user that you had assigned under the Console Security button. Click View Details under the Emergency User button and you will be able to make the password you just entered a one-time password or require use of a VASCO Digipass hardware token for authentication. Next, you’ll need to assign the screens and/or commands to which you want the emergency user to have access.

SecureConsole can keep an audit trail of what the emergency user does while logged in to the server—a feature that RConsole isn’t capable of. Click Console Auditing, and the Load Audit Log displays a list of what has been done on the server. Depending on what you need to look for, you also have the option of viewing just a few of the records or displaying only what was disallowed on the server by SecureConsole. You can save the log to a text file.

This Daily Drill Down has just scratched the service of what SecureConsole is capable of. As you can see, this product allows you to control who can access specific screens or commands on the server. It minimizes the risk of an individual accidentally downing the server or issuing a command that could cause a problem on one or more services running on the server. If you need to know what happens on your servers at a console and command level, this is the product for you!

Editor's Picks