Tunneling iLO over ssh

Do you want to access HP iLO via an SSH tunnel?

HP’s iLO (Integrated Lights Out) is great when you need to administer a server remotely: to install the OS, check the video output for a kernel panic when the OS is unresponsive, configure the BIOS, avoid standing in a cold server room, or simply because you’re not at the premises.

The servers that I administer come with iLO1, iLO2 or iLO3 and it’s great to see the interface developing at every release.

If the server is located on a remote LAN that does not expose it to the outside world (e.g. a DMZ), you can tunnel a connection over ssh to reach both the remote iLO web interface over https and the remote console. The remote console is a browser-based Java applet that gives you the display of the remote machine, as if you were using a keyboard, mouse and monitor plugged into the machine itself.

So, how do you access iLO remote console over ssh?

To do so, you just need to forward a couple of ports via a handy ssh server somewhere on the remote network.

You may need to refer to some of the port settings within the iLO administration pages. I’ve included a screenshot of where to find them within iLO1 below:

[Screenshot: HP iLO1, Administration, Global Settings, Remote Console Port]

The steps below assume that you have a proven, working ssh server on the remote network and that the necessary ports are forwarded on your remote router to allow you access to the remote network and, therefore, the iLO on the remote server.

  1. Find the necessary port for the Java console: under Administration -> Access Settings -> Service, note the port that your iLO is listening on for “remote console”. This is the port that the server will expect the Java remote console to be able to communicate over.
  2. Now you need to create the relevant ssh tunnel. I’ve broken this down into a command with some bash variables to make it easier to understand what’s what.
    1. the IP of iLO on your remote network
      iloaddress=192.168.1.10
    2. the local https port to forward
      localhttps=8443
    3. the https port the iLO is listening on
      remotehttps=443
    4. local port to forward for Remote Console (probably should be the same as the Remote Console Port within: Administration -> Access Settings -> Service)
      localconsole=17990
    5. the Remote Console Port within: Administration -> Access Settings -> Service
      remoteconsole=17990
    6. Your username for ssh-ing into a server on the remote network
      sshusername="<your-user-name>"
    7. Your remote IP or domain name for the remote network
      sshserver=my-secret-router.dyndns.org
    8. the port on the remote router for forwarding to an ssh server on the remote network
      sshport=2205
  3. Now run the ssh command to bring up the tunnel using the above parameters:
    ssh -fnNL ${localhttps}:${iloaddress}:${remotehttps} -L ${localconsole}:${iloaddress}:${remoteconsole} ${sshusername}@${sshserver} -p ${sshport}
  4. Finally, if all is well, access the iLO via your browser. I’m launching it via the command line here to provide the correct port (the local https port forwarded above) based upon the pre-populated variables:
    firefox https://127.0.0.1:${localhttps}
  5. You can check that the tunnel command is still running with the following command:
    ps faux | grep -v grep | grep "ssh -fnNL ${localhttps}:${iloaddress}:${remotehttps}\|USER"
  6. Handily, this also gives you the PID (process ID) of your tunnel, so you can kill your tunnel like this:
    kill <process id>

Let’s put the above together as a single block that you can paste into a text editor to make it into a bash script, all in one go along with bash comments to document it (once you’ve edited the parameters of course):

#!/bin/bash
# the IP of iLO on your remote network
iloaddress=192.168.1.10
# the local https port to forward
localhttps=8443
# the https port the iLO is listening on
remotehttps=443
# local port to forward for Remote Console
localconsole=17990
# the Remote Console Port
remoteconsole=17990
# Your username for ssh-ing into a server on the remote network
sshusername="<your-user-name>"
# Your remote IP or domain name for the remote network
sshserver=my-secret-router.dyndns.org
# the port on the remote router for forwarding
sshport=2205
# launch tunnel
ssh -fnNL ${localhttps}:${iloaddress}:${remotehttps} -L ${localconsole}:${iloaddress}:${remoteconsole} ${sshusername}@${sshserver} -p ${sshport}
# check tunnel
ps faux | grep -v grep | grep "ssh -fnNL ${localhttps}:${iloaddress}:${remotehttps}\|USER"
# launch browser
firefox https://127.0.0.1:${localhttps} &

Remember to make the script executable once you’ve saved it, with chmod +x /path/to/script
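
A variant of the script above that binds both forwards to loopback explicitly, makes ssh exit if a forward cannot be set up, and uses an ssh control socket for status and teardown instead of ps and kill. This is an added example, not the original author's script; the control-socket path, the function names and the up/status/down arguments are assumptions, and the addresses are the post's sample values.

```bash
#!/bin/bash
# Added example: the same two forwards, with explicit loopback binding
# and a control socket for clean status/teardown.
iloaddress=192.168.1.10
localhttps=8443
remotehttps=443
console=17990     # Remote Console port, kept identical locally and remotely
sshtarget="your-user-name@my-secret-router.dyndns.org"   # placeholder
sshport=2205
ctl="${HOME}/.ssh/ilo-tunnel.ctl"   # assumed control-socket path

# Accept only a plain TCP port number (1-65535) before it reaches ssh.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Build one -L spec bound to 127.0.0.1, so other hosts on the
# workstation's network cannot reach the iLO through the forward.
forward_spec() {   # forward_spec <localport> <remotehost> <remoteport>
    valid_port "$1" && valid_port "$3" || return 1
    printf '127.0.0.1:%s:%s:%s\n' "$1" "$2" "$3"
}

tunnel_up() {
    # ExitOnForwardFailure: fail loudly if a local port is already taken,
    # rather than leaving a tunnel with only one of the two forwards.
    ssh -fnN -M -S "$ctl" -o ExitOnForwardFailure=yes \
        -L "$(forward_spec "$localhttps" "$iloaddress" "$remotehttps")" \
        -L "$(forward_spec "$console" "$iloaddress" "$console")" \
        -p "$sshport" "$sshtarget"
}
tunnel_status() { ssh -S "$ctl" -O check "$sshtarget"; }
tunnel_down()   { ssh -S "$ctl" -O exit  "$sshtarget"; }

case "${1:-}" in
    up)     tunnel_up && echo "iLO web UI: https://127.0.0.1:${localhttps}" ;;
    status) tunnel_status ;;
    down)   tunnel_down ;;
esac
```

Run it with up, status or down as the first argument; with no argument it only defines the functions.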

