|
|
Cisco Bridged Telnet offers Cisco Service Engineers (CSEs) transparent firewall access to Cisco CallManager servers on your site.
Cisco Bridged Telnet works by enabling a Telnet client inside the Cisco Systems firewall to connect to a Telnet daemon behind your firewall. This secure connection allows remote monitoring and maintenance of your Cisco CallManager servers---without requiring firewall modifications.
 |
Note This service is provided only with your permission. A network administrator must be available at your site to help initiate the process. |
The Cisco Bridged Telnet system design provides the basis for communication with any Cisco CallManager installations on your site.
Each of the components and applications is described here, along with a scenario outlining how you can use them.
CSEs can use techniques other than Cisco Bridged Telnet to provide remote connectivity to a customer site, but using other methods may impose unacceptable conditions.
Dial-in access requires installation of a dedicated phone line and modem at your site, so it may be impractical. Using Telnet directly can establish a Transmission Control Protocol/Internet Protocol (TCP/IP) connection, but it requires opening your firewall, which can compromise security and cause delays in service.
Virtually all internal networks use firewall applications to restrict outside access to internal host systems. These applications protect your network by restricting IP connections between the network and the public internet.
Firewalls work by automatically blocking TCP/IP connections initiated from the outside, unless the software is reconfigured to allow such access.
Corporate networks normally permit communication with the public internet, but only if connections directed to outside hosts originate from inside the firewall.
Cisco Bridged Telnet takes advantage of the fact that Telnet connections can easily be initiated from behind a firewall. Using an external proxy machine, the system relays TCP/IP communications from behind your firewall to a host behind another firewall at the Cisco Technical Assistance Center (TAC).
Using this relay server maintains the integrity of both firewalls, yet supports secure communication between each of the shielded remote systems. (See Figure 2-1).
The external relay server establishes the connection between your network and Cisco Systems by building a Telnet tunnel. This enables you to transmit the IP address and password identifier of your Cisco CallManager server to your CSE.
|
Note The password is a text string mutually agreed upon by your administrator and the CSE. |
Your administrator starts the process by initiating the Telnet tunnel, which establishes a TCP connection from inside your firewall out to the relay server on the public internet. The Telnet tunnel then establishes another connection to your local Telnet server, creating a two-way link between the entities.
|
Note The Telnet client running at the Cisco TAC is compliant with systems running on Windows NT, Windows 2000, or UNIX operating systems. |
Once the Cisco CallManager at your site accepts the password, the Telnet client running at the Cisco TAC connects to the Telnet daemon running behind your firewall. The resulting connection is transparent, allowing the same access as if the machine were being used locally.
Once the Telnet connection is stable, the CSE can implement all of the Remote Serviceability functionality to perform maintenance, diagnostic and troubleshooting tasks on your Cisco CallManager server.
You can view the commands sent by the CSE and the responses issued by your Cisco CallManager server, but the commands and responses may not always be completely formatted. See the "Telnet Server" section for more information.
The Cisco relay server runs on the Windows NT platform. It is a node on the public internet which is configured as a multi-user system. Any Cisco customer using the Cisco Bridged Telnet service can access it freely.
The relay server may be a dedicated device or, during a pilot period, it may be attached on an ad hoc basis when the need arises.
The relay server resides outside of the Cisco Systems firewall, but it is a secure and controlled system which is owned, managed and operated by Cisco Systems.
|
Note If easy access to the public internet is not available to the relay server, a dial-in connection may be made to an ISP that allows direct internet access to its devices. |
The Telnet client runs at the Cisco site on a UNIX host or Windows NT system. It provides terminal emulation over TCP/IP, providing a remote shell allowing entry into the server at your site.
The Telnet client provides command line access to the Cisco CallManager host through the Cisco relay server.
The Telnet server resides on your network and runs on the Cisco CallManager server. The Windows 2000 operating system runs on this server and supports execution of the text-based commands used on the local system.
The Telnet proxy, tndconnect, runs on this server and links your Telnet server to the Cisco relay server.
|
Note The tndconnect window running on the your Windows 2000 system will display the commands and responses being issued between the Cisco TAC and your Cisco CallManager system. However, depending on its terminal type support, the Windows 2000 Telnet daemon may eliminate spaces between the elements. A later release will improve readability. |
The Cisco Bridged Telnet system is built from four software components.
1. The Telnet Daemon Connect (tndconnect) program runs on a Cisco CallManager server at your site.
2. The relay application (relayapp) is a program that runs on the Cisco relay or "connect" server.
3. The Windows 2000 Telnet Daemon is Microsoft software that runs on the Cisco CallManager server at your site.
4. The standard Telnet client runs behind the firewall at the Cisco TAC.
The tndconnect program is a command-line executable which is invoked from a Windows 2000 command prompt window.
Remote Serviceability users invoke the tndconnect program from a command window on the Cisco CallManager server. This program contacts the relayapp application on the relay server, which resides on the public internet.
After you invoke tndconnect at your site, the CSE uses Telnet to reach relayapp to gain access to your system. Logging into that system maps the Telnet sessions together, allowing technical support access to the your site.
Each of the executables has command line parameters which control the operating characteristics of each program, such as passwords and TCP ports.
The tndconnect program acts as a proxy that provides the connection from your site to an external application residing on the relay server.
If you use this connector program, you must specify certain command line parameters, as listed below. Some of these parameters are optional.
The tndconnect program resides on your Cisco CallManager server at C:\Program Files\Cisco\Bin. It is invoked on a command line, e.g.:
tndconnect -host relayservername -password cisco -file connect.log -port 80 -verbose -noecho
|
Note You can terminate tndconnect by entering Control-C in the window. |
Each of these parameters is defined below.
-host <relay hostname>
-password <any 4+ character string>
-file <logfile name>
-port <optional port number>
-verbose
-target <optional DNS name of Cisco CallManager system>
-noecho
The tndconnect program can be invoked with the /? argument on a command line to give information on the entire system.
This command returns information on all of the command line options.
The tndconnect program performs the tasks which provide the CSE with the ability to log in to your Cisco CallManager system.
|
Note If the Telnet daemon is not running when the program is executed, tndconnect prints an error message on your console and the command terminates. |
When the tndconnect program starts, the command parser sets the values specified in the command line. If no specific parameters are set in the command line, default values are used, except for the -host and -password parameters. Those values must be entered each time tndconnect is run.
When the CSE connects to the relay application, a signal instructs the tndconnect program to create TCP/IP structures and connect to the local Telnet daemon.
If the -target option is not used, tndconnect defaults to your local Telnet server.
|
Note You may have to add the name of the Cisco relay application server to the hosts file of the local system if DNS cannot locate it. If so, add a line with IP address and hostname to the file C:\WINNT\system32\drivers\etc\hosts to provide that hostname. |
The tndconnect program sends the information to the Cisco relay server, where the CSE logs in. The CSE then provides the IP address and password of the Cisco CallManager and enters a return, which prompts the appearance of a login screen. The CSE then logs into the Cisco CallManager system using the password provided by the customer.
Once a connection is established, a timer starts which eventually terminates the connection if no traffic is observed. The tunnel to your site established by tndconnect is automatically terminated after 30 minutes of inactivity. If you deliberately disconnect, you must manually restart the Telnet Connector program each time you use it.
The session can also be terminated by any socket failure, or by closing the connection from either Cisco or the customer site. A close can occur when the CSE disconnects, the relay program ends, or if the Telnet daemon terminates. Termination may also occur if TCP detects connection failure, if either of the Telnet sessions closes, or if you terminate the tndconnect program by pressing Control-C.
When the connection terminates, the program terminates and the tunnel constructed between the Cisco CallManager Telnet server and the relay server is taken down.
Under the Cisco Bridged Telnet system, the Telnet client and daemon are standard, unmodified components and exchange data just as they would if they were connected directly.
Any system running the Cisco CallManager must run the standard Windows 2000 Telnet daemon service. Since this program expects clients to connect into it, an additional software component, tndconnect, is needed to both connect to the Telnet daemon and establish a connection out of the corporate network and into the Telnet relay program. The Telnet daemon and tndconnect work together to provide an end-to-end connection through which Telnet session traffic may flow.
The Telnet server component can be run as a service in the background on the Cisco CallManager Windows 2000 system. The primary function of the daemon is to respond to a connection request. Once a Telnet session is established, you can execute command line programs.
All of these considerations affect the choice of Telnet daemon software.
Since both Telnet daemon and File Transfer Protocol (FTP) servers are part of Windows 2000 standard features, it is logical to use these connectivity methods for Remote Serviceability.
You may want to activate Cisco Bridged Telnet to call in problems that require diagnosis of a remote Cisco CallManager server by a CSE. The following sequence of events represents a common scenario.
|
Note Please verify that the local Telnet session works, and that a suitable userid and password have been chosen for the Cisco TAC to log in. |
Step 2 The CSE gives you a one-time password and the DNS name of the Cisco relay server, and those parameters are used to open communications.
Step 3 If the Telnet daemon is not already running, you should start it by using the Windows 2000 System Control Panel, Services option.
Step 4 You run tndconnect to initiate a tunnel session between the Telnet Daemon and the Cisco relay server. The command-line syntax allows transmission of a one-time password, which acts as a correlator to the one supplied by the CSE upon connection to the relay server.
|
Note Tunnels allow secure transmission of data streams between networks, making the routing appear transparent. They are created by using software which communicates through the firewall protecting the destination network. |
Step 5 After bit manipulation encrypts the one-time password for transmission, tndconnect transmits it to relayapp for identification.
When transmission is complete, your system is set up for Cisco TAC diagnostics. If you wish, you may observe the support engineer's commands and responses in the tndconnect window.
When the Cisco TAC engineer disconnects, the tndconnect program will terminate.
Posted: Mon Jun 12 18:22:52 PDT 2000
Copyright 1989 - 2000©Cisco Systems Inc.
