Do I need a public IP for out of band (OoB) or Failover access?
For a remote administrator to "directly" access a console server over the broadband or cellular OoB link:
- The console server needs to have a Public IP address. Without this it is invisible on the Internet to any user or application trying to initiate an incoming connection.
- There must be a routable connection to this IP address, i.e. it must not have a firewall blocking all incoming traffic (at minimum it must allow SSH and/or HTTPS access).
- The IP address should also be static. If you are provided with a dynamic Public IP address, then a Dynamic DNS service will need to be configured so that the remote administrator can connect using the allocated domain name. For more details refer to faq 348.
This can be an issue when configuring broadband and cellular OoB connections. By default, telco carriers generally offer a mobile data service with dynamic Private IP address assignment. Similarly, ISPs generally provide DSL services and the like with dynamic Public IP addresses; however, they commonly apply some inbound firewall filtering. For a fee, most carriers and ISPs will provide you with an accessible Public IP address.
However, there are other access alternatives. Even with a Private, non-routable, dynamic IP address the console server can still initiate an outbound connection, and such connections can be set up to establish "indirect" VPN and Call Home access paths:
- CMS appliance
The Opengear CMS6100 appliance or VCMS virtual appliance provides a central management solution. The console server on the private network initiates an outgoing "call-home" to the CMS, which then maintains a secure transparent bridged connection between the remote administrator and the console server. For more details refer to faq372-Call-Home.
- VPN connection
Advanced console servers have embedded OpenVPN and IPsec clients and servers. This enables secure VPN tunnels to be set up between distributed console servers and a third-party VPN or IPsec server at the enterprise central management site. For more details refer to faq367-OpenVPN or faq362.
When a remote administrator directly accesses a console server using a dial-up modem, specific client and server IP addresses are nominated for the connection (refer to faq268).
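The direct-versus-indirect decision described above can be checked mechanically from the address the carrier or ISP assigns to the OoB interface. The following is an added example, not Opengear code; the function names, parameters and sample addresses are assumptions made for illustration.

```python
import ipaddress

# IPv4 ranges that are never reachable from the Internet: RFC 1918 private
# space, RFC 6598 shared space used for carrier-grade NAT (common on cellular
# links), link-local and loopback.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "100.64.0.0/10", "169.254.0.0/16", "127.0.0.0/8",
)]


def is_routable(addr):
    """True if addr is outside every non-routable IPv4 range listed above."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in NON_ROUTABLE)


def access_plan(wan_ip, static=False, inbound_allowed=True):
    """Pick an access path for the OoB or failover link.

    wan_ip           address assigned to the cellular/broadband interface
    static           True if the carrier/ISP guarantees the address is fixed
    inbound_allowed  True if SSH and/or HTTPS can reach the address
    """
    if not is_routable(wan_ip):
        return "indirect: Call Home or VPN (private address)"
    if not inbound_allowed:
        return "indirect: Call Home or VPN (inbound traffic filtered)"
    if not static:
        return "direct: via Dynamic DNS name"
    return "direct: via static public IP"


if __name__ == "__main__":
    # Constructed samples. 203.0.113.0/24 is a documentation range standing
    # in for a carrier-assigned public address.
    samples = [
        ("10.20.30.40", False, True),    # RFC 1918 address from a carrier
        ("100.72.5.9", False, True),     # carrier-grade NAT address
        ("203.0.113.10", False, True),   # dynamic public address
        ("203.0.113.10", True, True),    # static public address
        ("203.0.113.10", True, False),   # static, but ISP filters inbound
    ]
    for wan_ip, static, inbound in samples:
        print(wan_ip, static, inbound, "->", access_plan(wan_ip, static, inbound))
```

The `100.64.0.0/10` entry matters on cellular links: an address from that range does not look like a familiar RFC 1918 private address, yet it is just as unreachable for incoming connections.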
Do I need a public IP for failover access?
If you configure broadband or cellular Failover mode, then in the event of a disruption in access over the principal management network, the console server will bring up the cellular connection or switch across to the failover LAN connection. As with OoB, if this failover connection does not come with a routable Public IP address you will need to set up VPN or Call Home.
These re-establish the connection through the failover network (and the dyndns address is updated if you have a public IP). For Call Home the connection is via the CMS address + forwarded port. For IPsec/OpenVPN you connect from the other side of the VPN using the internal LAN address of the console server (the same whether you have failed over or are using the primary link).
If you are using Dial Out Failover mode (refer to faq274) and connecting to an ISP that allocates you a dynamic Public IP address, you will need to configure a Dynamic DNS service (refer to faq348).