Best IDRAC config

What do you folks think is the best setup for IDRAC? Dedicated servers using public IPv4, of course. As for IDRAC and customers utilizing IDRAC for management, do you guys give them static IPs or some sort of VPN access via the IDRAC port?

Comments

  • SpryServers_Tab Member, Host Rep

    Best to use private network and have clients VPN in for any type of remote management.

    Thanked by 1: techhelper1
  • First-Root Member, Host Rep

    Access to ipmi, ilo, idrac only through vpn.

    Thanked by 3: techhelper1, FHR, eol
  • Clouvider Member, Patron Provider

    @FR_Michael said:
    Access to ipmi, ilo, idrac only through vpn.

    And I second that!

  • FHR Member, Host Rep

    NEVER, under any circumstances, expose IPMI/iDRAC/iLO to the public internet!

  • MikePT Moderator, Patron Provider, Veteran

    @FHR said:
    NEVER, under any circumstances, expose IPMI/iDRAC/iLO to the public internet!

    ^
    Definitely. Nullroute the IP at least and allow the client to connect through VPN or whitelist his IP for the IPMI, automate it.

    Public IPMIs are a disaster waiting to happen.

    Thanked by 2: techhelper1, eol
  • @SpryServers_Tab said:
    Best to use private network and have clients VPN in for any type of remote management.

    What type of VPN would allow clients to connect only to their assigned IDRAC IP though?

  • @FR_Michael said:
    Access to ipmi, ilo, idrac only through vpn.

    What type of VPN as far as protocol goes?

  • @HashTag said:

    What type of VPN would allow clients to connect only to their assigned IDRAC IP though?

    One where the VPN concentrator can enforce ACLs based on the user connecting.

  • SpryServers_Tab Member, Host Rep
    edited December 2018

    @HashTag said:

    @FR_Michael said:
    Access to ipmi, ilo, idrac only through vpn.

    What type of VPN as far as protocol goes?

    Well, the protocol doesn't matter. You'd write the ACLs in the firewall. For full isolation though, you'd have to do the rules on the switch level, set up custom VRFs.

    Personally, we put IPMI/DRAC/ILO on a protected/internal ips only VLAN. Then have a VPN that allows authenticated clients access to the IPMIs. We limit access to customers only, but not per customer. The customer will have his/her own user/password to access their specific server.

  • SpryServers_Tab said: Well, the protocol doesn't matter. You'd write the ACLs in the firewall. For full isolation though, you'd have to do the rules on the switch level, set up custom VRFs.

    This, but VLAN isolation as well, so no one from other VLANs can access another client's server. Going to the extent of VRFs is not required at all.

    Personally, we put IPMI/DRAC/ILO on a protected/internal ips only VLAN. Then have a VPN that allows authenticated clients access to the IPMIs.

    So you just give access to everyone's IPMI at a simple request of VPN credentials? That sounds like a big security flaw.


    I know of a provider that splits up the private NIC + IPMI into their own VLAN, and assigns IPs accordingly.

    The OpenVPN setup only hands out the ranges that belong to you, and firewalls the rest off. If you blow up your own servers, that's on you.
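
The per-customer restriction discussed in this thread (a VPN concentrator enforcing ACLs per connecting user, OpenVPN handing out only your own ranges and firewalling the rest), written out as an added example that is not from any poster or provider here. The addresses, customer names, `tun0` interface and the HTTPS-only port choice are constructed assumptions; the script emits OpenVPN `client-config-dir` entries and an nftables forward chain, and refuses an inventory that maps one iDRAC address to two customers.

```python
import ipaddress

MGMT_NET = ipaddress.ip_network("10.20.0.0/24")  # constructed: iDRAC-only VLAN
VPN_NET = ipaddress.ip_network("10.8.0.0/24")    # constructed: VPN address pool
BMC_PORTS = "443"  # assumption: HTTPS web interface only; extend as needed

# Constructed inventory: VPN certificate CN -> (fixed VPN IP, assigned iDRAC IPs)
CUSTOMERS = {
    "cust-alpha": ("10.8.0.10", ["10.20.0.11", "10.20.0.12"]),
    "cust-beta": ("10.8.0.11", ["10.20.0.21"]),
}

def validate(customers):
    """Refuse inventories that would let two customers reach the same BMC."""
    bmc_owner, vpn_owner = {}, {}
    for cn, (vpn_ip, bmcs) in customers.items():
        if ipaddress.ip_address(vpn_ip) not in VPN_NET:
            raise ValueError(f"{cn}: VPN IP {vpn_ip} is outside {VPN_NET}")
        if vpn_owner.setdefault(vpn_ip, cn) != cn:
            raise ValueError(f"VPN IP {vpn_ip} reused by {cn}")
        for bmc in bmcs:
            if ipaddress.ip_address(bmc) not in MGMT_NET:
                raise ValueError(f"{cn}: {bmc} is outside {MGMT_NET}")
            if bmc_owner.setdefault(bmc, cn) != cn:
                raise ValueError(f"{bmc} assigned to {bmc_owner[bmc]} and {cn}")

def ccd_file(vpn_ip, bmcs):
    """client-config-dir entry (server assumed to use 'topology subnet' and
    'ccd-exclusive'). Pushed routes are a convenience, not the enforcement."""
    lines = [f"ifconfig-push {vpn_ip} {VPN_NET.netmask}"]
    lines += [f'push "route {bmc} 255.255.255.255"' for bmc in bmcs]
    return "\n".join(lines) + "\n"

def nft_ruleset(customers, tun="tun0"):
    """Default-drop forward chain for a dedicated VPN concentrator: each fixed
    VPN source address may reach only its own customer's iDRAC addresses."""
    validate(customers)
    out = ["table inet bmc_vpn {", "  chain forward {",
           "    type filter hook forward priority 0; policy drop;",
           "    ct state established,related accept"]
    for cn, (vpn_ip, bmcs) in sorted(customers.items()):
        out.append(f'    iifname "{tun}" ip saddr {vpn_ip} '
                   f'ip daddr {{ {", ".join(bmcs)} }} '
                   f'tcp dport {{ {BMC_PORTS} }} accept comment "{cn}"')
    out += ["  }", "}"]
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(nft_ruleset(CUSTOMERS))
```
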

  • SpryServers_Tab Member, Host Rep

    Well looks to all be a moot point here as OP was banned 🤣

  • deank Member, Troll

    He was a scammer.

    Thanked by 1: eol
  • ScamTag.

  • @JackH @trewq It would be a nice thing if in a banned member's wall we could see the reason or the ban and if it is a temp or perm one. Just a suggestion

  • And if it's a temporary ban, can we see the time?

    Thanked by 1: dedotatedwam