DRAC console redirection over a SSH tunnel

2-minute read
dell drac ssh

The Dell Remote Access Controller or DRAC is an interface card by Dell which provides out-of-band management. The controller has its own processor, memory, battery, network connection, and access to the system bus. Key features include power management, virtual media access and remote console, all available through a supported web browser. This gives system administrators the ability to configure a machine as if they were sitting at the local console (terminal).

Since the DRAC card has its own IP separated from the one of the host server it is very common to assign for it a private IP; or even if it has a public IP it might be protected by a corporate firewall, making it very simple to connect from the corporate office, but not from outside. In such cases when you need to connect to the DRAC console from outside a solution is to tunnel over SSH your DRAC traffic.

In order for this to work you need to tunnel ports 443 (SSL) and and 5900,5901 (VNC). This can be achieved with openssh with a command like this:

ssh -L 443:dracip:443 -L 5900:dracip:5900 -L 5901:dracip:5901 -l user -N ssh_host

or similar from other ssh clients by mapping the respective ports.

If you would forward just 443, this will allow you to use the web interface of the DRAC card (and all its features, like power management, etc), but not the remote console redirection (5900,5901 are needed for the console to work).

After connecting the ssh tunnel you can just open in your local browser https://localhost/ and get the DRAC interface. The console redirection and it will work as expected.

Note: this solution has the limitation that it will work for only one DRAC console. You can tunnel over ssh multiple drac ips on port 443, like for ex:

  • localhost:443 -> dracip1:443
  • localhost:444 -> dracip2:443, etc. but the remote console will require the ports 5900, 59001 and thus only one can work at the same time.

If you are running the DRAC console over a public IP, and you want to reach it from outside directly you will need to open in your firewall connections to the same ports TCP 443, 5900 and 5901.

comments powered by Disqus