Allow Access to a Dell Remote Access Controller (DRAC or iDRAC) through a firewall

It’s Friday, 4:59pm and you’re itching to get home, that’s when you get a call saying that the server in the remote office is locked up. All the employees of the branch office have left for the day and shutdown all of their PCs. There’s no way to get into that local network and remote control the server or reboot it without fighting through rush hour traffic, trying to remember the security code to the front door, and then playing the ‘see which key fits game’ on 3 sets of locked doors. This could be avoided if you had just opened access to your DRAC to your IP ranges at your main office. Here’s how:

First Identify what ports your version of the Dell Remote Access Controller uses, here’s a short list:

DRAC 4
5900TCP
3668TCP
2068TCP
8192TCP
443TCP (I recommend changing this from within the DRAC’s UI)

DRAC 5
3668TCP
3669TCP
5900TCP
5901TCP
443TCP (I recommend changing this from within the DRAC’s UI)

iDRAC 6 & iDRAC 7
443TCP (I recommend changing this from within the DRAC’s UI)
5900TCP
623TCP

For this example I’m going to be using a SonicWall TZ 210 Router, and we’re going to be Setting up access to a iDRAC 6 that’s IP address is 192.168.1.12.

I’m also going to be adding all of these services into a Service Group, that way I only have to make 1 set of firewall and NAT rules instead of 3. If your firewall does not support this, just make 3(or 5) individual rules, one for each service.

The first thing I’m going to do is change the DRAC’s internal web server to use port 4433 instead of port 443, because I’m already running services over port 443 for something else, and more than likely you are too.

You change this by logging into the DRAC, under the Network/Security section there will be tab for Services Change the HTTPS port number to 4433.

Next let’s create the services, On the Sonicwall. Log into the Sonicwall and on left hand

Figure 1.

pane, expand Firewall, and click Services. Click Add… to Create a new service, enter a name, I typically use DRAC Service 1 or something similar. Change the Protocol to TCP, and Enter your Port range, for the first service we’d enter 623 and 623 again in the second box See Figure 1.

Figure 2.

Once you’ve created all 3 Services you can create a new Service Group, I called mine DRAC Services, and I add all 3of the services that we just created to this group. See Figure 2.

Next we’ve got to create some address objects. Expand the Network on the Sonicwall’s left hand pane and click Address Objects. Click Add… to create a new Address Object. We’re going to need to create two address objects. One for the DRAC which will be 192.168.1.12 and located on the LAN, and the other will be for Our (Your) main office’s public IP(s) and will be located on the WAN. You’re Address Object for the DRAC should look like figure 3.

Figure 3.

Next we’ll create our Firewall rule, expand Firewall on the Sonicwall’s left hand pane

Figure 4.

and click on Access Rules. We’re going to be creating a new rule from the WAN to the LAN. When you create the rule it should look like Figure 4, only with slight changes to the names of the Address Objects you created.

Action: Allow
From Zone: WAN
To Zone: LAN
Service: DRAC Services( or whatever you named your service group)
Source: This will be whatever you named your Main Office’s Public IP address Address Object
Destination: WAN Primary IP (this is because you’ll be accessing the DRAC from the Public IP of the remote office and not from it’s Internal IP address)

We’re almost done now, we just need to create our NAT rule, and then we’ll be ready to test.

Expand Network on the Sonicwall’s left hand pane, and click on NAT Policies. Click

Figure 5.

Add… to create a new NAT rule. You’re NAT rule should look similar to Figure 5.

Original Source: This will be whatever you named your Main Office’s Public IP address Address Object
Translated Source: Original
Original Destination: WAN Primary IP (this is because you’ll be accessing the DRAC from the Public IP of the remote office and not from it’s Internal IP address)
Translated Destination: This will be whatever you named your DRAC’s Address Object.
Original Service: DRAC Services( or whatever you named your service group)
Translated Service: Original
Inbound Interface: Any
Outbound Interface: Any

That’s it! You should now be able to go to https://YourBranchoOffice’sPublicIP:4433 and log into your DRAC. Note: I’ve had some issues with the iDRAC6 Active X control not working remotely, change it over to Java and it works fine. I’m not sure if this is an issue with just my PC or with something within the Active X control. Let me know if the Active X control works for you after you’ve followed these instructions.

9 thoughts on “Allow Access to a Dell Remote Access Controller (DRAC or iDRAC) through a firewall

  1. Brad

    I’m trying to do just this and although I have the services and rules setup, I cannot seem to get through nor can I ping even just our public IP. Would there be any rules or protection services that would block any attempts?
    We have a TZ-180W.

    Thank you.

    Reply
    1. SeanLaBrie Post author

      Brad,

      If you can’t ping it from the outside it’s because you’ve either not approved ICMP on the WAN interface, or not forward ICMP Echo through the SonicWall to the IP of the DRAC (if that’s what you are trying to ping).

      Next, the most likely problem is that you’re using port 443 on the DRAC for the HTTPS port, this is not normally a problem unless you’ve also got 443 pointed to another server on a rule further up on your SonicWall’s ACL. If you’ve already got 443 going to a different web server you’ve going to need to choose another port, you do this both on the SonicWall and on the DRAC’s configuration web page.

      -Sean

      Reply
  2. Pingback: Configuring a Dell 6248 Switch Stack for use with a EqualLogic PS4000E Storage Array | The Day to Day Findings of an IT Engineer

  3. Don

    Dude, this is the BEST tutorial I’ve found. Your explanation on how to set everything up step-by-step was perfect. I have a SonicWALL at our office and this is going to help me out tremendously. Thanks a million!!

    Reply
  4. rick

    My Testing Environment:
    I have iDRAC7 Enterprise and changed its HTTPS port number to 4433. My Sonicwall Pro 3060 (very old), I created the 3 services base on your instruction. Next, in my firewall rule, I allowed the 3 services with Source (public IP) to Destination (private IP, iDRAC7). Finally, I created a one-to-one NAT, public IP to private IP, iDRAC7. I have no luck loading the page, https://publicIP:4433. Any suggestions? Thank you.

    Reply
  5. Rob B.

    Great job with this. I needed the ports for the iDRAC 7, and found your article right away. I’m a whiz with a Sonicwall, and would have set it up exactly the way you did. Nice work, and thanks for the help!

    Reply
  6. Blake Fletcher

    Hi Sean,
    do you have any experience doing this with a watchguard? I work at a CMIT in Denver and I’m having a heck of time configuring this to work right.

    Reply
  7. senad

    Where do you change the port number in DRAC 4 ?
    Hitting CTRL- D and then setup does not have any option for that.

    Reply
    1. admin

      I believe you’d do this from the website, not from the BIOS/Boot menu. Drac4 may not allow you to change the port number.

      Reply

Leave a Reply to SeanLaBrie Cancel reply

Your email address will not be published. Required fields are marked *