When working with Supermicro servers utilizing Winbond WPCM450 BMC (like X8DT3 motherboards), the Java-based remote console consists of two distinct components:
- The JNLP launcher (proxy-aware)
- The native VNC renderer (non-proxy-aware)
The connection fails because:
1. JNLP successfully downloads through SOCKS proxy (port 3333 in our case)
2. Java Web Start executes the viewer
3. Native VNC component attempts direct connection to BMC (192.168.1.100:5900)
4. Corporate firewall blocks direct connection
5. 60-second timeout occurs
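Option 1: SSH Tunnel with Local Port Forwarding
For individual connections:
# Forward the console ports to the BMC through the jump host.
# Local port 623 is privileged, so this ssh command must run as root.
ssh -N -L 5900:192.168.1.100:5900 -L 5901:192.168.1.100:5901 \
    -L 623:192.168.1.100:623 user@jump_host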
Option 2: Automated Proxy Configuration for Bulk Management
Create a wrapper script:
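#!/bin/bash
# ipmi_proxy_wrapper.sh - open a SOCKS tunnel, then launch the BMC console
set -euo pipefail
SOCKS_PORT=3333
# Require the BMC address as the first argument
TARGET_IP=${1:?usage: ipmi_proxy_wrapper.sh <bmc-ip>}
# Keep the SOCKS listener on loopback and fail if the port is already in use
ssh -f -N -D "127.0.0.1:${SOCKS_PORT}" -o ExitOnForwardFailure=yes user@proxy_gateway
export SOCKS_SERVER="localhost:${SOCKS_PORT}"
/usr/bin/javaws "http://${TARGET_IP}/jviewer.jnlp" &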
For environments requiring strict proxy adherence:
sudo apt install tsocks
cat > /etc/tsocks.conf <
Using Ansible for Mass Configuration:
- name: Configure IPMI SOCKS proxy
  hosts: ipmi_servers
  tasks:
    - name: Create persistent SSH tunnels
      # Folded scalar: the command module does not run a shell, so
      # backslash line continuations would not be interpreted
      ansible.builtin.command: >-
        ssh -f -N -D {{ socks_port }}
        -o ExitOnForwardFailure=yes
        -o ServerAliveInterval=60
        user@{{ proxy_host }}
To verify proxy connectivity:
# Check Java proxy settings
java -DsocksProxyHost=localhost -DsocksProxyPort=3333 \
-Dnet.spy.log.ProxyImpl=true myApp
# Network tracing
strace -f -e trace=network -o ipmi_trace.log javaws jviewer.jnlp
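To read the resulting ipmi_trace.log, the following added example (not part of the original page) classifies every IPv4 connect() call as going to the local SOCKS listener or directly to a remote address, which is the bypass described above. The function name and the sample trace lines are constructed for illustration; port 3333 is the SOCKS port used on this page.

```bash
#!/usr/bin/env bash
# Added example: classify connect() calls from `strace -f -e trace=network -o FILE`.

# classify_connects [SOCKS_PORT] < ipmi_trace.log
# Prints, sorted and de-duplicated:
#   "proxied 127.0.0.1:PORT" for connects to the local SOCKS listener
#   "direct IP:PORT"         for connects to any non-loopback IPv4 address
# Other loopback traffic and non-IPv4 sockets (AF_UNIX, AF_INET6) are ignored.
classify_connects() {
  local socks_port=${1:-3333}
  awk -v sp="$socks_port" '
    /connect\(/ && /sa_family=AF_INET,/ {
      port = ""; ip = ""
      # sin_port=htons(5900) -> 5900
      if (match($0, /htons\([0-9]+\)/))
        port = substr($0, RSTART + 6, RLENGTH - 7)
      # sin_addr=inet_addr("192.168.1.100") -> 192.168.1.100
      if (match($0, /inet_addr\("[0-9.]+"\)/))
        ip = substr($0, RSTART + 11, RLENGTH - 13)
      if (ip == "" || port == "") next
      if (ip ~ /^127\./) {
        if (port == sp) print "proxied " ip ":" port
        next
      }
      print "direct " ip ":" port
    }' | LC_ALL=C sort -u
}

# Constructed sample in strace -f -o format (pid prefix, then the syscall).
sample_trace() {
  cat <<'EOF'
4121 connect(5, {sa_family=AF_INET, sin_port=htons(3333), sin_addr=inet_addr("127.0.0.1")}, 16) = 0
4121 connect(6, {sa_family=AF_UNIX, sun_path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
4130 connect(9, {sa_family=AF_INET, sin_port=htons(5900), sin_addr=inet_addr("192.168.1.100")}, 16) = -1 EINPROGRESS (Operation now in progress)
4130 connect(9, {sa_family=AF_INET, sin_port=htons(5900), sin_addr=inet_addr("192.168.1.100")}, 16) = -1 ETIMEDOUT (Connection timed out)
4131 connect(10, {sa_family=AF_INET, sin_port=htons(623), sin_addr=inet_addr("192.168.1.100")}, 16) = -1 EINPROGRESS (Operation now in progress)
EOF
}

sample_trace | classify_connects 3333
```

Any "direct" line naming the BMC address confirms that the viewer is opening its own socket instead of using the proxy.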
For enterprise networks, consider deploying a dedicated IPMI proxy service that handles the protocol translation between your corporate network and the management VLAN.
When managing Supermicro servers with WPCM450-based BMCs in isolated management networks (e.g., 192.168.1.0/24), accessing the Java-based Remote Console through SOCKS proxies presents unique challenges. While basic IPMI web interface functions work fine through the proxy, the JNLP-launched console app fails to establish video connections.
The root issue lies in how Java Web Start handles nested network connections:
1. JNLP file download → Success (via SOCKS proxy)
2. Java Web Start execution → Success
3. VNC socket connection (ports 5900/5901) → Fails (bypasses proxy)
Option 1: SSH Tunnel with Dynamic Port Forwarding
# Establish SOCKS proxy on port 3333
ssh -N -v -D 3333 user@jumpbox.example.com
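# Configure Java to use SOCKS proxy: pass the settings to the JVM that
# Java Web Start launches (a .jnlp file is not a jar, so java -jar cannot run it)
javaws -J-DsocksProxyHost=127.0.0.1 -J-DsocksProxyPort=3333 jviewer.jnlp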
Option 2: Forced SOCKS Proxy at System Level
# On Linux systems:
export _JAVA_OPTIONS="-DsocksProxyHost=127.0.0.1 -DsocksProxyPort=3333"
# Windows registry modification:
[HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Runtime Environment]
"JavaRuntime"="-DsocksProxyHost=127.0.0.1 -DsocksProxyPort=3333"
VPN-Based Solution: Create a site-to-site VPN tunnel to the management network instead of proxy tunneling.
IPMI Dedicated Gateway: Set up a reverse proxy server with:
# No bind= option is given, so socat listens on every interface of the gateway host
socat TCP-LISTEN:443,fork SOCKS4A:127.0.0.1:192.168.1.100:443,socksport=3333
- Verify SOCKS connectivity with
curl --socks5 127.0.0.1:3333 http://192.168.1.100
- Check Java proxy settings with
System.getProperty("socksProxyHost")
- Monitor network traffic with
tcpdump -i any port 5900 or port 5901
For managing 100+ servers, consider:
# Batch SSH tunnel creation (-f already backgrounds ssh after authentication)
for i in {1..100}; do
    ssh -N -f -L "$((5900+i)):192.168.1.$i:5900" jumpbox
done
# Or using Ansible:
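# inventory_hostname|int evaluates to 0 for non-numeric names, so the port
# offset is only unique when hosts are named by number
- name: Create IPMI tunnels
  local_action:
    module: shell
    cmd: "ssh -N -f -L {{ 5900 + inventory_hostname|int }}:{{ ipmi_address }}:5900 jumpbox"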