IP KVMs
IP versions of a keyboard-video-mouse switch provide all the benefits of a conventional KVM plus wider access, but be prepared for high prices and increased security risks. Our Editor's
August 12, 2005
Remote-access software also requires that the network and the network stack be in working order. If a server loses its network connection, whether by OS failure, unplugged network link or failing network card, you're out of luck. An IP KVM, however, lets you access the server no matter what its software state, assuming the person who unplugged the network connection to the server left the KVM attached to the network. The devices we tested let us access the BIOS, boot into Windows safe mode and watch system shutdown messages. In addition, the devices from Avocent, Raritan, Cyclades, Minicom and StarTech can dial in over modems, so you might be able to reach remote devices and figure out what caused the network meltdown.
Architecture and Integration
KVMs once relied exclusively on proprietary cabling for carrying analog video and mouse-keyboard signals. Aten and StarTech sent us low-priced units with proprietary cabling. The other appliances we tested use digital signals carried over Category 5, Cat 5E or Cat 6 cable. We attached custom proprietary dongles to the video and keyboard ports on each of our servers, then connected a Cat 5 cable from each dongle to the KVM concentrator.
We prefer Cat 5 to proprietary cable, and not just for the obvious cost and convenience reasons. For one, Cat 5 may take up less space: Cyclades says it can carry a signal over 500 feet, and Minicom claims 660 feet (though we didn't test connections over more than the 100-meter spec). Also, note that we don't say "Ethernet cable"--we didn't plug the dongle into an Ethernet switch, but instead had to home run connections to the KVM concentrator. Data centers with properly designed and organized patch panels should handle this easily. A few years ago our Syracuse labs switched from a proprietary to a Cat 5-based KVM, and the move greatly simplified our lives.
IP KVM Features
Remote access is provided by a Windows executable, ActiveX control, Java applet or any combination of those. Raritan's Dominion, for example, allows for both a locally installed Windows program and a Web ActiveX viewer. All the products we tested allow for Web access. We pointed our browser to the IP KVM or centralized management device and authenticated. The Java or ActiveX viewer program was loaded and, voila, console access.
Larger organizations take note: Managing multiple IP KVMs is frustrating if each unit is administered as a separate entity, and only half the products we tested got it right here. Avocent, Raritan and Cyclades aggregate all deployed IP KVMs into one management interface. With the Aten, Minicom and StarTech devices, you'll have to manage and log into each separately.
Those with conventional KVMs will be glad to hear it's easy to integrate them into an IP KVM infrastructure. We just took the console port of our non-IP KVM and plugged it into a node port on the IP KVM. This even worked with devices from different vendors, with one annoying exception: If your non-IP and IP KVMs share the same hot key for, say, bringing up the on-screen menu, you could run into trouble. For example, Unix users may find that a control-control press will cause the on-screen menu to pop up frequently and when least expected. Nearly all the IP KVMs we tested have a limited number of hot keys. The notable exception is Cyclades' devices, which let you configure hot keys. Nice touch.
All the standalone IP-enabler boxes plug into a conventional KVM and IP-enable it. We converted our entire lab to an IP-accessible KVM this way. If you're happy with your existing KVM system, this may be the way to go. Though you may lose some functionality found in the IP-enabled devices, such as access-control granularity, many of the features we evaluated will work.
We're pleased that the vendors are embracing power and serial-device management through the KVM interface. If a server crashes hard, the only fix may be a power cycle. All products we tested offer this capability with external power-control units. Serial-device access is also important. Administrators need remote-console access to switches, routers and firewalls, but the consoles for these devices are often accessible only by a serial cable. Avocent, Minicom, Raritan and StarTech provided adapters that let us plug a serial device directly into a port on the KVM. Cyclades uses a separate console server appliance that integrates into its KVM centralized management interface, and Aten offers a remote console server, but it's a standalone product.
We evaluated the IP KVMs in five areas: performance, KVM features, management, reporting and price. Performance scores were based on how close to an on-console feel the product provided. We were disappointed that none of the devices, even at 100 Mbps, offered a true Memorex experience--there was always a bit of a lag or visible redraw, though Avocent's DSR switches came the closest when used on a LAN. We gave separate grades for fast links and slow links. Fast links include a 100-Mbps LAN connection with no added latency, a T1 with 20-ms latency and a 512-Kbps cable/DSL line with 200-ms latency. Our slow-link test included a 512-Kbps link with 200-ms latency and 2 percent packet loss and a 33.6-Kbps simulated modem connection (see "How We Tested IP KVMs," page 62, for more details).
At slower speeds, the performance of all the products we tested was disappointing, even at 8- and 4-bit color depths. Surprisingly, we found that enabling encryption of all video and keyboard data added little overhead and had no noticeable effect except on the modem-speed test. As for bandwidth usage, data is sent only when a key is pressed, the mouse is moved or the screen changes. And only changed display data is sent, not the entire screen. A remote session with a static screen displayed should consume a slight amount of bandwidth, limited to just the on-screen clock updates. Conversely, an application that alters or changes a large number of pixels, such as a scrolling log file or graphical real-time charts, will suck up bandwidth.
We divided IP KVM features into local, also known as on-console, and remote and platform support. On the local console side, all the devices offer similar capabilities, including on-screen display and autoscan mode. As for remote support, being able to open multiple simultaneous video windows comes in handy, and the switches from Raritan, Cyclades and Avocent nailed this. Aten's device let us view as many as 16 simultaneous video signals, but we could control only one server at a time.
Access control is another important feature. The appliances from Avocent, Cyclades, Minicom and Raritan all let us restrict which users or groups could view or control each KVM port. Aten's allowed similar containment, though the end user can't see which ports he or she can access. StarTech let us individually password-protect each port.
Only the devices from Avocent, Cyclades and Raritan offer centralized management of IP KVM units. We like Minicom DX Matrix's unique interface for displaying and cascading non-IP units, but each IP KVM still must be managed separately. Aten and StarTech follow an "each IP KVM is separate" model. All the devices except those from Aten and StarTech support integration with LDAP and Active Directory. The units from StarTech, Raritan and Cyclades support RADIUS, and Avocent says this support is on its road map. We were frustrated by the Aten device's lack of directory support and believe this will discourage even midsize companies from purchasing the KN9116.
We were disappointed in most products' reporting features--the capabilities of the Avocent products were an exception. We wanted detailed audit logs showing when users connected to and disconnected from specific ports. The devices from Raritan and Cyclades offer this capability, but the Avocent units went further, letting us classify and sort events by priority level and type, export data to CSV format, send alerts over SNMP, and set up e-mail alert triggers.
Pricing was tricky to compute. We had specified 40 ports in a 32-port IP KVM and an 8-port IP KVM; this setup would give us two devices to test management. But some vendors offer only 16-port configurations. We took these varying sizes into consideration when computing our price score and added on the cost of additional components, such as centralized management devices, cables/dongles and software add-ons. Avocent charges for centralized management software; Cyclades, for its centralized management appliance. Although the Raritan Dominion line includes native centralized management, the company also offers an add-on product for beefier control, but didn't send it for testing.
Grades were lackluster overall, with no device earning higher than C+--there's lots of room for improvement. The top vendors all charge a lot more than the cost of remote-access software, which diminishes the benefits derived from going with an IP KVM: better control during reboots, boot screen views, access to broken network drivers for repairs and so forth. If these features aren't used often, or if you don't consider them worth the cost, less-expensive remote-access software may be good enough, especially for smaller organizations.
In addition, the lower-priced products are weak on enterprise functionality, and every device we tested should perform better. The performance we saw was in line with other screen-sharing remote-access technologies but didn't provide anything close to a local console feel. We wanted remote and local access to exhibit comparable performance when connected over the same LAN. At slower speeds, we wanted better redraw rates, especially when dragging windows around. Still, all the products matched conventional KVMs, and remote IP access will be of enough value for many organizations that they'll overlook sluggish performance.
Avocent's products offered the best mix of performance, management, reporting and features. Its devices earned our Editor's Choice award. And though its products are also the most expensive, we believe they're enterprise-ready. The appliances from Cyclades and Raritan also placed strong, thanks to centralized management and access-control capabilities. Minicom's DX Matrix System would be best for midsize organizations. It has excellent access-control capabilities, but the lack of centralized management for multiple IP units cost it in scoring.
StarTech's and Aten's devices are best-suited for smaller environments because of their relatively anemic access-control and management capabilities. Still, these products also came in at the lowest prices and are good values. Our "as tested" price includes 40 ports, IP access, 40 connectors and five administrators. See more detailed pricing in our features chart.
We could operate Avocent's DSR test IP KVMs as independent units or gain centralized management through Avocent's DSView 3 software. Only Avocent required us to install its management piece on a Windows server, a less-than-optimal arrangement. We'd recommend setting up additional DSView servers for load balancing or redundancy, if you can afford it--Avocent charges $2,495 for the first DSView hub with five users and $2,995 for additional groups of five.
We accessed the Java viewer program using Web browsers on Windows, Linux and Mac test machines. We couldn't get it to play nice with the Mac Safari browser on OS X, but Firefox worked fine.
The local KVM user can broadcast mouse and keyboard strokes. We could select which nodes to broadcast to, and key inputs were passed to each node simultaneously. This could be handy in a clustered environment, where all machines have similar configurations. We could set a wide range of access permissions for remote users or groups; for example, we could define permissions for changing settings, access ports or cycling power per port. Furthermore, permissions can be set on the KVM units, letting us specify which users can change KVM settings, disconnect sessions, reboot the KVM or perform a firmware upgrade.
Avocent DSR 4020 and DSR 1021
Avocent's user-pre-emption-level concept will appeal to the latent despot in everyone. Each user can be assigned a level from 1 to 4. Users with an equal or higher level may interrupt or terminate lower-level users' sessions. A higher-level admin can take over the operation, share control or lurk in a watch-only mode.
As for sharing, whenever we accessed a port on the local KVM that was also occupied by a remote user, we could kick the remote user off. Avocent was the only vendor not to allow a remote and local user to simultaneously access the same port, a capability we'd like to see added to this product.
Finally, Avocent really has its act together in reporting features. Events are broken down into six priority levels, and we could sort and limit which events were recorded. We also liked the products' e-mail alert capabilities. We set up alerts for config changes and devices being added to the database.
Avocent DSR 4020 and DSR 1021 KVM over IP switches and DSView 3 Management Software. Price as tested: $23,490. Avocent Corp., (866) 286-2368, (256) 430-4000. www.avocent.com
Cyclades sent us the two KVMs requested plus a centralized management appliance and a console server. Cyclades' 32-port IP KVM is less expensive than those from Avocent or Raritan, which helped its score. Each Cyclades IP KVM can operate independently, just like Avocent's, but centralized management is handled through an $8,950 appliance instead of a Windows server. Without the appliance, only two remote users can simultaneously access the KVM. Also disappointing, the remote software requires the use of an ActiveX control, thus limiting browser and platform support.
Similar to the Avocent devices, Cyclades' units offer excellent access-control capabilities. We could set access and control permissions on a per-port and per-KVM basis, and defining security profiles that specify IP permit/deny blocks, actions and date/time restrictions was relatively simple. However, local and remote users can't share console access--when we had a local user connect to a node that was being remotely accessed, we could choose to boot the remote user or set him to read-only mode. It can be argued that this is a security benefit, but we'd like the option to allow shared access.
Cyclades AlterPath
We were also disappointed that the AlterPaths allow only two simultaneous remote users, one of the lowest numbers among the devices we tested. We also wanted serial-device access directly integrated into the KVM, but Cyclades sent a separate, centrally manageable 1U console-server appliance, to which all the serial devices connected. Serial and KVM devices can be managed through this interface, but we prefer the flexibility gained from plugging a serial device into the KVM.
Finally, Cyclades' products use an odd hot key, control-K. Most of the other products we tested use a double tap of a modifier key. Fortunately, this key can be changed to an arbitrary setting, a feature unique to the AlterPath.
AlterPath KVM/net 32 and AlterPath KVM/net 16. Price as tested: $18,902. Cyclades Corp., (888) 292-5233, (510) 771-6100. www.cyclades.com
Raritan's was the lowest priced centrally manageable IP KVM system when all components sent for this review were factored in, though its 32-port KVM by itself costs several thousand more than Cyclades and Avocent units. Unlike the Cyclades and Avocent devices, the Dominion KVMs don't need a dedicated central management appliance to offer centralized management support. We simply logged into the KVM and could autodiscover or manually add all other Dominion KX KVMs on the network. Raritan does sell a centralized management console that provides added features, but we did not review it.
Serial device access was provided by an RS-232 to VGA/PS-2/Sun keyboard adapter. We could use this device on our existing KVM in addition to the ones we tested, and we don't want to send it back. Key commands like alt-tab aren't passed through to the remote machine, so the product allows for the creation of macros. This is a powerful feature, as complex key commands can be built.
Raritan lagged behind our two leaders because the Dominions are weak in group support. For example, you can't group ports. Instead, we were given a list of all ports and device names for each KVM, with little ability to organize them further, but users can be organized into groups for access-control purposes. We could set view, control or deny capabilities on a per-group basis and define IP access lists on a system or group level. LDAP and RADIUS external authentication support is available, but to use Active Directory we had to make some schema modifications manually.
Dominion KX216 and Dominion KX432. Price as tested: $13,852. Raritan Computer, (800) 724-8090, (732) 764-8886. www.raritan.com
Minicom had a unique method of organizing KVM ports. Its DX Matrix System comprises a conventional KVM plugged into an IP-enabled user station. Although multiple IP units cannot be centrally managed, we could cascade multiple non-IP KVMs. Each port is displayed in a graphical interface that looks like a cross between Windows Explorer and an X Window application. We created folders and subfolders and moved ports into them. Each port can be in only one folder or subfolder--aliasing isn't supported. We created local user and group access control lists for view, control and power cycling on a per-port basis. Minicom claims to offer the greatest distance between a PC and the KVM unit, supporting up to 660 feet over Cat5 cable, but we didn't have a cable long enough to test this.
Minicom DX Matrix System
Access control is available for remote users as well. Unique to Minicom's devices is a lockout feature--after a specified number of failed logins, we could block the user from attempting to connect for a set number of minutes. This should help thwart brute-force attacks. Minicom also has a chat environment where messages can be sent to all remote users currently connected to the KVM. However, only one remote server can be displayed at a time, and not all key commands are passed through.
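The lockout behaviour described above, sketched as an added example (it is not Minicom's code and not from the original article). The threshold of three failures, the five-minute block, the `LockoutGate` name and the log format are all assumptions made for illustration.

```python
from datetime import datetime, timedelta


class LockoutGate:
    """Block a user for a fixed time after N consecutive failed logins."""

    def __init__(self, max_failures=3, lockout=timedelta(minutes=5)):
        self.max_failures = max_failures  # assumed threshold
        self.lockout = lockout            # assumed block duration
        self.failures = {}      # user -> consecutive failed attempts
        self.locked_until = {}  # user -> time the block ends

    def attempt(self, user, password_ok, now):
        """Return 'ok', 'denied' or 'locked' for one login attempt."""
        until = self.locked_until.get(user)
        if until is not None:
            if now < until:
                # Rejected without evaluating the credentials, so attempts
                # made during the block reveal nothing about the password.
                return "locked"
            del self.locked_until[user]  # block has expired
        if password_ok:
            self.failures[user] = 0
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.max_failures:
            self.locked_until[user] = now + self.lockout
            self.failures[user] = 0
        return "denied"


# Constructed login records: ISO timestamp, user, whether the password matched.
SAMPLE_LOG = """\
2005-08-12T10:00:00 admin fail
2005-08-12T10:00:05 admin fail
2005-08-12T10:00:09 operator ok
2005-08-12T10:00:10 admin fail
2005-08-12T10:00:15 admin ok
2005-08-12T10:04:59 admin ok
2005-08-12T10:05:10 admin ok
"""


def replay(log_text, gate):
    """Feed each record to the gate and return (timestamp, user, outcome)."""
    outcomes = []
    for line in log_text.splitlines():
        stamp, user, result = line.split()
        now = datetime.fromisoformat(stamp)
        outcomes.append((stamp, user, gate.attempt(user, result == "ok", now)))
    return outcomes


if __name__ == "__main__":
    for row in replay(SAMPLE_LOG, LockoutGate()):
        print(*row)
```

Note that a correct password is still refused while the block is active, and that the block is tracked per user, so the `operator` login is unaffected by the failures against `admin`.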
DX Matrix System. Price as tested: $11,772. Minicom Advanced System, (800) 486-2154, (908) 486-2100. www.minicom.com
Aten's KN9116 is one of the more affordable products we tested, but it has fewer features than its rivals: each IP KVM is a standalone unit, with no centralized management. We could control access on a per-port, IP-address or MAC-address basis, but only one remote user is supported at a time--when we tried to connect a second user to the system, we got the cryptic message, "The server is busy now. Try again later please." Aten's product is the only one not to offer simultaneous remote-user support, though a remote and local user can share the same server.
Aten Technology KN9116
Remote access is provided through a Windows executable or Java client. The Windows app captured and passed all key commands except alt-tab and ctrl-alt-delete. The Java client can't capture special key commands; it uses a virtual on-screen keyboard instead. Even though we could control only one server at a time, a panel mode shows thumbnail video images from one, four, nine or all 16 ports.
KN9116 16-Port KVM on the Net. Price as tested: $7,447. Aten Technology, (888) 99-ATEN, (949) 428-1111. www.aten-usa.com
Despite its position at the bottom of our scorecard, the USB + PS/2 is relatively inexpensive and suitable for small businesses. We found its access-control capabilities limited, with no way to specify views or control settings on a per-user basis, but we could block access by IP address or DNS name. Individual ports on the KVM can be assigned a password for local and remote users, but that's about it.
Access to the IP KVM is handled through VNC, though we could access only one server at a time with the built-in client. Although StarTech includes a Java-based VNC client on the KVM switch, you can theoretically use any VNC program to connect. An on-screen display let us pass through special keyboard commands like alt-tab, but there's limited support for creating macros.
USB + PS/2 Digital KVM Switches. Price as tested: $7,285. StarTech.com, (800) 265-1844, (519) 455-9675. www.startech.com
Michael J. DeMaria is an associate technology editor based at Network Computing's Syracuse University's Real-World Labs®. Write to him at [email protected].
We asked each vendor to send us two IP KVMs, one with eight ports and one with 32. (Vendors without both configurations didn't suffer in our testing or grading--we only factored size differences in when it came to our pricing scores). We attached standard 1U rackmount computers to each IP KVM and used an SMC Networks TigerStack switch to test serial-device connections. We placed one monitor and keyboard on a local port of the KVM and added a second monitor and keyboard for our "remote user."
How We Tested IP KVMs
We simulated remote connections, ranging from T1 to dial-up modem, using a Shunra Storm (www.shunra.com, now selling as Shunra Virtual Enterprise) in bridge mode. The Storm was used to reduce available bandwidth, introduce latency and/or drop random packets. We determined performance and response rate by a subjective analysis of screen redraw, mouse movement, color depth, response rate and whether the images were blocky or fuzzy. Whenever possible, we observed performance at all available color depths. Several metrics were employed to cause screen content to redraw, including opening and moving an Internet Explorer window with a loaded Web page, moving around windows in the OS, clicking on icons, navigating the start menu and playing video files of varying sizes.
All Network Computing product reviews are conducted by current or former IT professionals in our Real-World Labs® or partner labs, according to our own test criteria. Vendor involvement is limited to assistance in configuration and troubleshooting. Network Computing schedules reviews based solely on our editorial judgment of reader needs, and we conduct tests and publish results without vendor influence.
IP KVMs offer conventional keyboard-video-mouse controls over a LAN, WAN or Internet connection, but they're not cheap: To get 40 ports, centralized management, decent reporting and a reasonably rich feature set, you'll spend $13,000 to $20,000. Lower-rated devices lacking management capabilities still run $7,000 plus. We wouldn't mind the price so much if performance were good. But it's nowhere near what we'd hoped for. Until prices drop and products achieve a more console-like feel, we believe many companies would do just as well with inexpensive remote-access software, especially if they run mainly homogeneous shops.
The upshot is that even our Editor's Choice winner, Avocent, earned only a C+. Its DSR devices are the most expensive, but we'd recommend them to large-enterprise buyers, thanks to their manageability, broad platform support and excellent reporting.