
Altiris™ Out of Band Management Component 7.1 SP1 from Symantec™ Implementation Guide

The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.

Legal Notice

Copyright © 2011 Symantec Corporation. All rights reserved.

Symantec, the Symantec Logo, Altiris, and any Altiris or Symantec trademarks used in the product are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, "Rights in Commercial Computer Software or Commercial Computer Software Documentation", as applicable, and any successor regulations. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.

Symantec Corporation
350 Ellis Street
Mountain View, CA 94043

http://www.symantec.com

Technical Support

Symantec Technical Support maintains support centers globally. Technical Support's primary role is to respond to specific queries about product features and functionality. The Technical Support group also creates content for our online Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering and Symantec Security Response to provide alerting services and virus definition updates.

Symantec's support offerings include the following:

■ A range of support options that give you the flexibility to select the right amount of service for any size organization

■ Telephone and/or Web-based support that provides rapid response and up-to-the-minute information

■ Upgrade assurance that delivers software upgrades

■ Global support purchased on a regional business hours or 24 hours a day, 7 days a week basis

■ Premium service offerings that include Account Management Services

For information about Symantec's support offerings, you can visit our Web site at the following URL:

www.symantec.com/business/support/

All support services will be delivered in accordance with your support agreement and the then-current enterprise technical support policy.

Contacting Technical Support

Customers with a current support agreement may access Technical Support information at the following URL:

www.symantec.com/business/support/

Before contacting Technical Support, make sure you have satisfied the system requirements that are listed in your product documentation. Also, you should be at the computer on which the problem occurred, in case it is necessary to replicate the problem.

When you contact Technical Support, please have the following information available:

■ Product release level

■ Hardware information

■ Available memory, disk space, and NIC information

■ Operating system

■ Version and patch level

■ Network topology

■ Router, gateway, and IP address information

■ Problem description:

■ Error messages and log files

■ Troubleshooting that was performed before contacting Symantec

■ Recent software configuration changes and network changes

Licensing and registration

If your Symantec product requires registration or a license key, access our technical support Web page at the following URL:

www.symantec.com/business/support/

Customer service

Customer service information is available at the following URL:

www.symantec.com/business/support/

Customer Service is available to assist with non-technical questions, such as the following types of issues:

■ Questions regarding product licensing or serialization

■ Product registration updates, such as address or name changes

■ General product information (features, language availability, local dealers)

■ Latest information about product updates and upgrades

■ Information about upgrade assurance and support contracts

■ Information about the Symantec Buying Programs

■ Advice about Symantec's technical support options

■ Nontechnical presales questions

■ Issues that are related to CD-ROMs or manuals

Support agreement resources

If you want to contact Symantec regarding an existing support agreement, please contact the support agreement administration team for your region as follows:

[email protected] and Japan

[email protected], Middle-East, and Africa

[email protected] America and Latin America

Contents

Technical Support ... 3

Chapter 1 Introducing Out of Band Management Component ... 13
  About Out of Band Management Component ... 13
    About out-of-band management ... 14
    About supported out-of-band management technologies ... 15
    Altiris products that can manage computers out of band ... 15
  What's new in Out of Band Management Component 7.1 SP1 ... 15
  How Out of Band Management Component works ... 16
    About the Symantec Management Console ... 16
    About Intel AMT ... 17
    About Intel AMT Setup and Configuration Service ... 18
    About Intel AMT versions and features ... 18
    About Intel AMT configuration modes ... 19
    About Intel AMT security ... 21
    About Intel AMT related credentials ... 22
    About Intel AMT wireless support ... 24
    About ASF ... 24
    About DASH ... 25
    Comparison of Intel AMT, ASF, and DASH ... 25
  What you can do with Out of Band Management Component ... 26
    About Intel AMT tasks ... 26
    About ASF tasks ... 27
    About DASH tasks ... 27
  Where to get more information ... 28

Chapter 2 Planning for Out of Band Management Component installation ... 31
  About environment requirements ... 32
  About configuring DNS ... 33
  About configuring DHCP ... 34
  About configuring SQL server ... 34
  About integrating with Microsoft Active Directory ... 35
  About installing Microsoft IIS ... 35
  Installing and configuring CA ... 36
  About installing .NET Framework on an OOB site server ... 38
  About planning OOB site servers hierarchy ... 38
  Configuring a firewall to allow Intel SCS and SQL server connections ... 39
  About ports used by Intel AMT ... 40
  About installing Out of Band Management Component in a lab environment ... 40
  About managing Intel AMT computers without the Symantec Management Agent installed ... 41

Chapter 3 Installing Out of Band Management Component ... 43
  System requirements ... 43
    About Out of Band Management Component requirements ... 43
    About client computer software and hardware requirements ... 44
  Installing the Out of Band Management Component product ... 45
  Installing an OOB site server ... 45
  Upgrading the Out of Band Management Component product ... 46
  Uninstalling Out of Band Management Component ... 46
    Uninstalling the Out of Band Task Plug-in ... 47
    Uninstalling Out of Band Management Component from Notification Server ... 47

Chapter 4 Preparing target computers for management ... 49
  Preparing target computers for management ... 49
    Installing the Symantec Management Agent ... 51
    Configuring the Symantec Management Agent settings for evaluation use ... 51
    Discovering out-of-band capable computers ... 52
    Installing the Out of Band Task Plug-in ... 53

Chapter 5 Configuring Out of Band Management Component ... 55
  Integrating Intel SCS with Active Directory ... 55

Chapter 6 Configuring Intel AMT computers for out-of-band management ... 57
  About configuring Intel AMT computers for out-of-band management ... 57
    About Intel AMT initialization ... 58
    About Intel AMT setup and configuration ... 59
  Prerequisites for Intel AMT configuration ... 61
  Configuring Intel AMT computers for out-of-band management ... 61
    Creating Intel AMT configuration profiles ... 62
    Configuring the automatic Intel AMT configuration profile assignment ... 64
    Initializing Intel AMT computers using the Remote Configuration feature ... 65
    Initializing Intel AMT computers manually ... 76
    Setting up and configuring initialized Intel AMT computers ... 82
  About resending Hello messages ... 89
    Resending Hello messages with the Delayed Configuration policy ... 89
    Resending Hello messages with the Send Intel AMT Hello Message task ... 90
  Configuring Intel AMT computers in small business mode ... 91

Chapter 7 Configuring TLS ... 95
  About TLS ... 95
  About configuring and enabling TLS ... 95
  Configuring TLS ... 96
    Exporting the CA Root Certificate for the Altiris Real-Time System Manager software ... 97
    Configuring the connection profile to use TLS ... 97
    Configuring Intel AMT computers to use TLS ... 98
  Configuring TLS with mutual authentication ... 100
    Creating and installing a client certificate using an Enterprise CA ... 100
    Configuring Intel AMT computers to use TLS mutual authentication ... 110

Chapter 8 Configuring ASF/DASH computers for out-of-band management ... 113
  Configuring ASF/DASH computers for out-of-band management ... 113
    Installing the Broadcom ASF management software ... 115
    Collecting ASF/DASH configuration and hardware inventory ... 115
    Configuring ASF/DASH computers for out-of-band management ... 117
  What to do next ... 117

Chapter 9 Deploying OOB site servers ... 119
  About site services ... 119
  About OOB site servers ... 120
  Prerequisites for OOB site server installation ... 120
  Installing an OOB site server ... 121
    Viewing Out of Band Potential Site Servers ... 122
    Configuring the OOB site server installation settings ... 122
    Rolling out the OOB site server ... 122
  Upgrading the Out of Band Site Server ... 123
  Uninstalling an OOB site server ... 124
  Configuring the default OOB site server location ... 124

Chapter 10 About Out of Band Management Component pages ... 127
  Auxiliary profiles: 802.1x Profiles page ... 128
    802.1x Profiles: Add 802.1x Profile dialog box ... 128
    Select Certificate Generation Properties dialog box ... 130
    Add Certificate Generation Properties dialog box ... 130
    Select Certificate Template dialog box ... 131
  Auxiliary profiles: Management Presence Servers page ... 131
    Management Presence Servers: Add Management Presence Server dialog box ... 131
  Auxiliary profiles: Remote Access Policies page ... 132
    Remote Access Policies: Create Remote Policy dialog box ... 133
  Auxiliary Profiles: Wireless Profiles page ... 134
    Wireless Profiles: Add Wireless Profile dialog box ... 134
  Trusted Root Certificates page ... 135
    Trusted Root Certificates: Select a Certificate Authority dialog box ... 135
    Trusted Root Certificates: Import Trusted Root Certificate dialog box ... 135
  Configuration Profiles page ... 135
    Setup and configuration profile: General tab ... 135
    Setup and configuration profile: Network tab ... 137
    Setup and configuration profile: TLS tab ... 138
    Setup and configuration profile: ACL tab ... 141
    Setup and configuration profile: Wireless Profiles tab ... 142
    Setup and configuration profile: Power Policy tab ... 143
    Setup and configuration profile: Domains tab ... 144
    Setup and configuration profile: Remote Access tab ... 145
  DNS configuration page ... 146
  General page ... 146
    Select Active Directory Organizational Unit dialog box ... 148
  Maintenance page ... 148
  Security keys page ... 149
  Service location page ... 152
  Users page ... 152
  Delayed Setup and Configuration page ... 153
  Intel AMT Computers page ... 154
  Profile assignments page ... 157
  Resource Synchronization page ... 158
    Assign profile dialog box ... 159
  Get ASF/DASH Configuration Inventory task ... 160
  Update ASF Configuration Settings task ... 160
  Update DASH Configuration Settings task ... 164
  OOB Site Service page ... 165
  Certificate Enrollment task ... 168
  Firewall Configuration task ... 168
  FQDN Synchronization task ... 169
  Install Intel Setup and Configuration Server task ... 169
  Install OOB Site Service agent task ... 169
  Install Out of Band Management Site Service Agent and Intel Setup and Configuration Server job ... 169
  Intel Setup and Configuration Server Upgrade job ... 170
  Intel Setup and Configuration Server Upgrade Job: internal task ... 170
  OOB Site Server Inventory task ... 170
  Send Intel AMT Hello Message task ... 170

Appendix A Troubleshooting Out of Band Management Component ... 171
  Viewing Intel SCS logs ... 171
  About Intel SCS error messages ... 173
  About Intel AMT setup and configuration issues ... 177
  About Intel SCS console integration ... 178
  About Intel AMT filters update ... 178
  Troubleshooting OOB site server installation ... 179

Appendix B Reference topics ... 181
  About passwords used with Intel AMT ... 181
  About populating filters ... 182
  How Resource Synchronization policy works ... 185
  Remote Configuration certificate requirements ... 186
  Remote Configuration certificate – differences between releases ... 187
    Intel AMT Release 2.2 ... 187
    Intel AMT Release 3.0 ... 187
    Intel AMT Release 2.6 ... 188

Glossary ... 189

Index ... 193

Chapter 1

Introducing Out of Band Management Component

This chapter includes the following topics:

■ About Out of Band Management Component

■ What’s new in Out of Band Management Component 7.1 SP1

■ How Out of Band Management Component works

■ What you can do with Out of Band Management Component

■ Where to get more information

About Out of Band Management Component

Altiris Out of Band Management Component software (formerly known as Altiris Out of Band Management Solution) lets you discover computers with ASF, DASH, and Intel AMT in your environment and configure the computers for out-of-band management.

Out-of-band management is the ability to manage client computers regardless of the state of their power, operating system, or management agents. You can remotely change the power state of the computer, collect hardware inventory, and perform other management tasks that would normally require a visit to a client computer.

See "About out-of-band management" on page 14.

Figure 1-1 Out of Band Management Component features

About out-of-band management

Remote management of client computers often requires the managed computer to be turned on with an operating system running. When a computer is turned on with a running operating system, the computer is considered in-band.

Out-of-band is when a client computer is in one of the following out-of-band states:

■ The computer is plugged in but is not actively running (off, standby, hibernating).

■ The operating system is not loaded (software or boot failure).

■ The software-based management agent is not available.

Out-of-band management is the ability to manage computers in these states. Computers with Intel AMT, ASF, DASH, or IPMI capabilities can be managed out of band.

See “About Intel AMT” on page 17.

See “About ASF” on page 24.

See “About DASH” on page 25.


About supported out-of-band management technologies

Out of Band Management Component supports computers with the following out-of-band management technologies:

■ Intel® Active Management Technology (Intel® AMT) 2.0 and later (also known as Intel® vPro and Intel® Centrino® Pro technology)
See "About Intel AMT" on page 17.

■ Broadcom ASF 2.0 and Intel ASF 2.0
See "About ASF" on page 24.

■ Broadcom DASH
See "About DASH" on page 25.

Altiris products that can manage computers out of band

You can manage computers out of band using the following Altiris products:

■ Altiris Real-Time Console Infrastructure

■ Altiris Real-Time System Manager

These Altiris products let you perform the following out-of-band management tasks:

■ Turn on, turn off, or restart computers.

■ Configure hardware alerts and change the alerts' destination address.

■ Collect the hardware information that is stored in the NVRAM of the Intel AMT device.

■ Boot a computer from a remote disk or an image on a server and run the operating system repair or reinstall.

■ Start a remote control session from the Symantec Management Console and access BIOS to view and change settings (Intel AMT only).

See “About Out of Band Management Component” on page 13.

What’s new in Out of Band Management Component 7.1 SP1

The SP1 release of Out of Band Management Component 7.1 includes new features.

If you are migrating directly from 7.0 to 7.1 SP1, you should read the 7.1 release notes. The 7.1 release notes include information about what changed from 7.0 to 7.1. They also include changes to system requirements from 7.0, which you must implement to use the 7.1 SP1 product effectively. The 7.1 release notes are available at the following URL:

http://www.symantec.com/docs/DOC3513

Table 1-1 List of new features

Feature: Support for new platforms.
  Description: You can install Out of Band Task Agent on the computers that are running the following platforms:

  ■ Windows 7 SP1

  ■ Windows Server 2008 R2 SP1

See “About out-of-band management” on page 14.

How Out of Band Management Component works

Out of Band Management Component installs Intel SCS on the Notification Server computer and integrates it into the Symantec Management Console. From the Symantec Management Console you can configure Intel SCS settings, discover Intel AMT capable computers, and configure them for out-of-band management.

See “About the Symantec Management Console” on page 16.

Also, Out of Band Management Component provides you with the tools to discover ASF and DASH capable computers and configure them for out-of-band management.

You can manage configured Intel AMT, ASF, and DASH computers with Altiris solutions that support out-of-band technologies.

See “Altiris products that can manage computers out of band” on page 15.

About the Symantec Management Console

The Symantec Management Console is the Web browser based administration console for working with Symantec Management Platform and solutions, including Out of Band Management Component. The console lets you perform tasks, schedule events, run reports, perform configuration, configure security, and more. You can run the console from the Notification Server computer (locally) or from a remote computer with a network connection to Notification Server. This means that you can perform administration tasks from wherever you are.


The console lets you set security that is specific to each console user. You specify which areas of the console a user has access to and the rights that a user has to perform specific actions. For example, one user can run reports while another user can only view reports that have already been run.

You can start the console remotely by typing the following URL into the Internet Explorer address bar: http://<Notification_Server_name>/altiris/console

For more information on the console, see the Symantec Management Platform Help, which can be accessed through the console's Help menu.

About Intel AMT

Intel Active Management Technology (Intel AMT) is a part of Intel vPro technology, which provides the following technology capabilities:

Remote manageability
  Lets you remotely inventory, diagnose, and repair computers, even those that are turned off, reducing costly desk-side visits and increasing user uptime.

Security
  Lets third-party security software identify more threats before they reach the operating system. You can isolate infected systems more quickly and update computers regardless of their power state.

Intel AMT is a solution that is based in hardware and firmware and is connected to the system's auxiliary power plane. Regardless of the power state or the operating system state of the client computer, Intel AMT provides IT administrators with access to alerts, hardware inventory, power management, network filtering, and agent presence functionality. Intel AMT functionality requires the computer to be plugged into the power source and connected to the network. Intel AMT functionality does not require a software agent to be installed on the client computer.

Altiris Out of Band Management Component, Altiris Real-Time Console Infrastructure, and Altiris Real-Time System Manager software support Intel AMT 2.0 and later.

See “About out-of-band management” on page 14.

See “About configuring Intel AMT computers for out-of-band management” on page 57.

See “About Intel AMT tasks” on page 26.


About Intel AMT Setup and Configuration Service

Intel AMT Setup and Configuration Service (Intel SCS) provides you with the tools to set up and configure Intel AMT devices. Intel SCS is automatically installed on the OOB site server computer (by default, the Notification Server computer).

See “About OOB site servers” on page 120.

Intel SCS installation creates a new database on the SQL server. This database stores configuration parameters and administrative connection credentials for each Intel AMT computer that you set up and configure with Out of Band Management Component. Out of Band Management Component integrates Intel SCS into the Symantec Management Platform and provides the interface for Intel SCS in the Symantec Management Console.

About Intel AMT versions and features

Out of Band Management Component supports several versions of Intel AMT.

Table 1-2 Intel AMT versions and features

6.05.15.04.03.02.62.52.22.12.0Feature

D/NDDNDNNDDDesktop (D) or notebook (N) support

XXXXXXXXXXRemote platform (sw\hw) assettracking

XXXXXXXXXXRemote diagnostics and repair

XXXXXXXXXXAgent presence checking and alerting

XXXXXXXXXSystem isolation and recovery

XXXXXXXXXEnterprise mode with TLS\Kerberos

XXXXXXXXXUpgradeable remote firmware

XXXXXXXRemote configuration

X1XXXWireless support (802.11i, VPN)

XXXXXXX802.1x native support

XXXXCIRA (Client Initiated Remote Access)

XXFull compliance to the DASH 1.0standard

XKVM over IP

1 Notebook computers only

See “How Out of Band Management Component works” on page 16.

About Intel AMT configuration modes

You can configure Intel AMT computers for out-of-band management in one of the two modes:

■ Small business mode. See “About Intel AMT small business mode” on page 19.

■ Enterprise mode. See “About Intel AMT enterprise mode” on page 19.

See “Comparison of Intel AMT small business and enterprise mode” on page 20.

About Intel AMT small business mode

Intel AMT small business configuration mode is easy to set up and is recommended when you have a few Intel AMT computers. You can also use this mode if your enterprise does not have DHCP or DNS services available or if using these services is not allowed for security or other reasons.

This mode does not support Transport Layer Security (TLS), so communications between computers are not encrypted. This mode works well in the environments that do not have a security infrastructure. Because small business mode is designed for small environments, this mode does not support communications across subnets. If your environment incorporates subnets, use enterprise mode.

See “About TLS” on page 95.

See “About Intel AMT enterprise mode” on page 19.

If you are new to Intel AMT and want to evaluate the technology, you can configure a few computers in small business mode. Small business mode lets you get things set up and running more quickly. Setting up an Intel AMT computer in small business mode is a manual process that is performed through the Intel AMT capable computer’s BIOS. Out of Band Management Component is not involved in the configuration process. After setup, the computer is ready to be managed out of band.

See “Configuring Intel AMT computers in small business mode” on page 91.

About Intel AMT enterprise mode

Intel AMT enterprise configuration mode is designed to serve the needs of large enterprises. When this mode is supported with the proper network infrastructure services, it can provide automated (one-touch or remote) configuration for Intel AMT devices. This mode also supports the configuration of wireless features on the Intel AMT device and integration with Microsoft Active Directory.

This mode supports multiple security options: an Intel AMT access control list, and the option to encrypt communications through the use of Transport Layer Security (TLS).

See “About TLS” on page 95.

Use Out of Band Management Component to control the process of enterprise mode Intel AMT configuration from the Symantec Management Console.

See “About configuring Intel AMT computers for out-of-band management” on page 57.

Comparison of Intel AMT small business and enterprise mode

Intel AMT small business configuration mode is easy to set up and is recommended when you have a few Intel AMT computers. Intel AMT enterprise configuration mode is designed to serve the needs of large enterprises and is more secure.

See “About Intel AMT small business mode” on page 19.

See “About Intel AMT enterprise mode” on page 19.

Table 1-3 Differences between Intel AMT small business and enterprise modes

Setup and configuration application (Out of Band Management Component)
  Small-business mode: Not needed
  Enterprise mode: Required and provided through Intel SCS, which is installed with the solution

Setup and configuration
  Small-business mode: Must be set up through the MEBx on the computer
  Enterprise mode: Can be pre-set up from the factory, implemented through a USB key, or manually through the MEBx

Remote setup and configuration
  Small-business mode: Not supported
  Enterprise mode: Intel AMT 2.2, 2.6, 3.0, 4.0, and 5.0 support the zero-touch remote configuration method

Encrypted communications
  Small-business mode: Not supported
  Enterprise mode: TLS encryption through use of Microsoft certification authority

Microsoft Active Directory integration
  Small-business mode: Not supported
  Enterprise mode: Supported

Wireless management support
  Small-business mode: Not supported
  Enterprise mode: Supported

Network subnet support
  Small-business mode: Not supported
  Enterprise mode: Supported

Access control list for accessing Intel AMT
  Small-business mode: Not supported
  Enterprise mode: Supported

Intel AMT password support
  Small-business mode: Must manually change passwords on the computer
  Enterprise mode: Centrally managed passwords through the management console

About Intel AMT security

One of the key benefits of Intel AMT over other out-of-band technologies, such as Wake on LAN, is the security features.

Table 1-4 Intel AMT security features

Intel AMT credentials
  The user name and the password that you use to connect to the Intel AMT device remotely. These credentials should not be confused with the MEBx credentials, which by default share the same user name and password as the remote access Intel AMT credentials.
  See “About Intel AMT related credentials” on page 22.

Access Control List (Enterprise mode only)
  The Intel AMT access control list (ACL) manages who has access to which capabilities within Intel AMT. An ACL entry has a user ID and a list of realms to which a user has access. This access is required to use the functionality that is associated with a realm.
  Two kinds of ACL entries exist: Kerberos and Digest. The main difference between them is that Kerberos entries have an Active Directory SID to identify a user or group of users. Digest entries have a user name and password for user identification. When Microsoft Active Directory is used, user identities are imported from Active Directory; otherwise, user identities are added manually.

PID-PPS security key pair (Enterprise mode only)
  A pair of keys that are used to ensure a secure connection when the configuration server configures an Intel AMT device. After a device is configured, these keys are no longer used and are deleted from the Intel SCS database.

TLS encryption (Enterprise mode only)
  TLS lets you encrypt communications between the configuration server and the Intel AMT device after the device has been configured. The encryption can be one direction (from the Intel AMT device to the configuration server) or both directions (mutual authentication). If you want to use TLS, you must use Intel AMT in enterprise mode and have access to Microsoft certification authority.
  See “About TLS” on page 95.

Figure 1-2 Out of Band Management Component modes and security

About Intel AMT related credentials

The Intel AMT administrative credentials and MEBx admin credentials often get confused as the same credentials, but they are different and have different purposes. By default, the administrator account for both credentials is admin and the password is admin. The MEBx credentials control local access to the MEBx on the computer and some Intel AMT settings. The Intel AMT administrative credentials control remote access to the Intel AMT settings (for example, when you run an out-of-band task from the Symantec Management Console, or access the Intel AMT Web UI).

When you access the MEBx for the first time, you must supply the default administrator credentials, and then you are prompted to change the password. This change modifies not only the MEBx admin account password but also the Intel AMT administrative account password.

Later, when you set up and configure Intel AMT computers, you change the Intel AMT administrator password again and make it different from the MEBx one.

Table 1-5 Out of Band Management Component credentials

MEBx
  Used to locally access the MEBx. The default administrator account and password are admin. During the Intel AMT initialization process, the default password is changed to a user-specified password (as defined in the configuration profile).
  See “Creating Intel AMT configuration profiles” on page 62.

Intel AMT
  Used in the remote management of Intel AMT. The default administrator account and password are admin.
  During the Intel AMT setup and configuration process, the default password is changed to a user-specified or randomly generated password (as defined in the configuration profile).
  See “Creating Intel AMT configuration profiles” on page 62.
  Altiris solutions use these credentials to perform remote management tasks.

Intel SCS Users
  Used to access Intel SCS that is running on the OOB site server computer (by default, the Notification Server computer).
  At the time of Out of Band Management Component installation, all users in the Symantec Administrators group are added to the list of the Intel SCS users.
  See “Users page” on page 152.

Access control list (Enterprise mode only)
  A list of users that can remotely access Intel AMT settings and the rights that they have.
  Intel AMT devices are configured with this list during the setup and the configuration process (as defined in the configuration profile).
  See “Creating Intel AMT configuration profiles” on page 62.

Symantec Management Console
  Used to access the Symantec Management Console. Users can have rights to access specific data and perform certain management tasks.
  For more information, see the Symantec Management Platform Help.

PID-PPS security key pair (Enterprise mode only)
  A pair of security keys that are used to ensure secure communications between the configuration server and the Intel AMT computer. After a computer is configured, these keys are no longer used.
  These keys are generated and entered into the Intel AMT device during the initialization process.
  See “About Intel AMT initialization” on page 58.

About Intel AMT wireless support (Intel AMT 2.5, 2.6, 4.0, 6.0 and later)

Out of Band Management Component lets you configure wireless features of Intel AMT through wireless profiles. A wireless profile defines how the system connects to the wireless access point when the operating system is not loaded. Different wireless profiles can be created and used to support different access points.

See “About Intel AMT” on page 17.

Through wireless profiles you can configure the following features:

■ Key management - Wi-Fi Protected Access (WPA).

■ Robust Secure Network (RSN) key management schemes are supported.

■ Encryption algorithm - Temporal Key Integrity Protocol (TKIP) and Counter Mode CBC-MAC Protocol (CCMP) are supported.

■ Authentication - A pass phrase or 802.1x profile can be used to ensure that only authorized users can establish a connection with the Intel AMT device.

About ASF

ASF (Alert Standard Format) is an industry standards-based technology that lets IT administrators manage computers regardless of the operating system state. ASF performs completely out of band and only relies on the operating system to configure the solution.


ASF provides alerting and power management functionality as long as the computer is plugged in with an Ethernet connection. ASF functionality is accomplished through hardware on the network card or system board, a software agent on the client computer, and management software on the server.

Altiris Out of Band Management Component, Altiris Real-Time Console Infrastructure, and Altiris Real-Time System Manager software support ASF 2.0.

See “About ASF tasks” on page 27.

About DASH

DASH (Desktop and Mobile Architecture for System Hardware) is a Web services-based management technology that enables IT professionals to remotely manage desktop and mobile computers from anywhere in the world. The technology lets administrators securely turn the power on/off, query system inventory, and push firmware updates among other things, regardless of the state of the remote computer.

Altiris Out of Band Management Component, Altiris Real-Time Console Infrastructure, and Altiris Real-Time System Manager software support Broadcom and Intel implementations of DASH.

See “Configuring ASF/DASH computers for out-of-band management” on page 113.

See “About DASH tasks” on page 27.

Comparison of Intel AMT, ASF, and DASH

Out of Band Management Component supports Intel AMT, ASF, and DASH out-of-band management technologies.

See “About Intel AMT” on page 17.

See “About ASF” on page 24.

See “About DASH” on page 25.

Table 1-6 Intel AMT, ASF, and DASH comparison

Network support
  Intel AMT: Supports the networks that include subnets.
  ASF: Does not support subnets.
  DASH: Supports the networks that include subnets.

Security
  Intel AMT: Supports the user name and password authentication, an access control list, and TLS encryption (Enterprise mode only) of communications.
  ASF: Supports the Operator and Administrator Authentication Keys authentication for performing remote power management commands.
  DASH: Supports the user name and password authentication, encrypted communications using certificates.

Standards
  Intel AMT: Non-standards based.
  ASF: Based on an open standard that is developed through DMTF.
  DASH: Based on an open standard that is developed through DMTF.

Intended use
  Intel AMT: Small to large environments with multiple options for security.
  ASF: Small to medium size environments.
  DASH: Small to large environments with multiple options for security.

What you can do with Out of Band Management Component

Out of Band Management Component helps you configure Intel AMT, ASF, or DASH devices on the computers that support these technologies, so these computers can be managed out of band.

See “About Intel AMT tasks” on page 26.

See “About ASF tasks” on page 27.

See “About DASH tasks” on page 27.

About Intel AMT tasks

Out of Band Management Component lets you perform the following Intel AMT tasks:

■ Discover Intel AMT capable computers.

■ Set up and configure computers with Intel AMT so that they can be managed out-of-band by other Altiris solutions.

■ Define service configuration parameters for Intel SCS.


■ Create the profiles that define the setup and the configuration parameters for Intel AMT, including wireless parameters.

■ Manage the list of valid PID-PPS keys that match what is to be installed on the Intel AMT computers that await initialization.

■ Remotely set the host name, either detected automatically or entered manually, for an Intel AMT network interface.

■ View and manage the entries that identify each Intel AMT computer that is configured or not configured.

■ Remotely reset or re-configure Intel AMT computers, synchronize clocks, change power-saving policies, and so on.

■ Control the list of users that have access to the Intel SCS console and to the Intel AMT devices and the permissions they have.

See “About configuring Intel AMT computers for out-of-band management” on page 57.

About ASF tasks

Out of Band Management Component lets you perform the following ASF tasks:

■ Discover ASF-capable computers.

■ Install the ASF management agent on the computers.

■ Collect ASF configuration inventory.

■ Configure the default connection, security, and remote power control settings on client computers with ASF.

■ Configure the ASF alerts that can help you be more proactive in responding to memory faults, temperature issues, hard drive warnings, chassis intrusion, and so forth. These alerts help you fix issues before they become destructive.

See “About ASF” on page 24.

About DASH tasks

Out of Band Management Component lets you perform the following DASH tasks:

■ Discover DASH-capable computers.

■ Install the DASH management agent on the computers.

■ Collect DASH configuration inventory.

■ Configure connection and security settings on client computers with DASH.

See “Configuring ASF/DASH computers for out-of-band management” on page 113.


Where to get more information

Use the following documentation resources to learn about and use this product.

Table 1-7 Documentation resources

Release Notes
  Description: Information about new features and important issues.
  Location: The Product Support page, which is available at the following URL:
  http://www.symantec.com/business/support/all_products.jsp
  When you open your product's support page, look for the Documentation link on the right side of the page.

Implementation Guide
  Description: Information about how to install, configure, and implement this product.
  Location: The Product Support page, which is available at the following URL:
  http://www.symantec.com/business/support/all_products.jsp
  When you open your product’s support page, look for the Documentation link on the right side of the page.

User Guide
  Description: Information about how to use this product, including detailed technical information and instructions for performing common tasks.
  Location:
  ■ The Documentation Library, which is available in the Symantec Management Console on the Help menu.
  ■ The Product Support page, which is available at the following URL:
  http://www.symantec.com/business/support/all_products.jsp
  When you open your product’s support page, look for the Documentation link on the right side of the page.

Help
  Description: Information about how to use this product, including detailed technical information and instructions for performing common tasks.
  Help is available at the solution level and at the suite level.
  This information is available in HTML help format.
  Location: The Documentation Library, which is available in the Symantec Management Console on the Help menu.
  Context-sensitive help is available for most screens in the Symantec Management Console.
  You can open context-sensitive help in the following ways:
  ■ The F1 key when the page is active.
  ■ The Context command, which is available in the Symantec Management Console on the Help menu.

In addition to the product documentation, you can use the following resources to learn about Symantec products.


Table 1-8 Symantec product information resources

SymWISE Support Knowledgebase
  Description: Articles, incidents, and issues about Symantec products.
  Location: http://www.symantec.com/business/theme.jsp?themeid=support-knowledgebase

Symantec Connect
  Description: An online resource that contains forums, articles, blogs, downloads, events, videos, groups, and ideas for users of Symantec products.
  Location: http://www.symantec.com/connect/endpoint-management


Chapter 2

Planning for Out of Band Management Component installation

This chapter includes the following topics:

■ About environment requirements

■ About configuring DNS

■ About configuring DHCP

■ About configuring SQL server

■ About integrating with Microsoft Active Directory

■ About installing Microsoft IIS

■ Installing and configuring CA

■ About installing .NET Framework on an OOB site server

■ About planning OOB site servers hierarchy

■ Configuring a firewall to allow Intel SCS and SQL server connections

■ About ports used by Intel AMT

■ About installing Out of Band Management Component in a lab environment

■ About managing Intel AMT computers without the Symantec Management Agent installed

About environment requirements

The environment requirements for Out of Band Management Component are as follows:

■ Before you install Out of Band Management Component, you must configure the SQL server that you want Intel SCS to use in mixed authentication mode (Windows Authentication and SQL Server Authentication). See “About configuring SQL server” on page 34.

■ You must configure DNS to resolve the ProvisionServer host name to the computer with OOB site server installed (by default, the Notification Server computer). You can do this before or after you install Out of Band Management Component. See “About configuring DNS” on page 33. See “About OOB site servers” on page 120.

Installing Out of Band Management Component and Out of Band site server in this environment lets you perform the following actions:

■ Configure ASF- and DASH-capable computers for out-of-band management.

■ Manually set up and configure Intel AMT-capable computers for out-of-band management without the use of Intel AMT security features.

However, if you plan to use more Intel AMT features (for example, TLS, Remote Configuration, Kerberos users, 802.1x profiles), more conditions must be met. You can prepare the environment before or after you install Out of Band Management Component.

Table 2-1 Out of Band Management Component environment requirements for Intel AMT features

Windows 2003 SP2 or later
  Simple enterprise mode Intel AMT setup and configuration: Required
  Kerberos users: Required
  TLS: Required
  TLS with mutual authentication, 802.1x profiles: Required
  Remote Configuration: Required

Active Directory
  Simple enterprise mode Intel AMT setup and configuration: Optional
  Kerberos users: Required
  TLS: Optional
  TLS with mutual authentication, 802.1x profiles: Required
  Remote Configuration: Required

Stand-alone certification authority
  Simple enterprise mode Intel AMT setup and configuration: Optional
  Kerberos users: Optional
  TLS: Required
  TLS with mutual authentication, 802.1x profiles: Not supported
  Remote Configuration: Not supported

Enterprise certification authority
  Simple enterprise mode Intel AMT setup and configuration: Optional
  Kerberos users: Optional
  TLS: Optional (supported only where Active Directory is present)
  TLS with mutual authentication, 802.1x profiles: Required
  Remote Configuration: Required

DHCP server (with option 15 support)
  Simple enterprise mode Intel AMT setup and configuration: Optional
  Kerberos users: Optional
  TLS: Optional
  TLS with mutual authentication, 802.1x profiles: Optional
  Remote Configuration: Required

See “About integrating with Microsoft Active Directory” on page 35.

See “Installing and configuring CA” on page 36.

See “About configuring DHCP” on page 34.

About configuring DNS

The OOB site server computer (by default, the Notification Server computer) must be registered in the DNS as ProvisionServer. Intel AMT computers send their Hello packets to this host name. If the OOB site server computer already has a name other than ProvisionServer, add a CNAME (canonical name) record to the DNS. To do this with a Microsoft DNS server, open the MMC DNS branch, open the Forward Lookup Zones branch, right-click the entry for the Notification Server computer, and click New Alias. Then type ProvisionServer as the alias name. You must create a ProvisionServer entry for each DNS domain.

If you plan on installing multiple OOB site servers to different subnets or geographic locations, be sure that you configure DNS so that Intel AMT computers at each location contact their OOB site server computer.

See “About OOB site servers” on page 120.

After you install Out of Band Management Component, you can test whether ProvisionServer resolves to the actual OOB site server computer.

See “DNS configuration page” on page 146.


About configuring DHCP

The Dynamic Host Configuration Protocol (DHCP) is an Internet protocol for automating the configuration of computers that use TCP/IP.

The DHCP can be used for the following purposes:

■ To automatically assign IP addresses.

■ To deliver TCP/IP stack configuration parameters such as the subnet mask and default router.

■ To provide other configuration information such as the addresses for printer, time, and news servers.

The DHCP server dynamically provides an IP address to Intel AMT devices.

You must configure your DHCP server to support Option 15 and be able to return the local domain suffix.
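The DNS and DHCP requirements above fit together: an Intel AMT device takes the domain suffix from DHCP Option 15 and sends its Hello packets to ProvisionServer in that domain, so every suffix a scope hands out needs a correct ProvisionServer record. The following check, written for this page and not part of the guide or of Intel SCS, walks each scope's Option 15 suffix and reports whether ProvisionServer.<suffix> resolves to the OOB site server planned for that domain. The scope list, site server inventory and the DNS answers used for the demo are constructed sample data; the resolver argument lets you swap in the real system resolver.

```python
import socket
from typing import Callable, Dict, List

ALIAS = "ProvisionServer"  # host name the guide requires Intel AMT devices to contact

Resolver = Callable[[str], List[str]]


def resolve_ipv4(fqdn: str) -> List[str]:
    """Return the IPv4 addresses for fqdn, or [] when the name does not resolve."""
    try:
        return socket.gethostbyname_ex(fqdn)[2]
    except socket.gaierror:
        return []


def check_provision_server(
    scope_suffixes: Dict[str, str],
    oob_site_servers: Dict[str, str],
    resolve: Resolver = resolve_ipv4,
) -> Dict[str, str]:
    """Check ProvisionServer.<suffix> for every DHCP scope.

    scope_suffixes:   DHCP scope id -> domain suffix the scope returns in Option 15
    oob_site_servers: domain suffix -> IPv4 address of the OOB site server that is
                      meant to serve that domain (assumed inventory data)

    Returns scope id -> verdict:
      "ok"             exactly the expected OOB site server address
      "no-site-server" no OOB site server is planned for this suffix
      "missing"        no ProvisionServer record exists in this domain
      "extra"          expected address present, but other addresses as well
      "wrong"          Hello packets would go to a different host
    """
    verdicts: Dict[str, str] = {}
    for scope, suffix in scope_suffixes.items():
        suffix = suffix.strip().rstrip(".").lower()
        expected = oob_site_servers.get(suffix)
        if expected is None:
            verdicts[scope] = "no-site-server"
            continue
        addresses = set(resolve(f"{ALIAS}.{suffix}"))
        if not addresses:
            verdicts[scope] = "missing"
        elif addresses == {expected}:
            verdicts[scope] = "ok"
        elif expected in addresses:
            verdicts[scope] = "extra"   # stale or duplicate record beside the right one
        else:
            verdicts[scope] = "wrong"
    return verdicts


# Constructed sample data; scope ids, domain names and addresses are placeholders.
SAMPLE_SCOPES = {
    "10.1.0.0/24": "hq.example.local",
    "10.2.0.0/24": "branch.example.local",
    "10.3.0.0/24": "lab.example.local",
    "10.4.0.0/24": "guest.example.local",
}
SAMPLE_SITE_SERVERS = {
    "hq.example.local": "10.1.0.10",
    "branch.example.local": "10.2.0.10",
    "lab.example.local": "10.3.0.10",
}
# Constructed DNS answers standing in for the real resolver during the demo.
SAMPLE_DNS = {
    "ProvisionServer.hq.example.local": ["10.1.0.10"],
    "ProvisionServer.branch.example.local": ["10.1.0.10"],   # points at HQ, not the branch server
    "ProvisionServer.lab.example.local": ["10.3.0.10", "10.3.0.99"],  # stale extra record
}


def sample_resolve(fqdn: str) -> List[str]:
    """Offline stand-in for resolve_ipv4 that answers from SAMPLE_DNS."""
    return SAMPLE_DNS.get(fqdn, [])


def demo() -> Dict[str, str]:
    """Run the check over the constructed sample environment."""
    return check_provision_server(SAMPLE_SCOPES, SAMPLE_SITE_SERVERS, sample_resolve)


if __name__ == "__main__":
    for scope, verdict in demo().items():
        print(f"{scope:<14} {verdict}")
```

Against a live environment, call check_provision_server with the real scope and site server inventory and leave the resolver at its default.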

About configuring SQL server

Intel SCS requires Microsoft SQL Server 2008.

Microsoft SQL Server must be configured in mixed authentication mode (Windows Authentication and SQL Server Authentication).

Out of Band Management Component uses two SQL databases: Notification Server's database (Symantec_CMDB) and the Intel SCS database (Symantec_CMDB_IntelAMT).

If you want to install multiple OOB site servers to different subnets or geographic locations, ensure that the SQL server is accessible from all these locations. All OOB site servers must use the same SQL server and the same database.

See “About planning OOB site servers hierarchy” on page 38.

You must configure the firewall on the SQL server computer to allow connections to the SQL server.

See “Configuring a firewall to allow Intel SCS and SQL server connections” on page 39.

You can install SQL server on the Notification Server computer. However, if you plan to use several other Altiris solutions or Altiris solutions that are database intensive, consider using a two-server configuration: one computer for Notification Server and one for SQL server.


Table 2-2 SQL server installation guidelines

Maximum number of computers to manage
  One-server configuration: 2000
  Two-server configuration: 5000

Update times for solutions and Notification Server processes
  One-server configuration: Moderate
  Two-server configuration: Moderate

Number of the solutions that run along with Out of Band Management Component
  One-server configuration: Several
  Two-server configuration: Many

Number of active console users
  One-server configuration: 5
  Two-server configuration: 15

About integrating with Microsoft Active Directory

Intel SCS uses Active Directory (AD) for Kerberos authentication using Intel AMT objects. You must integrate Out of Band Management Component with AD if you want to add Kerberos users to the Intel AMT Access Control List. Kerberos users are users in the form of DOMAIN\username.

Integration with AD is also required when you want to use 802.1x authentication. The Intel AMT data that is stored in AD is used in certificate requests for that Intel AMT computer.

When AD integration is enabled, during setup and configuration of an Intel AMT device, Intel SCS creates a directory entry that is based on the Intel-Management-Engine class.

This directory entry contains the following data:

■ An AD object that represents the Intel AMT device.

■ An attribute for connecting the AD computer object to the Intel AMT object.

To integrate Intel SCS with AD, the OOB site server computer (by default, theNotification Server computer) must be a member of a domain.

See “Integrating Intel SCS with Active Directory” on page 55.

About installing Microsoft IISNotification Server, Intel SCS software, and Microsoft certification authority (ifused) all require Microsoft Internet Information Services (IIS) version 6.


Microsoft IIS is a prerequisite for Notification Server installation, and it is already installed on the Notification Server computer. For a default Out of Band Management Component installation, no additional steps need to be performed on IIS.

You must install Microsoft IIS on a computer (other than the Notification Server computer) that you want to use for the following purposes:

■ As an OOB site server. See “About OOB site servers” on page 120.

■ As a computer that hosts the Microsoft certification authority. See “Installing and configuring CA” on page 36.

Note: To enable Web enrollment for certificates, install IIS before installing the certification authority.

Installing and configuring CA

To use certain Intel AMT features, you must install and configure the certification authority (CA).

Table 2-3 Intel AMT features and the CA they require

Intel AMT feature | CA to install
TLS | If you do not have Active Directory, install a Stand-alone CA. If you have Active Directory, you can install either a Stand-alone or an Enterprise CA.
TLS with Mutual Authentication | Install an Enterprise CA.
Remote Configuration | Install an Enterprise CA.

Install a Stand-alone CA on the same computer where the OOB site server (by default, the Notification Server computer) is installed. If you use a Stand-alone CA, there can be only one Intel SCS instance in the environment.

Install an Enterprise CA on Microsoft Windows Server 2003 Enterprise Edition with Service Pack 1 or later. The Enterprise CA host must be a member of an Active Directory domain. It can be the same host as the domain controller. The user who performs the installation must be a member of the domain and have sufficient administration privileges. For example, the user must be a member of the Domain Admins group.


Make sure the CA that you installed is configured to generate certificates automatically (this is the default setting) so that Intel SCS can request a certificate each time it performs a setup of an Intel AMT device. Otherwise, you have to intervene each time a device is set up.

Warning: To enable Web enrollment for certificates, install IIS before installing the CA.

See “About installing Microsoft IIS” on page 35.

To install the CA

1 On the computer where you want to install the CA, click the Windows Start button, and then click Control Panel > Add or Remove Programs > Add/Remove Windows Components.

2 On the Windows Components Wizard page, check Certificate Services.

A warning is displayed indicating that the computer name or the domain membership of the computer cannot be changed while it acts as a certificate server. Click Yes.

3 Click Details. Make sure that both Certificate Services CA and Certificate Services Web Enrollment Support are checked, and then click OK.

4 Click Next.

5 On the CA Type page, select either Enterprise root CA or Stand-alone root CA and click Next.

6 On the CA Identifying Information page, type the common name for this CA.

This is the name by which the CA will be known.

7 Type the distinguished name suffix, if it is not already there.

This is the domain suffix of the host. It is generated automatically in an Active Directory environment.

8 Click Next.

9 Click Next.

10 If a message requests to stop IIS, click Yes.

The installation runs to completion.

To configure the CA to automatically issue certificates

1 On the computer with the CA installed, click the Windows Start button, and then click Administrative Tools > Certification Authority.

2 In the Certification Authority window, right-click the first sub-branch and click Properties.

3 Click the Policy Module tab.

4 Click Properties, and then click Follow the settings in the certificate template, if applicable. Otherwise, automatically issue the certificate.

5 Click OK, respond to the message, and then click OK.

6 Click the root branch and use the buttons on the toolbar to restart the service.
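The following script is an added example and is not part of the Symantec guide. It checks from the command line what the console procedure above configures: whether the Certificate Services policy module is set to issue certificates automatically, so that Intel SCS setups do not stall on pending requests. It assumes the Certificate Services registry layout of Windows Server 2003/2008 and the REQDISP_* constants from the Windows SDK header certpol.h; run it in an elevated PowerShell session on the CA host.

```powershell
# Added example, not from the Symantec guide: read the CA policy module's
# RequestDisposition value and report whether requests are issued automatically.
# Assumptions: Certificate Services registry layout (Windows Server 2003/2008) and the
# REQDISP_* constants from the Windows SDK header certpol.h.

$cfgKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

function Get-CaRequestDisposition {
    # 'Active' holds the common name of the CA instance running on this host.
    $caName    = (Get-ItemProperty -Path $cfgKey -Name Active).Active
    $policyKey = Join-Path $cfgKey "$caName\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy"
    $value     = (Get-ItemProperty -Path $policyKey -Name RequestDisposition).RequestDisposition

    # certpol.h: low byte 0 = REQDISP_PENDING, 1 = REQDISP_ISSUE, 2 = REQDISP_DENY.
    # Bit 0x100 = REQDISP_PENDINGFIRST: on an Enterprise CA the certificate template's
    # own "pending" setting takes precedence over this default (the "Follow the
    # settings in the certificate template" option in step 4 above).
    $base  = $value -band 0xFF
    $state = switch ($base) {
        0       { 'PENDING: every request waits for an administrator' }
        1       { 'ISSUE: certificates are issued automatically' }
        2       { 'DENY: all requests are refused' }
        default { 'unknown disposition' }
    }
    New-Object PSObject -Property @{
        CA                 = $caName
        RequestDisposition = ('0x{0:X}' -f $value)
        AutoIssue          = ($base -eq 1)
        TemplateMayHold    = (($value -band 0x100) -ne 0)
        State              = $state
    }
}

$result = Get-CaRequestDisposition
$result | Format-List CA, RequestDisposition, State, TemplateMayHold

if (-not $result.AutoIssue) {
    # Command-line equivalent of steps 4 to 6; the policy module is re-read on restart.
    Write-Warning 'Intel SCS certificate requests would stay pending. To issue automatically, run:'
    Write-Warning '  certutil -setreg policy\RequestDisposition 1'
    Write-Warning '  Restart-Service certsvc'
}
```

Automatic issuance means that any principal allowed to submit a request to this CA receives a certificate without review, so the enrollment permissions on the CA and on the templates Intel SCS uses are what limit who can obtain one; the check above only confirms the disposition, it does not audit those permissions.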

About installing .NET Framework on an OOB site server

The .NET Framework is Microsoft’s managed code programming model for building applications on Windows clients, servers, and mobile or embedded devices.

You must install Microsoft .NET Framework 2.0 (with ASP.NET) and Microsoft Data Access Control 2.8 (MDAC) on the computer that you want to use as an OOB site server.

See “About OOB site servers” on page 120.

You can download and install the .NET Framework 2.0 from the Microsoft Web site http://www.microsoft.com/downloads/details.aspx?FamilyID=0856eacb-4362-4b0d-8edd-aab15c5e04f5.

In the case of a default OOB site server installation (on the Notification Server computer), you do not have to install .NET Framework 2.0 separately on the Notification Server computer. Notification Server requires and installs the .NET Framework 3.5 software, which includes .NET Framework 2.0 SP1.

About planning OOB site servers hierarchy

When you install Out of Band Management Component, the OOB site server is installed on the Notification Server computer. In a lab environment, you can keep the OOB site server installed on the Notification Server computer.

In a production environment, to reduce the workload on the Notification Server computer, you may consider moving the OOB site server to another computer.


It is possible that Intel AMT computers in your environment are located in multiple subnets, domains, or geographic locations, and cannot contact the only OOB site server directly (for example, due to network issues). In this case, consider installing an OOB site server at each of those locations.

For the OOB site servers hierarchy to work properly, the following conditions must be met:

■ The OOB site server computer must meet the minimum software requirements. See “Prerequisites for OOB site server installation” on page 120.

■ The OOB site server computer can access the same SQL Server that is used by all OOB site servers. See “About configuring SQL server” on page 34.

■ DNS for this location is configured to resolve the ProvisionServer host name to the OOB site server computer that is installed in this location. See “About configuring DNS” on page 33.

See “About OOB site servers” on page 120.

Configuring a firewall to allow Intel SCS and SQL server connections

You must configure a firewall on the OOB site server computer (by default, the Notification Server computer) to allow incoming traffic to Intel SCS.

On the computer with Microsoft SQL Server installed, you must configure the firewall to allow incoming traffic to the SQL server.

Configuring firewall software on the client Intel AMT computers is not necessary because Intel AMT management is performed at the hardware level.

See “About ports used by Intel AMT” on page 40.

To configure a firewall to allow Intel SCS connections

1 Open the Control Panel on the computer with Intel SCS installed (this is the OOB site server computer; by default, the Notification Server computer), and then click Windows Firewall.

2 In the Windows Firewall dialog box, on the Exceptions tab, click Add Program.

3 Click Browse, navigate to the instance of Intel SCS that you want to access through the firewall, and then click Open.

By default, Intel SCS is located at C:\Program Files\Intel\AMTConfServer\Windows Service\AMTConfigWinService.exe.


4 Click OK.

5 Click OK.

To configure a firewall to allow SQL server connections

1 Open the Control Panel on the computer with SQL Server installed, and then click Windows Firewall.

2 In the Windows Firewall dialog box, on the Exceptions tab, click Add Program.

3 Click Browse, navigate to the instance of SQL Server that you want to access through the firewall, and then click Open.

For example, browse to C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\Sqlservr.exe.

Note that the path may be different depending on where SQL Server 2005 is installed and which instance you are using.

4 Click OK.

5 Click OK.

If you still cannot connect to the SQL server remotely, try adding TCP port 1433 to the firewall exceptions list.
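The script below is an added example, not code from the Symantec guide, that performs the two firewall procedures above with netsh instead of the Windows Firewall control panel. It uses the default Intel SCS path and the example SQL Server 2005 path quoted in the guide (adjust the SQL path for your instance); the OOB site server addresses are constructed placeholders. It runs elevated on the OOB site server for the Intel SCS exception and on the SQL Server host for the SQL exceptions, and it picks the netsh context that matches the Windows version.

```powershell
# Added example, not from the Symantec guide: add the firewall exceptions the two
# procedures above describe, using netsh. Assumptions: the guide's default Intel SCS
# path, the guide's example SQL Server 2005 path, and constructed site server addresses.

$intelScsExe    = 'C:\Program Files\Intel\AMTConfServer\Windows Service\AMTConfigWinService.exe'
$sqlServerExe   = 'C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\Sqlservr.exe'
$oobSiteServers = '10.0.1.10,10.0.2.10'   # constructed: every OOB site server that uses this SQL Server

# Windows Vista / Server 2008 and later provide "netsh advfirewall"; Windows XP SP2 /
# Server 2003 only have the older "netsh firewall" context.
$useAdvFirewall = [Environment]::OSVersion.Version.Major -ge 6

function Invoke-Netsh {
    param([string[]]$Arguments)
    & netsh.exe @Arguments | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "netsh failed: netsh $($Arguments -join ' ')" }
}

function Get-LegacyScope {
    # "netsh firewall" expresses the remote address restriction as a scope.
    param([string]$RemoteIp)
    if ($RemoteIp -eq 'any') { return @('scope=ALL') }
    return @('scope=CUSTOM', "addresses=$RemoteIp")
}

function Add-ProgramException {
    # Allow inbound connections to one executable. RemoteIp limits who may connect:
    # 'any' for the Intel SCS listener, which every Intel AMT device must reach;
    # the site server addresses for SQL Server, which nothing else needs to reach.
    param([string]$Name, [string]$Path, [string]$RemoteIp = 'any')
    if (-not (Test-Path -LiteralPath $Path)) { throw "Program not found: $Path" }
    if ($useAdvFirewall) {
        Invoke-Netsh -Arguments @('advfirewall', 'firewall', 'add', 'rule', "name=$Name", 'dir=in',
                                  'action=allow', "program=$Path", 'enable=yes', 'profile=domain',
                                  "remoteip=$RemoteIp")
    } else {
        Invoke-Netsh -Arguments (@('firewall', 'add', 'allowedprogram', "program=$Path",
                                   "name=$Name", 'mode=ENABLE') + (Get-LegacyScope $RemoteIp))
    }
}

function Add-TcpPortException {
    # The guide's fallback when the program exception alone is not enough (TCP 1433).
    param([int]$Port, [string]$Name, [string]$RemoteIp = 'any')
    if ($useAdvFirewall) {
        Invoke-Netsh -Arguments @('advfirewall', 'firewall', 'add', 'rule', "name=$Name", 'dir=in',
                                  'action=allow', 'protocol=TCP', "localport=$Port", 'enable=yes',
                                  'profile=domain', "remoteip=$RemoteIp")
    } else {
        Invoke-Netsh -Arguments (@('firewall', 'add', 'portopening', 'protocol=TCP', "port=$Port",
                                   "name=$Name", 'mode=ENABLE') + (Get-LegacyScope $RemoteIp))
    }
}

# On the OOB site server: Intel AMT devices from every subnet send Hello messages here.
if (Test-Path -LiteralPath $intelScsExe) {
    Add-ProgramException -Name 'Intel SCS' -Path $intelScsExe
}

# On the SQL Server host: only the OOB site servers (and Notification Server) need access.
if (Test-Path -LiteralPath $sqlServerExe) {
    Add-ProgramException  -Name 'SQL Server (OOB site servers)' -Path $sqlServerExe -RemoteIp $oobSiteServers
    Add-TcpPortException -Port 1433 -Name 'SQL Server TCP 1433 (OOB site servers)' -RemoteIp $oobSiteServers
}
```

The control panel procedure creates an exception open to every remote address; scoping the SQL Server rules to the site server addresses keeps the database, which every OOB site server shares, reachable only from the hosts that need it, while the Intel SCS rule stays unrestricted because the Hello messages come from the Intel AMT devices themselves.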

About ports used by Intel AMT

By default, Intel SCS (a component of the OOB site server) listens on port 9971. Intel AMT devices send their Hello packets to this port.

Intel SCS and the Altiris solutions that support out-of-band management communicate with Intel AMT devices using the following ports:

■ In non-secure mode, Intel AMT devices listen on port 16992

■ In TLS mode, Intel AMT devices listen on port 16993

See “Configuring a firewall to allow Intel SCS and SQL server connections” on page 39.
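As an added example (not part of the Symantec guide), the following prerequisite check for one OOB site server location covers the DNS condition from “About planning OOB site servers hierarchy” and the ports listed above: it reports whether ProvisionServer resolves to this location's site server, whether Intel SCS is reachable on port 9971, whether the shared SQL Server answers, and whether sample Intel AMT devices answer in TLS or non-secure mode. It assumes TCP for every port (the guide names the ports, not the protocol), SQL Server on its default TCP port 1433, and the host names and addresses are constructed placeholders.

```powershell
# Added example, not from the Symantec guide: check the DNS and port prerequisites of an
# OOB site server location. Assumptions: TCP for all ports, SQL Server on TCP 1433, and
# constructed host names and addresses.

$expectedSiteServerIp = '10.0.1.10'                                                # constructed
$sqlServerHost        = 'sql01.example.internal'                                   # constructed
$sampleAmtDevices     = @('amt-ws-001.example.internal', 'amt-ws-002.example.internal')  # constructed

function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $handle = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $handle.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }  # timed out
        $client.EndConnect($handle)   # throws when the port is closed or the host is unknown
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function New-CheckResult {
    param([string]$Check, [string]$Target, [bool]$Ok)
    New-Object PSObject -Property @{ Check = $Check; Target = $Target; Ok = $Ok }
}

$results = @()

# DNS: at each location, ProvisionServer must resolve to the site server installed there.
try {
    $resolved = [System.Net.Dns]::GetHostAddresses('ProvisionServer') | ForEach-Object { $_.IPAddressToString }
} catch {
    $resolved = @()
}
$results += New-CheckResult 'ProvisionServer resolves to local site server' ($resolved -join ', ') ($resolved -contains $expectedSiteServerIp)

# Intel SCS listener that receives the Hello messages.
$results += New-CheckResult 'Intel SCS port 9971' $expectedSiteServerIp (Test-TcpPort $expectedSiteServerIp 9971)

# Shared SQL Server (every OOB site server must use the same one).
$results += New-CheckResult 'SQL Server port 1433' $sqlServerHost (Test-TcpPort $sqlServerHost 1433)

# Intel AMT devices: 16993 means TLS mode, 16992 means non-secure mode.
foreach ($device in $sampleAmtDevices) {
    $tls   = Test-TcpPort $device 16993
    $plain = Test-TcpPort $device 16992
    $mode  = if ($tls) { 'TLS mode (16993)' } elseif ($plain) { 'non-secure mode (16992)' } else { 'no Intel AMT listener' }
    $results += New-CheckResult "Intel AMT device $device" $mode ($tls -or $plain)
}

$results | Format-Table Check, Target, Ok -AutoSize
```

A device that answers only on 16992 is being managed without TLS; the CA requirements in Table 2-3 are what the guide asks for to move such devices to TLS mode, so the last rows of this report are a quick inventory of which devices still need that.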

About installing Out of Band Management Component in a lab environment

To evaluate Out of Band Management Component, you only need a server in a lab environment with the minimum requirements and a few out-of-band capable client computers. This configuration lets you run through the installation and get a feel for configuring computers and performing basic tasks. In a lab environment, you can install the SQL server and the OOB site server on the same computer where you installed Notification Server.

We recommend that you configure the Symantec Management Agent settings for evaluation use.

See “Configuring the Symantec Management Agent settings for evaluation use” on page 51.

To reduce server workload in a production environment, we recommend that you use different computers for Notification Server, SQL server, and the OOB site server. Depending on the number of Intel AMT computers in your enterprise and the number of geographic locations, you can install more OOB site servers.

See “About planning OOB site servers hierarchy” on page 38.

About managing Intel AMT computers without the Symantec Management Agent installed

To use the full set of features that Symantec Management solutions offer, we recommend that you install the Symantec Management Agent on the computers in your environment. However, Out of Band Management Component lets you set up and configure Intel AMT computers that do not have the Symantec Management Agent installed.

If you choose not to install the Symantec Management Agent on the computers with Intel AMT, you cannot perform the following actions:

■ Discover unconfigured Intel AMT capable computers in your environment.

■ Use other Altiris solutions to run in-band management tasks (for example, software inventory, software installation, and so on) on these computers.

■ Run the jobs that contain in-band tasks. For example, turn on the computer (out-of-band) > collect software inventory (in-band) > run a script (in-band) > turn off the computer (out-of-band).

■ Use the Delayed Setup and Configuration policy or the Send Intel AMT Hello message task to reset an unconfigured Intel AMT device remotely without touching the computer.

■ Initialize computers with Intel AMT 2.2 and 2.6 using the Remote Configuration feature.

With agentless Intel AMT computers you can perform the following actions:

■ Use Out of Band Management Component to set up and configure known Intel AMT computers that are initialized, and send configuration requests to the configuration server.

■ Run out-of-band management tasks from the Symantec Management Console. For example, you can collect Intel AMT hardware inventory; turn on, turn off, and restart the computers; configure Intel AMT alerts; and so on.

■ Use the SOL/IDE-R, Network Filtering, and other out-of-band features of Intel AMT.

■ Initialize computers with Intel AMT 3.0 and later using the Remote Configuration feature.

To create computer resources for agentless Intel AMT computers in the Symantec Management Console, run the Resource Synchronization policy.

See “Synchronizing Intel SCS and Notification Server resources” on page 88.

After this policy has run, the computer resources appear in the Configured Intel AMT Computers filter. This policy creates resources only for the Intel AMT computers that you set up and configured with Out of Band Management Component.

The computers that do not have the Symantec Management Agent installed do not appear in the standard Symantec Management Console filters like Windows Computers.

Note: To configure ASF and DASH capable computers with Out of Band Management Component, you must install the Symantec Management Agent on those computers.


Chapter 3

Installing Out of Band Management Component

This chapter includes the following topics:

■ System requirements

■ Installing the Out of Band Management Component product

■ Installing an OOB site server

■ Upgrading the Out of Band Management Component product

■ Uninstalling Out of Band Management Component

System requirements

Out of Band Management Component has the following requirements:

■ Out of Band Management Component installation requirements. See “About Out of Band Management Component requirements” on page 43.

■ Client computer software and hardware requirements. See “About client computer software and hardware requirements” on page 44.

About Out of Band Management Component requirements

Out of Band Management Component requires the following:

■ Symantec Management Platform 7.1 SP1. When you install Out of Band Management Component through Symantec Installation Manager, Symantec Management Platform is installed or upgraded automatically. For more information on Symantec Management Platform prerequisites and installation instructions, see the Symantec Management Platform Help.

■ Microsoft SQL Server 2008. See “About configuring SQL server” on page 34.

■ SQL server configured in mixed authentication mode. See “About configuring SQL server” on page 34.

Out of Band Management Component also requires that you configure your environment, such as DNS, DHCP, and so on.

See “About environment requirements” on page 32.

You can configure the environment before or after you install Out of Band Management Component.

Only the English version of the Microsoft Windows Server 2008 R2 operating system is supported by Intel SCS 5.4.

About client computer software and hardware requirements

The client computers that you want to configure for out-of-band management with Out of Band Management Component must meet certain hardware and software requirements. The client computers must support one of the out-of-band management technologies.

Table 3-1 Client computer software requirements

Requirement | Description
Hardware | 60 MB free hard disk space; 64 MB RAM (128 MB recommended)
Operating system | Windows 2003 Server SP2 or later; Windows XP SP2 or later

Table 3-2 Client computer out-of-band technology requirements

Technology | Description
Intel AMT 2.0, 2.1, 2.2, 2.5, 2.6, 3.0, 4.0, 5.0 and later | Computers with Intel AMT have an Intel vPro or Centrino Pro label on them.
Broadcom ASF 2.0 or Intel ASF 2.0 | The Broadcom and Intel implementations of ASF are supported.
Broadcom DASH | The Broadcom implementation of DASH technology is supported.

Installing the Out of Band Management Component product

Use Symantec Installation Manager to install Out of Band Management Component.

For more information on installing products, see the Symantec Installation Manager documentation.

See “About Out of Band Management Component” on page 13.

Installing an OOB site server

An OOB site server is a site server computer with Intel SCS. If you have installed Out of Band Management Component for the first time, you need to manually install the OOB site server with Intel SCS. For a faster installation process, configure the Symantec Management Agent for evaluation use.

See “Configuring the Symantec Management Agent settings for evaluation use” on page 51.

See “About OOB site servers” on page 120.

To install an OOB site server

1 In the Symantec Management Console, on the Home menu, click Remote Management > Out of Band Management.

2 In the left pane, under Getting Started Intel AMT, click Install OOB Site Server.

3 On the Install OOB site server page, click Install.

You can view the installation status of the OOB site server on the same page.


Upgrading the Out of Band Management Component product

Use Symantec Installation Manager to upgrade Out of Band Management Component.

See “About Out of Band Management Component” on page 13.

After you upgrade the product, you must upgrade the Out of Band Task Plug-ins that are installed on the target computers.

To upgrade the Out of Band Task Plug-in

1 In the Symantec Management Console, on the Actions menu, click Agents/Plug-ins > Rollout Agents/Plug-ins.

2 In the left pane, click Remote Management > Out of Band Management > Out of Band Task Plug-in - Upgrade.

3 Turn on the policy.

To turn on the policy, at the upper right of the page, click the colored circle, and then click On.

4 Click Save changes.

Uninstalling Out of Band Management Component

To uninstall Out of Band Management Component, perform the following steps:

Table 3-3 Uninstalling Out of Band Management Component

Step | Action | Description
Step 1 | Uninstall the Out of Band Task Plug-in from the client computers. | This step is required if you do not want to reinstall Out of Band Management Component later. See “Uninstalling the Out of Band Task Plug-in” on page 47.
Step 2 | Uninstall Out of Band Management Component from Notification Server. | This step removes the product from Notification Server. See “Uninstalling Out of Band Management Component from Notification Server” on page 47.


Uninstalling the Out of Band Task Plug-in

If you do not want to reinstall Out of Band Management Component, remove the Out of Band Task Plug-in from the client computers.

The agent uninstallation process can take some time to start, depending on the intervals that are set between the updates of the Symantec Management Agent.

See “Configuring the Symantec Management Agent settings for evaluation use” on page 51.

Do not uninstall the Out of Band Management Component software from Notification Server until the task has run on all computers. When Out of Band Management Component is uninstalled, there is no automated way to uninstall the Plug-ins.

To uninstall the Out of Band Task Plug-in

1 In the Symantec Management Console, on the Actions menu, click Agents/Plug-ins > Rollout Agents/Plug-ins.

2 In the left pane, click Remote Management > Out of Band Management > Out of Band Task Plug-in - Uninstall.

3 Turn on the policy.

To turn on the policy, at the upper right of the page, click the colored circle, and then click On.

4 Click Save changes.

Uninstalling Out of Band Management Component from Notification Server

Use Symantec Installation Manager to uninstall Out of Band Management Component.

For more information on uninstalling products, see the Symantec Installation Manager documentation.

See “About Out of Band Management Component” on page 13.


Chapter 4

Preparing target computers for management

This chapter includes the following topics:

■ Preparing target computers for management

Preparing target computers for management

Before you can use Out of Band Management Component, you must prepare the computers that you want to manage.

Table 4-1 Process for preparing target computers for management

Step | Action | Description
Step 1 | Discover manageable computers in your environment. | Discovery helps you find the host names of the computers on which you can install the Symantec Management Agent.
Step 2 | Install the Symantec Management Agent on target computers. | The Symantec Management Agent lets Notification Server get information from and interact with the client computers. See “Installing the Symantec Management Agent” on page 51. For the configuration and management of Intel AMT computers, the Symantec Management Agent is optional. However, for easier Intel AMT setup and configuration, we recommend that you install the agent. See “About managing Intel AMT computers without the Symantec Management Agent installed” on page 41.
Step 3 | (Optional) Configure the Symantec Management Agent settings for evaluation use. | For easier configuration and evaluation of Out of Band Management Component, make the Symantec Management Agent request configuration from Notification Server more frequently. See “Configuring the Symantec Management Agent settings for evaluation use” on page 51.
Step 4 | Discover out-of-band capable computers. | The Out of Band Discovery policy lets you find the computers that are capable of out-of-band management. See “Discovering out-of-band capable computers” on page 52.
Step 5 | Install the Out of Band Task Plug-in. | You must install this Plug-in on the ASF and DASH computers in your environment. We recommend installing this Plug-in on the Intel AMT computers in your environment for easier setup and configuration. See “Installing the Out of Band Task Plug-in” on page 53.

Installing the Symantec Management Agent

The Symantec Management Agent is the software that establishes communication between Notification Server and the computers in your network. Computers with the Symantec Management Agent installed on them are called managed computers. Notification Server then interacts with the Symantec Management Agent to monitor and manage each computer from the Symantec Management Console.

You must install the Symantec Management Agent on the computers you want to manage with Out of Band Management Component.

For more information on the Symantec Management Agent, see the Symantec Management Platform Help.

See “Preparing target computers for management” on page 49.

To install the Symantec Management Agent

1 In the Symantec Management Console, on the Actions menu, click Agents/Plug-ins > Push Symantec Management Agent.

2 On the Symantec Management Agent Install page, install the Symantec Management Agent on computers in your environment.

For more information on how to install the Symantec Management Agent, see the Symantec Management Platform Help.

Configuring the Symantec Management Agent settings for evaluation use

(Optional)


By default, the Symantec Management Agent requests new configuration from Notification Server once per hour. This means that it can take up to one hour for a rollout policy to reach the target computer.

If you are evaluating this solution in a lab environment, you can change the configuration request interval to speed up the evaluation process.

The next time the Symantec Management Agent downloads configuration information, these settings take effect. If you used the default agent configuration values before the change, it can take up to one hour before these changes are effective.

See “Preparing target computers for management” on page 49.

To configure the Symantec Management Agent for evaluation use

1 In the Symantec Management Console, on the Settings menu, click Agents/Plug-ins > Targeted Agent Settings.

2 In the left pane, under Policy Name, click the policy that applies to the computers that you want to configure. For example, click All Desktop computers (excluding 'Site Servers').

3 On the General tab, in the Download new configuration every box, change the value to 5 minutes.

This forces the agent to check more frequently for changes so you can see the results of the changes you make more quickly.

4 In the Upload basic inventory every box, change the value to 15 minutes.

This forces inventory data to be sent more frequently.

5 Click Save changes.

Discovering out-of-band capable computers

If you want to manage computers out of band, the first step is to know which computers on your network are out-of-band capable. Out of Band Management Component includes the Out of Band Discovery policy that can help you discover these computers. The policy requires that the computers to be checked for out-of-band capability be turned on and running a supported version of the Windows operating system and the Symantec Management Agent. After the policy runs on the client computers, the out-of-band capable computers are added to the corresponding filters.

See “About client computer software and hardware requirements” on page 44.

See “Preparing target computers for management” on page 49.


To discover out-of-band capable computers

1 Install the Symantec Management Agent on the client computers, if it is not already installed.

See “Installing the Symantec Management Agent” on page 51.

2 In the Symantec Management Console, on the Actions menu, click Agents/Plug-ins > Rollout Agents/Plug-ins.

3 In the left pane, click Remote Management > Out of Band Management > Out of Band Discovery.

4 (Optional) By default, the policy is configured to run on all Windows computers. If you want to run the policy on a different set of computers, under Applied to, change the resource targets.

5 Turn on the policy.

To turn on the policy, at the upper right of the page, click the colored circle, and then click On.

6 Click Save changes.

To view the list of the out-of-band capable computers

1 In the Symantec Management Console, on the Manage menu, click Filters.

2 In the left pane, click Hardware Filters > Out of Band Management.

3 Click one of the following filters:

■ ASF/DASH Capable Computers

■ Intel AMT Capable Computers

Installing the Out of Band Task Plug-in

The Out of Band Task Plug-in runs on client computers and lets you perform ASF and DASH in-band configuration tasks. It is also used for the Delayed Configuration feature.

See “About resending Hello messages” on page 89.

See “Preparing target computers for management” on page 49.

To deploy the Out of Band Task Plug-in

1 In the Symantec Management Console, on the Actions menu, click Agents/Plug-ins > Rollout Agents/Plug-ins.

2 In the left pane, click Remote Management > Out of Band Management > Out of Band Task Plug-in - Install.


3 (Optional) By default, the policy is configured to run on all Windows computers that the Out of Band Discovery policy has detected as out-of-band capable. If you want to run the policy on a different set of computers, under Applied to, change the resource targets.

4 Turn on the policy.

To turn on the policy, at the upper right of the page, click the colored circle, and then click On.

5 Click Save changes.


Chapter 5

Configuring Out of Band Management Component

This chapter includes the following topics:

■ Integrating Intel SCS with Active Directory

Integrating Intel SCS with Active Directory (Intel AMT only)

Microsoft’s Active Directory (AD) is a directory service that integrates with Windows 2003 Server. AD is an optional environment prerequisite.

See “About environment requirements” on page 32.

You must integrate Intel SCS with Active Directory if you want to use the following Intel AMT features:

■ Kerberos authentication using AMT objects

■ User lists

■ 802.1X Profiles

To integrate Intel SCS with Active Directory

1 Ensure the OOB site server computer (by default, the Notification Server computer) is registered in a domain.

2 Create a new organizational unit in Active Directory for Intel AMT devices as follows:

■ On the domain controller computer, in the Administrative Tools, click Active Directory Users and Computers.

■ Right-click the domain node, and then click New > Organizational Unit.

■ Type the name of the unit. Example: IntelAMT

Note: Do not use spaces in the organizational unit’s name.

■ Click OK.

Later, when you assign configuration profiles to Intel AMT devices, you can specify the organizational unit where the configured Intel AMT devices are registered.

3 In the Symantec Management Console, on the Settings menu, click All Settings.

4 In the left pane, click Remote Management > Out of Band Management > Configuration Service Settings > General.

5 Check Active Directory Integration.

6 In the Default AD OU drop-down list, click the name of the organizational unit that you created.

In this example, click IntelAMT.

7 Click Save changes.
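Steps 1 and 2 of the procedure above, done with the ActiveDirectory PowerShell module rather than the Active Directory Users and Computers console, as an added example that is not part of the Symantec guide. It assumes a Windows Server 2008 R2 or later domain controller (or a host with the RSAT ActiveDirectory module; the module does not exist on Windows Server 2003), uses the guide's own example OU name IntelAMT, and the site server name is a constructed placeholder.

```powershell
# Added example, not from the Symantec guide: verify the OOB site server's domain
# membership (step 1) and create the Intel AMT organizational unit (step 2).
# Assumptions: ActiveDirectory module available (Windows Server 2008 R2 or later);
# the OU name is the guide's example; the site server name is constructed.

Import-Module ActiveDirectory

$ouName     = 'IntelAMT'      # the guide's example name
$siteServer = 'OOBSITE01'     # constructed: name of the OOB site server computer

function Test-SiteServerDomainMember {
    # Step 1: a domain-joined OOB site server has a computer account in the directory.
    param([string]$ComputerName)
    $account = Get-ADComputer -Filter "Name -eq '$ComputerName'" -ErrorAction SilentlyContinue
    return ($null -ne $account)
}

function New-IntelAmtOu {
    # Step 2: create the OU that will hold the Intel-Management-Engine objects. The
    # guide's note forbids spaces in the name, so refuse them before touching the directory.
    param([string]$Name)
    if ($Name -match '\s') { throw "OU name '$Name' contains whitespace; use a name without spaces." }
    $domainDn = (Get-ADDomain).DistinguishedName
    $existing = Get-ADOrganizationalUnit -Filter "Name -eq '$Name'" -SearchBase $domainDn -SearchScope OneLevel
    if ($existing) { return $existing }   # idempotent: re-running the script is safe
    # Deletion protection guards the container every configured Intel AMT device will reference.
    New-ADOrganizationalUnit -Name $Name -Path $domainDn -ProtectedFromAccidentalDeletion $true -PassThru
}

if (-not (Test-SiteServerDomainMember $siteServer)) {
    throw "$siteServer has no computer account in this domain; join it to the domain before enabling AD integration."
}
$ou = New-IntelAmtOu $ouName
"Select this OU in the Default AD OU list (step 6): $($ou.DistinguishedName)"
```

Because Intel SCS creates and updates objects in this OU during every device setup, the account it runs as needs write access to the OU; delegating create and modify rights on this OU alone, rather than granting the account broader directory privileges, keeps that access to the least the integration requires.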


Chapter 6

Configuring Intel AMT computers for out-of-band management

This chapter includes the following topics:

■ About configuring Intel AMT computers for out-of-band management

■ Prerequisites for Intel AMT configuration

■ Configuring Intel AMT computers for out-of-band management

■ About resending Hello messages

■ Configuring Intel AMT computers in small business mode

About configuring Intel AMT computers for out-of-band management

Before you can manage Intel AMT computers out of band, you must configure the Intel AMT devices.

Configuration of Intel AMT computers in enterprise mode consists of the following stages:

Stage | Description
Initialization | You initialize Intel AMT computers by installing PID-PPS pairs into the Intel AMT firmware, either manually or automatically (using the Remote Configuration feature). See “About Intel AMT initialization” on page 58.
Setup | Initialized computers enter setup mode and start requesting configuration by sending Hello messages to the computer with the ProvisionServer host name. The ProvisionServer computer is the OOB site server that you installed in your environment. See “About OOB site servers” on page 120. You must configure DNS to resolve the ProvisionServer host name to that server. See “About configuring DNS” on page 33.
Configuration | When the OOB site server computer (by default, the Notification Server computer) receives a Hello message, a configuration process is initiated. The Intel AMT computer gets configured with the appropriate configuration settings that you defined in the Intel AMT configuration profile. See “Creating Intel AMT configuration profiles” on page 62. See “About Intel AMT setup and configuration” on page 59.

See “Prerequisites for Intel AMT configuration” on page 61.

See “Configuring Intel AMT computers for out-of-band management” on page 61.

About Intel AMT initialization

Initialization (previously known as pre-provisioning) is the process of populating the client Intel AMT computers with the Provisioning ID and the Provisioning Pre-Shared Key (PID-PPS) pairs. These pairs are needed for secure communications during the setup and configuration process.

Depending on your infrastructure and the Intel AMT firmware version, you can use the following methods of initialization:

Remote Configuration

The zero-touch Remote Configuration method is the easiest way of initializing a large number of Intel AMT computers. This method works on Intel AMT 3.0 or later. This method requires you to purchase a certificate.

Using this feature does not require you to visit the physical location of the computer with Intel AMT.

See “Prerequisites for using the Remote Configuration feature” on page 69.

See “Initializing Intel AMT computers using the Remote Configuration feature” on page 65.

Manual initialization

If you cannot purchase a remote configuration certificate, or if you have computers with Intel AMT versions that do not support Remote Configuration, you must visit the physical location of each Intel AMT computer and initialize them manually.

In some cases, you can perform one-touch manual initialization using a USB key. In other cases, you must type security keys (PID-PPS pairs) into the Intel AMT device manually through the BIOS.

See “Initializing Intel AMT computers manually” on page 76.

When initialized for the first time, the Intel AMT device sends Hello messages to Intel SCS periodically for about six hours. If for some reason the configuration server is unavailable for more than six hours, Intel AMT setup and configuration fails. To set up and configure the Intel AMT device, you must resend Hello messages when the configuration server becomes available.

See “About resending Hello messages” on page 89.

If you want to initialize, set up, and configure Intel AMT capable notebook computers, make sure you connect the computers to the wired network.

See “Prerequisites for Intel AMT configuration” on page 61.

See “Configuring Intel AMT computers for out-of-band management” on page 61.

About Intel AMT setup and configuration

Setup and configuration (sometimes referred to as provisioning) is a process of data exchange between the Intel AMT device and the configuration server. At the end of the setup and configuration process the Intel AMT computer is ready for out-of-band management.

The setup and configuration process starts right after you initialize the Intel AMT computer.

See “About Intel AMT initialization” on page 58.


Figure 6-1 Intel AMT setup and configuration process

The setup and configuration goes through the following steps:

1 An initialized Intel AMT device on the client computer requests an IP address from a DHCP server.

2 The Intel AMT device performs a DNS lookup for ProvisionServer to find the configuration server (OOB site server).

If there is no ProvisionServer record in the DNS, and you are not authorized to add DNS records, you can manually type the IP address of the configuration server into the Intel AMT computer's MEBx.

3 The Intel AMT device sends a TCP/IP Hello message to the configuration server.

If for some reason the configuration server is unavailable for more than six hours, the device stops sending messages.

See “About resending Hello messages” on page 89.

4 Based on the UUID that is located in the Hello message, Out of Band Management Component searches the Intel SCS database for the configuration profile and the host name that you assigned to this Intel AMT device.

5 If you use TLS to secure communications, Intel SCS requests a certificate for Intel AMT from a Microsoft certification authority (CA) server.

6 If you enabled integration with Active Directory, Intel SCS defines the device as an AMT object in the Microsoft Active Directory domain controller.

7 The Intel SCS service completes configuration using SOAP commands.

After setup and configuration, the computer is ready for out-of-band management with Altiris solutions.

See “Altiris products that can manage computers out of band” on page 15.

See “Prerequisites for Intel AMT configuration” on page 61.

See “Configuring Intel AMT computers for out-of-band management” on page 61.

Prerequisites for Intel AMT configuration

Before you proceed with Intel AMT setup and configuration, the following conditions must be met:

■ An OOB site server is installed in your environment and the AMTConfig service is running.
See “About OOB site servers” on page 120.

■ The OOB site server computer is registered in the DNS as ProvisionServer.
See “About configuring DNS” on page 33.

■ You configured the firewall to allow incoming traffic to Intel SCS.
See “Configuring a firewall to allow Intel SCS and SQL server connections” on page 39.

■ You discovered out-of-band capable computers and installed the management agents.
See “Preparing target computers for management” on page 49.

Configuring Intel AMT computers for out-of-band management

To configure Intel AMT computers for out-of-band management in enterprise mode you must complete the following steps:

See “About Intel AMT configuration modes” on page 19.


Table 6-1 Process for configuring Intel AMT computers for out-of-band management

Step 1: Create a configuration profile.

Configuration profiles contain Intel AMT configuration parameters.

See “Creating Intel AMT configuration profiles” on page 62.

Step 2: Configure an automatic profile assignment.

Out of Band Management Component can assign a configuration profile and a host name to the Intel AMT device automatically, based on the rules that you define.

See “Configuring the automatic Intel AMT configuration profile assignment” on page 64.

Step 3: Initialize the Intel AMT computers.

To get configured, the Intel AMT device must send a configuration request to Intel SCS.

See “About Intel AMT initialization” on page 58.

See “Initializing Intel AMT computers using the Remote Configuration feature” on page 65.

See “Initializing Intel AMT computers manually” on page 76.

Step 4: Set up and configure the Intel AMT computers.

After you set up and configure the Intel AMT computers, they are ready for out-of-band management.

See “Setting up and configuring initialized Intel AMT computers” on page 82.

Creating Intel AMT configuration profiles

The setup and configuration of an Intel AMT device in enterprise mode requires a configuration (previously known as provision) profile. Configuration profiles contain Intel AMT configuration parameters. Profiles determine which features are enabled in the device, what authentication mechanism to use, and which users have access to device features.


You can define as many configuration profiles as you want. For example, you can use a different profile for different sites. Each profile can be assigned to one or more Intel AMT devices.

A configuration profile can contain auxiliary profiles, which configure additional Intel AMT features.

You can use the following auxiliary profiles in a configuration profile:

802.1x Profiles

The 802.1x profiles let you specify security settings and can be applied to configuration and wireless profiles.

Management Presence Servers

Contains the list of Management Presence Servers (MPS) that you can use in a Remote Access Policy.

Remote Access Policies

A remote access policy contains the information that is needed for the Intel AMT devices to connect to the Management Presence Servers (MPS). MPS is needed for the client-initiated remote access (CIRA) functionality.

Trusted Root Certificates

Certificates are used for the Remote Configuration and TLS features.

Wireless Profiles

Wireless profiles let you specify wireless settings and are applied to configuration profiles. For each configuration profile, there can be multiple wireless profiles applied to it to specify settings for multiple wireless access points.

See “Configuring Intel AMT wireless settings” on page 64.

Out of Band Management Component installs with a default configuration profile already created. For evaluation, you can keep the default profile and proceed to the next step.

See “Configuring Intel AMT computers for out-of-band management” on page 61.

To create a new configuration profile

1 In the Symantec Management Console, on the Settings menu, click All Settings.

2 In the left pane, click Remote Management > Out of Band Management > Configuration Service Settings > Configuration Profiles.

3 In the right pane, click the Add symbol.

4 In the dialog box, specify the parameters for the profile.

See “Configuration Profiles page” on page 135.


Configuring Intel AMT wireless settings

(Intel AMT 2.5, 2.6, 4.0, and 6.0 only)

Wireless profiles are used to configure Intel AMT 2.5, 2.6, 4.0, and 6.0 wireless settings.

A wireless profile defines which protocols are used between an Intel AMT device and a wireless access point when the Intel AMT computer is in a sleep state and the operating system’s wireless settings are not accessible. Wireless profiles conform to IEEE 802.11i.

For the computers that are used in different wireless environments, different wireless profiles can be created and associated with a configuration profile.

An Intel AMT notebook computer that is configured with a wireless profile offers full Intel AMT management functionality through the wireless connection, except for setup and configuration. Setup and configuration is possible only through a wired network connection.

See “Creating Intel AMT configuration profiles” on page 62.

To create a wireless profile

1 In the Symantec Management Console, on the Settings menu, click All Settings.

2 In the left pane, click Remote Management > Out of Band Management > Configuration Service Settings > Auxiliary Profiles > Wireless Profiles.

3 On the Wireless Profiles page, click the Add symbol.

4 In the Add Wireless Profile dialog box, configure the wanted settings and click OK.

See “Auxiliary Profiles: Wireless Profiles page” on page 134.

Configuring the automatic Intel AMT configuration profile assignment

The Resource Synchronization policy lets you automatically map a configuration profile to Intel AMT computers in an unconfigured state.

For the automatic mapping to work, you must let Out of Band Management Component detect the FQDN of the Intel AMT device.

You can do this in the following ways:

■ If you want to configure a managed Intel AMT computer with the Symantec Management Agent installed, let the Symantec Management Agent register with Notification Server and send basic inventory.
Basic inventory includes the UUID of the Intel AMT device and the FQDN that is used by the operating system. Out of Band Management Component assigns this FQDN to the Intel AMT device at the time of setup and configuration.


■ If you want to configure unmanaged computers, you can check Use DNS IP resolution to find FQDN when assigning profiles on the Resource Synchronization page.
In this case, Out of Band Management Component performs a DNS lookup and assigns the Intel AMT device a DNS name, rather than the FQDN that is stored in the database.
To use this option you must have a properly configured network infrastructure where dynamic IP addresses are properly resolved to DNS names. Otherwise, an incorrect FQDN can be assigned to the Intel AMT device and the device will not be accessible.

See “Configuring Intel AMT computers for out-of-band management” on page 61.

To configure automatic profile assignment

1 In the Symantec Management Console, on the Settings menu, click All Settings.

2 In the left pane, click Remote Management > Out of Band Management > Intel AMT Computers > Resource Synchronization.

3 Under Profile assignment settings, add a profile to assign to all Intel AMT computers that request configuration.

You can add more than one profile, for example, if you want to assign different profiles to computers from different domains.

4 If you want to assign an FQDN to an Intel AMT computer that does not have the Symantec Management Agent installed and whose FQDN is not known to Notification Server, check Use DNS IP resolution to find FQDN when assigning profiles.

5 Turn on the policy and click Save changes.

Initializing Intel AMT computers using the Remote Configuration feature

(Intel AMT 3.0 and later)

The zero-touch Remote Configuration feature lets you initialize Intel AMT 3.0 and later computers without a need to visit the computers' location and manually install the PID-PPS pair. Preparing the infrastructure for the Remote Configuration requires you to perform some advanced server-side configuration and purchase a certificate. However, when all is set, initializing thousands of Intel AMT computers becomes an easy and automated task.


If you cannot purchase a remote configuration certificate, or if you have computers with Intel AMT versions that do not support Remote Configuration, you must initialize Intel AMT computers manually.

See “Initializing Intel AMT computers manually” on page 76.

Computers with Intel AMT 3.0 and later support bare-metal Remote Configuration (configuration without the need for an operating system).

Note: Computers with Intel AMT 2.2 and 2.6 are also capable of automatic remote configuration, but require a software agent to initiate the Remote Configuration process.

See “Resending Hello messages with the Delayed Configuration policy” on page 89.

See “Configuring Intel AMT computers for out-of-band management” on page 61.

Table 6-2 Process for initializing Intel AMT computers using the Remote Configuration feature

Step 1: Learn how Remote Configuration works.

Understand what certificates you need and how Remote Configuration works.

See “About the Intel AMT Remote Configuration feature” on page 67.

Step 2: Make sure you meet the requirements for this feature.

You must prepare your environment to support Remote Configuration.

See “Prerequisites for using the Remote Configuration feature” on page 69.

Step 3: Configure your OOB site server for remote configuration.

You must generate and install certificates.

See “Configuring your OOB site server computer (by default, the Notification Server computer) for Remote Configuration” on page 69.

Step 4: Configure Out of Band Management Component for remote configuration.

Enable the Remote Configuration feature support in Intel SCS.

See “Enabling the Remote Configuration feature in Out of Band Management Component” on page 75.

Step 5: Start the Remote Configuration.

Start and monitor the Remote Configuration process.

See “Starting the Intel AMT Remote Configuration” on page 75.

About the Intel AMT Remote Configuration feature

An Intel AMT device is prepared for remote configuration by having security certificate hashes added to the Intel AMT firmware. There are two sources of hashes within the Intel AMT firmware:

Certificate provider

These hashes correspond to certificates from commercial SSL certificate providers, such as Verisign. Several of these hashes are added to the firmware by Intel. Others can be added by the computer OEM in partnership with commercial certificate providers. In this case, you must request a security certificate from the certificate provider that corresponds to the hash you want to use.

Self-provided

These hashes are based on your own root certification authority. In this case, you issue the necessary certificate from your own certification authority. You can use this method for evaluation of the Remote Configuration feature in a lab environment before you purchase a commercial certificate from a certificate provider.

The hash that you must add to the Intel AMT firmware is displayed in the Thumbprint field of the trusted root CA certificate.

These hashes can be added to the Intel AMT firmware by an OEM (on your request) or you can flash the firmware yourself. You can also enter the hash into the MEBx manually, through the Setup and Configuration > TLS PKI > Manage Certificate Hashes menu.

When you power on the computer, the Intel AMT device starts sending Hello messages to the ProvisionServer host name (OOB site server computer). As part of the Hello message, the Intel AMT device sends all of the hashes to the configuration server. Out of Band Management Component authenticates to the Intel AMT device with a certificate compatible with one of the hashed root certificates and installs PID-PPS key pairs automatically on the Intel AMT device (initializes the device).

The remote configuration workflow is as follows:


1 The Intel AMT computer is connected to the network and plugged in for the first time.

2 The Intel AMT device opens its network interface for 24 hours, and starts sending Hello messages.

Note: The interface is open for 24 hours only the first time that it is enabled. If the time runs out before the setup and configuration completes or the Intel AMT device is unconfigured or partially unconfigured, any subsequent calls to start configuration will open the interface for only six hours.

See “About resending Hello messages” on page 89.

3 Intel SCS on the configuration server extracts the hashes from the Hello message.

4 Intel SCS sends a certificate chain that includes a trusted root certificate matching one of the received hashes.

5 The Intel AMT device validates the Intel SCS certificate. Intel AMT checks that the OID or the OU is correct and that it is derived from a certification authority that matches one of the root certificate hashes.

6 The Intel AMT device verifies that the suffix matches the DNS suffix in the Intel SCS certificate.

7 Intel SCS and the Intel AMT device perform a complete mutual authentication session key exchange:

■ The Intel AMT device uses a self-signed certificate and sends its public key.

■ Intel SCS creates a TLS session master key, encrypts it with the Intel AMT device public key, and sends it to the Intel AMT device.

■ The device decrypts the master key with its private key. The key is the shared secret used to establish the setup and configuration TLS session.

8 One-Time Password (OTP) verification: Intel SCS requests the OTP from the Intel AMT device. The device sends the OTP securely. The SCS verifies the OTP for correctness.

9 Intel SCS changes the Intel AMT password from its default and completes the setup and configuration process.
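The device-side checks in steps 4 to 6 are what most Remote Configuration failures trace back to: a root hash the firmware does not carry, a certificate without the Intel AMT setup OID (2.16.840.1.113741.1.2.3) or the "Intel(R) Client Setup Certificate" OU, or a DNS suffix that does not match the device's domain. The following model is an added example, not Symantec or Intel code: it reproduces those checks over a simplified certificate structure so you can test a planned chain before flashing hashes or buying a certificate. It assumes thumbprints are SHA-1 over the DER bytes (as in the Thumbprint field) and treats the suffix check as exact, case-insensitive equality; the sample chain and firmware hash list are constructed.

```python
import hashlib
from dataclasses import dataclass
from typing import Sequence, Tuple

# Values the guide tells you to put into the certificate template and request.
SERVER_AUTH_EKU = "1.3.6.1.5.5.7.3.1"                       # Server Authentication
INTEL_AMT_SETUP_OID = "2.16.840.1.113741.1.2.3"             # AMT Remote Configuration OID
INTEL_AMT_SETUP_OU = "Intel(R) Client Setup Certificate"    # Department box in the request


@dataclass(frozen=True)
class Cert:
    """Simplified certificate holding only the fields the device-side checks use."""
    subject_cn: str
    issuer_cn: str
    der: bytes                      # constructed stand-in for the DER encoding
    subject_ou: str = ""
    ekus: Tuple[str, ...] = ()      # extended key usage / application policy OIDs


def thumbprint(cert: Cert) -> str:
    """SHA-1 over the DER bytes, as shown in the certificate's Thumbprint field."""
    return hashlib.sha1(cert.der).hexdigest().upper()


def dns_suffix(fqdn: str) -> str:
    """Domain after the host label: provisionserver.west.example.com -> west.example.com."""
    return fqdn.partition(".")[2].lower()


def validate_remote_config_chain(chain: Sequence[Cert], firmware_hashes: Sequence[str],
                                 device_domain_suffix: str) -> Tuple[bool, str]:
    """Model of workflow steps 4 to 6 as seen from the Intel AMT device.

    chain[0] is the certificate Intel SCS presents, chain[-1] the trusted root.
    firmware_hashes are the root hashes programmed into the Intel AMT firmware.
    device_domain_suffix is the domain the device learned through DHCP option 15.
    Returns (accepted, reason).
    """
    if not chain:
        return False, "empty certificate chain"
    leaf, root = chain[0], chain[-1]

    # Steps 4 and 5: the chain must end in a root whose hash the firmware already trusts.
    known = {h.replace(":", "").upper() for h in firmware_hashes}
    if thumbprint(root) not in known:
        return False, "root certificate hash is not in the firmware hash list"

    # Each certificate must be issued by the next one up; the root is self-issued.
    for child, parent in zip(chain, chain[1:]):
        if child.issuer_cn != parent.subject_cn:
            return False, f"{child.subject_cn} is not issued by {parent.subject_cn}"
    if root.issuer_cn != root.subject_cn:
        return False, "last certificate in the chain is not a root"

    # Step 5: the Intel AMT setup marker (OID or OU) plus Server Authentication.
    if INTEL_AMT_SETUP_OID not in leaf.ekus and leaf.subject_ou != INTEL_AMT_SETUP_OU:
        return False, "leaf has neither the Intel AMT setup OID nor the setup OU"
    if SERVER_AUTH_EKU not in leaf.ekus:
        return False, "leaf lacks the Server Authentication EKU"

    # Step 6: the DNS suffix in the certificate must match the device's own suffix.
    # Assumption of this model: compared as exact, case-insensitive equality.
    if dns_suffix(leaf.subject_cn) != device_domain_suffix.lower():
        return False, "certificate DNS suffix does not match the device's DHCP domain suffix"

    return True, "accepted"


# Constructed sample chain; the DER bytes are placeholders, not real encodings.
SAMPLE_ROOT = Cert("Constructed Root CA", "Constructed Root CA", b"constructed-root-der")
SAMPLE_ISSUING = Cert("Constructed Issuing CA", "Constructed Root CA", b"constructed-issuing-der")
SAMPLE_LEAF = Cert(
    subject_cn="provisionserver.west.yourenterprise.com",   # FQDN as in the request procedure
    issuer_cn="Constructed Issuing CA",
    der=b"constructed-leaf-der",
    subject_ou=INTEL_AMT_SETUP_OU,
    ekus=(SERVER_AUTH_EKU, INTEL_AMT_SETUP_OID),
)
SAMPLE_CHAIN = (SAMPLE_LEAF, SAMPLE_ISSUING, SAMPLE_ROOT)
# Constructed firmware hash list: our root's hash plus an unrelated placeholder hash.
SAMPLE_FIRMWARE_HASHES = (thumbprint(SAMPLE_ROOT), "00" * 20)


def demo():
    """Run the model against the good chain and two typical misconfigurations."""
    good = validate_remote_config_chain(SAMPLE_CHAIN, SAMPLE_FIRMWARE_HASHES, "west.yourenterprise.com")
    wrong_suffix = validate_remote_config_chain(SAMPLE_CHAIN, SAMPLE_FIRMWARE_HASHES, "east.yourenterprise.com")
    unknown_root = validate_remote_config_chain(SAMPLE_CHAIN, ("11" * 20,), "west.yourenterprise.com")
    return good, wrong_suffix, unknown_root


if __name__ == "__main__":
    for accepted, reason in demo():
        print("accepted" if accepted else "rejected", "-", reason)
```

Feed it the thumbprint of your real root (from the Thumbprint field) and the hash list shown in the MEBx to confirm they agree before you rely on Remote Configuration.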

See “Initializing Intel AMT computers using the Remote Configuration feature” on page 65.


Prerequisites for using the Remote Configuration feature

Before you can use the Remote Configuration feature, the following requirements must be met:

■ Active Directory is present in your environment.

■ An enterprise certification authority is installed in your environment.
See “Installing and configuring CA” on page 36.

■ The Intel AMT device is configured to receive its IP address from a DHCP server. The DHCP server supports option 15 and will return the local domain suffix.
See “About configuring DHCP” on page 34.

■ The Intel AMT device is pre-programmed with at least one active root certificate hash.
See “About the Intel AMT Remote Configuration feature” on page 67.

■ The OOB site server computer (by default, the Notification Server computer) is registered with the DNS that is accessible to the Intel AMT device with the name ProvisionServer. The OOB site server computer is in either the same domain as the device or a domain with the same suffix.
See “About configuring DNS” on page 33.

See “Initializing Intel AMT computers using the Remote Configuration feature” on page 65.

Configuring your OOB site server computer (by default, the Notification Server computer) for Remote Configuration

To configure your OOB site server (by default, the Notification Server computer) for the Remote Configuration feature support, you must acquire and install the Remote Configuration certificate. This certificate is used by Intel SCS to authenticate to the Intel AMT devices.

Table 6-3 Process for configuring your OOB site server computer for Remote Configuration

Step 1: Prepare a certificate template.

A certificate template defines the format and content of a certificate.

See “Preparing a certificate template for Remote Configuration” on page 70.

Step 2: Issue the new template.

You must publish the certificate template so that a certification authority (CA) can issue certificates based on it.

See “Issuing the new certificate template for Remote Configuration” on page 72.

Step 3: Prepare a certificate request.

A certificate request lets you get a certificate from a CA.

See “Preparing a certificate request for Remote Configuration” on page 72.

Step 4 (Optional): Acquire the certificate.

This step is only required if you purchase the certificate from an external certificate vendor.

See “Acquiring and installing a certificate from an external certificate vendor” on page 74.

See “Initializing Intel AMT computers using the Remote Configuration feature” on page 65.

Preparing a certificate template for Remote Configuration

You must create a new certificate template that you will use to request a certificate.

See “Configuring your OOB site server computer (by default, the Notification Server computer) for Remote Configuration” on page 69.

To prepare a certificate template for Remote Configuration

1 On the computer with the certification authority (CA) installed, click Start > Run.

2 In the Open box, type mmc, and then click OK.

3 In the Microsoft Management Console, click File > Add/Remove Snap-in.

4 Click Add.

5 Click Certificate Templates, click Add, and then click Close.


6 Click OK.

7 In the tree, click Console Root > Certificate Templates.

8 In the right pane, right-click the User template, and then click Duplicate Template.

9 Type the template display name.

For example, type AMT Remote Configuration.

10 Check Publish certificate in Active Directory.

11 On the Request Handling tab, check Allow private key to be exported.

12 On the Request Handling tab, click CSPs.

13 In the CSP Selection dialog box, under CSPs, check Microsoft Strong Cryptographic Provider, and then click OK.

14 On the Subject Name tab, click Supply in the request.

15 On the Security tab, grant Read, Write, and Enroll permissions to both the Domain Admins group and the Notification Server’s Application Identity account.

For more information about the Notification Server’s Application Identity account, see the Symantec Management Platform Help.

16 On the Extensions tab, click Application Policies, and then click Edit.

17 In the Edit Application Policies Extension dialog box, click Add, click Server Authentication, and then click OK.

18 In the Edit Application Policies Extension dialog box, click Server Authentication, and then click Edit.

Verify the Object identifier is 1.3.6.1.5.5.7.3.1 and then click Cancel.

19 Click Add once more, and then, in the Add Application Policy dialog box, click New.

20 In the New Application Policy dialog box, in the Name box, type a name for the new application policy.

For example, type AMT Remote Configuration OID.

21 In the Object identifier box, type 2.16.840.1.113741.1.2.3 and then click OK.

22 Click the application policy you just created (in this example, click AMT Remote Configuration OID), and then click OK.


23 Click OK.

24 Click OK to save and close the properties of the new template.

Issuing the new certificate template for Remote Configuration

You must issue the new template that you prepared.

See “Configuring your OOB site server computer (by default, the Notification Server computer) for Remote Configuration” on page 69.

To issue the new template

1 On the computer with the certification authority (CA) installed, click Start > Control Panel > Administrative Tools > Certification Authority.

2 In the left pane, click your CA.

3 Right-click Certificate Templates, and then click New > Certificate Template to Issue.

4 In the Enable Certificate Templates dialog box, click the template that you prepared earlier (in this example, click AMT Remote Configuration), and then click OK.

Preparing a certificate request for Remote Configuration

You must prepare a certificate request that you will use to create your own certificate or submit to one of the commercial SSL certificate providers, whose root certification authority hash is already in the firmware of the Intel AMT device.

You must do this for each OOB site server in your environment.

See “About OOB site servers” on page 120.

See “Configuring your OOB site server computer (by default, the Notification Server computer) for Remote Configuration” on page 69.

To prepare a certificate request

1 Log on to the OOB site server computer (by default, the Notification Server computer) using the Application Identity Account.

For more information about the Notification Server’s Application Identity account, see the Symantec Management Platform Help.

2 From the OOB site server computer (by default, the Notification Server computer), open the Certificate Services Web page of your certification authority (CA) (http://<ca_server_name>/certsrv/) in Internet Explorer.

3 Click Request a certificate.

4 Click advanced certificate request.


5 Click Create and submit a request to this CA.

6 From the Certificate Template drop-down list, click the template that you prepared and issued earlier (in this example, click AMT Remote Configuration).

See “Preparing a certificate template for Remote Configuration” on page 70.

See “Issuing the new certificate template for Remote Configuration” on page 72.

7 In the Name box, type the FQDN of the OOB site server computer (by default, the Notification Server computer).

For example:

provisionserver.west.yourenterprise.com

8 In the Department box, type the following string exactly as follows:

Intel(R) Client Setup Certificate

9 Fill in the email, company, city, state, and country boxes with your company’s data.

Note that you must type the full name of the state: for example, type Texas instead of TX. Verisign® fails to issue the certificate if the state name is abbreviated.

10 Under Key Options, in the Key Size box, type 1024.

11 Check Mark keys as exportable.

12 Under Additional Options, click PKCS10.

13 If you are preparing a certificate request for a commercial certificate provider:

■ Check Save request to a file.

■ Type the full path name of the request file to create in the Full path name box.
For example: c:\request.txt

■ Click Save.
The certificate request is created and written to the file that you specified.

■ Acquire and install a certificate from an external certificate vendor.
See “Acquiring and installing a certificate from an external certificate vendor” on page 74.

14 If you are preparing a certificate request for your own certification authority:

■ Click Submit.


■ Click Install this certificate to install the certificate.
The certificate installs into the Certificates - Current User > Personal > Certificates store. To view this certificate, add the Certificates - Current User snap-in to the Microsoft Management Console.

■ Enable the Remote Configuration feature in Out of Band Management Component.
See “Enabling the Remote Configuration feature in Out of Band Management Component” on page 75.

Acquiring and installing a certificate from an external certificate vendor

(Commercial provided certificates only)

These steps are only required if you want to purchase a Remote Configuration certificate.

See “About the Intel AMT Remote Configuration feature” on page 67.

See “Configuring your OOB site server computer (by default, the Notification Server computer) for Remote Configuration” on page 69.

To acquire a certificate

1 Contact one of the vendors whose root certificate hashes are built into the Intel AMT firmware. A list of the hashes should be provided by the platform vendor. You can also see the hashes by logging into the MEBx of an Intel AMT computer.

2 Go to the certificate vendor’s Web site, submit the certificate request (CSR) that you prepared and purchase an SSL certificate.

See “Preparing a certificate request for Remote Configuration” on page 72.

For example, the following link to the Verisign® site, http://www.verisign.com/ssl/intel-vpro-technology/index.html, describes how to purchase an appropriate certificate. The site documents the steps that are required to request, enroll, install, and move an SSL certificate.

3 Save the acquired certificate on the OOB site server computer (by default, the Notification Server computer) into a text file with a .cer extension.

To install the certificate into the current user certificate store

1 Log on to the OOB site server computer (by default, the Notification Server computer) using the Application Identity Account.

For more information about the Notification Server’s Application Identity account, see the Symantec Management Platform Help.

2 Double-click the .cer file to open the certificate.


3 Click Install Certificate and follow the wizard.

4 In the wizard, click Automatically select the certificate store based on the type of certificate.

The certificate must be installed into the Certificates - Current User > Personal > Certificates store. To view this certificate, add the Certificates - Current User snap-in to the Microsoft Management Console.

5 Enable the Remote Configuration feature in Out of Band Management Component.

See “Enabling the Remote Configuration feature in Out of Band Management Component” on page 75.

Enabling the Remote Configuration feature in Out of Band Management Component

After you configured your OOB site server computer (by default, the Notification Server computer) for Remote Configuration, you must enable the Remote Configuration feature in Out of Band Management Component.

See “Initializing Intel AMT computers using the Remote Configuration feature” on page 65.

To enable the Remote Configuration feature

1 In the Symantec Management Console, on the Settings menu, click All Settings.

2 In the left pane, click Remote Management > Out of Band Management > Configuration Service Settings > General.

3 In the right pane, check Allow Remote Configuration.

4 Click Save changes.

5 Proceed to the next step.

See “Starting the Intel AMT Remote Configuration” on page 75.

Starting the Intel AMT Remote Configuration

Plug in the network cable and the power cable, and turn on your Intel AMT 3.0 or later computer. The Intel AMT device sends its certificate hashes to the OOB site server computer (by default, the Notification Server computer). Then, Intel SCS authenticates to the Intel AMT device with a certificate chain that includes a trusted root certificate matching one of the received hashes (you can view the certificate's hash on the certificate's Details tab, in the Thumbprint field). After that, the Intel AMT device checks the hashes and the DNS suffix in the certificate, and goes through the setup and configuration process.
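The certificate checks described above, modelled as an added example (not Intel's or Symantec's code): a constructed leaf/intermediate/root chain is checked for linkage, for a root thumbprint that appears in the device's stored hash list, and for a certificate FQDN whose domain matches the device's DNS suffix on a label boundary. The Cert record, the sample chain and the hash list are constructed for the example, and the exact suffix-matching rule is an assumption.

```python
"""Model of the checks an Intel AMT device makes on the Remote Configuration
certificate chain before it trusts the configuration server.

Added example, not Intel's or Symantec's code. Certificates are constructed
records (subject, issuer, FQDN, placeholder DER bytes), not real X.509 objects,
so the example runs offline. The thumbprint is SHA-1 over the DER bytes, which
is what the Windows certificate Details tab shows in the Thumbprint field."""
import hashlib
from dataclasses import dataclass
from typing import Sequence, Tuple


@dataclass(frozen=True)
class Cert:
    subject: str    # subject DN, for example "CN=provisionserver.example.com"
    issuer: str     # issuer DN (equal to subject for a self-signed root)
    dns_name: str   # FQDN from the subject CN / SAN; empty for CA certificates
    der: bytes      # DER encoding; placeholder bytes in this example


def thumbprint(cert: Cert) -> str:
    """Hex SHA-1 thumbprint, uppercase, no separators."""
    return hashlib.sha1(cert.der).hexdigest().upper()


def normalize_hash(h: str) -> str:
    """Accept the colon- or space-separated form shown in the console."""
    return "".join(ch for ch in h.upper() if ch in "0123456789ABCDEF")


def fqdn_matches_suffix(fqdn: str, dns_suffix: str) -> bool:
    """True when the domain part of the FQDN equals the device's DNS suffix.

    Compared on label boundaries: 'provisionserver.evil-example.com' does not
    satisfy a suffix of 'example.com'. Assumption: an exact parent-domain match
    is required; how deeper subdomains are treated varies by AMT version."""
    fqdn = fqdn.lower().rstrip(".")
    dns_suffix = dns_suffix.lower().rstrip(".")
    host, sep, domain = fqdn.partition(".")
    return bool(host) and bool(sep) and domain == dns_suffix


def chain_is_linked(chain: Sequence[Cert]) -> bool:
    """Leaf first, root last: every certificate is issued by the next one and
    the last one is self-signed."""
    if not chain:
        return False
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            return False
    return chain[-1].issuer == chain[-1].subject


def device_accepts_chain(chain: Sequence[Cert], firmware_hashes: Sequence[str],
                         dns_suffix: str) -> Tuple[bool, str]:
    """Apply the three checks in the order the guide describes them."""
    if not chain_is_linked(chain):
        return False, "chain does not link to a self-signed root"
    trusted = {normalize_hash(h) for h in firmware_hashes}
    if thumbprint(chain[-1]) not in trusted:
        return False, "root certificate hash is not in the firmware list"
    if not fqdn_matches_suffix(chain[0].dns_name, dns_suffix):
        return False, "certificate FQDN does not match the device DNS suffix"
    return True, "accepted"


# Constructed sample chain: leaf -> intermediate -> root.
ROOT = Cert("CN=Example Root CA", "CN=Example Root CA", "", b"constructed-root-der")
INTERMEDIATE = Cert("CN=Example Issuing CA", "CN=Example Root CA", "",
                    b"constructed-intermediate-der")
LEAF = Cert("CN=provisionserver.example.com", "CN=Example Issuing CA",
            "provisionserver.example.com", b"constructed-leaf-der")
CHAIN = [LEAF, INTERMEDIATE, ROOT]

# Constructed firmware hash list: one unrelated hash plus the sample root's.
FIRMWARE_HASHES = ["00" * 20, thumbprint(ROOT)]


if __name__ == "__main__":
    print(device_accepts_chain(CHAIN, FIRMWARE_HASHES, "example.com"))
    print(device_accepts_chain(CHAIN, FIRMWARE_HASHES, "corp.example.com"))
    print(device_accepts_chain(CHAIN, ["00" * 20], "example.com"))
```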

After you plug in an Intel AMT computer for the first time, it sends Hello messages to the OOB site server computer (by default, the Notification Server computer) only for the first 24 hours. If the computer was not set up and configured during that time (because Intel SCS was unavailable, or because of network problems), you must make the Intel AMT device resend Hello messages.

See “About resending Hello messages” on page 89.

Note: To start the remote configuration process on computers with Intel AMT 2.2 and 2.6, you must use the Delayed Configuration policy. Only Intel AMT versions 3.0 and later support bare-metal remote configuration, where no management agent and no running operating system are required.

See “Initializing Intel AMT computers using the Remote Configuration feature” on page 65.

Initializing Intel AMT computers manually (all Intel AMT versions)

Manual initialization of Intel AMT computers is performed at the computer location and, in most cases, requires an administrator to physically touch the computers.

If you have a large number of Intel AMT 3.0 or later computers, we recommend that you initialize the computers using the Remote Configuration feature.

See “Initializing Intel AMT computers using the Remote Configuration feature” on page 65.

You can initialize Intel AMT computers manually in the following ways:

■ Ask an OEM to prepare computers for initialization.
See “Initializing OEM-prepared computers manually” on page 77.

■ Use a USB key.
See “Initializing computers manually using a USB key” on page 77.

■ Type PID-PPS pairs into the MEBx.
See “Initializing computers manually through MEBx” on page 80.

The USB and MEBx methods require you to visit each Intel AMT computer's location and perform some manual configuration.

See “Configuring Intel AMT computers for out-of-band management” on page 61.

Initializing OEM-prepared computers manually

The OEM (original equipment manufacturer) initialization method lets you pre-program the computers at the factory (on agreement with the OEM) and does not require you to touch the computers at the site.

When an OEM delivers computers with the Intel AMT device already initialized, the PID-PPS key pairs are already entered into the Intel AMT device firmware. All that remains is to import the file that contains the PID-PPS pairs supplied by the OEM (in the form of a setup.bin file) into the Intel SCS database.

After you plug in an Intel AMT computer for the first time, it sends Hello messages to the OOB site server computer (by default, the Notification Server computer) only for the first 24 hours. If the computer was not set up and configured during that time (because Intel SCS was unavailable, or because of network problems), you must make the Intel AMT device resend Hello messages.

See “About resending Hello messages” on page 89.

See “Initializing Intel AMT computers manually” on page 76.

To import security keys supplied by an OEM

1 In the Symantec Management Console, on the Settings menu, click All Settings.

2 In the left pane, click Remote Management > Out of Band Management > Configuration Service Settings > Security Keys.

3 On the Security Keys page, click the Import security keys symbol.

4 Browse to the security keys file, and then click Import.

Initializing computers manually using a USB key

If the Intel AMT device on a computer is not initialized by the OEM, USB key initialization is the recommended method. This method is much less labor-intensive and error-prone than initialization through MEBx.

To use the USB initialization method with Intel AMT 2.0, 2.2, and 2.6 computers, the MEBx settings on the computer must be in the factory default state.

This means that the following conditions are met:

■ No PID-PPS pairs installed

■ Factory default MEBx and Intel AMT passwords

If you have already accessed the MEBx and changed the factory default password, you cannot use the USB key initialization method unless you reset the MEBx to factory defaults. Usually, you can reset the MEBx by removing and replacing the system board battery, or by pressing the reset button if the system board has such a button.

If you do not want to reset the MEBx, use the MEBx initialization method for systems with changed passwords.

See “Initializing computers manually through MEBx” on page 80.

It is important to have the USB key properly configured. USB key requirements vary from one hardware vendor to another, but your USB key should work on most computers if you meet the general USB key requirements.

The USB key requirements are as follows:

■ Format the USB key with FAT16 (some USB keys come formatted with FAT32).

■ We do not recommend using USB keys larger than 512 MB.

■ The setup.bin file must be the only file that is stored on the USB key.

See “Initializing Intel AMT computers manually ” on page 76.

To initialize Intel AMT manually using the USB key

1 In the Symantec Management Console, on the Settings menu, click All Settings.

2 In the left pane, click Remote Management > Out of Band Management > Configuration Service Settings > Security Keys.

3 (Optional) To use previously generated keys that have not been used, on the Security Keys page, click the PID-PPS keys you want to export to the USB key.

4 On the Security Keys page, click the Export security keys to USB key symbol.

5 If you want to export the keys that you have already generated, in the Export Security Keys to USB Key dialog box, click All or Only Selected.

6 If you want to generate new keys, click Generate keys before export, and then specify the following options for generating the key file:

Number of security keys to generate
Type a number equal to or greater than the number of Intel AMT computers you want to initialize with the USB key. Each key is used only once. There is no problem with exporting extra keys for use later or even not at all.

Factory default Intel Management Engine (MEBx) password
The value for Intel AMT computers in factory default state is "admin".
(Intel AMT 2.5, 3.0, 4.0, and 5.0 only) If you changed the default MEBx password through the computer's BIOS, specify your password.

New Intel Management Engine password
This password will replace the default MEBx password.
See “About Intel AMT related credentials” on page 22.
Note: You must type a strong password.
See “About passwords used with Intel AMT” on page 181.

7 Click Generate.

A file with the keys is created in the format expected by the platform BIOS.

8 Click the Download USB key file link, and then save the file to the USB key.

9 Click Close.

The exported keys are also added to the Intel SCS database.

10 Go to the physical location of the Intel AMT computer, and then connect the cables (including network), a monitor, and a keyboard.

11 Insert the USB key and power up or restart the computer.

12 Follow the on-screen instructions to initialize the computer.

The specific PID-PPS key pair that is used to initialize the computer is marked on the USB key as used, so the key cannot be used again.

13 Restart the computer.

The computer starts sending Hello messages to the OOB site server computer (by default, the Notification Server computer). Out of Band Management Component configures the Intel AMT computer with the profile that you assigned to this resource.

14 (Optional) Use the USB key to initialize other computers.

Initializing computers manually through MEBx

Manual initialization through MEBx requires significantly more time and is more prone to errors, because you must manually type all of the information. In general, use the USB key initialization if you can.

See “Initializing computers manually using a USB key” on page 77.

If you have Intel AMT 3.0 or later computers in your environment, try the Remote Configuration method.

See “Initializing Intel AMT computers using the Remote Configuration feature” on page 65.

You must use the manual Intel AMT initialization through MEBx in the following situations:

■ You have accessed the computer's MEBx and changed the factory default MEBx password, and thus cannot use the USB initialization method.

■ You have not configured the DNS to resolve the ProvisionServer host name to the OOB site server computer (by default, the Notification Server computer).
See “About configuring DNS” on page 33.
(You can still use the USB key method, but you must enter the MEBx after initialization and manually type the IP address of the OOB site server.)

■ You cannot use the other initialization methods.

■ You want to quickly configure a single computer for evaluation in enterprise mode and make it manageable out of band.

After you initialize the computer, the computer entry should appear in the Symantec Management Console, on the Intel AMT Computers page.

See “Initializing Intel AMT computers manually” on page 76.

To manually initialize Intel AMT through MEBx

1 In the Symantec Management Console, on the Settings menu, click All Settings.

2 In the left pane, click Remote Management > Out of Band Management > Configuration Service Settings > Security Keys.

3 On the Security Keys page, click the Generate security keys symbol.

4 In the Generate Security Keys dialog box, specify the following, and then click OK when done:

Number of security keys to generate
Type a number equal to or greater than the number of Intel AMT computers you want to initialize. Each key is used only once. There is no problem with generating extra keys for use later or even not at all.

Factory default Intel Management Engine password
The default value is "admin", unless you specifically asked the OEM to preconfigure Intel AMT computers with a different password.

New Intel Management Engine password
This password will replace the default MEBx password.
See “About Intel AMT related credentials” on page 22.

5 (Optional) Click the keys you want to use.

6 Click the Print security keys symbol.

A new window opens with the selected keys and passwords listed in a printer-friendly format.

7 Print the contents of the window, and then close the window.

8 Click the keys that you printed, and then click the Mark selected security keys as already used symbol.

The keys are removed from the list and added to the Intel SCS database. (If you do not use all of the keys you have marked as used, this is not a problem.)

9 Go to the physical location of the Intel AMT computer, and then connect the cables, a monitor, and a keyboard.

10 Turn on the computer and press Ctrl+P during initial startup (POST) to enter the Management Engine BIOS Extension (MEBx).

The Ctrl+P shortcut can vary between OEM-provided BIOSes. Refer to the manufacturer’s documentation for information on accessing the ME BIOS sub-menu.

The default MEBx password for the computers in the factory-default state is "admin". The first time you log on to the MEBx, you must change the default password.

The new password must be a strong password.

See “About passwords used with Intel AMT” on page 181.

Use the new password from the print-out you made.

11 Enable Intel AMT, if it is not already enabled.

Exiting the MEBx and restarting the computer might be required for the additional Intel AMT configuration options to appear in the MEBx.

12 If Intel AMT is already enabled, before you make any further changes, select Un-Provision > Full Unprovision in the MEBx to reset all Intel AMT settings to their defaults. This removes any settings that can cause the setup and configuration process to fail. We recommend doing so even if this is the first time you have accessed the MEBx.

13 Set the Provision Mode to Enterprise, if it is not already set.

14 Modify the Provisioning Server settings. Type the IP address of the configuration server and the SCS port (the port on which Intel SCS listens for Hello messages). By default, the port is 9971.

To view the port, in the Symantec Management Console, click Settings > All Settings > Remote Management > Out of Band Management > Configuration Service Settings > General.

15 Type a PID-PPS pair from the print-out you made.

16 Mark the key pair on the paper as used. Each PID-PPS pair can only be used once.

17 Configure additional parameters, if necessary.

18 Exit the MEBx.

Setting up and configuring initialized Intel AMT computers

The Intel AMT computers that you initialized are sending configuration requests to the ProvisionServer host name and are ready for setup and configuration.

See “About Intel AMT initialization” on page 58.

See “About Intel AMT setup and configuration” on page 59.

After you set up and configure Intel AMT computers, you can perform the following actions:

■ Manage Intel AMT computers out of band with Altiris solutions that support out-of-band technologies.
See “Altiris products that can manage computers out of band” on page 15.

■ Configure additional parameters in the setup and configuration profile (such as users, power-saving options).
See “Creating Intel AMT configuration profiles” on page 62.

■ Run Intel AMT maintenance tasks.
See “Maintenance page” on page 148.

■ Configure your Intel AMT computers to use TLS or TLS with Mutual Authentication for secure communications.
See “About TLS” on page 95.

See “Configuring Intel AMT computers for out-of-band management” on page 61.

Table 6-4 Process for setting up and configuring Intel AMT computers

Step 1
Action: Understand the Intel SCS interface in the Symantec Management Platform.
Description: Out of Band Management Component displays Intel SCS management pages in the Symantec Management Platform.
See “Understanding the Intel SCS interface” on page 84.

Step 2
Action: Assign a configuration profile to Intel AMT computers, if not already assigned.
Description: A configuration profile defines Intel AMT configuration parameters.
See “About assigning a configuration profile” on page 85.

Step 3
Action: Watch the Intel AMT computers getting configured.
Description: The Intel SCS pages in the Symantec Management Console let you view the status of Intel AMT devices.
See “About monitoring the setup and configuration process” on page 87.

Step 4
Action: Synchronize Intel SCS and Notification Server databases.
Description: Synchronization creates resources for Intel AMT computers in the Notification Server database. This ensures that Altiris solutions can manage Intel AMT computers.
See “Synchronizing Intel SCS and Notification Server resources” on page 88.

Understanding the Intel SCS interface

Out of Band Management Component displays the Intel SCS interface in the Symantec Management Console.

To watch and troubleshoot the setup and configuration process, you need the following two lists of Intel AMT devices:

Intel AMT Computers
A list of Intel AMT devices that have sent Hello messages to the SCS. These devices can be configured or unconfigured. You can update the configuration of one or all of the already configured devices, among other operations.

Profile Assignments
A list of profile assignments that are created by the administrator or that are created automatically by the Resource Synchronization policy.
See “Configuring the automatic Intel AMT configuration profile assignment” on page 64.
Each entry relates a specific Intel AMT device, defined by its UUID and Fully Qualified Domain Name (FQDN), to a configuration profile.

Also, the Intel SCS logs can provide you with information about the setup and configuration of Intel AMT computers.

See “Viewing Intel SCS logs” on page 171.

See “Setting up and configuring initialized Intel AMT computers” on page 82.

To view the Intel AMT Systems list

1 In the Symantec Management Console, on the Settings menu, click All Settings.

2 In the left pane, click Remote Management > Out of Band Management > Intel AMT Computers > Intel AMT Computers.

About assigning a configuration profile

Intel AMT setup and configuration is an automatic process that is performed by Intel SCS. To initiate the setup and configuration process, you must assign a configuration profile to the Intel AMT device that is displayed in the Intel SCS interface, on the Intel AMT Computers page.

See “Understanding the Intel SCS interface” on page 84.

After you assign a profile, the Intel AMT device becomes configured and the status of the corresponding entry in the list changes. You can click the Refresh symbol to see the changes in the status.

You can assign a profile in the following ways:

■ Automatically when a Hello message is received.
See “About assigning a profile to multiple computers automatically” on page 85.

■ Manually to a single computer.
See “Assigning a profile to a single computer manually” on page 86.

■ Manually to multiple computers.
See “Assigning a profile to multiple computers manually” on page 86.

See “Setting up and configuring initialized Intel AMT computers” on page 82.

About assigning a profile to multiple computers automatically

You can configure Out of Band Management Component to assign a specific configuration profile to all unconfigured Intel AMT computers automatically as soon as Intel SCS receives a configuration request.

See “Configuring the automatic Intel AMT configuration profile assignment” on page 64.

If you followed the instructions provided in this chapter, you have already configured the automatic configuration profile assignment. You can open the Intel AMT Computers page and see if the Intel AMT devices that you want to configure already have an FQDN and a profile assigned to them.

See “Understanding the Intel SCS interface” on page 84.

See “About assigning a configuration profile” on page 85.

Assigning a profile to a single computer manually

By assigning a profile to an Intel AMT resource that is known to Intel SCS, but is in an unconfigured state, you initiate the setup and configuration process.

You can also assign a new profile to a device that is already configured with another profile. After doing so, click the Re-configure symbol.

If you do not see the Intel AMT capable computer that you want to set up and configure in the list, make sure that the Intel AMT device has been properly initialized in the last 6 hours. Make sure that the Intel AMT capable computer is turned on and is connected to the network.

See “About Intel AMT initialization” on page 58.

See “About resending Hello messages” on page 89.

See “About assigning a configuration profile” on page 85.

To assign a profile to a single computer manually

1 Open the Intel AMT Computers page.

See “Understanding the Intel SCS interface” on page 84.

2 In the grid, click a computer.

3 Click the Assign profile symbol.

4 In the Edit mapping dialog box, type the FQDN of the computer.

This FQDN will be assigned to the Intel AMT device during setup and configuration.

5 If you enabled Active Directory integration, select the organizational unit where you want to register AMT objects.

Example: IntelAMT

See “Integrating Intel SCS with Active Directory” on page 55.

6 From the Profile drop-down list, select a configuration profile.

See “Creating Intel AMT configuration profiles” on page 62.

7 If you want Intel SCS to automatically reconfigure the selected Intel AMT device when the settings in the configuration profile change, check Re-configure if settings change.

8 Click OK.

Assigning a profile to multiple computers manually

Batch profile assignment is possible for the Intel AMT capable computers whose FQDN is known to Out of Band Management Component. To let the solution detect the FQDN, you must install the Symantec Management Agent on the target computers.

See “Preparing target computers for management” on page 49.

See “About assigning a configuration profile” on page 85.

To assign a profile to multiple computers manually

1 Open the Intel AMT Computers page.

See “Understanding the Intel SCS interface” on page 84.

2 (Optional) In the grid, click the computers to which you want to assign a profile.

3 Click the Create assignments symbol.

4 If you want to replace existing profile assignments, check Override existing profile assignments.

This option changes the profile assignment, but does not re-configure the Intel AMT device with the new configuration profile.

5 If you want to re-configure Intel AMT devices immediately, check Re-configure Intel AMT if assignment changes.

If you do not check this option, you can re-configure manually later.

6 Use the symbols on the toolbar to configure the configuration profile mappings.

You can assign different profiles to computers from different domains.

7 Click OK.

About monitoring the setup and configuration process

After you assign a profile to the Intel AMT device, the setup and configuration process starts. You can watch the Intel AMT device status on the Intel AMT Computers page.

See “Understanding the Intel SCS interface” on page 84.

The status of the device changes from UnConfigured to InConfiguring, and then to Configured.

Also, you can watch the Intel SCS logs for messages.

See “Viewing Intel SCS logs” on page 171.

You can troubleshoot the Intel AMT setup and configuration process.

See “About Intel AMT setup and configuration issues” on page 177.

When the computers are set up and configured, we recommend that you run the Resource Synchronization policy manually to synchronize the Intel SCS and Notification Server databases.

See “Synchronizing Intel SCS and Notification Server resources” on page 88.

See “Setting up and configuring initialized Intel AMT computers” on page 82.

Synchronizing Intel SCS and Notification Server resources

If you want to run out-of-band management tasks (for example, the Real-Time Console Infrastructure tasks) on the computers with Intel AMT, you must enable and run the Resource Synchronization policy. This policy synchronizes the Intel SCS and Notification Server databases. Synchronization is critical if you set up and configured your Intel AMT computers with a random password. This policy lets you map the Intel AMT administrative credentials that are stored in the Intel SCS database to the appropriate Notification Server resources.

This policy also creates new resources for the computers that do not have the Symantec Management Agent installed.

After the synchronization is complete, Altiris solutions can find Intel AMT administrative credentials in the Intel SCS database for each of the computers that you want to manage.

After the task runs, the computers that are set up and configured with Out of Band Management Component appear in the Intel AMT Configured Computers filter.

See “Setting up and configuring initialized Intel AMT computers” on page 82.

To run the Resource Synchronization policy

1 In the Symantec Management Console, on the Settings menu, click All Settings.

2 In the left pane, click Remote Management > Out of Band Management > Intel AMT Computers > Resource Synchronization.

3 (Optional) Under Synchronize Intel SCS and Notification Server resources, create or modify the schedule on which to run the synchronization.

By default, the synchronization is run weekly.

4 Under Last synchronization statistics, click Save changes.

To view the Intel AMT Configured Computers filter

1 In the Symantec Management Console, on the Manage menu, click Filters.

2 In the left pane, click Hardware Filters > Out of Band Management > Intel AMT Configured Computers.

The computers that are displayed in this filter are ready to be managed out-of-band with Altiris solutions.

See “Altiris products that can manage computers out of band” on page 15.

About resending Hello messages

When you power on an Intel AMT computer for the first time, the Intel AMT device starts sending configuration requests to the OOB site server computer (by default, the Notification Server computer) for 6 hours (24 hours for Intel AMT 3.0 and later).

If for some reason the Intel AMT device is not configured during this time, you can remotely restart the sending of requests in one of the following ways:

■ Enable the Delayed Configuration policy (Intel AMT 3.0 and later only).
See “Resending Hello messages with the Delayed Configuration policy” on page 89.

■ Run the Send Intel AMT Hello Message task (Intel AMT 3.0 and later only).
See “Resending Hello messages with the Send Intel AMT Hello Message task” on page 90.

■ Visit the Intel AMT computer location, unplug the computer for 20 seconds, and then plug it in again (all Intel AMT versions).

Resending Hello messages with the Delayed Configuration policy

The Delayed Configuration policy lets you re-open the Intel AMT interface for the computers that are in the delayed configuration state for another 6 hours.

Computers that entered the delayed configuration state appear in the Intel AMT Computers in Delayed Configuration State filter.

Resending Hello messages with the Delayed Configuration policy is an in-band functionality and requires the Windows operating system to be running and the Symantec Management Agent to be installed on the Intel AMT computer. Delayed Configuration requires that you use DHCP in your environment.

You can also use the Delayed Configuration policy to start the Remote Configuration sequence on computers with Intel AMT 2.2 and 2.6.

See “About resending Hello messages” on page 89.

To enable the Delayed Configuration policy

1 Install the Symantec Management Agent on the Intel AMT computers, if it is not already installed.

See “Installing the Symantec Management Agent” on page 51.

2 Install the Out of Band Task Agent on the client computer, if it is not already installed.

See “Installing the Out of Band Task Plug-in” on page 53.

3 In the Symantec Management Console, on the Settings menu, click All Settings.

4 In the left pane, click Remote Management > Out of Band Management > Intel AMT Computers > Delayed Setup and Configuration.

5 In the right pane, configure and enable the Delayed Setup and Configuration policy.

For help, in the Symantec Management Console, on the Help menu, click Context.

See “Delayed Setup and Configuration page” on page 153.

Resending Hello messages with the Send Intel AMT Hello Message task

The Send Intel AMT Hello Message task lets you simulate sending a Hello packet to Intel SCS. Intel SCS responds to this Hello packet and starts configuring the computer's Intel AMT device.

Resending Hello messages with the Send Intel AMT Hello Message task is an in-band functionality and requires the Windows operating system to be running and the Symantec Management Agent to be installed on the Intel AMT computer.

See “About resending Hello messages” on page 89.

To run the Send Intel AMT Hello Message task

1 Install the Symantec Management Agent on the Intel AMT computers, if it is not already installed.

See “Installing the Symantec Management Agent” on page 51.

2 Install the Out of Band Task Agent on the client computer, if it is not already installed.

See “Installing the Out of Band Task Plug-in” on page 53.

3 In the Symantec Management Console, on the Manage menu, click Jobs and Tasks.

4 In the left pane, expand Samples > Remote Management > Intel SCS tasks and jobs > Send Intel AMT Hello Message.

5 In the right pane, select the OOB site server to which you want the target computer to send the Hello packet.

6 Run the task one time or on a schedule.

For more information, view topics about running and scheduling tasks in the Symantec Management Platform Help.

Configuring Intel AMT computers in small business mode

You can use small business mode in the following situations:

■ You are evaluating Altiris solutions that can manage computers out-of-band and want to get set up and running quickly.

■ You do not have the necessary network infrastructure (DHCP and DNS) to use enterprise mode.

■ You do not need encrypted communications.

To configure Intel AMT computers in large-scale organizations, especially ones that include subnets and require security, use enterprise mode.

See “Configuring Intel AMT computers for out-of-band management” on page 61.

Small-business mode is straightforward to configure. The process is manually performed through the Intel Management Engine BIOS extension (MEBx) on the Intel AMT computer. Out of Band Management Component is not involved in this process.

See “About Intel AMT configuration modes” on page 19.

After you configure the Intel AMT computer in small business mode, it is ready for out-of-band management with Altiris solutions. To run out-of-band management tasks on this computer from the Symantec Management Console, a computer resource representing the computer must be created in the CMDB. If there is no such resource in the CMDB, simply install the Symantec Management Agent on the client computer. Computers with the Symantec Management Agent installed appear in the standard Notification Server filters: for example, Windows Computers.

See “Installing the Symantec Management Agent” on page 51.

To configure Intel AMT devices in small business mode

1 Go to the physical location of the Intel AMT computer, and then connect the cables, a monitor, and a keyboard.

2 Turn on the computer and press Ctrl+P during POST to enter the Management Engine BIOS Extension (MEBx).

The Ctrl+P shortcut can vary depending on the OEM-provided BIOS. For moreinformation on accessing the ME BIOS sub-menu, see the hardwaremanufacturer’s documentation.

The default MEBx password for computers in the factory-default state is"admin". When you log on to the MEBx for the first time, you must changethe default password to a strong password.

See “About passwords used with Intel AMT” on page 181.

3 Enable Intel AMT in the Intel AMT computer's MEBx, if it is not already enabled.

You might have to exit the MEBx and restart the computer for the additional Intel AMT configuration options to appear in the MEBx.

4 If Intel AMT was already enabled and configured before you began, you must select Un-Provision > Full Unprovision in the MEBx to fully unconfigure the Intel AMT device before making any changes.

5 Set the Provision Model to Small Business (listed as Small-Medium Business on some computers).

6 Configure the network settings of the Intel AMT device.

We recommend that the TCP/IP settings be the same as the settings for the network interface card of the computer. If the network card uses DHCP, select DHCP in the MEBx. For computers that use a static IP address, you must specify the following in the MEBx:

■ Host name of the Intel AMT computer

Warning: Intel AMT does not support host names with an underscore ("_") character.

■ IP address of the Intel AMT computer

■ Subnet mask

■ Default gateway address

■ Preferred DNS address


■ Domain name

7 Exit the MEBx.

The computer restarts.
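The static values in step 6 are typed by hand into the MEBx, and a mistake there (an underscore in the host name, a gateway outside the subnet, a malformed mask) only shows up later as a device that never answers. The following Python script is an added example, not part of this guide or of Out of Band Management Component; it checks a proposed set of values before you enter them. The host names, addresses and domain in the sample data are constructed.

```python
"""Pre-flight check for the static network settings entered into the MEBx
in small business mode. Added example; not part of the guide. Sample values
at the bottom are constructed (documentation address ranges, not real hosts)."""
import ipaddress
import re

# RFC 1123 host name label: letters, digits and hyphens, no leading or
# trailing hyphen, 1 to 63 characters. Underscore is intentionally absent
# because Intel AMT rejects host names that contain it.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def check_mebx_static_settings(host_name, ip, subnet_mask, gateway, dns, domain_name):
    """Return a list of problems; an empty list means the values are usable."""
    problems = []

    if "_" in host_name:
        problems.append("host name contains an underscore, which Intel AMT does not support")
    elif not _LABEL.match(host_name):
        problems.append("host name is not a valid RFC 1123 label")

    if not all(_LABEL.match(label) for label in domain_name.split(".")):
        problems.append("domain name contains an invalid label")

    # ipaddress accepts a dotted mask here and rejects non-contiguous masks.
    try:
        network = ipaddress.IPv4Network(f"{ip}/{subnet_mask}", strict=False)
    except ValueError as err:
        problems.append(f"IP address or subnet mask is invalid: {err}")
        return problems

    addr = ipaddress.IPv4Address(ip)
    if addr in (network.network_address, network.broadcast_address):
        problems.append("IP address is the network or broadcast address of its subnet")

    try:
        gw = ipaddress.IPv4Address(gateway)
    except ValueError:
        problems.append("default gateway is not a valid IPv4 address")
    else:
        if gw not in network:
            problems.append(f"default gateway {gateway} is not inside {network}")
        elif gw == addr:
            problems.append("default gateway is the same as the IP address")

    try:
        ipaddress.IPv4Address(dns)
    except ValueError:
        problems.append("preferred DNS address is not a valid IPv4 address")

    return problems


# Constructed sample values.
GOOD_SETTINGS = dict(host_name="amt-client01", ip="192.0.2.10",
                     subnet_mask="255.255.255.0", gateway="192.0.2.1",
                     dns="192.0.2.53", domain_name="corp.example.com")
BAD_SETTINGS = dict(GOOD_SETTINGS, host_name="amt_client01", gateway="198.51.100.1")

if __name__ == "__main__":
    for name, values in (("good", GOOD_SETTINGS), ("bad", BAD_SETTINGS)):
        print(name, check_mebx_static_settings(**values) or "OK")
```

Run it with the values you intend to type, and only walk to the machine once the list comes back empty; the script deliberately reports every problem it finds rather than stopping at the first one.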

Intel SCS is not involved in the small business Intel AMT configuration process. An Intel AMT computer that is configured in small business mode does not send a configuration request to the configuration server and does not appear in the list of Intel AMT systems that are known to Intel SCS. After you perform manual configuration through the MEBx, the computer is ready to be managed out of band with Altiris solutions.

Next, you must create or modify a connection profile in Protocol Manager. You use this profile when you run out-of-band tasks on Intel AMT computers that are configured in small business mode.

To configure a connection profile

1 In the Symantec Management Console, on the Settings menu, click All Settings.

2 In the left pane, click Monitoring and Alerting > Protocol Management > Connection Profiles > Manage Connection Profiles.

3 In the right pane, click the connection profile that you want to use to connect to Intel AMT computers with Altiris solutions, and then click the Edit symbol.

4 In the Define Group Settings dialog box, expand the AMT section.

5 Turn on the AMT protocol, if it is not turned on yet.

To turn on the protocol, click the colored circle on the right, and then click On.

6 Under Runtime credentials, click the Add symbol.

7 In the Add credential dialog box, in the Credential type drop-down list, click AMT Credentials.

8 Type a name for the credentials.

For example, type My AMT

9 Type the Intel AMT user name and password.

The user name is "admin". The password is the new secure password that you specified when you first accessed the MEBx.

10 Click OK.


11 Under Runtime credentials, in the drop-down list, click or browse for the credentials that you just configured.

In this example, click My AMT.

12 Click OK.

For more information, view topics about using connection profiles and credential manager in the Symantec Management Platform Help.


Chapter 7: Configuring TLS

This chapter includes the following topics:

■ About TLS

■ About configuring and enabling TLS

■ Configuring TLS

■ Configuring TLS with mutual authentication

About TLS

Transport Layer Security (TLS) provides communications security and privacy over the Internet and enterprise networks. The TLS protocol establishes a secure channel of communication between the Intel AMT device and Notification Server.

See “About configuring and enabling TLS” on page 95.

About configuring and enabling TLS (Optional)

Out of Band Management Component and the Intel AMT devices that are set up and configured in enterprise mode support Transport Layer Security (TLS) encryption for secure communications between each other.

You can configure TLS in the following two modes:

■ TLS: When Altiris solutions connect to the Intel AMT devices that are configured in enterprise mode with TLS enabled, they verify the identity of the Intel AMT devices by requesting a certificate. In this mode only the Intel AMT device proves its identity with a certificate; Notification Server authenticates to the device with the AMT credentials in the connection profile.
See “Configuring TLS” on page 96.

■ TLS with mutual authentication: When your Intel AMT computers are configured to use TLS with mutual authentication, the server requests a certificate from the client, and the client requests a certificate from the server.
See “Configuring TLS with mutual authentication” on page 100.

Configuring TLS

When you set up and configure an Intel AMT computer with TLS, Intel SCS accesses the trusted certification authority (CA), enrolls for a certificate on behalf of each Intel AMT device, and then installs the certificate into the Intel AMT device.

Table 7-1 Process for configuring TLS

Step 1: Meet the requirements for TLS.
Specific operating system and infrastructure requirements must be met.
See “About environment requirements” on page 32.

Step 2: Install Microsoft certification authority (CA), if it is not already installed.
The CA issues certificates to Intel AMT devices.
See “Installing and configuring CA” on page 36.

Step 4: (Optional) Export the CA root certificate.
You need this certificate if you want to use the SOL/IDE-R functionality of Intel AMT.
See “Exporting the CA Root Certificate for the Altiris Real-Time System Manager software” on page 97.

Step 5: Configure connection profiles to use the secure mode.
Altiris solutions use this connection profile to connect to the Intel AMT devices that are configured in secure mode.
See “Configuring the connection profile to use TLS” on page 97.

Step 6: Configure Intel AMT computers to use TLS.
After this step, the computers can be managed in secure mode only.
See “Configuring Intel AMT computers to use TLS” on page 98.


Exporting the CA Root Certificate for the Altiris Real-Time System Manager software (Optional)

To use the SOL/IDE-R functionality of Intel AMT with Real-Time System Manager, you must export the CA root certificate to a file, and then configure the connection profile to use this file.

This certificate is used to validate the authenticity of the managed Intel AMT computer and the Notification Server computer during SOL and IDE-R communication.

You can obtain the CA root certificate in the following ways:

■ Export the CA root certificate from the Local computer certificate store.

■ Download the CA certificate from the CA computer using the certificate services Web site (http://<ca_server_name>/certsrv/).

See “Configuring TLS” on page 96.

To export the CA root certificate

1 On the CA computer, click Start > Run.

2 In the Open box, type mmc, and then click OK.

3 In the Microsoft Management Console, click File > Add/Remove Snap-in.

4 Click Add.

5 Click Certificates, and then click Add.

6 Click Computer account, and then click Next.

7 Click Local computer, click Finish, and then click Close.

8 Click OK.

9 In the Microsoft Management Console tree, locate your CA root certificate in the Trusted Root Certification Authorities folder, and then open the certificate.

10 Click the Details tab.

11 Click Copy to File.

12 Use the wizard to export the certificate in the Base-64 encoded X.509 format.

Configuring the connection profile to use TLS

You must configure the connection profile to use secure mode for communications with Intel AMT computers.


If you want to use the SOL/IDE-R functionality, you must configure the connection profile with the trusted root CA certificate that you exported.

See “Exporting the CA Root Certificate for the Altiris Real-Time System Manager software” on page 97.

This certificate is used to validate the authenticity of the managed AMT computer and the Notification Server computer during SOL and IDE-R sessions.

For more information on connection profiles, see the Symantec Management Platform Help.

See “Configuring TLS” on page 96.

To configure the connection profile to use TLS

1 In the Symantec Management Console, on the Settings menu, click All Settings.

2 In the left pane, click Monitoring and Alerting > Protocol Management > Connection Profiles > Manage Connection Profiles.

3 Click the connection profile that you use to connect to Intel AMT computers with Real-Time System Manager, and then click the Edit symbol.

4 In the Define Group Settings dialog box, expand the AMT section.

5 Check Secure mode.

6 If you want to use the SOL/IDE-R functionality, in the Trusted CA certificate location box, click Browse and browse to the CA certificate that you exported earlier.

See “Exporting the CA Root Certificate for the Altiris Real-Time System Manager software” on page 97.

Configuring Intel AMT computers to use TLS

Now you can modify one of the existing configuration profiles to use TLS, and then reconfigure your Intel AMT computers.

After the Intel AMT computers are reconfigured, they are ready to be managed out of band in secure mode.

See “Altiris products that can manage computers out of band” on page 15.

See “Configuring TLS” on page 96.


To modify the configuration profile to use TLS

1 In the Symantec Management Console, on the Settings menu, click All Settings.

2 In the left pane, click Remote Management > Out of Band Management > Configuration Service Settings > Configuration Profiles.

3 Open the profile that you want to modify.

4 On the TLS tab, check Use TLS.

5 Click Local Interface: TLS Server Authentication, and then click Network Interface: TLS Server Authentication.

6 Select the Server Certificate from the drop-down list. If the list is empty, do the following in order:

■ Click the Browse for Certificate Generation Properties symbol.

■ In the Select Certificate Generation Properties dialog box, click the Add symbol to add a new certification authority (CA) to the list.

■ Specify the CA settings in the Add Certificate Generation Properties dialog box. The default template for TLS is WebServer.

■ Click OK.

■ On the Select Certificate Generation Properties page, click the CA that you just added, and then click OK.

7 Click OK to close the profile.

To reconfigure Intel AMT computers

1 In the Symantec Management Console, on the Settings menu, click All Settings.

2 In the left pane, click Remote Management > Out of Band Management > Intel AMT Computers > Intel AMT Computers.

3 (Optional) Click the computers that you want to reconfigure.

4 On the toolbar, click the Re-configure symbol.

The reconfiguration process is initiated.

After reconfiguration, communications with the Intel AMT computers are protected with TLS.


Configuring TLS with mutual authentication

TLS with mutual authentication adds more security to communications with Intel AMT devices. Mutual authentication, also known as two-way authentication, is a process whereby two parties, typically a client and a server, authenticate each other in such a way that both parties are assured of the identity of the other. In mutual authentication, the server requests a certificate from the client, and the client requests a certificate from the server. In this configuration, the Intel AMT device is the TLS server, and Notification Server (or the Out of Band site server) is the TLS client that presents the mutual authentication certificate.

Table 7-2 Process for configuring TLS with mutual authentication

Step 1: Meet the requirements for TLS with mutual authentication.
To use this feature, you must first complete all of the steps that are required for TLS.
See “Configuring TLS” on page 96.

Step 2: Install a client certificate.
You must issue and install a client certificate that Notification Server presents to authenticate itself to the Intel AMT computers.
See “Creating and installing a client certificate using an Enterprise CA” on page 100.

Step 3: Configure Intel AMT computers to use TLS with mutual authentication.
You must modify the Intel AMT configuration profile and reconfigure Intel AMT computers.
See “Configuring Intel AMT computers to use TLS mutual authentication” on page 110.

Creating and installing a client certificate using an Enterprise CA

You must create an Intel AMT client certificate for TLS with mutual authentication and install the certificate in the certificate store of the Intel SCS user.

See “Configuring TLS with mutual authentication” on page 100.


Table 7-3 Process for creating and installing a client certificate using an Enterprise CA

Step 1: Create a new template.
A certificate template defines the format and content of a certificate.
See “Creating a new template for mutual authentication” on page 101.

Step 2: Issue the new template.
You must publish the certificate template so that a certification authority (CA) can issue certificates based on it.
See “Issuing the new template for mutual authentication” on page 104.

Step 3: Request and install a new certificate based on the template.
A certificate request lets you get a certificate from a CA.
See “Requesting and installing a new certificate for mutual authentication” on page 104.

Step 4: Install the new certificate into the local computer certificate store.
Altiris solutions that manage Intel AMT computers require that the mutual authentication certificate is also installed in the local computer certificate store.
See “Installing the new mutual authentication certificate into the local computer certificate store” on page 106.

Step 5: (Optional) Export the mutual certificate.
This step is required only if you want to use the SOL/IDE-R functionality of Intel AMT with the Altiris Real-Time System Manager software.
See “Configuring a connection profile for the Altiris Real-Time System Manager software” on page 107.

Creating a new template for mutual authentication

You must create a template based on which you can issue the mutual authentication certificate.

See “Creating and installing a client certificate using an Enterprise CA” on page 100.


To create a new certificate template on Microsoft Windows Server 2008 R2

1 On the computer with the certification authority installed, click Start > Run.

2 In the Open box, type mmc, and then click OK.

3 In the Microsoft Management Console, click File > Add/Remove Snap-in.

4 Under Available snap-ins, double-click the Certificate Templates snap-in to add it to the list.

5 Click OK.

6 In the Microsoft Management Console tree, click Certificate Templates.

7 In the right pane, right-click the User template, and then click Duplicate Template.

8 In the Duplicate Template dialog box, select Windows Server 2003, Enterprise Edition, and then click OK.

9 Type the template display name.

For example, type AMT Mutual

10 Check Publish certificate in Active Directory.

11 On the Request Handling tab, check Allow private key to be exported.

12 Click CSPs.

13 In the CSP Selection dialog box, under CSPs, check Microsoft Strong Cryptographic Provider, and then click OK.

14 On the Subject Name tab, click Supply in the request.

15 On the Security tab, grant the Read, Write, and Enroll permissions to both the Domain Admins group and Notification Server’s Application Identity account.

Write permission lets the account change the template itself. If you prefer to limit the Application Identity account to enrolling, grant it Read and Enroll only and confirm that the certificate enrollment task still succeeds.

16 On the Extensions tab, click Application Policies, and then click Edit.

17 In the Edit Application Policies Extension dialog box, click Add, and then add the Server Authentication policy.

18 In the Edit Application Policies Extension dialog box, click Server Authentication, and then click Edit.

19 Verify that the Object identifier is 1.3.6.1.5.5.7.3.1, and then click Cancel.

20 Click Add once more, and then, in the Add Application Policy dialog box, click New.


21 In the New Application Policy dialog box, in the Name box, type a name for the policy.

For example, type TLS Mutual Authentication

22 Type 2.16.840.1.113741.1.2.1 in the Object identifier box, and then click OK.

23 Click TLS Mutual Authentication, and then click OK.

24 Click OK.

25 Click OK to save and close the properties of the new template.

To create a new certificate template on Microsoft Windows Server 2003

1 On the computer with the certification authority installed, click Start > Run.

2 In the Open box, type mmc, and then click OK.

3 In the Microsoft Management Console, click File > Add/Remove Snap-in.

4 Click Add.

5 Click Certificate Templates, click Add, and then click Close.

6 Click Certificate Templates, and then click OK.

7 In the Microsoft Management Console tree, click Console Root > Certificate Templates.

8 In the right pane, right-click the User template, and then click Duplicate Template.

9 Type the template display name.

For example, type AMT Mutual

10 Check Publish certificate in Active Directory.

11 On the Request Handling tab, check Allow private key to be exported.

12 Click CSPs.

13 In the CSP Selection dialog box, under CSPs, check Microsoft Strong Cryptographic Provider, and then click OK.

14 On the Subject Name tab, click Supply in the request.

15 On the Security tab, grant the Read, Write, and Enroll permissions to both the Domain Admins group and Notification Server’s Application Identity account.

16 On the Extensions tab, click Application Policies, and then click Edit.

17 In the Edit Application Policies Extension dialog box, click Add, and then add the Server Authentication policy.


18 In the Edit Application Policies Extension dialog box, click Server Authentication, and then click Edit.

19 Verify that the Object identifier is 1.3.6.1.5.5.7.3.1, and then click Cancel.

20 Click Add once more, and then, in the Add Application Policy dialog box, click New.

21 In the New Application Policy dialog box, in the Name box, type a name for the policy.

For example, type TLS Mutual Authentication

22 Type 2.16.840.1.113741.1.2.1 in the Object identifier box, and then click OK.

23 Click TLS Mutual Authentication, and then click OK.

24 Click OK.

25 Click OK to save and close the properties of the new template.
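Steps 16 to 23 of both procedures above put two Extended Key Usage OIDs into the template: Server Authentication (1.3.6.1.5.5.7.3.1) and Intel's TLS mutual authentication OID (2.16.840.1.113741.1.2.1). The following Python script is an added example, not part of this guide or of Out of Band Management Component; it shows how those dotted OIDs are encoded in DER and checks that a certificate's EKU extension carries both, so you can verify a certificate issued from the template before you reconfigure any Intel AMT device. The sample extension at the bottom is constructed in code; the functions also accept a real DER or PEM certificate.

```python
"""Check that a certificate's Extended Key Usage carries the two OIDs the
AMT Mutual template adds. Added example; not part of the guide. The sample
extension built at the bottom is constructed, not taken from a real CA."""
import base64
import re

SERVER_AUTH_OID = "1.3.6.1.5.5.7.3.1"        # id-kp-serverAuth
AMT_MUTUAL_OID = "2.16.840.1.113741.1.2.1"    # Intel AMT TLS mutual authentication
EKU_EXTENSION_OID = "2.5.29.37"               # id-ce-extKeyUsage
REQUIRED_EKU = {SERVER_AUTH_OID, AMT_MUTUAL_OID}

TAG_OID, TAG_OCTET_STRING, TAG_SEQUENCE = 0x06, 0x04, 0x30


def encode_oid(dotted):
    """DER content octets of a dotted OID: the first two arcs share one value,
    and every arc is base-128 with the high bit set on all but its last byte."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray()
    for value in [arcs[0] * 40 + arcs[1]] + arcs[2:]:
        chunk = [value & 0x7F]
        value >>= 7
        while value:
            chunk.append((value & 0x7F) | 0x80)
            value >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def decode_oid(content):
    """Inverse of encode_oid."""
    arcs, value = [], 0
    for byte in content:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    first = arcs[0]
    head = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    return ".".join(str(a) for a in head + arcs[1:])


def der_encode(tag, content):
    """Wrap content in a DER tag and definite length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + content


def der_tlv(data):
    """Yield (tag, content) for each TLV in a DER byte string."""
    pos = 0
    while pos < len(data):
        tag, length = data[pos], data[pos + 1]
        pos += 2
        if length & 0x80:
            n = length & 0x7F
            length = int.from_bytes(data[pos:pos + n], "big")
            pos += n
        yield tag, data[pos:pos + length]
        pos += length


def eku_oids(der):
    """Walk any DER structure (a whole certificate or a single Extension) and
    return the set of OIDs found in its Extended Key Usage extension."""
    found = set()
    for tag, content in der_tlv(der):
        if tag == TAG_SEQUENCE:
            items = list(der_tlv(content))
            # Extension ::= SEQUENCE { extnID OID, critical BOOLEAN OPTIONAL, extnValue OCTET STRING }
            if items and items[0][0] == TAG_OID and decode_oid(items[0][1]) == EKU_EXTENSION_OID:
                for inner_tag, inner in der_tlv(items[-1][1]):
                    if inner_tag == TAG_SEQUENCE:  # ExtKeyUsageSyntax ::= SEQUENCE OF OID
                        found |= {decode_oid(c) for t, c in der_tlv(inner) if t == TAG_OID}
                continue
        if tag & 0x20:  # constructed type: descend into it
            found |= eku_oids(content)
    return found


def pem_to_der(pem_text):
    """Strip PEM armour and base64-decode the body."""
    body = re.sub(r"-----[A-Z ]+-----", "", pem_text)
    return base64.b64decode("".join(body.split()))


def missing_amt_mutual_eku(der):
    """OIDs that the AMT Mutual template requires but the certificate lacks."""
    return REQUIRED_EKU - eku_oids(der)


def build_eku_extension(oids):
    """Constructed sample: one EKU Extension as it appears inside a certificate."""
    eku = der_encode(TAG_SEQUENCE, b"".join(der_encode(TAG_OID, encode_oid(o)) for o in oids))
    return der_encode(TAG_SEQUENCE,
                      der_encode(TAG_OID, encode_oid(EKU_EXTENSION_OID))
                      + der_encode(TAG_OCTET_STRING, eku))


SAMPLE_GOOD = build_eku_extension([SERVER_AUTH_OID, AMT_MUTUAL_OID])
SAMPLE_MISSING_INTEL = build_eku_extension([SERVER_AUTH_OID])  # steps 20-23 skipped
SAMPLE_GOOD_PEM = ("-----BEGIN CERTIFICATE-----\n"
                   + base64.b64encode(SAMPLE_GOOD).decode() + "\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    print("complete template:", missing_amt_mutual_eku(SAMPLE_GOOD) or "all required OIDs present")
    print("incomplete template, missing:", missing_amt_mutual_eku(SAMPLE_MISSING_INTEL))
```

To check a certificate the CA actually issued, export it in Base-64 encoded X.509 format as described later in this chapter and pass the file contents through pem_to_der and then missing_amt_mutual_eku; an empty set means both policies made it into the certificate.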

Issuing the new template for mutual authentication

You must issue the new template that you created.

See “Creating and installing a client certificate using an Enterprise CA” on page 100.

To issue the template

1 On the computer with the certification authority (CA) installed, click Start > Control Panel > Administrative Tools > Certification Authority.

2 In the left pane, click your CA, right-click Certificate Templates, and then click New > Certificate Template to Issue.

3 In the Enable Certificate Templates dialog box, click AMT Mutual, and then click OK.

Requesting and installing a new certificate for mutual authentication

Now you must request a new certificate from your local online CA, based on the template that you created.

Note: In case of a default Out of Band Management Component installation, perform this procedure on the Notification Server computer. If you installed the Out of Band site server on a computer other than Notification Server, you must perform this procedure on the Notification Server computer and on each of the Out of Band site server computers.


You can create the certificate manually, or you can use the Certificate Enrollment task to automatically request and install the certificate.

See “Creating and installing a client certificate using an Enterprise CA” on page 100.

To request and install the certificate with a task

1 In the Symantec Management Console, on the Manage menu, click Jobs and Tasks.

2 In the left pane, expand Samples > Remote Management > Intel SCS Tasks and Jobs > Certificate Enrollment.

3 Under Certificate enrollment settings, click Manually define all parameters.

4 Browse to your CA and the template that you created (AMT Mutual).

5 Click Save changes.

6 Run this task on the Notification Server computer and on each of the OOB site server computers in your environment.

The new mutual authentication certificate is created and installed into the current user certificate store.

To request and install the certificate manually

1 Log on to the Notification Server computer (or the Out of Band site server computer) using the Notification Server’s Application Identity account.

2 In Internet Explorer, open the Certificate Services Web page of your CA (http://<ca_server_name>/certsrv/).

3 Click Request a certificate.

4 Click advanced certificate request.

5 Click Create and submit a request to this CA.

6 In the Certificate Template drop-down list, click the template that you created (AMT Mutual).

7 In the Name box, type the FQDN (for example, computername.mydomain.com) of the Notification Server computer (or the Out of Band site server, depending on which computer you are logged on to).

Warning: Do not type a CNAME alias, such as provisionserver.mydomain.com. Type the name that is registered in the DNS.

8 (Optional) Fill in the email, company, city, state, and country boxes with your company’s data.


9 Under Key Options, type 1024 in the Key Size box.

The guide specifies 1024 here. A 1024-bit RSA key is below today's recommended minimum, so check the documentation for your Intel AMT firmware version for the largest key size it accepts before choosing a larger value.

10 Check Mark keys as exportable.

11 Under Additional Options, click PKCS10.

12 Click Submit.

13 Click Install this certificate.

The new mutual authentication certificate is created and installed into the current user certificate store.

Installing the new mutual authentication certificate into the local computer certificate store

Altiris solutions that manage Intel AMT computers require that the mutual authentication certificate is also installed in the local computer certificate store.

Note: Perform this procedure on the Notification Server computer.

See “Creating and installing a client certificate using an Enterprise CA” on page 100.

To install the certificate into the local computer store for Microsoft Windows Server 2008 R2

1 On the Notification Server computer, click Start > Run.

2 In the Open box, type mmc, and then click OK.

3 In the Microsoft Management Console, click File > Add/Remove Snap-in.

4 Click Certificates, and then click Add.

5 Click Computer account, and then click Next.

6 Click Local computer, and then click Finish.

7 Click Certificates, and then click Add.

8 Click My user account, and then click Finish.

9 Click OK.

10 In the management console tree, click Console Root > Certificates - Current User > Personal > Certificates.

11 Copy the mutual authentication certificate that you created (the certificate that is using the AMT Mutual template) and paste it into the Console Root > Certificates (Local Computer) > Personal certificate store.


To install the certificate into the local computer store for Microsoft Windows Server 2003

1 On the Notification Server computer, click Start > Run.

2 In the Open box, type mmc, and then click OK.

3 In the Microsoft Management Console, click File > Add/Remove Snap-in.

4 Click Add.

5 Click Certificates, and then click Add.

6 Click Computer account, and then click Next.

7 Click Local computer, and then click Finish.

8 Click Certificates, and then click Add.

9 Click My user account, and then click Finish.

10 Click Close.

11 Click OK.

12 In the management console tree, click Console Root > Certificates - Current User > Personal > Certificates.

13 Copy the mutual authentication certificate that you created (the certificate that is using the AMT Mutual template) and paste it into the Console Root > Certificates (Local Computer) > Personal certificate store.

Configuring a connection profile for the Altiris Real-Time System Manager software (Optional)

The mutual authentication certificate is used to validate the authenticity of a managed Intel AMT computer and the Notification Server computer during SOL and IDE-R communication.

If you want to use the SOL/IDE-R functionality of Intel AMT with Real-Time System Manager, you must export the mutual authentication certificate to a file. Then you must configure a connection profile to use this certificate. You can use this connection profile to launch an SOL or IDE-R session on an Intel AMT computer that is configured in enterprise mode with TLS Mutual Authentication.

To prepare the mutual certificate for use in the connection profiles, complete the following steps.

Note: Perform these steps on the Notification Server computer. It is not important where you installed the Out of Band site server.


See “Creating and installing a client certificate using an Enterprise CA” on page 100.

Table 7-4 Process for configuring the connection profile for Real-Time System Manager

Step 1: Export the certificate.
See “To export the certificate” on page 108.

Step 2: Convert the certificate to PEM format.
See “To convert the certificate to PEM format” on page 108.

Step 3: Configure connection profiles to use the certificate.
See “To configure a connection profile” on page 109.

To export the certificate

1 On the Notification Server computer, click Start > Run.

2 In the Open box, type mmc, and then click OK.

3 In the Microsoft Management Console, click File > Add/Remove Snap-in.

4 Click Add.

5 Click Certificates, and then click Add.

6 Click My user account, and then click Finish.

7 Click Certificates - Current User, and then click OK.

8 In the management console tree, click Console Root > Certificates - Current User > Personal > Certificates.

9 Right-click the mutual authentication certificate and click All Tasks > Export.

10 In the wizard, click Yes, export the private key, type a password to protect the private key, and then export the certificate in the .pfx format.

To convert the certificate to PEM format

1 From the Notification Server computer, download and install the openssl.exe utility.

For example, you can download the utility from the following Web site: http://www.slproweb.com/products/Win32OpenSSL.html

For more information on OpenSSL, visit http://www.openssl.org/

2 Click Start > Run.

3 In the Open box, type cmd, and then click OK.


4 Navigate to the location of the Openssl utility.

For example, C:\OpenSSL\bin

5 Run the following command: openssl pkcs12 -in <infile.pfx> -out <outfile.pem>

where <infile.pfx> is the path to the mutual authentication certificate that you just exported, and <outfile.pem> is the name of the new converted certificate. The command prompts for the import password of the .pfx file and then for a new PEM pass phrase.

Remember the PEM pass phrase for later use. The .pem file contains the private key of the mutual authentication certificate, encrypted with this pass phrase. Do not add the -nodes option, which writes the key unencrypted, and restrict access to the file.
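Before you point the connection profile at the converted file, it is worth confirming what it contains: the .pfx export included the private key, so the .pem file holds that key, and the connection profile expects it in the pass-phrase-protected form. The following Python script is an added example, not part of this guide or of Out of Band Management Component; it splits a PEM file into its blocks and reports whether the private key is encrypted. The PEM samples at the bottom are constructed, with placeholder base64 bodies rather than real keys or certificates.

```python
"""Inspect the .pem file written by "openssl pkcs12 -in <infile.pfx> -out
<outfile.pem>" before using it in a connection profile. Added example; not
part of the guide. The sample PEM texts are constructed; their base64 bodies
are placeholders rather than real keys."""
import re

_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\n(.*?)-----END \1-----", re.S)


def inspect_converted_pem(pem_text):
    """Describe the PEM blocks and list problems that would break the profile."""
    blocks = _BLOCK.findall(pem_text)
    report = {"certificates": 0, "private_keys": 0, "key_encrypted": None, "problems": []}
    for label, body in blocks:
        if label == "CERTIFICATE":
            report["certificates"] += 1
        elif label == "ENCRYPTED PRIVATE KEY":      # PKCS#8, pass phrase protected
            report["private_keys"] += 1
            report["key_encrypted"] = True
        elif label.endswith("PRIVATE KEY"):
            report["private_keys"] += 1
            # "PRIVATE KEY" (PKCS#8) is plaintext; the legacy "RSA PRIVATE KEY"
            # form is encrypted only when it carries a Proc-Type: 4,ENCRYPTED header.
            report["key_encrypted"] = "Proc-Type: 4,ENCRYPTED" in body
    if report["private_keys"] != 1:
        report["problems"].append(f"expected one private key, found {report['private_keys']}")
    if report["certificates"] == 0:
        report["problems"].append("no certificate block found")
    if report["private_keys"] and not report["key_encrypted"]:
        report["problems"].append("private key is not encrypted (converted with -nodes?); "
                                  "the connection profile expects a PEM pass phrase")
    return report


# Constructed samples in the layout openssl pkcs12 produces (Bag Attributes,
# then the blocks); the base64 bodies are placeholders, not real material.
SAMPLE_ENCRYPTED = """Bag Attributes
    localKeyID: 01 00 00 00
subject=CN = nsserver.corp.example.com
issuer=CN = corp-CA
-----BEGIN CERTIFICATE-----
MIIBplaceholdercertificatebody==
-----END CERTIFICATE-----
Bag Attributes
    localKeyID: 01 00 00 00
Key Attributes: <No Attributes>
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIICplaceholderencryptedkeybody==
-----END ENCRYPTED PRIVATE KEY-----
"""
# What the file looks like after a conversion run with -nodes.
SAMPLE_NODES = SAMPLE_ENCRYPTED.replace("ENCRYPTED PRIVATE KEY", "PRIVATE KEY")
# Older OpenSSL builds write the encrypted key in the legacy RSA format instead.
SAMPLE_LEGACY = SAMPLE_ENCRYPTED.replace(
    "-----BEGIN ENCRYPTED PRIVATE KEY-----\n",
    "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
    "DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\n",
).replace("-----END ENCRYPTED PRIVATE KEY-----", "-----END RSA PRIVATE KEY-----")

if __name__ == "__main__":
    for name, text in (("encrypted", SAMPLE_ENCRYPTED), ("nodes", SAMPLE_NODES), ("legacy", SAMPLE_LEGACY)):
        print(name, inspect_converted_pem(text))
```

Run it as inspect_converted_pem(open(path).read()) against the file you just produced; a non-empty problems list means the file will not work with the pass phrase credential you create in the next procedure, or worse, that the key is sitting on disk in the clear.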

To configure a connection profile

1 In the Symantec Management Console, on the Settings menu, click All Settings.

2 In the left pane, click Monitoring and Alerting > Protocol Management > Connection Profiles > Manage Connection Profiles.

3 Click the connection profile that you want to use to connect to Intel AMT computers with Real-Time System Manager, and then click the Edit symbol.

4 In the Define Group Settings dialog box, expand the AMT section.

5 Check Secure mode.

6 In the Trusted CA certificate location box, click Browse and browse to the CA certificate that you exported for TLS.

See “Exporting the CA Root Certificate for the Altiris Real-Time System Manager software” on page 97.

7 In the Notification Server certificate location box, click Browse and browse to the mutual authentication certificate file that you just converted (.pem file).

8 Under the Notification Server certificate location box, click the Add symbol.

9 In the Add Credential dialog box, in the Credential type drop-down, clickAMT NS Cert. File Credential.

10 Type a name for the credentials.

For example, type NS Cert. Pass Phrase

11 Type and confirm the PEM pass phrase.

Use the same pass phrase that you typed when you created the .pem mutual certificate.

12 Click OK.

13 From the Select existing credentials drop-down list, click or browse to the credentials you just added. In this example, click NS Cert. Pass Phrase.


14 Under Trusted domain suffixes, click Add and type the domain suffixes of the Intel AMT computers that you want to manage.

For example, type west.yourenterprise.com

For more information, view topics about using connection profiles in the Symantec Management Platform Help.

15 Click OK to save the connection profile.

Configuring Intel AMT computers to use TLS mutual authentication

Now you must enable TLS mutual authentication in the configuration profile, and then reconfigure the Intel AMT computers that use this profile.

After reconfiguration, the Intel AMT computers are ready to be managed out of band with Altiris products.

See “Altiris products that can manage computers out of band” on page 15.

See “Configuring TLS with mutual authentication” on page 100.

To enable TLS mutual authentication in the configuration profile

1 In the Symantec Management Console, on the Settings menu, click All Settings.

2 In the left pane, click Remote Management > Out of Band Management > Configuration Service Settings > Configuration Profiles.

3 Open the profile that you want to modify.

4 On the TLS tab, click Use TLS.

5 Click Local Interface: TLS Mutual Authentication and Network Interface: TLS Mutual Authentication.

6 Click the Browse for Certificate Generation Properties symbol.

7 In the Select Certificate Generation Properties dialog box, click the Add symbol.

8 Click the browse button and add your CA information.

9 In the Type drop-down list, click Enterprise.

10 In the Template box, click the browse button and select the AMT Mutual template.

11 Click OK.

12 Click the CA with the AMT Mutual template and then click OK.


13 Under Trusted Certificates, type the FQDN suffixes that the Intel AMT devices should trust.

For example, type west.yourenterprise.com

You can separate multiple values with a comma.

14 On the toolbar, click the Add symbol and add your root CA certificate to the Trusted Certificates list.

If needed, in the Select Trusted Root Certificate dialog box, use the buttons on the toolbar to add or import the CA certificate.

To reconfigure Intel AMT computers with the new profile

1 In the Symantec Management Console, on the Settings menu, click All Settings.

2 In the left pane, click Remote Management > Out of Band Management > Intel AMT Computers > Intel AMT Computers.

3 (Optional) Click the computers that you want to reconfigure.

4 Click the Re-configure symbol.

The reconfiguration process is initiated.


Chapter 8: Configuring ASF/DASH computers for out-of-band management

This chapter includes the following topics:

■ Configuring ASF/DASH computers for out-of-band management

■ What to do next

Configuring ASF/DASH computers for out-of-band management

The Out of Band Task Agent that you install on the target computers lets you configure ASF or DASH capable computers for out-of-band management. Configuration of ASF or DASH is an in-band functionality.

See “About out-of-band management” on page 14.

Note: If the client computer supports both ASF and Intel AMT, we recommend configuring the computer to use Intel AMT.

See “About configuring Intel AMT computers for out-of-band management” on page 57.


Table 8-1 Process for configuring ASF/DASH computers for out-of-band management

Step 1: Enable ASF or DASH in the client computer’s BIOS.
For instructions on how to enable ASF or DASH, refer to the computer manufacturer’s documentation.

Step 2: Install the ASF management software on the computers with Broadcom ASF.
If you have computers with Broadcom ASF in your environment, you must install the ASF management software manually.
See “Installing the Broadcom ASF management software” on page 115.

Step 3: Install the Symantec Management Agent on the client computers, if it is not already installed.
The Symantec Management Agent lets Notification Server get information from and interact with the client computers.
See “Installing the Symantec Management Agent” on page 51.

Step 4: (Optional) Modify the Symantec Management Agent settings for evaluation use.
For easier configuration and evaluation of Out of Band Management Component, make the Symantec Management Agent request configuration from Notification Server more frequently.
See “Configuring the Symantec Management Agent settings for evaluation use” on page 51.

Step 5: Use the Out of Band Discovery policy to discover ASF or DASH capable computers.
The Out of Band Discovery policy lets you find the computers that are capable of out-of-band management.
See “Discovering out-of-band capable computers” on page 52.

Step 6: Install the Out of Band Task Agent on the ASF and DASH capable computers.
This agent performs ASF and DASH configuration.
See “Installing the Out of Band Task Plug-in” on page 53.

Configuring ASF/DASH computers for out-of-band managementConfiguring ASF/DASH computers for out-of-band management

114

Table 8-1 Process for configuring ASF/DASH computers for out-of-bandmanagement (continued)

DescriptionActionStep

If you want, you can collect currentconfiguration inventory from the clientcomputers.

You can view ASF/DASH inventory inthe Resource Manager.

See “Collecting ASF/DASHconfiguration and hardware inventory”on page 115.

(Optional) Collect the ASF/DASHconfiguration inventory.

Step 7

The ASF/DASH configuration tasks letyou configure ASF/DASH computersfor out-of-band management.

See “Configuring ASF/DASH computersfor out-of-band management”on page 117.

Configure the ASF or DASHcapable computers.

Step 8

Installing the Broadcom ASF management software (Broadcom ASF only)

If you want to configure Broadcom ASF-capable computers for out-of-band management, you must have the ASF management software installed on these computers.

If the ASF management software is not installed on the Broadcom ASF-capable computers, you must install the software manually.

You can obtain the Broadcom ASF Management Application from an installation CD that comes with the computer or from the Broadcom Web site: http://www.broadcom.com

For computers with Intel ASF, Out of Band Management Component installs the Intel ASF management software automatically. This software is installed when you roll out the Out of Band Task Agent.

See “Installing the Out of Band Task Plug-in” on page 53.

See “Configuring ASF/DASH computers for out-of-band management” on page 113.

Collecting ASF/DASH configuration and hardware inventory (In-band procedure)

This topic describes how to get the ASF or the DASH settings (inventory) from client computers. The ASF/DASH inventory is collected and sent to Notification Server in the standard Notification Server Inventory format.

Note: The Out of Band Task Plug-in must be installed on the client computers before you run the task. The client computer must be turned on to run this task. The operating system must be running.

See “Preparing target computers for management” on page 49.

See “Configuring ASF/DASH computers for out-of-band management” on page 113.

To collect ASF or DASH inventory

1 In the Symantec Management Console, on the Manage menu, click Jobs and Tasks.

2 In the left pane, expand Samples > Remote Management > ASF/DASH Tasks > Get ASF/DASH Configuration Inventory.

3 Run the task one time or on a schedule.

For more information, view topics about running and scheduling tasks in the Symantec Management Platform Help.

To view the ASF/DASH inventory for a client

1 Open the Resource Manager for the computer.

To open the Resource Manager, double-click (or right-click and then click Resource Manager) on a specific resource that is found in a filter or in any grid that displays resources, such as a report.

For more information, view topics about the Resource Manager in the Symantec Management Platform Help.

2 On the View menu, click Inventory, and then click Data Classes > Out of Band Management.

3 Click an inventory data class:

■ OOB Broadcom ASF Alert Service

■ OOB Broadcom ASF Remote Functions

■ OOB Broadcom ASF Security

■ OOB Broadcom DASH General Settings

■ OOB Intel ASF Adapters

■ OOB Intel ASF Alert Service


■ OOB Intel ASF Alerts

■ OOB Intel ASF Heartbeats

■ OOB Intel ASF Remote Functions

■ OOB Intel ASF Watchdog

Configuring ASF/DASH computers for out-of-band management (In-band procedure)

You can enable and configure ASF or DASH settings remotely on client computers.

Note: The Out of Band Task Plug-in must be installed on the client computers before you run the task. The client computer must be turned on to run this task. The operating system must be running.

See “Preparing target computers for management” on page 49.

See “Configuring ASF/DASH computers for out-of-band management” on page 113.

To configure ASF or DASH settings

1 In the Symantec Management Console, on the Manage menu, click Jobs and Tasks.

2 In the left pane, expand Samples > Remote Management > ASF/DASH Tasks > Update ASF Configuration Settings or Samples > Remote Management > ASF/DASH Tasks > Update DASH Configuration Settings.

3 Configure settings.

If you check Modify ... settings, the settings that are shown in the group are modified when the task runs. If you uncheck Modify ... settings, the settings on the target computer are not altered when the task runs.

See “Get ASF/DASH Configuration Inventory task” on page 160.

See “Update DASH Configuration Settings task” on page 164.

4 Run the task one time or on a schedule.

For more information, view topics about running and scheduling tasks in the Symantec Management Platform Help.

What to do next

Your computers are ready to be managed out of band.

See “Altiris products that can manage computers out of band” on page 15.


Chapter 9 Deploying OOB site servers

This chapter includes the following topics:

■ About site services

■ About OOB site servers

■ Prerequisites for OOB site server installation

■ Installing an OOB site server

■ Upgrading the Out of Band Site Server

■ Uninstalling an OOB site server

■ Configuring the default OOB site server location

About site services

The Symantec Management Platform can host several types of middleware components, such as package servers, task servers, and boot servers. Middleware components can be installed on computers other than the Notification Server computer. These services act as the first point of contact for the Symantec Management Agents, thus reducing the load on Notification Server.

The official name for a middleware component is “site service.” Any computer that hosts a site service is known as a site server. A site server can have one or more site services installed on it. For example, if you install the package server site service (the "package service") onto a computer, that computer becomes a site server.

Site servers can assist Notification Server. Site servers can extend the architecture, improve distribution efficiency, and reduce network bandwidth requirements.

Notification Server handles the deployment, configuration, and ongoing maintenance of site services. Package service, task service, and the boot service provide the Symantec Management Agents with packages, tasks, and PXE broadcasts.

Notification Server performs the following functions for site management:

■ Handles the deployment and removal of site services to and from site servers

■ Ensures that the site service is installed only on the computers that satisfy the minimum system requirements

You use site maintenance to create logical groups of endpoints to balance the load on site servers. For example, you can distribute packages efficiently to your Symantec Management Agents with multiple package servers. The package servers handle most of the package distribution functions, which frees up Notification Server to perform other activities.

About OOB site servers

An OOB site server is a site server computer with the OOB service installed. The OOB service installs Intel SCS on the site server computer.

When you install Out of Band Management Component, you must install the main OOB site server manually on the Notification Server computer.

See “Installing an OOB site server” on page 45.

You can later deploy more OOB site servers to other subnets or geographic locations. For example, if Intel AMT computers in a subnet cannot reach the main OOB site server, you can install another OOB site server into that subnet. Also, if you want to reduce the Notification Server computer's workload, you can move the OOB service from the Notification Server computer to another site server on the network.

All OOB site servers work with and must be able to access the same SQL database. When you run out-of-band management tasks, Out of Band Management Component and other Altiris solutions use this database to get the connection credentials for each of the Intel AMT devices.

See “Prerequisites for OOB site server installation” on page 120.

See “Installing an OOB site server” on page 121.

Prerequisites for OOB site server installation

The computer that you want to use as an OOB site server must meet the following requirements:

■ Microsoft Windows 2003 Server SP2 operating system running

■ 512 MB free disk space

■ The Symantec Management Agent installed. See “Installing the Symantec Management Agent” on page 51.

■ IIS 6 installed. See “About installing Microsoft IIS” on page 35.

■ .NET Framework 2.0 installed. See “About installing .NET Framework on an OOB site server” on page 38.

The OOB site server computer must be able to access the SQL server that is configured in mixed authentication mode. The same SQL server must be used for all OOB site servers in your environment.

See “About configuring SQL server” on page 34.

Installing an OOB site server

An OOB site server is a site server computer with Intel SCS. To install an OOB site server, complete the following steps.

See “About OOB site servers” on page 120.

Table 9-1 Process for installing an OOB site server

Step 1 Choose a computer for OOB site server installation.

Computers with Microsoft Windows 2003 Server SP2 operating system can become OOB site servers.

See “Viewing Out of Band Potential Site Servers” on page 122.

Step 2 Configure installation settings.

Configure which SQL server you want to use and if you want to run a prerequisites check when installing the OOB site server.

See “Configuring the OOB site server installation settings” on page 122.

Step 3 Install the OOB site server.

Roll out the OOB site server plug-in.

See “Rolling out the OOB site server” on page 122.


Viewing Out of Band Potential Site Servers

The Out of Band Potential Site Servers filter in the Symantec Management Console displays computers with an operating system capable of running Intel SCS.

See “Prerequisites for OOB site server installation” on page 120.

See “Installing an OOB site server” on page 121.

To view the Out of Band Potential Site Servers

1 In the Symantec Management Console, on the Manage menu, click Filters.

2 In the left pane, click Software Filters > Out of Band Site Service Filters > Out of Band Potential Site Servers.

Configuring the OOB site server installation settings

Before you install the OOB site server, configure the settings that you want the server to use when it is being installed.

All OOB site servers must use the same settings. If you change the settings, all other existing OOB site servers are automatically reinstalled using the new settings.

See “Installing an OOB site server” on page 121.

To configure the OOB site server installation settings

1 In the Symantec Management Console, on the Settings menu, click Notification Server > Site Server Settings.

2 In the left pane, click Site Management > Settings > OOB Service > OOB Service Settings.

3 In the right pane, configure the settings.

For help, press F1 or click Help > Context.

See “OOB Site Service page” on page 165.

4 Click Save changes.

Rolling out the OOB site server

You can install the OOB site server on a supported computer.

See “About OOB site servers” on page 120.

See “Prerequisites for OOB site server installation” on page 120.

After you install an OOB site server in a subnet, you must configure the DNS server for that subnet to resolve the ProvisionServer host name to this OOB site server computer.

See “About configuring DNS” on page 33.

See “Installing an OOB site server” on page 121.

To install the OOB site server

1 In the Symantec Management Console, on the Settings menu, click Notification Server > Site Server Settings.

2 In the left pane, click Site Management > Site Servers.

3 In the right pane, under Detailed Information, on the toolbar, click the New symbol.

4 In the Select Computers dialog box, in the left pane, click the computer that you want to become the OOB site server, and then click >.

5 Click OK.

6 In the Add/Remove Services dialog box, check OOB Site Service, click Next, and then click OK.

7 In the left pane, click Site Management > Site Servers > [Site Server Name] > Services > OOB Service.

This page displays the status of the OOB site server installation. Reload the page if necessary. You can also run additional tasks that are shown on the page. The tasks can help you troubleshoot the OOB site server installation.

See “Troubleshooting OOB site server installation” on page 179.

Upgrading the Out of Band Site Server

You can use the Out of Band Management Component Check Intel SCS upgrade policy to upgrade the Out of Band site server.

See “About OOB site servers” on page 120.

To upgrade the Out of Band Site Server

1 In the Symantec Management Console, on the Home menu, click Remote Management > Out of Band Management.

2 In the left pane, under Troubleshoot Intel AMT, click Upgrade OOB Site Server Agent and Intel SCS.

3 Turn on the policy.

To turn on the policy, at the upper right of the page, click the colored circle, and then click On.

4 Click Save changes.


Uninstalling an OOB site server

You can uninstall an OOB site server.

If you uninstall the OOB site server that is set as default, you must configure Out of Band Management Component to use another OOB site server.

See “Configuring the default OOB site server location” on page 124.

If you uninstall the only OOB site server and Intel SCS in your environment, Out of Band Management Component stops functioning.

After you uninstall an OOB site server in a subnet, you must re-configure the DNS server for that subnet to resolve the ProvisionServer host name to the next available OOB site server.

See “About configuring DNS” on page 33.

To uninstall an OOB site server

1 In the Symantec Management Console, on the Settings menu, clickNotification Server > Site Server Settings.

2 In the left pane, click Site Management > Site Servers > [Site Server Name]> Services.

3 In the right pane, under OOB Service, click Install/remove services.

4 Choose which services should be present on the server and click Next.

The next time the OOB site server computer requests configuration information from Notification Server, the OOB site service software is removed from the target computer.

If the OOB site service was the only service on the site server, the site server software is removed too.

See “Troubleshooting OOB site server installation” on page 179.

Configuring the default OOB site server location

By default, Out of Band Management Component is configured to use the Intel SCS that is installed on the Notification Server computer, as part of the default OOB site server installation. If you move the OOB site server and Intel SCS to another computer, you must configure Out of Band Management Component.

See “About OOB site servers” on page 120.


To set the default OOB site server

1 In the Symantec Management Console, on the Settings menu, click All Settings.

2 In the left pane, click Remote Management > Out of Band Management > Configuration Service Settings > Service Location.

3 Under Site Servers, click an OOB site server, and then click the Set as default location of Intel SCS Service symbol.

4 Click Save changes.


Chapter 10 About Out of Band Management Component pages

This chapter includes the following topics:

■ Auxiliary profiles: 802.1x Profiles page

■ Auxiliary profiles: Management Presence Servers page

■ Auxiliary profiles: Remote Access Policies page

■ Auxiliary Profiles: Wireless Profiles page

■ Trusted Root Certificates page

■ Configuration Profiles page

■ DNS configuration page

■ General page

■ Maintenance page

■ Security keys page

■ Service location page

■ Users page

■ Delayed Setup and Configuration page

■ Intel AMT Computers page

■ Profile assignments page


■ Resource Synchronization page

■ Get ASF/DASH Configuration Inventory task

■ Update ASF Configuration Settings task

■ Update DASH Configuration Settings task

■ OOB Site Service page

■ Certificate Enrollment task

■ Firewall Configuration task

■ FQDN Synchronization task

■ Install Intel Setup and Configuration Server task

■ Install OOB Site Service agent task

■ Install Out of Band Management Site Service Agent and Intel Setup and Configuration Server job

■ Intel Setup and Configuration Server Upgrade job

■ Intel Setup and Configuration Server Upgrade Job: internal task

■ OOB Site Server Inventory task

■ Send Intel AMT Hello Message task

Auxiliary profiles: 802.1x Profiles page

IEEE 802.1x defines an extendable set of layer 2 protocols that are used to authenticate LAN communications. The profiles that are defined here can apply to any Intel AMT Profile, and to either wired connections or wireless connections. This capability only applies to Intel AMT releases 2.5 or later.

Note: If the Add symbol is disabled, check Active Directory Integration on the General page.

See “General page” on page 146.

802.1x Profiles: Add 802.1x Profile dialog box

This page lets you create a new 802.1x profile.


Table 10-1 Options on the Add 802.1x Profile dialog box

Profile name

Type a name for the new 802.1x profile.

Protocol

Select from one of the available options.

Client certificate

The client authentication options require defining a source for a client certificate for authenticating an Intel AMT device to a Radius server. Type a path to a certification authority (CA) and select a template that is defined for creating the appropriate client certificate. Defining a template requires an Enterprise certification authority, which requires presence of Active Directory.

See “Installing and configuring CA” on page 36.

See “About integrating with Microsoft Active Directory” on page 35.

Note: Only three server and client certificates can be associated with a single profile. These include the Server certificate that is required for TLS and any client certificates that are required for 802.1x profiles or for NAC posture signing. In a normal installation, a single client certificate would be purchased for all applications in the facility. If a profile requires more than three certificates, setup of an Intel AMT device based on this profile fails.

Roaming identity

Check to enable roaming.

The user will have an identity of Anonymous.

Trusted root CA for certificate

Select the root certificate from the certification authority (CA) that was the issuer of the server certificate that is installed on the Radius server. Intel SCS installs a root certificate from that CA in the Intel AMT devices that are configured with this profile.

Server certificate subject

Type the subject name in the certificate that is installed in the Radius server.

Certificate subject type

For Radius server domain verification, choose one of the following:

■ Fully Qualified Domain Name - click if you entered the Radius server's FQDN into the Server certificate subject box.

■ Radius Server Domain Suffix - click if you entered the Radius server's domain suffix in the Server certificate subject box.

If you do not want to use the Radius server domain name verification, click Do not verify Radius Server certificate subject name.
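The two name checks described on this page, the Trusted Certificates FQDN suffix list (step 13 of the mutual authentication profile) and the Certificate subject type choices in the table above, written out as an added example. This is not code from the guide, from Intel SCS or from Symantec; the function names, the SubjectType enum and the sample subject DN are constructed for illustration, and the label-boundary rule for suffix matching is the author's assumption about how such a check should behave.

```python
# Added example (not from the guide, not Intel SCS or Symantec code): how the
# Trusted Certificates suffix list and the 802.1x "Certificate subject type"
# rule could be evaluated against a server certificate's subject name.
# Function names and the sample subject DN below are constructed for illustration.
from enum import Enum
from typing import Iterable, List, Optional


class SubjectType(Enum):
    """The three 'Certificate subject type' choices on the Add 802.1x Profile dialog."""
    FQDN = "Fully Qualified Domain Name"
    DOMAIN_SUFFIX = "Radius Server Domain Suffix"
    NO_VERIFY = "Do not verify Radius Server certificate subject name"


def _normalize_host(name: str) -> str:
    """Lower-case a DNS name and strip surrounding whitespace and a trailing dot."""
    return name.strip().lower().rstrip(".")


def parse_trusted_suffixes(text: str) -> List[str]:
    """Split the comma-separated Trusted Certificates entry into normalized suffixes.

    Empty items (for example from a trailing comma) are dropped, and a leading
    dot such as '.west.yourenterprise.com' is accepted as equivalent.
    """
    suffixes = []
    for item in text.split(","):
        item = _normalize_host(item).lstrip(".")
        if item:
            suffixes.append(item)
    return suffixes


def host_matches_suffix(hostname: str, suffix: str) -> bool:
    """True if hostname equals suffix or lies beneath it on a DNS label boundary.

    The label boundary is the security-relevant part (assumption of this example):
    'yourenterprise.com' must not be matched by 'evilyourenterprise.com', only by
    'yourenterprise.com' itself or 'something.yourenterprise.com'.
    """
    hostname = _normalize_host(hostname)
    suffix = _normalize_host(suffix).lstrip(".")
    if not suffix:
        return False
    return hostname == suffix or hostname.endswith("." + suffix)


def is_trusted_fqdn(server_fqdn: str, trusted_suffixes: Iterable[str]) -> bool:
    """Trusted Certificates check: trusted only if some configured suffix covers the FQDN.

    With no suffixes configured nothing is trusted, so a blank entry fails closed.
    """
    return any(host_matches_suffix(server_fqdn, s) for s in trusted_suffixes)


def cn_from_subject(subject_dn: str) -> Optional[str]:
    """Extract the CN attribute from a comma-separated subject DN string.

    Simplification: RDN values containing escaped commas are not handled, which is
    enough for the host-name CNs that a Radius server certificate carries.
    """
    for rdn in subject_dn.split(","):
        attr, sep, value = rdn.strip().partition("=")
        if sep and attr.strip().upper() == "CN":
            return value.strip()
    return None


def verify_radius_subject(cert_subject_cn: str, subject_type: SubjectType,
                          expected: str) -> bool:
    """Apply the selected 'Certificate subject type' rule to a Radius server CN.

    FQDN          : the CN must equal the value typed in Server certificate subject.
    DOMAIN_SUFFIX : the CN must be at or beneath the typed domain suffix.
    NO_VERIFY     : the subject name is not checked at all; only chain validation
                    (not modelled here) would then bind the server to the trusted CA.
    """
    if subject_type is SubjectType.NO_VERIFY:
        return True
    if subject_type is SubjectType.FQDN:
        return _normalize_host(cert_subject_cn) == _normalize_host(expected)
    if subject_type is SubjectType.DOMAIN_SUFFIX:
        return host_matches_suffix(cert_subject_cn, expected)
    raise ValueError(f"unknown subject type: {subject_type!r}")


if __name__ == "__main__":
    # Constructed sample values, mirroring the guide's west.yourenterprise.com example.
    trusted = parse_trusted_suffixes("west.yourenterprise.com, east.yourenterprise.com")
    sample_subject = "CN=radius.west.yourenterprise.com, O=Your Enterprise, C=US"
    cn = cn_from_subject(sample_subject)
    print("trusted suffixes:", trusted)
    print("radius CN covered by Trusted Certificates:", is_trusted_fqdn(cn, trusted))
    print("look-alike host covered:",
          is_trusted_fqdn("radius.notwest.yourenterprise.com", trusted))
    print("FQDN rule:", verify_radius_subject(cn, SubjectType.FQDN,
                                              "radius.west.yourenterprise.com"))
    print("suffix rule:", verify_radius_subject(cn, SubjectType.DOMAIN_SUFFIX,
                                                "west.yourenterprise.com"))
```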

Select Certificate Generation Properties dialog box

This dialog box lets you select the certification authority (CA) that Intel SCS uses to generate certificates.

Add Certificate Generation Properties dialog box

This dialog box lets you configure certificate generation properties.

Table 10-2 Options on the Add Certificate Generation Properties dialog box

CA Host Name

Type the FQDN of the computer that handles, stores, and issues digital certificates. You can click ... and select one from the list of Certificate Authorities (CA) known to Notification Server.

Microsoft certification authority (CA) is used to generate individual certificates for Intel AMT devices.

Name

Type the name of the CA. The name is listed in the CA Administration Manager. To open the CA Administration Manager, in Windows, click Start > Administrative Tools > Certification Authority. The name is listed in the first sub-branch in the left pane.

Type

Windows Server 2003 Certificate Services supports two types of CA: Enterprise and Standalone. The type of the CA is defined at the time of the CA installation. Select the type of the CA that you installed.

See “Installing and configuring CA” on page 36.

Template

When working with an Enterprise CA, type the name of the Certificate Template to be used. You can click ... and select one from the list of templates that are known to Notification Server.

A template allows customization of the content of the certificates that the CA issues. The name must be the LDAP name that is stored in Active Directory. When the template is displayed using the CA management tools, it is the TemplateName and not the TemplateDisplayName. The default template for TLS is WebServer. For TLS Mutual Authentication, select the template that you created for mutual. Example: AMTMutual.

See “Configuring TLS with mutual authentication” on page 100.

Select Certificate Template dialog box

This dialog box lets you select the certificate template that you want Intel SCS to use when generating certificates for the functionality that you want to configure.

Auxiliary profiles: Management Presence Servers page

Intel AMT 4.0 and later support CIRA (client-initiated remote access). CIRA allows an Intel AMT computer that is located outside an enterprise to connect to management consoles inside the enterprise. The connection is accomplished through a Management Presence Server (MPS) that is located in the DMZ of the enterprise. The MPS appears as a proxy server to management console applications. The Intel AMT device establishes a Mutual Authentication TLS tunnel with the MPS. Multiple consoles can interact with the Intel AMT device through this tunnel.

Click the Add symbol to add an MPS.

Management Presence Servers: Add Management Presence Server dialog box

A CIRA policy contains the parameters that determine the conditions for establishing an MPS connection, as well as the connection parameters to either one or two MPSs.


Table 10-3 Options on the Add Management Presence Server dialog box

Server FQDN or IP address

Type the FQDN or the IP address of the Management Presence Server.

If you type an IP address, you must specify the common name in the box below.

Server listening port

Type the port that the Management Presence Server listens on for connections from Intel AMT devices.

Client certificate

TLS mutual authentication is used to authenticate the Intel AMT-MPS tunnel. The Intel AMT device requires a client certificate that the MPS will authenticate and a trusted root certificate from the certification authority that generated the MPS server certificate.

Select client certificate generation properties. To do this, choose the certification authority that you want the AMT platform to use to request a certificate that the MPS can authenticate. Then select the template that is defined for creating the appropriate client certificate. This should be a template where the subject name is supplied in the request and the usage is Client Authentication.

For information on creating a template for 802.1x client certificates, see the Intel® Active Management Technology Setup and Configuration Service Installation Guide.

Server certificate

Choose the root certificate of the certification authority that you want the MPS to use to authenticate itself to the AMT platform.

Auxiliary profiles: Remote Access Policies page

Intel AMT 4.0 and later support CIRA (client-initiated remote access). CIRA allows an Intel AMT computer that is located outside an enterprise to connect to management consoles inside the enterprise. The connection is accomplished through a Management Presence Server (MPS) that is located in the DMZ of the enterprise. The MPS appears as a proxy server to management console applications. The Intel AMT device establishes a Mutual Authentication TLS tunnel with the MPS. Multiple consoles can interact with the Intel AMT device through this tunnel.

A remote access policy contains the parameters that determine the conditions for establishing an MPS connection. It also contains the connection parameters to either one or two MPSs.

Remote Access Policies: Create Remote Policy dialog box

This dialog box lets you create a remote access policy to use with the CIRA (client-initiated remote access) functionality of Intel AMT.

See “Auxiliary profiles: Remote Access Policies page” on page 132.

Table 10-4 Options on the Remote Access Policies: Create Remote Policy dialog box

Name

Type a descriptive name for the policy.

Tunnel life time

Type an interval in seconds. When there is no activity in an established tunnel for this period of time, the Intel AMT device closes the tunnel. Entering zero (0) means that the tunnel does not time out. The tunnel stays open until the user closes it or when a different policy with higher priority needs to be processed.

Trigger

Select the trigger or triggers associated with this policy. A particular trigger type can be selected in only one policy.

User initiate connection

The Intel AMT device establishes a tunnel with the MPS when the user initiates a connection request.

Alert occurred

The device establishes a connection when an event occurs that generates an alert that is addressed to the network interface.

Connect periodically

The device connects to the MPS based on the Seconds Between Connections interval.

Management Presence Servers

Select the MPSs that apply to the policy (up to two). When a trigger occurs, the Intel AMT device attempts to connect to the server that is listed in the Preferred server box. If that connection does not succeed, the device tries to connect to the server that is listed in the Alternative server box, if one was specified.

Auxiliary Profiles: Wireless Profiles page

A wireless profile defines which protocol is used between an Intel AMT device and a wireless access point. A wireless profile works when the host on a mobile platform is in a Sx power state (S3, S4, or S5) and Intel AMT is configured to be active in the current power state. The profiles conform to IEEE 802.11i.

See “Configuring Intel AMT wireless settings” on page 64.

Wireless Profiles: Add Wireless Profile dialog box

This dialog box lets you configure the wireless settings that the Intel AMT devices should use in sleep (S3, S4, or S5) state when the operating system cannot be used to configure wireless protocols.

Table 10-5 Options on the Wireless profiles: Add Wireless Profile dialog box

Profile name

Type a name for this profile.

SSID

Type an optional Service Set ID (SSID): a 1 to 32 character string naming a specific wireless LAN.

Data Encryption

Select a Key Management scheme (WPA or RSN) and an Encryption Algorithm (TKIP or CCMP). These choices must correspond to the settings that are used in the specific wireless LAN environment.

Authentication

Either provide a pass phrase or select one of the existing 802.1x profiles or create a new one.

See “Auxiliary profiles: 802.1x Profiles page” on page 128.


Trusted Root Certificates page

This page lists the trusted root certificates that you want Intel SCS to use.

Click the Add symbol to add a certificate by selecting a certification authority that is found in your environment.

Click the Import symbol to import a certificate from a file.

Trusted Root Certificates: Select a Certificate Authority dialog box

Select the certification authority (CA) that you want the solution to use when generating certificates, and click OK.

See “Installing and configuring CA” on page 36.

Trusted Root Certificates: Import Trusted Root Certificate dialog box

Import the trusted root certification authority (CA) certificate that you want the solution to use when generating certificates, and click OK.

See “Installing and configuring CA” on page 36.

Configuration Profiles page

Configuration profiles contain the Intel AMT device configuration parameters. Profiles determine which features are enabled in the device, what authentication mechanism is used, and which users have access to device features. One or many profiles can be defined. For example, use a different profile for different sites. Each profile can be assigned to one or more Intel AMT devices.

See “Creating Intel AMT configuration profiles” on page 62.

Setup and configuration profile: General tab

On this tab, type general information that pertains to this profile.

Table 10-6 Options on the General tab

Profile name

Type a short, descriptive name. This name appears on the Intel AMT devices page.

Profile description

A more complete description of the profile.

Max clock tolerance

The allowable difference between the clock of an Intel AMT device and the timestamp of a received message. This setting is part of the mechanism that is used to eliminate replay attacks.

User name

The remote connection administrative credentials.

The user name is always "admin".

Intel AMT remote connection password

Select either Random Creation or Manual.

If Manual is selected, type the password and confirm the entry. You must type a strong password.

See “About passwords used with Intel AMT” on page 181.

This password becomes the administrative password in the Admin ACL entry for all Intel AMT devices that are configured with this profile.

Selecting Random Creation means that each Intel AMT device is configured with a random password. The password for each Intel AMT computer is stored in the Intel SCS database. Unless you configure more administrative users on the ACL tab, you can manage the computers from Notification Server only. In this case, Notification Server pulls the administrative credentials from the Intel SCS database every time you run an out-of-band task.

See “Setup and configuration profile: ACL tab” on page 141.

Note: To use the credentials that are stored in Intel SCS, create a connection profile with Intel AMT runtime credentials. Then configure the task to use this connection profile.

For more information, view topics about using connection profiles in the Symantec Management Platform Help.

See “About Intel AMT related credentials” on page 22.

New MEBx password

Type the new MEBx password that you want Intel SCS to set on the devices that you initialize using the Remote Configuration feature.

See “Initializing Intel AMT computers using the Remote Configuration feature” on page 65.

See “About Intel AMT related credentials” on page 22.


Setup and configuration profile: Network tab

On this tab, define this profile's network settings.

Table 10-7 Options on the Network tab

Enable ping response
    Check if you want the Intel AMT device to respond to a ping.

Web UI
    Administrators can use this browser-based UI (user interface) for management and maintenance of Intel AMT devices.

    Check to allow this feature.

    You can access the web UI by typing the following address in the Internet Explorer's address bar: http://<Intel AMT computer name>:16992 or https://<Intel AMT computer name>:16993

Serial over LAN
    This feature is used to manage an Intel AMT-enabled platform remotely by encapsulating keystrokes and character display data in a TCP/IP stream.

    Check to allow this feature.

IDE redirection
    Use this feature to remotely enable, disable, format, or configure individual floppy or IDE CD drives. You can also reload operating systems and software from remote locations. These actions are independent of and transparent to the host.

    Check to allow this feature.

Wired LAN 802.1x profile
    Select an optional 802.1x profile that you want the Intel AMT device to use when authenticating on a wired LAN. This profile is active when the device is in S3, S4, or S5 power states. This option applies only to Intel AMT releases 2.5, 3.0, 4.0, and 5.0.

    See “Auxiliary profiles: 802.1x Profiles page” on page 128.

    Note: You must integrate Intel SCS with Active Directory to configure an Intel AMT device with a wired 802.1x profile.

    See “Integrating Intel SCS with Active Directory” on page 55.

Keep 802.1x session after a PXE boot for
    Lets you keep the 802.1x session alive after a PXE Boot for the number of minutes that you specify (up to 1440 minutes). This is the period that is allowed for completion of an 802.1x authentication. This parameter can be set only when an 802.1x profile has been selected. If the 802.1x profile is deleted, this value is forced to zero.

Enable 802.1x for AMT even if host is not authorized for 802.1x
    Check to enable manageability traffic even if the host cannot complete 802.1x authentication to the network.

Enable EAC
    Check to enable Endpoint Access Control.

    Choose the certification authority and the template to use for issuing a client certificate for Endpoint Access Control posture signing.

Vendor
    If the 802.1x profile's protocol is one of the EAP-FAST protocols, you can use NAC authentication along with the RADIUS server to authenticate the AMT device. If the 802.1x profile's protocol is one of the PEAP definitions, you can specify NAP or NACNAP hybrid authentication.

Enable KVM
    Check to enable the KVM capability.

    Intel AMT Release 6.0 introduces support for the Keyboard, Video and Mouse (KVM) capability. KVM enables remote control of an Intel AMT system using a remote keyboard and mouse and viewing the managed system's screen output at a remote monitor.

User consent required before beginning KVM session
    Check if you want to define that the user of the Intel AMT system must consent to KVM connections.

    A pop-up window appears on the Intel AMT system when a KVM connection request is processed. The window contains a code number that the user must provide (by telephone) to the person trying to connect to his computer.

Timeout for user consent
    Determines the maximum time (in minutes) allocated for the user consent process. If the user consent process is not completed in this time, a new KVM connection request must be sent.

Setup and configuration profile: TLS tab

On this tab, configure if you want the Intel AMT devices to require a certificate when authenticating with other applications.

Note: You must have a properly configured infrastructure (certification authority installed, proper certificates installed) to configure Intel AMT computers with TLS or TLS Mutual Authentication.

See “About TLS” on page 95.

Table 10-8 Options on the TLS tab

Use TLS
    Check to enable TLS.

    When TLS is enabled, the Intel AMT device requires a server certificate that is used to authenticate itself with other applications.

    See “About TLS” on page 95.

Local Interface
    Select if you want the host communications with the Intel AMT device to require TLS or TLS with mutual authentication.

Network Interface
    Select if you want network communications with the Intel AMT device to use TLS or TLS with mutual authentication.

Encryption Mode
    Click Encrypted to allow setup and configuration only on the platforms that support encryption.

    Click Plain Text to allow setup and configuration only on the platforms that do not support encryption.

    Click Both to allow setup and configuration on both types of platforms (encrypted and plain text).

Server Certificate
    Select the certification authority (CA) that you want to use to generate server certificates for the Intel AMT devices that are associated with the profile.

    See “Add Certificate Generation Properties dialog box” on page 130.

    Note: Only three server and client certificates can be associated with a single profile. These include the server certificate that is required for TLS and any client certificates that are required for 802.1x profiles or for NAC posture signing. In a normal installation, a single client certificate would be purchased for all applications in the facility. If a profile requires more than three certificates, setup of an Intel AMT device that is based on this profile fails.

Trusted Certificates (Optional)
    These are the issuers of the client certificates that the Intel AMT device recognizes as authentic. These certificates are stored in the database and then sent to the Intel AMT device during configuration. Intel AMT can accept up to four trusted root certificates, so no more than four should be added to a profile.

    Click the Add symbol and, in the Select Trusted Root Certificate dialog box, select the certification authority (CA) that you configured to issue certificates for TLS with Mutual Authentication.

    You can also import the trusted root CA certificate from a file.

    See “About TLS” on page 95.

CRL
    The Certificate Revocation List (CRL) is a list of entries that indicate which certificates have been revoked. The CRL contains certification authority URLs and the serial numbers of revoked certificates. This is an optional feature of TLS Mutual Authentication.

    Click the Manage CRL symbol to define a CRL.

FQDN Suffixes
    The Fully Qualified Domain Name (FQDN) suffixes for mutual authentication.

    The Intel AMT device validates that any client certificates that Intel SCS or Altiris solutions use have one of the listed suffixes in the certificate subject.

    Type the FQDN suffix of the Notification Server computer: for example, type yourenterprise.com. If you want to type more than one suffix, use a comma as a delimiter.

TLS: Edit CRL dialog box

The Certificate Revocation List (CRL) is a list of entries that indicate which certificates have been revoked. The CRL contains certification authority URLs and the serial numbers of revoked certificates. CRL is an optional feature of TLS Mutual Authentication.

This feature requires that a certification authority be installed in your environment.

See “Installing and configuring CA” on page 36.

Add and select the CRL that you want to use.

Edit CRL: Add CRL Entry dialog box

The Certificate Revocation List (CRL) is a list of entries that indicate which certificates have been revoked. The CRL contains certification authority URLs and the serial numbers of revoked certificates. CRL is an optional feature of TLS Mutual Authentication.

Table 10-9 Options on the Add CRL Entry dialog box

CRL Uri
    Click to select the location of the CRL you want to use.

Serial Numbers
    Click the Browse symbol to select from the list of available serial numbers. Click the Add symbol to add a serial number manually.

Add CRL Entry: Select CRL Uri dialog box

This dialog box lets you select the source of the Certificate Revocation List (CRL).

Edit CRL: Import CRL dialog

This dialog box lets you import the Certificate Revocation List (CRL) from a file.

Setup and configuration profile: ACL tab

The Intel AMT access control list (ACL) manages who has access to which capabilities within Intel AMT. An ACL entry has a user ID and a list of realms to which a user has access. This access is required to use the functionality that is associated with a realm. You can use two kinds of ACL entries: Kerberos and Digest. The main difference between them is that Kerberos entries have an Active Directory SID to identify a user or group of users. Digest entries have a user name and password for user identification. When Microsoft Active Directory is used, user identities are imported from Active Directory; otherwise, user identities are added manually.

Kerberos users are not available if AD integration is disabled.

See “Integrating Intel SCS with Active Directory” on page 55.

ACL: Add ACL Entry dialog box

This dialog box lets you add a user to the Intel AMT access control list (ACL).

Table 10-10 Options on the Add ACL Entry dialog box

Active Directory user
    Select this option only if you have Active Directory integration enabled.

    See “Integrating Intel SCS with Active Directory” on page 55.

    Select a user or group from the Active Directory.

Digest User
    Digest authentication is a password-based authentication. Type the user name. Then, type the password and confirm the entry.

Access Permission
    This parameter defines locations from where the user is allowed to perform an action. A user might be limited to local actions or might also be able to perform actions from the network.

    Click Local Access if you want the user to access the Intel AMT device through the local host only.

    Click Network Access if you want to let the user execute actions through the network.

    Click Any if you want to let the user execute actions both locally and from the network. We do not recommend selecting this option.

Realms
    Select the specific functional capabilities such as Redirection or PT Administration that will be available to this ACL entry.

    Some of the realms cannot be used with a specific access permission. An error is displayed if you select a realm that is not allowed.

Add ACL Entry: Select User dialog box

Select the Active Directory user that you want to use for the functionality that you are configuring.

Setup and configuration profile: Wireless Profiles tab

You can use the Wireless profiles tab to create and select wireless profiles with which to configure Intel AMT-capable notebook computers.

Wireless profiles are used when the Intel AMT device on a notebook computer is active in S3, S4, or S5 power states. Wireless profiles let the Intel AMT device connect to the wireless access point when the operating system is not available. The Intel AMT device authenticates according to the selected wireless profiles in order of priority. Intel SCS allows up to 15 wireless profiles to be added to a profile.

Note: An Intel AMT notebook computer that is configured with a wireless profile offers full Intel AMT management functionality through the wireless connection, except for setup and configuration. Setup and configuration is possible only when the computer is connected to the wired network.

Note: If you want to use wireless profiles with 802.1x authentication to configure notebook computers with Intel AMT, you must enable Active Directory integration.

See “Integrating Intel SCS with Active Directory” on page 55.

Table 10-11 Options on the Wireless profiles tab

Create new wireless profile
    Click to create a new wireless profile.

    See “Auxiliary Profiles: Wireless Profiles page” on page 134.

Add
    Add a wireless profile.

Up/Down
    Adjust the relative priority of the profile. The profile at the top of the list has the highest priority and is tried first by configured wireless Intel AMT devices.

Enable host VPN routing
    When checked, Intel AMT devices accept management traffic over a Virtual Private Network connection when Intel AMT detects that the platform is operating outside the enterprise network.

Allow wireless connection without profile
    Check to allow Wi-Fi connection even without a profile (using the host's Wi-Fi settings).

Setup and configuration profile: Power Policy tab

Use these settings to determine the highest host power state in which the Intel AMT devices that are assigned to this profile remain active or can activate from a sleep state.

Table 10-12 Options on the Power policy tab

Intel AMT is ON in the following host sleep states
    This parameter defines the highest power state at which Intel AMT will operate while the device is connected to AC power. Note that this includes operation in higher power states. For example, if the platform is in S3 and this parameter is set to Host is ON (S0), the Intel AMT device will not operate until the platform returns to S0.

    Default: Intel AMT is always on (S0-S5).

Idle timeout
    Once the Intel AMT device wakes up and the host system is not turned on, this parameter determines the minimum time (in minutes) that the Intel AMT device remains operable when there is no activity. The device returns to a sleep state after the idle timeout period. The timeout timer is restarted whenever the device is serving requests. If the value of the parameter is zero (the default value), the device will remain on when there is no activity. For example, the AMT is ON parameter is set to Host is ON (S0) or in Standby (S3). When the platform transitions to S3, the Intel AMT device remains awake until there is no activity for the number of minutes set in the Idle Timeout. At that point the device reduces power. Any network access to the Intel AMT device causes it to wake up and restart the timeout timer.

    If you want to use this parameter, set it to three minutes at a minimum.

Setup and configuration profile: Domains tab

The Domains tab defines the domains from which an Intel AMT computer can initiate configuration by Intel SCS.

Click the Add symbol to add a domain.

If you want to allow configuration when the platform has no domain name, check Allow configuration when platform has no domain name.

Domains tab: Add New Domain Entry dialog box

Use this dialog box to add a domain to the list of domains from which an AMT computer can initiate configuration by Intel SCS.

Table 10-13 Options on the Add New Domain Entry dialog box

Domain name
    Type the name of the domain.

This domain is a home domain
    Checking this has the following effects:

    ■ CIRA (Remote access): If the Intel AMT computer is not in a home domain, the computer will attempt to use CIRA to connect to the SCS (if CIRA is defined).

    ■ Wi-Fi: If the Intel AMT computer is in a home domain and no wired connection is available, and the profile does not include Wi-Fi parameters, and the host has connected using Wi-Fi, the Intel AMT computer will use the host's Wi-Fi settings as long as the access point is in one of these domains.

FQDN validation
    Check to validate the Intel AMT device's FQDN when you modify the configuration properties for an Intel AMT device. Intel SCS checks that the device's FQDN matches one of the domains in the domain list of the profile that is used for setup and configuration.

Allow sub-domain
    Check to allow configuration (using this profile) of an Intel AMT computer that is located in a sub-domain of the domain that you entered in the Domain Name box. For example, if the domain name is mydomain.com, Intel AMT computers in subdomain.mydomain.com can also be configured.
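Both the FQDN validation and Allow sub-domain checks on this tab and the FQDN Suffixes check on the TLS tab are suffix matches on DNS names. The following added Python example (not Intel SCS or Altiris code) models both rules and shows why the match must be made on whole labels: a look-alike name such as pc1.evilmydomain.com must not pass for mydomain.com. The host and domain names it uses are constructed.

```python
"""Label-boundary suffix matching for the Domains tab (FQDN validation and
Allow sub-domain) and for the TLS tab's FQDN Suffixes option.

Added example, not Intel SCS or Altiris code. The domain names used in
the demonstration at the bottom are constructed."""


def _labels(name):
    """Split a DNS name into lower-case labels; blanks and a trailing dot
    are ignored so 'PC1.MyDomain.COM.' compares equal to 'pc1.mydomain.com'."""
    return [lbl for lbl in name.strip().lower().rstrip(".").split(".") if lbl]


def fqdn_in_domain(fqdn, domain, allow_subdomain):
    """Domains tab rule: the device FQDN must name a host directly in
    `domain`, or, when Allow sub-domain is checked, a host in any
    sub-domain of it.  Matching is done on whole labels, so a look-alike
    such as pc1.evilmydomain.com never matches mydomain.com."""
    f, d = _labels(fqdn), _labels(domain)
    if not d or len(f) <= len(d):
        return False                      # need at least one host label
    if f[-len(d):] != d:
        return False                      # trailing labels differ
    return allow_subdomain or len(f) == len(d) + 1


def parse_suffixes(text):
    """The FQDN Suffixes box holds a comma-delimited list of suffixes."""
    return [s.strip().lower().rstrip(".") for s in text.split(",") if s.strip()]


def subject_matches_suffixes(subject_cn, suffixes):
    """TLS mutual authentication rule: the client certificate subject must
    carry one of the listed suffixes, again compared on label boundaries."""
    cn = _labels(subject_cn)
    for suffix in suffixes:
        sl = _labels(suffix)
        if sl and len(cn) >= len(sl) and cn[-len(sl):] == sl:
            return True
    return False


if __name__ == "__main__":
    # Constructed names: Notification Server suffix and two candidate subjects.
    suffixes = parse_suffixes("yourenterprise.com, corp.example.")
    for cn in ("ns01.yourenterprise.com", "ns01.notyourenterprise.com"):
        print(cn, subject_matches_suffixes(cn, suffixes))
    print(fqdn_in_domain("pc1.subdomain.mydomain.com", "mydomain.com", False))
    print(fqdn_in_domain("pc1.subdomain.mydomain.com", "mydomain.com", True))
```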

Setup and configuration profile: Remote Access tab

Intel AMT 4.0 and later support client-initiated remote access. This feature allows a platform containing Intel AMT located outside an enterprise to connect to management consoles inside the enterprise. The connection is accomplished through a Management Presence Server (MPS) located in the DMZ of the enterprise. The MPS appears as a proxy server to management console applications. The Intel AMT device establishes a Mutual Authentication TLS tunnel with the MPS. Multiple consoles can then interact with the Intel AMT device through the tunnel.

For remote access to work, you must configure the Intel AMT platform when the platform is inside the enterprise. You must configure the platform with the information needed to connect with the MPS. The Remote Access tab is used to enter the necessary parameters. A remote access policy contains the parameters that determine the conditions for establishing an MPS connection. The policy also contains the connection parameters to either one or two MPSs.

The MPS connection parameters are defined separately.


DNS configuration page

The computer with Intel SCS installed (the OOB site server computer) must be registered in DNS as ProvisionServer. This must be done in each DNS domain. Intel AMT devices send their Hello packets to this host name.

This page lets you test if the DNS is configured correctly.

Note: If this test fails, you cannot use the Remote Configuration feature.

See “Initializing Intel AMT computers using the Remote Configuration feature” on page 65.

Also, you cannot set up and configure the Intel AMT capable computers that were initialized by an OEM or with a USB key. Only computers with Intel AMT device initialized through MEBx can be configured.

See “Initializing computers manually through MEBx” on page 80.

Table 10-14 Options on the DNS configuration page

Test
    Click to see if DNS is configured correctly. Verify that the IP of the ProvisionServer matches the IP of Intel SCS.
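The check the Test button performs, as an added Python example that is not Out of Band Management Component code: resolve ProvisionServer in each DNS domain and compare the answer with the Intel SCS address. The resolver is injectable so the check can run offline; the domain names, addresses and the stub DNS table are constructed for illustration.

```python
"""Verify that ProvisionServer resolves to the Intel SCS address in every
DNS domain, as the DNS configuration page's Test button does.

Added example, not Out of Band Management Component code.  The domains,
addresses and FAKE_DNS table below are constructed for illustration."""
import socket

HOST_LABEL = "ProvisionServer"   # host name the guide says Intel SCS must register as


def check_provision_server(domains, scs_ip, resolve=socket.gethostbyname):
    """Return {fqdn: status} with status 'ok', 'mismatch:<ip>' or 'unresolved'.

    `resolve` defaults to a real DNS lookup; pass a stub to test offline.
    A mismatch usually means a stale record that still points at an old
    OOB site server; 'unresolved' means the domain was never registered."""
    results = {}
    for domain in domains:
        fqdn = f"{HOST_LABEL}.{domain.strip().rstrip('.')}"
        try:
            ip = resolve(fqdn)
        except (socket.gaierror, OSError, KeyError):
            results[fqdn] = "unresolved"
            continue
        results[fqdn] = "ok" if ip == scs_ip else f"mismatch:{ip}"
    return results


def all_ok(results):
    """True only when every domain resolves ProvisionServer to Intel SCS."""
    return bool(results) and all(v == "ok" for v in results.values())


# Constructed stand-in for DNS: one correct record, one stale, one missing.
FAKE_DNS = {
    "ProvisionServer.corp.example": "10.0.0.5",
    "ProvisionServer.lab.example": "10.0.0.9",   # stale: points at the old site server
}


def fake_resolve(name):
    """Stub resolver; a KeyError stands in for NXDOMAIN."""
    return FAKE_DNS[name]


if __name__ == "__main__":
    report = check_provision_server(
        ["corp.example", "lab.example", "branch.example"], "10.0.0.5", fake_resolve)
    for fqdn, status in report.items():
        print(f"{fqdn}: {status}")
    print("DNS test passed" if all_ok(report) else "DNS test failed")
```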

General page

This page lets you modify general settings of the Intel AMT Setup and Configuration Service (Intel SCS).

This page modifies the settings of the Intel SCS that you selected as default onthe Service Location page.

See “Service location page” on page 152.

The default settings are adequate for normal operation of Intel SCS. However, if you want to use Kerberos users or 802.1x profiles, you must integrate Intel SCS with Active Directory and check Active Directory Integration on this page.


Table 10-15 Options on the General page

Listen port
    Each instance of Intel SCS listens for Hello messages from the Intel AMT devices on a defined TCP port. Type the TCP port that you want Intel SCS to use for listening.

    The default port is 9971.

Default profile
    Select the profile that you want to assign to new Intel AMT computers by default.

Active Directory Integration
    If checked, the Intel SCS server adds AMT objects to Active Directory. This enables the use of Kerberos authentication and the Active Directory users list. Active Directory is also required for 802.1x profiles. Before you check this option, you must integrate Intel SCS with Active Directory.

Allow Remote Configuration
    Intel AMT releases 2.2, 2.6, 3.0, 4.0, 5.0 and later support Remote Configuration.

    Check this option to enable Intel SCS to accept Remote Configuration requests from Intel AMT devices.

Intel SCS Server
    Displays the FQDN of the OOB site server computer with which Out of Band Management Component is configured to work.

Remote Configuration Certificate status
    Displays the status of the Remote Configuration certificate.

    If you want to use Remote Configuration, you must install a valid certificate.

Use one time password
    Check to require a one-time password (OTP) exchange between Intel SCS and the Intel AMT device that is requesting setup and configuration. This feature adds more security.

Require confirmation before Intel AMT configuration
    When the Intel SCS receives a Hello message from an Intel AMT device, setup and configuration will proceed automatically, unless this option is checked. If you check this option, you must authorize setup and configuration through the Authorize systems operation on the Intel AMT Computers page.

    See “Intel AMT Computers page” on page 154.

First Common Name (CN) in certificate subject name
    Select an option that matches your root certification authority certificate's CN field.

Queue polling period
    This parameter determines how frequently Intel SCS checks the queue in the database for new tasks.

    The default is 1000 milliseconds.

Worker threads
    This parameter determines the maximum number of SCS operations that can be performed concurrently by each SCS service. The operations are: configuring or unconfiguring an Intel AMT platform, synchronizing clocks, and so on. This value can be adjusted to optimize the service's performance, depending on the number of CPUs and the memory size.

    Default: 6 threads.

Log level
    The system wide actions log can be recorded at several levels. The more detail that is recorded, the more system resources and bandwidth must be allocated.

Keep log for
    This parameter determines how long log entries are saved.

    The default is 10 days.

Keep security audit log for
    This parameter determines how long security status entries are saved.

    Default: 2 months.

Select Active Directory Organizational Unit dialog box

This page lets you select the Active Directory Organizational Unit for the functionality that you are configuring.

Maintenance page

This page lets you define the actions that Intel SCS performs periodically on all configured Intel AMT devices.

On this page you configure the Intel SCS that you selected as default on the Service Location page.

See “Service location page” on page 152.

The default settings are adequate for normal operation of Intel SCS.


Table 10-16 Options on the Maintenance page

Re-configure Intel AMT Computers
    When checked, Intel SCS will apply all the current settings in the profile that is associated with each Intel AMT device according to the defined interval.

    Default: 11 months.

Change Intel AMT Administrator password
    The administrative user has access to all functions of the Intel AMT device. Only the Intel SCS has access to this ACL entry.

    When checked, the Intel AMT administrative password is changed periodically to either a randomly-generated password or to a fixed password. Which option to use is defined in the configuration profile, on the General tab.

    See “Setup and configuration profile: General tab” on page 135.

    Normally, this maintenance function is used only with the random password option.

    Default: 1 month.

Synchronize Intel AMT Clock
    This option synchronizes the clock in each Intel AMT device to the clock on the Intel SCS platform. This operation is critical when you want to use Kerberos authentication. It ensures that the clocks do not differ by more than the Max clock tolerance defined in the configuration profiles.

    See “Setup and configuration profile: General tab” on page 135.

    Default: 7 days.

Security keys page

Setup and configuration of Intel AMT 2.0 (or later) devices is done using the TLS-PSK (Pre-Shared Key) protocol. The protocol requires the security keys installed both in the Intel AMT device and in the Intel SCS database. You can use the Security Keys page to manage the preshared keys and associated parameters. Each key has four elements: the key itself (PPS), an identifier that is sent in the clear by the Intel AMT device in the Hello message (called a PID), an initial MEBx password, and a replacement MEBx password.

Sets of these parameters can be generated, exported to a USB key, and theninstalled in new Intel AMT devices.

See “Initializing computers manually using a USB key” on page 77.


Alternatively, an OEM may ship initialized platforms with PID-PPS pairs and a default password already installed. In this case, you must import the key file from the OEM into Out of Band Management Component.

See “Initializing OEM-prepared computers manually” on page 77.

The third option is to generate new PID-PPS pairs, print them out, and type theminto the Intel Management Engine (MEBx) manually.

See “Initializing computers manually through MEBx” on page 80.

If you use the Remote Configuration feature of Intel AMT 3.0, the keys aregenerated and installed automatically.

See “Initializing Intel AMT computers using the Remote Configuration feature” on page 65.

Table 10-17 Options on the Security keys page

Add new
    Click to add a new security key.

    The PID is the eight character identification string that is sent in the clear in the Hello message. The string format is XXXX-XXXX.

    The PPS is a 32-character key string that is the secret shared between the Intel AMT device and the SCS service. The string format is XXXX-XXXX-XXXX-XXXX-XXXX-XXXX-XXXX-XXXX.

    Type the factory default Intel Management Engine (MEBx) password. The default value is "admin", unless you specifically asked the OEM to preconfigure Intel AMT computers with a different password.

    Type a new password. This becomes the new Intel Management Engine (MEBx) password after you initialize the Intel AMT device with this PID-PPS pair.

    Note: You must type a strong password. Example: P@ssw0rd

    See “About passwords used with Intel AMT” on page 181.

Generate security keys
    Type the number of security keys to generate. Type a number equal to or greater than the number of Intel AMT computers you want to initialize with the USB key. Each key will be used only once. It is not a problem if you export extra keys for use later or even not at all.

    Type the factory default Intel Management Engine (MEBx) password. The default value is "admin", unless you specifically asked the OEM to preconfigure Intel AMT computers with a different password.

    Type a new password. This becomes the new Intel Management Engine (MEBx) password after you initialize the Intel AMT device with this PID-PPS pair.

    Note: You must type a strong password: for example, P@ssw0rd

    See “About passwords used with Intel AMT” on page 181.

    See “Initializing computers manually using a USB key” on page 77.

Mark selected security keys as already used
    Click to mark a set of security keys that you have used to initialize an Intel AMT device manually. All marked security keys disappear from the Security Keys page so the keys cannot be reused. However, the keys and passwords stay in the Intel SCS database and are used for initialization of Intel AMT devices.

    Marking the keys is necessary if you use the MEBx initialization method.

    See “Initializing computers manually through MEBx” on page 80.

Print security keys
    Click to print the security keys and use them to initialize Intel AMT computers manually through MEBx.

    See “Initializing computers manually through MEBx” on page 80.

Export security keys to USB key
    Click to write the current list of keys to a file on a USB Key.

    Click Generate. A file is generated in the format that is expected by the platform BIOS. Click the Download USB key file link. Save the file to a FAT16-formatted USB key.

    Use the USB key to manually initialize the Intel AMT computers.

    See “Initializing computers manually using a USB key” on page 77.

Import security keys
    Click to import a file of keys, which you have received from an OEM together with initialized Intel AMT capable computers, into the Intel SCS database. Browse to the file and click Import.

    See “Initializing OEM-prepared computers manually” on page 77.
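The key elements this page describes (PID sent in the clear in the Hello message, PPS kept as the shared secret, initial and replacement MEBx passwords) and the mark-as-used rule, as an added Python example that is not Intel SCS code. The guide states only the lengths and dash grouping of PID and PPS; the hexadecimal alphabet, the PID uniqueness check and the in-memory store are assumptions made here, and the USB file format is not modelled.

```python
"""Generate and track TLS-PSK security keys in the PID/PPS shape described
on the Security keys page.

Added example, not Intel SCS code.  The guide gives only the lengths and
grouping of the strings; the hexadecimal alphabet, PID uniqueness check
and in-memory store below are assumptions."""
import re
import secrets

# PID: eight characters as XXXX-XXXX; PPS: 32 characters in eight dash-separated groups.
PID_RE = re.compile(r"^[0-9A-F]{4}-[0-9A-F]{4}$")
PPS_RE = re.compile(r"^(?:[0-9A-F]{4}-){7}[0-9A-F]{4}$")


def _groups(n_groups):
    """n_groups groups of four upper-case hex characters, dash separated,
    drawn from the OS CSPRNG (secrets), never from random.random()."""
    return "-".join(secrets.token_hex(2).upper() for _ in range(n_groups))


def generate_key_set(default_mebx_password, new_mebx_password):
    """One security key: PID, PPS, and the initial and replacement MEBx passwords."""
    return {"pid": _groups(2), "pps": _groups(8),
            "mebx_default": default_mebx_password,   # "admin" unless the OEM changed it
            "mebx_new": new_mebx_password,
            "used": False}


def valid_key_set(key):
    """Format check: PID is 8 characters and PPS 32, not counting dashes."""
    return bool(PID_RE.match(key["pid"]) and PPS_RE.match(key["pps"])
                and len(key["pid"].replace("-", "")) == 8
                and len(key["pps"].replace("-", "")) == 32)


class KeyStore:
    """Models the Security keys page: used keys stay in the database but are
    hidden from the page so the same PID-PPS pair is never handed out twice."""

    def __init__(self):
        self._keys = {}          # pid -> key set

    def generate(self, count, default_pw, new_pw):
        """The 'Generate security keys' action for `count` computers."""
        made = []
        for _ in range(count):
            key = generate_key_set(default_pw, new_pw)
            while key["pid"] in self._keys:          # PID must be unique (assumption)
                key = generate_key_set(default_pw, new_pw)
            self._keys[key["pid"]] = key
            made.append(key)
        return made

    def unused(self):
        """What the page lists: keys not yet marked as already used."""
        return [k for k in self._keys.values() if not k["used"]]

    def mark_used(self, pid):
        """'Mark selected security keys as already used'; the record is kept."""
        self._keys[pid]["used"] = True

    def lookup_for_hello(self, pid):
        """Intel SCS side of TLS-PSK: the Hello carries only the PID; the PPS
        is looked up in the database and never travels over the network."""
        key = self._keys.get(pid)
        return None if key is None else key["pps"]


if __name__ == "__main__":
    store = KeyStore()
    batch = store.generate(3, "admin", "P@ssw0rd")     # passwords from the guide's example
    for k in batch:
        print(k["pid"], "valid" if valid_key_set(k) else "INVALID")
    store.mark_used(batch[0]["pid"])
    print("listed on page:", [k["pid"] for k in store.unused()])
    print("still resolvable for Hello:", store.lookup_for_hello(batch[0]["pid"]) is not None)
```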

Service location page

This page lets you specify the location of the Intel Setup and Configuration Service (Intel SCS). By default, the Intel SCS is installed on the Notification Server computer, as part of the main OOB site server.

See “About OOB site servers” on page 120.

If you move the OOB site server to another computer, you must set the service URL to the URL of the new OOB site server.

Table 10-18 Options on the Service Location page

Default URL
    By default, Out of Band Management Component looks for Intel SCS on the Notification Server computer.

Alternative URL
    Displays the URL of the Intel SCS, installed on the OOB site server. To fill in this field automatically, in the Site Servers section, select a site server and click the Set as default location of Intel SCS symbol.

Site servers
    Lists the OOB Site Servers that are known to Out of Band Management Component.

System status
    Displays the computers that have Intel SCS installed and their status.

Users page

The Users page defines identities with access to the Intel SCS configuration pages in Out of Band Management Component. Each user is assigned a role which defines the permissions that are allotted to the user. When Microsoft Active Directory is integrated with the Intel SCS and Intel AMT, you can import user identities from Active Directory. Otherwise, you can add user identities manually.

When you install Out of Band Management Component for the first time, all users in the Altiris Administrators group automatically become Intel SCS Enterprise Administrators with access to all Intel SCS features. If you want another user to access the Intel SCS interface, you must add that user to this list manually.

See “About Intel AMT related credentials” on page 22.

Table 10-19 Options on the Users page

Add
    Click to add a user.

    Type or browse to a user name.

    From the Role drop-down list, select a role:

    ■ Enterprise Administrator - This role has access to all Intel SCS configuration and management screens, fields, and parameters.

    ■ Administrator - This role has the same permissions as the Enterprise Administrator but does not have permission to create or edit configuration profiles. This role does not have access to the users, general configuration, or maintenance functions.

    ■ Operator - This role has access to the following: can view the Security Keys page; can view the Intel AMT Systems page; can view the standard log and the security audit log; can access the complete configuration parameters branch.

    ■ Log Viewer - This role allows a user to view the standard log and the security audit log.

    Because only the Enterprise Administrator role can create or edit configuration profiles and manage users, keep that role to the few accounts that need it and give people who only read logs the Log Viewer role.

Edit
    Click to edit the user.

Delete
    Click to delete the user.

    Warning: Never remove the user that is used by the SCS service when it is started. Removing this user causes the service to fail.

Delayed Setup and Configuration page

Note: This policy applies to Intel AMT releases 2.2, 2.6, 3.0, 4.0 and later.

The Delayed Setup and Configuration policy lets you resume sending setup and configuration requests from initialized Intel AMT devices that have stopped doing so because of a timeout. This policy is also used to initiate the Remote Configuration sequence on Intel AMT 2.2 and 2.6 devices.

Delayed Setup and Configuration is an in-band function: it requires a running Windows operating system and the task agents that are installed on the client computer.

Computers that entered the delayed configuration state appear in the All Intel AMT Computers in Delayed Configuration State filter.

You can also use the Send Intel AMT Hello Message task to resume configuration.

See “About resending Hello messages” on page 89.

Table 10-20 Options on the Delayed Setup and Configuration page

DNS suffix
    (Optional) You can type the DNS suffix with which the Out of Band Task Agent configures the Intel AMT device.

Override OTP
    Check to override the random one-time password (OTP) that is sent to the Intel AMT device for authentication. Type a strong password. Overriding replaces a per-device random value with one value that you choose and must then protect, so leave this option unchecked unless you need to authorize the computers manually with a password that you know.

    See “About passwords used with Intel AMT” on page 181.

Switch to AMT
    Check if you want the Out of Band Task Agent to enable Intel AMT in the client computer’s BIOS.

    Note: The computers that have ASF or None selected in the MEBx do not appear in the default All Intel AMT Computers in Delayed Configuration State filter. If you want to switch such computers to Intel AMT, assign this policy to a custom filter. For example, assign it to All Intel AMT Capable Computers.

Ignore intermediate errors
    If you want the Delayed Setup and Configuration process to continue even if some errors occurred, check this option.

Client scheduling
    (Optional) You can set the scheduling options.

Intel AMT Computers page

This page lets you view the list of the Intel AMT devices that have sent Hello messages to Intel SCS. These devices can be in a configured or unconfigured state. You can update the configuration of one or all of the already configured devices, among other operations.

Table 10-21 Options on the Intel AMT Computers page

Authorize computers
    This operation authorizes configuration for the selected devices.

    This operation becomes available when you check Intel AMT requires authorization before configuration on the General page.

    See “General page” on page 146.

    If you have computers in delayed configuration state and checked One time password required on the General page, then a one-time password is required to authorize computers. Normally, Intel SCS knows the one-time password that it set on the Intel AMT device at the time the Delayed Configuration policy ran. But you can also check Override OTP and specify a password manually.

    See “Delayed Setup and Configuration page” on page 153.

Update ACL
    This operation updates the list of Intel AMT users, according to the ACL entries in the profile that is associated with each device and their access privileges.

    See “Setup and configuration profile: ACL tab” on page 141.

Renew RNG key
    This operation resets the random number generator key for the selected devices.

Update power policy
    This operation updates the power policy for all devices according to the parameters that are defined in the profiles.

    See “Setup and configuration profile: Power Policy tab” on page 143.

Synchronize clock
    This operation synchronizes the clocks between the Intel AMT devices and Intel SCS.

Change connection state
    This operation changes the computer's connection state.

    When the state is Not connected, Intel SCS cannot communicate with the Intel AMT device.

Assign profile
    This operation lets you assign an FQDN and a configuration profile to the selected Intel AMT device.

    An unconfigured device is configured using the supplied FQDN and profile the next time the Hello message is sent. If the device is already configured, you can check Re-configure if settings change to apply the new settings to the Intel AMT device. You can also re-configure the computer later using the Re-configure symbol on the toolbar.

    See “Assigning a profile to a single computer manually” on page 86.

Create assignments
    This operation lets you assign profiles to multiple Intel AMT computers.

    Check Override existing profile assignments to assign the profile that is defined on this page to the Intel AMT computers that already have a configuration profile assigned.

    This option changes the profile assignment, but does not re-configure the Intel AMT device with the new configuration profile. If you want to re-configure Intel AMT devices, check Re-configure Intel AMT if assignments change.

    See “Assigning a profile to multiple computers manually” on page 86.

Re-configure
    This operation applies all the current settings in the profile that is associated with each Intel AMT device.

Unconfigure
    This operation disables each Intel AMT device and leaves it without any Setup and Configuration parameters.

    Unconfiguration is possible in the following ways:

    ■ Full: Deletes all data from each Intel AMT device. The Intel AMT devices are not functional. You have to initialize the device again.

    See “About Intel AMT initialization” on page 58.

    ■ Partial: Deletes all data on every Intel AMT device except for the PID, PPS, and Administrator password. The devices immediately start sending Hello messages. Intel SCS sets up and configures the devices according to the profiles that are associated with them.

    Note: When you unconfigure a notebook computer with Intel AMT, the wireless connection is lost. To configure the computer, connect it to the wired network.

Export the list of the computers
    This operation backs up the current UUID to FQDN and profile mapping. The exported .CSV file can later be imported into the Profile Assignments page.

Open log for this system
    Lists the Intel SCS log entries that are filtered by the system's UUID.

Show detailed system information
    Displays configuration information for the selected system.

Delete
    Deletes the selected devices and the associated log entries from the Intel SCS database. For example, you can delete non-existing devices. Also, you must delete the device if it was unconfigured manually through the Intel Management Engine BIOS Extension (MEBx); otherwise Intel SCS still records the device as configured and rejects its Hello messages.
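The following Python model is added here as an example; it is not code from Out of Band Management Component or Intel SCS. It walks through the Unconfigure (Full and Partial) and Delete operations above together with a manual un-provision from the MEBx, to show why Intel SCS rejects a device's Hello message after a MEBx un-provision until the device is deleted from the Intel SCS database. The class names, state labels, the returned strings, and the assumption that Delete leaves the profile assignment in place are all choices made for the example.

```python
"""Intel AMT device lifecycle as the device and Intel SCS each see it.

Added example, not Intel SCS or Symantec code. State labels, method
names and the returned strings are assumptions made for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class AmtDevice:
    """The device side, reduced to what matters for the Hello exchange."""
    uuid: str
    initialized: bool = True      # PID/PPS pair and Administrator password present
    configured: bool = False      # profile settings applied
    profile: Optional[str] = None

    def sends_hello(self) -> bool:
        # Only an initialized but unconfigured device asks Intel SCS for configuration.
        return self.initialized and not self.configured


@dataclass
class ScsDatabase:
    """The Intel SCS side: what it remembers about each UUID."""
    state: Dict[str, str] = field(default_factory=dict)        # uuid -> "unconfigured" or "configured"
    assignments: Dict[str, str] = field(default_factory=dict)  # uuid -> profile (Profile Assignments page)

    def handle_hello(self, dev: AmtDevice) -> str:
        """Decide what happens when dev would send a Hello message."""
        if not dev.sends_hello():
            return "no hello: device is configured or not initialized"
        if self.state.get(dev.uuid) == "configured":
            # The database still says "configured", so the request is refused.
            return "rejected: database shows the device as already configured"
        profile = self.assignments.get(dev.uuid)
        if profile is None:
            return "waiting: no profile assigned to this UUID"
        dev.configured, dev.profile = True, profile
        self.state[dev.uuid] = "configured"
        return f"configured with {profile}"

    def unconfigure(self, dev: AmtDevice, full: bool) -> None:
        """Unconfigure operation from the Intel AMT Computers page."""
        dev.configured, dev.profile = False, None
        if full:
            dev.initialized = False   # PID, PPS and password erased; must be initialized again
        self.state[dev.uuid] = "unconfigured"

    def delete(self, uuid: str) -> None:
        """Delete operation: forget the device (the product also drops its log entries).
        The profile assignment is left in place here; that is an assumption."""
        self.state.pop(uuid, None)


def mebx_unprovision(dev: AmtDevice) -> None:
    """Manual un-provision from the MEBx: the device forgets its
    configuration, keeps its PID/PPS, and Intel SCS is never told."""
    dev.configured, dev.profile = False, None


def walkthrough() -> List[str]:
    """Run the scenario from the table and the error description."""
    db = ScsDatabase(assignments={"u1": "Corp-TLS"})
    dev = AmtDevice("u1")
    steps = [db.handle_hello(dev)]          # first Hello: configured
    mebx_unprovision(dev)
    steps.append(db.handle_hello(dev))      # Hello again, but rejected
    db.delete("u1")
    steps.append(db.handle_hello(dev))      # after Delete the Hello is accepted
    db.unconfigure(dev, full=False)
    steps.append(db.handle_hello(dev))      # Partial: device comes straight back
    db.unconfigure(dev, full=True)
    steps.append(db.handle_hello(dev))      # Full: silent until initialized again
    return steps


if __name__ == "__main__":
    for line in walkthrough():
        print(line)
```

The point to take from the walkthrough is that the device and the database hold separate copies of the "configured" state, and only the console operations keep them in step; any change made at the keyboard (MEBx) has to be reflected with a Delete before the device can be configured again.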

Profile assignments page

An initialized Intel AMT device (with the PID-PPS pair installed) starts sending Hello messages and requesting configuration information from Intel SCS. A part of the Hello message is the Universal Unique Identifier (UUID) of the device. The Intel AMT device can be configured only when it has a configuration profile that is assigned to that UUID. You can create the profile assignments manually or automatically by the Resource Synchronization policy.

See “Configuring the automatic Intel AMT configuration profile assignment” on page 64.

On the Profile Assignments page you can monitor and modify profile assignments.

Table 10-22 Options on the Profile assignments page

Add
    Lets you add a new UUID to FQDN mapping. The device becomes configured using the supplied FQDN and profile the next time the Hello message is sent.

    See “About assigning a configuration profile” on page 85.

Edit
    Lets you edit a profile assignment.

Export the computers mapping
    Backs up the current profile assignments.

Import system mappings
    Imports profile assignments.

Delete
    Deletes assignments.

Resource Synchronization page

This page lets you configure automatic configuration profile assignment to the new Intel AMT devices that request configuration from Intel SCS. You can also change the profile assignment for existing configured devices.

This page also lets you configure the schedule on which the configuration profilesare re-assigned, the Intel SCS and Notification Server resources are synchronized,and duplicates are removed.

See “Configuring the automatic Intel AMT configuration profile assignment”on page 64.

See “Synchronizing Intel SCS and Notification Server resources” on page 88.


Table 10-23 Options on the Resource Synchronization page

Override existing profile assignments
    Check to assign the profile that is defined on this page to the Intel AMT computers that already have a configuration profile assigned.

    Profiles are re-assigned the next time this policy runs.

    This option changes the profile assignment, but does not re-configure the Intel AMT device with the new configuration profile.

Re-configure Intel AMT computers if assignment changes
    Check to reconfigure the Intel AMT computers whose configuration profile assignment has changed.

    This option re-configures the Intel AMT device with the new configuration profile.

Add
    Click to add a profile assignment. You can create a different profile assignment for each domain.

    See “Creating Intel AMT configuration profiles” on page 62.

Use DNS IP resolution to find FQDN when assigning profiles
    Check if you want to assign an FQDN to an Intel AMT computer that does not have the Symantec Management Agent installed and whose FQDN is not known to Notification Server. The FQDN then comes from a reverse DNS lookup of the device's address, so the profile that the domain mapping selects is only as trustworthy as your PTR records.

Remove duplicate Intel AMT resources from Notification Server database
    Check to delete duplicate resources when synchronizing the Intel SCS and Notification Server resources.

Add schedule
    Add a schedule on which the policy runs.

Last synchronization statistics
    Shows the last run statistics: the number of Intel AMT devices with profiles assigned, Notification Server computer resources created, and duplicate Notification Server computer resources cleaned.

Assign profile dialog box

You can configure the Resource Synchronization policy to assign different profiles to computers from different domains. This dialog box lets you add a domain-to-profile mapping.

Table 10-24 Options in the Assign profile dialog box

Domain
    Type the domain for which you want to create the mapping.

    You can also type a domain suffix. In this case, the Resource Synchronization policy assigns the profile you specify here to the computers from subdomains. For example, if you type mydomain.com, the computers from subdomain.mydomain.com also get the profile you specify here.

AD OU
    If you enabled Active Directory integration, select the organizational unit where you want to register the AMT objects.

    See “Integrating Intel SCS with Active Directory” on page 55.

    Example: IntelAMT

Profile
    Select the configuration profile you want to assign automatically to all new Intel AMT devices from the domain you specified here.
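The following Python code is an added example, not code from the product, of the assignment logic that the Resource Synchronization page and the Assign profile dialog describe: the domain-suffix rule (mydomain.com also covers subdomain.mydomain.com), a more specific mapping winning over a shorter one, and what the Override existing profile assignments and Re-configure Intel AMT computers if assignment changes options do on a run of the policy. The Device class, the mapping list, and the report layout are assumptions made for the example; the page does not describe how the product stores these internally.

```python
"""Domain-to-profile resolution with the Override and Re-configure
semantics of the Resource Synchronization page.

Added example, not Intel SCS or Symantec code. Device, the mapping
list and the report dictionary are assumptions for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Device:
    uuid: str
    fqdn: str
    profile: Optional[str] = None    # None: no configuration profile assigned yet


def domain_matches(fqdn: str, domain: str) -> bool:
    """True when fqdn is in domain or in one of its subdomains.

    The comparison is made on DNS label boundaries, so 'mydomain.com'
    covers 'pc1.lab.mydomain.com' but not 'pc1.notmydomain.com'.
    A plain endswith() check would wrongly match the latter and hand a
    profile to a host from a domain you never mapped."""
    host = fqdn.strip().lower().rstrip(".")
    dom = domain.strip().lower().strip(".")
    return host == dom or host.endswith("." + dom)


def resolve_profile(fqdn: str, mappings: List[Tuple[str, str]]) -> Optional[str]:
    """Return the profile of the most specific (longest) matching domain,
    so a mapping for lab.mydomain.com wins over one for mydomain.com."""
    best: Optional[Tuple[str, str]] = None
    for domain, profile in mappings:
        if domain_matches(fqdn, domain) and (best is None or len(domain) > len(best[0])):
            best = (domain, profile)
    return best[1] if best else None


def synchronize(devices: List[Device], mappings: List[Tuple[str, str]],
                override_existing: bool = False,
                reconfigure_if_changed: bool = False) -> Dict[str, List[str]]:
    """One run of the policy. Mutates Device.profile and reports, per UUID,
    whether the device was newly assigned, left alone, queued for
    re-configuration, or matched no mapping."""
    report: Dict[str, List[str]] = {"assigned": [], "reconfigure": [], "kept": [], "unmatched": []}
    for dev in devices:
        wanted = resolve_profile(dev.fqdn, mappings)
        if wanted is None:
            report["unmatched"].append(dev.uuid)
            continue
        if dev.profile is not None and not override_existing:
            report["kept"].append(dev.uuid)        # Override not checked: existing assignment stays
            continue
        if wanted == dev.profile:
            report["kept"].append(dev.uuid)        # nothing changed, nothing to re-configure
            continue
        dev.profile = wanted
        report["assigned"].append(dev.uuid)
        if reconfigure_if_changed:
            report["reconfigure"].append(dev.uuid)  # the device gets the new profile applied
    return report


if __name__ == "__main__":
    # Constructed sample data for a dry run.
    mappings = [("mydomain.com", "Corp-TLS"), ("lab.mydomain.com", "Lab-NoTLS")]
    devices = [Device("u1", "pc1.mydomain.com"),
               Device("u2", "pc2.mydomain.com", "Old-Profile"),
               Device("u3", "pc3.notmydomain.com")]
    print(synchronize(devices, mappings))
    print(synchronize(devices, mappings, override_existing=True, reconfigure_if_changed=True))
```

Checking the unmatched list after each run is the useful habit here: a device that matches no domain mapping stays unconfigured, and a device that matches the wrong mapping (for example because of a lookalike domain name) is exactly the case the label-boundary check above is there to prevent.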

Get ASF/DASH Configuration Inventory task

This task lets you get the ASF or DASH settings (inventory) from client computers. The ASF/DASH inventory is collected and sent to Notification Server in the standard Notification Server Inventory format.

Note: The Out of Band Task Plug-in must be installed on the client computersbefore you run the task. The client computer must be turned on to run this task.The operating system must be running.

See “Preparing target computers for management” on page 49.

To get ASF or DASH inventory, run this task one time or on a schedule.

For information on running tasks, see the Symantec Management PlatformHelp.

Update ASF Configuration Settings task

This task lets you enable ASF and configure ASF settings remotely on client computers.

Note: The Out of Band Task Plug-in must be installed on the client computersbefore you run the task. The client computer must be turned on to run this task.The operating system must be running.

See “Preparing target computers for management” on page 49.

See “Configuring ASF/DASH computers for out-of-band management” on page 113.

Table 10-25 Options on the Update ASF Configuration Settings task page

Modify ASF general settings
    Check to modify the settings in this group when the task runs.

Enable ASF
    Check to enable ASF.

Management console IP address
    Type the IP of the management console.

    Example: Type the Notification Server computer’s IP.

SNMP community name
    Type the SNMP community name. This string acts as a password.

    Example: public

    The value public is the well-known default. Use a unique string in production: the community name travels in clear text and is the only check that ASF 1.0 style traffic gets.

Transmit system heartbeat messages
    Check to have the network adapter transmit periodic system heartbeat or entity presence messages to the management console. Heartbeats indicate that the managed client computer is still operating.

Modify security settings
    Check to modify the settings in this group when the task runs.

Generation key
Operator authentication key
Administrator authentication key
    The scope of these keys is a local policy issue that is determined by the equipment owner at the time of installation. These keys are either shared by multiple managed client computers and the management console, or pair-wise unique for each managed client computer and the management console.

Random number seed
    If you want to update the random number seed, type the new seed.

Modify Intel ASF adapter settings
    Check to modify the settings in this group when the task runs.

    The settings in this group are applied to the computers with Intel ASF only.

Modify timers settings
    Check to modify the settings in this group when the task runs.

Enable OS hang watchdog
    Check to watch for operating system hangs and type the watch interval in seconds. Default: 30 seconds.

Enable ping to management console
    If you want the network adapter to ping the management console, check this option and type the ping interval in seconds. If the ping fails, the agent goes into safe mode. Default: 30 seconds.

Modify spanning tree settings
    Check to modify the settings in this group when the task runs.

Ping destination on link reconnect
    Check this option if you want the network adapter to ping the management console after the link is temporarily lost and then restored. Type the interval in seconds and the count of pings. Default: 10 seconds, 3 times.

Delay sending Platform Event Traps on link reconnect
    Check this option if you want to delay sending events to the management console after the link is restored: for example, if the network traffic is high. Type the number of seconds to wait. Default: 10 seconds.

Modify remote control settings
    Check to modify the settings in this group when the task runs.

ASF Reset
    Check to enable a low latency reset of the system.

ASF Power down
    Check to enable unconditional power-down (occurs without any blocking from software or system).

ASF Power up
    Check to ensure that the sleeping system can be remotely turned on.

ASF Power cycle
    Check to enable a hard reset of the system. This reset is functionally equivalent to an unconditional power-down operation, followed by a power-up.

Modify Broadcom ASF adapter settings
    Check to modify the settings in this group when the task runs.

    The settings in this group are applied to the computers with Broadcom ASF only.

Wake on ARP or RMCP traffic
    Check to configure the network adapter to wake the computer upon receiving ARP or RMCP traffic while the computer is in low-powered mode.

Enable RMCP
    Check to enable the receipt and handling of Remote Management Control Protocol (RMCP) messages by the network adapter.

Allow RMCP ping only
    Check to disable all management functionality except for sending out a presence ping, which lets the management console discover the ASF capabilities of the client computers.

Modify events settings
    Check to modify the settings in this group when the task runs.

Enable platform event trap (PET) messages
    If you want the network adapter to transmit PET messages, check this option.

PET retransmission interval
    Specify the time interval (in seconds) between retransmissions of a PET message. Default: 20 seconds.

Modify system management bus settings
    Check to modify the settings in this group when the task runs.

Legacy poll interval
    Type the interval at which the network adapter monitors legacy SMBus devices, such as the chassis intrusion sensor. Default: 15 seconds.

Legacy poll delay
    Type the time delay before the first legacy SMBus device poll is made. Default: 15 seconds.

Modify security settings
    Check to modify the settings in this group when the task runs.

Security management (ASF 2.0)
    Check to enable a set of security extensions that provide authentication and integrity services for Remote Management Control Protocol (RMCP) messages.

Use ASF 1.0 compatibility
    Check to turn on ASF 1.0 backward compatibility support. ASF 1.0 RMCP messages carry no authentication, so leave this unchecked unless you still have ASF 1.0 consoles or clients that need it.

Session timeout
    In this box, specify the timeout for authentication during session setup. Default: 300 seconds.

Modify remote control settings
    Check to modify the settings in this group when the task runs.

    You can enable Operator rights, Administrator rights, or both.

ASF Reset
    Check to enable a low latency reset of the system.

ASF Power down
    Check to enable unconditional power-down (occurs without any blocking from software or system).

ASF Power up
    Check to ensure that the sleeping system can be remotely turned on.

ASF Power cycle
    Check to enable a hard reset of the system. This reset is functionally equivalent to an unconditional power-down operation, followed by a power-up.

Refresh inventory on settings change
    Check if you want the configuration inventory to be sent to Notification Server after this task runs on the client computer.

Update DASH Configuration Settings task

This task lets you enable DASH and configure DASH settings remotely on client computers.

Note: The Out of Band Task Plug-in must be installed on the client computersbefore you run the task. The client computer must be turned on to run this task.The operating system must be running.

See “Preparing target computers for management” on page 49.

See “Configuring ASF/DASH computers for out-of-band management” on page 113.

Table 10-26 Options on the Update DASH Configuration Settings task page

Enable DASH
    Check to enable DASH.

Modify Web Services-based settings
    Check to modify the settings in this group when the task runs.

HTTP Session Timeout
    Set the management session timeout value.

    Default: 30 seconds.

Enable HTTP GET (HTML User Interface)
    Check to allow HTTP GET requests.

Allow HTTP Digest Authentication only
    Check to allow connection using Digest authentication only. Keep this checked where you can: Basic authentication sends the password in a form that anyone on the network path can read.

Enable HTTP Support
    Check to allow DASH management through HTTP. Without TLS the management session itself can be read and altered on the network, so prefer HTTPS and enable plain HTTP only where a console cannot use TLS.

Enable HTTPS Support
    Check to allow DASH management through HTTPS.

Replace security key
    Check to replace the security key on the DASH device. Browse to the key in the expected format.

Replace certificate
    Check to replace the certificate on the DASH device. Browse to the certificate in the expected format.

Modify Administrator account password
    Check to modify the settings in this group when the task runs.

Password
    Type and confirm the new password for the Administrator account.

Refresh inventory on settings change
    Check if you want the configuration inventory to be sent to Notification Server after this task runs on the client computer.

OOB Site Service page

On this page, you can configure the OOB Site Service installation settings.

See “About OOB site servers” on page 120.

If you change any settings on this page, all existing OOB site servers are reinstalled using the new settings.

Table 10-27 Options on the OOB Site Service page

SQL settings
    Type the SQL server's host name and the database name with which you want Intel SCS to work.

    The default database name for the 7.x release of Out of Band Management Component is Symantec_CMDB_IntelAMT.

    If you upgraded from version 6.x of Out of Band Management Component and want to reuse the old database, type the name of the database you used in 6.x (IntelAMT).

    If the SQL server cannot be reached, make sure that you configured the firewall on the SQL server computer to allow incoming traffic.

    See “Configuring a firewall to allow Intel SCS and SQL server connections” on page 39.

SQL Access
    Click Use Windows authentication (default) for Intel SCS to connect to the SQL server using the Notification Server's application identity account.

    If you want to use SQL authentication, click Use SQL Server authentication and type the user ID and password.

Re-use database if exists
    Check if you want the Intel SCS installation to re-use the existing database with the Intel AMT data in it.

    By default, it is checked. Uncheck only if you want to clear the database on Intel SCS install.

    Warning: All OOB site servers in your environment use the same database. Clearing this check box when installing an OOB site server removes all data about Intel AMT computers in your environment.

Remove database on uninstall
    Check if you want the OOB site server uninstallation to remove the Intel SCS database.

    By default, it is unchecked. Check only if you want to uninstall the last OOB site server in your environment and you want to delete all Intel AMT configuration data.

    Warning: All OOB site servers in your environment use the same database. Removing the database when uninstalling leaves the other OOB site servers inoperable.

AD Integration
    Check if you want the OOB site server installation to verify that the site server candidate is part of the domain and can contact Active Directory.

Use TLS for secured communication
    Check if you want the OOB site server installation to verify that the certification authority is accessible and the site server can support TLS.

Mutual TLS authentication
    Check if you want the OOB site server installation to verify that the site server can support TLS mutual authentication.

802.1x connections
    Check if you want the OOB site server installation to verify that the site server can support 802.1x connections.

Server Specific Installation Settings
    Lets you configure the credentials to use when installing Intel SCS.

    By default, Notification Server application identity credentials are used to install Intel SCS. If you want, you can specify another credential.

    If Intel SCS is already installed on the computer that you want to configure, it is reinstalled with the new credentials.

Listen Port
    Each instance of Intel SCS listens for Hello messages from Intel AMT devices on a defined TCP port. Type the TCP port that you want Intel SCS to use.

    The default port is 9971.

    The settings under General Intel SCS Settings take effect at the time of the OOB site server installation. After you have installed an OOB site server, use the General page to configure the settings.

    See “General page” on page 146.

Active Directory integration
    Active Directory enables the use of Kerberos authentication, the Active Directory users list, and 802.1x profiles. Before you select AD integration, you must integrate Intel SCS with Active Directory.

    See “Integrating Intel SCS with Active Directory” on page 55.

Allow Remote Configuration
    Intel AMT releases 2.2, 2.6, 3.0, 4.0, and 5.0 support Remote Configuration. Check to enable Intel SCS to accept Remote Configuration requests from Intel AMT devices.

    See “Initializing Intel AMT computers using the Remote Configuration feature” on page 65.

Use one time password
    Check to require a one-time password (OTP) exchange between Intel SCS and the Intel AMT device that is requesting setup and configuration. This adds a check beyond the UUID carried in the Hello message, so that Intel SCS does not configure a device only because it presents a known UUID.

Require confirmation before Intel AMT configuration
    If you check this option, you must authorize setup and configuration through the Authorize systems operation on the Intel AMT Computers page.

    See “Intel AMT Computers page” on page 154.

First Common Name (CN) in certificate subject name
    Select an option that matches your root certification authority certificate’s CN field.

Log Level
    The system-wide actions log can be recorded at several levels. The more detail recorded, the more system resources and bandwidth must be allocated.

Certificate Enrollment task

This task lets you enroll the TLS Mutual Authentication certificates.

Browse to the certification authority that you are using and then browse to the template (AMTMutual) that you prepared for TLS Mutual Authentication. Run this task on the Notification Server computer and on the OOB site server computers.

See “About TLS” on page 95.

For more information on running tasks, see the Symantec Management Platform Help.

Firewall Configuration task

This task lets you configure the firewall on the OOB site server computer to allow incoming traffic to the Intel SCS or SQL Server port.

For more information on running tasks, see the Symantec Management Platform Help.

FQDN Synchronization task

If the FQDN of the Intel AMT computer has changed, Intel SCS loses contact with the Intel AMT device. The contact is lost because an outdated FQDN is stored in the Intel SCS database.

This task lets you synchronize the FQDN of Intel AMT devices between the Intel SCS database and the CMDB. The CMDB contains the up-to-date FQDN that the Symantec Management Agent reports.

For more information on running tasks, see the Symantec Management Platform Help.
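The following Python script is an added example and not Symantec code. It reads the kind of UUID-to-FQDN-and-profile export that the Intel AMT Computers page produces, compares it with the FQDNs that the CMDB holds, and lists the devices whose stored FQDN has gone stale, which is the condition the FQDN Synchronization task corrects. The CSV column layout (UUID, FQDN, Profile), the sample rows, and the CMDB lookup table are constructed for the example; adapt the parser to the columns of a real export before relying on it.

```python
"""Find stale FQDNs between an Intel SCS export and the CMDB.

Added example, not Symantec code. The CSV layout, the sample rows and
the CMDB table are assumptions constructed for the example.
"""
import csv
import io
import uuid as uuidlib
from typing import Dict, List, Tuple

# Constructed sample export; the real file's columns may differ.
SCS_EXPORT_CSV = """UUID,FQDN,Profile
4c4c4544-0031-3910-8052-b2c04f4a5a31,pc1.mydomain.com,Corp-TLS
4C4C4544-0044-5A10-8031-C3C04F4A5A32,pc2.mydomain.com,Corp-TLS
4c4c4544-0055-3010-8046-b4c04f4a5a33,pc3.mydomain.com,Lab-NoTLS
"""

# Constructed stand-in for what the Symantec Management Agent reported to the CMDB.
CMDB_FQDN_BY_UUID: Dict[str, str] = {
    "4c4c4544-0031-3910-8052-b2c04f4a5a31": "pc1.mydomain.com",
    "4c4c4544-0044-5a10-8031-c3c04f4a5a32": "pc2-eng.mydomain.com",
}


def canonical_uuid(value: str) -> str:
    """Validate and normalize a UUID string. Firmware and Windows tools
    differ in letter case; the comparison must not."""
    return str(uuidlib.UUID(value.strip()))


def normalize_fqdn(value: str) -> str:
    return (value or "").strip().lower().rstrip(".")


def parse_scs_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the export into {uuid: {"fqdn": ..., "profile": ...}}.
    Rejects malformed UUIDs, empty FQDNs and duplicate UUIDs rather than
    silently importing a mapping that would point Intel SCS at the wrong host."""
    rows: Dict[str, Dict[str, str]] = {}
    reader = csv.DictReader(io.StringIO(text))
    for line_no, row in enumerate(reader, start=2):   # line 1 is the header
        try:
            key = canonical_uuid(row["UUID"])
        except (ValueError, KeyError, AttributeError) as exc:
            raise ValueError(f"line {line_no}: bad UUID {row.get('UUID')!r}") from exc
        fqdn = normalize_fqdn(row.get("FQDN"))
        if not fqdn:
            raise ValueError(f"line {line_no}: missing FQDN for {key}")
        if key in rows:
            raise ValueError(f"line {line_no}: duplicate UUID {key}")
        rows[key] = {"fqdn": fqdn, "profile": (row.get("Profile") or "").strip()}
    return rows


def find_stale_fqdns(scs_rows: Dict[str, Dict[str, str]],
                     cmdb: Dict[str, str]) -> Tuple[List[Tuple[str, str, str]], List[str]]:
    """Return (changes, unknown). changes holds (uuid, stored_fqdn, cmdb_fqdn)
    for devices whose stored FQDN no longer matches; unknown lists UUIDs the
    CMDB does not know (no agent installed, or never synchronized)."""
    cmdb_norm = {canonical_uuid(k): normalize_fqdn(v) for k, v in cmdb.items()}
    changes: List[Tuple[str, str, str]] = []
    unknown: List[str] = []
    for key, row in sorted(scs_rows.items()):
        current = cmdb_norm.get(key)
        if current is None:
            unknown.append(key)
        elif current != row["fqdn"]:
            changes.append((key, row["fqdn"], current))
    return changes, unknown


def report() -> Tuple[List[Tuple[str, str, str]], List[str]]:
    return find_stale_fqdns(parse_scs_export(SCS_EXPORT_CSV), CMDB_FQDN_BY_UUID)


if __name__ == "__main__":
    changes, unknown = report()
    for key, old, new in changes:
        print(f"{key}: stored {old}, CMDB says {new}")
    for key in unknown:
        print(f"{key}: not in CMDB")
```

Run it against a fresh export before and after the task: the changes list should be empty afterwards, and anything still in the unknown list is a device the agent-based synchronization cannot fix.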

Install Intel Setup and Configuration Server task

This task is an internal task that is used by the OOB site server installation jobs. This task installs the Intel SCS software to the OOB site server computer.

You can also run this task manually: for example, if you want to re-run theinstallation that has failed.

For more information on running tasks, see the Symantec Management PlatformHelp.

Install OOB Site Service agent task

This task is an internal task that is used by the OOB site server installation jobs. This task installs the OOB site server agent to the OOB site server computer.

You can also run this task manually: for example, if you want to re-run theinstallation that has failed.

For more information on running tasks, see the Symantec Management PlatformHelp.

Install Out of Band Management Site Service Agent and Intel Setup and Configuration Server job

This job is an internal job that rolls out an OOB site server.

We recommend that you do not modify or run this job. To roll out the OOB siteserver, use the Site Server page in the Symantec Management Console.

See “Installing an OOB site server” on page 121.

Intel Setup and Configuration Server Upgrade job

This job is an internal job that upgrades an OOB site server.

We recommend that you do not modify or run this job. To upgrade OOB site servers,use the Site Server page in the Symantec Management Console.

See “Installing an OOB site server” on page 121.

Intel Setup and Configuration Server Upgrade Job: internal task

This task is an internal task that is used by the Intel Setup and ConfigurationServer Upgrade job.

We recommend that you do not modify or run this task.

OOB Site Server Inventory task

This task is an internal task that is used by the OOB site server installation job. This task checks the target computer for the OOB site server prerequisites.

See “Installing an OOB site server” on page 121.

You can also run this task manually. You can view the collected inventory in the target computer's Resource Manager, in the View > Inventory > Out of Band Management > OOB Site Server State data class.

Send Intel AMT Hello Message task

This task lets you resume sending setup and configuration requests from initialized Intel AMT devices. Intel AMT devices stop sending these requests if Intel SCS is not available for 6-24 hours.

This task works with all Intel AMT versions.

This task requires that a Windows operating system is running and the SymantecManagement Agent is installed on the target computer.

See “About resending Hello messages” on page 89.

Appendix A

Troubleshooting Out of Band Management Component

This appendix includes the following topics:

■ Viewing Intel SCS logs

■ About Intel SCS error messages

■ About Intel AMT setup and configuration issues

■ About Intel SCS console integration

■ About Intel AMT filters update

■ Troubleshooting OOB site server installation

Viewing Intel SCS logs

Out of Band Management Component installs Intel SCS. Intel SCS handles the interaction with Intel AMT devices and creates logs to record these interactions. The logs are located in the Intel SCS database (default: Symantec_CMDB_IntelAMT). If you have problems configuring, connecting to, managing, or otherwise interacting with the Intel AMT devices, you can check the logs through the Symantec Management Console.

If you want to view more detailed information in the logs, on the General page,change the log level.


To change the log level

1 In the Symantec Management Console, on the Settings menu, click All Settings.

2 In the left pane, click Remote Management > Out of Band Management >Configuration Service Settings > General.

3 Under Log Options, in the Log level drop-down list, click the log level thatyou want.

For example, click Detailed verbose to see the most detailed information inthe logs.


To view Intel SCS logs

1 In the Symantec Management Console, on the Settings menu, click All Settings.

2 In the left pane, click Remote Management > Out of Band Management >Logs.

3 View the logs.

The log choices are:

    These records provide general maintenance, success, and error messages that are related to the functions of Intel SCS. These logs show general configuration, communication, and Active Directory integration messages.

Action Status
    This log displays asynchronous actions, such as global operations or operations per Intel AMT device, that are entered into the queue. Their status in the queue is also displayed. The Name field shows the attempted action. The Status field shows success or failure or whether an action is queued, delayed, or in progress.

Application Log
    This log displays the internal actions that Out of Band Management Component performed: for example, the results of a resource synchronization.

Logs
    These records provide the information that is related to Notification Server interactions with Intel AMT. These show information and errors from the Intel SCS service (AMTConfig), including interaction with the Intel SCS database. These logs show the status on tasks such as RNG keys, configuration steps, Hello packet errors and messages, and service status.

Security Audit
    This log displays potential breaches in security, such as unauthorized attempts to log on and unauthorized attempts to perform the re-configuration function on all Intel AMT devices.

See “About Intel SCS error messages” on page 173.

About Intel SCS error messages

Intel SCS logs its status and error messages. Error messages let you troubleshoot setup and configuration issues.

You can view Intel SCS logs in the Symantec Management Console.

See “Viewing Intel SCS logs” on page 171.


Table A-1 Intel SCS error messages


Error 102 - Intel AMT device is already configured

Trying to configure an Intel AMT device that is not in an unconfigured state within the Intel SCS database.

For example, you configure Intel AMT, and then go to the MEBx and choose to un-provision (un-configure) the Intel AMT device. Intel AMT starts sending Hello messages, but the Intel SCS database shows that the Intel AMT device was already configured, so Intel SCS rejects the Hello request.

This error indicates that the Intel SCS database has the target system identified as configured. If the target system was manually unconfigured through the local MEBx, then manually delete the entry from the Intel SCS console.

See “Intel AMT Computers page” on page 154.

From a configuration security perspective, this error may also indicate an attempt to replay a setup and configuration sequence. Intel SCS rejects additional requests if the system is already listed as Configured.

Error 103 - Request is already in the queue

This error can be caused in the following situations:

■ Trying to delay a request that is already set to be delayed

■ Trying to push a request that is already in the queue

■ Trying to push a request to the poller that is already in the poller

This error is a status or an awareness indicator. Configuration and maintenance requests are queued within the Intel SCS database and processed by Intel SCS servers. In larger implementations, multiple Intel SCS servers can be configured to process requests within a single Intel SCS database queue. The queue includes immediate and delayed requests. Thus, if a request is already delayed, this error is generated. Similarly, if the request is being processed or handled by the poller, a competing request generates this message.


Error 137 - Another process currently working on AMT

This error is typical if an action is attempted on a device that is already undergoing a procedure (such as configuration). Typically, you can retry the action as soon as the previous request is completed.

For example, if a partial unconfiguration request has not completed and a reconfiguration request is sent, this generates the error. Reasons for the previously queued request not completing can include connectivity, difference of configuration state, and so forth. If the error is persistent for a target Intel AMT system and connectivity to the target system is available, try executing a management function if the system is in a configured state (for example, remote inventory, remote power on/off, etc.). If unsuccessful, the target system may be in an unsupported state. A manual process of partial unconfiguration may be required. You should also remove the assigned profile at the console.

Error 139 - Failed to update Kerberos Password with Kerberos Integration is disabled on server

Intel SCS has the ability to integrate with Microsoft Active Directory for Kerberos based authentication. Check to ensure that schema extensions have been applied and proper authentication to the Kerberos server (for example, Microsoft Active Directory) is in place.

See “Integrating Intel SCS with Active Directory” on page 55.

Error 407 - Batch exit code 0xfffff

The script that is used for extracting the UUID map information has failed to run properly.

This error is a -1 return value passed between a configuration script and the SCS instance. An incomplete configuration profile, missing configuration data, or other console configuration problems are likely causes of this error.


Error 602 - Exception in clock sync worker

Clock synchronization is important in Kerberos environments, because the authentication process has a timestamp dependency. This error is benign in non-Kerberos authentication environments. It refers to a SOAP call failure; further environment and infrastructure investigation may be needed for future environmental considerations.

Error 907 - Request execution failed

This error can occur in the following situations:

■ Invalid status of delayed table

■ Duplicate entry for the same request

■ Empty value for PID parameter

■ Invalid length PID parameter

■ Empty value for PPS parameter

■ Invalid length for PPS parameter

Error Configuring Intel AMT device: Error executing properties script, process exit code indicating a failure: WIN32 Error [-8]: "WIN32 Error [-8]:"Unknown"

For configuration to occur, the UUID and the FQDN of the target Intel AMT system are mapped together.

The configuration script may attempt to use WMI, reverse DNS, previously stored asset data or client agents to obtain this data.

This error occurs when the configuration script cannot obtain this data.

To resolve this issue, you can manually assign a configuration profile and type the FQDN of the Intel AMT device.

CS_RET_SQL_EXECUTION_FAILED

Cannot execute SQL code.

As a general rule, these errors resolve themselves. The major cause of many of these errors is slow progress while computers are in a configuration state. Check the Intel AMT Systems node in the Symantec Management Console for the status of AMT devices.


Cannot contact back AMT with IP:xxx.xxx.xxx.xxx Exception

The recorded IP address from the Hello packet sequence is not responding to requests. If the target system sends a new Hello packet with an updated IP address, Intel SCS updates the queue entry.

This error commonly occurs when the system has been connected, an IP address and DNS resolution have occurred, a Hello packet was sent, and then the system was disconnected from the network before the Intel SCS response. A common scenario is pre-staging (initializing) a system before sending it to the intended location.

Proper certificate that matches the pre loaded certificate was not found in the user certificate store. PKI configuration failed.

A Remote Configuration capable computer is requesting configuration, but the matching Remote Configuration certificate is not found.

The Certificates - Current User > Personal > Certificates store on the OOB site server computer (by default, the Notification Server computer) must contain the Remote Configuration certificate. The Thumbprint field of the certification authority certificate that issued this Remote Configuration certificate must match one of the hashes that are programmed into the Intel AMT device.

Configure Out of Band Management Component to use the Remote Configuration feature or use the manual initialization method.

See “Initializing Intel AMT computers using the Remote Configuration feature” on page 65.

See “Initializing Intel AMT computers manually” on page 76.

About Intel AMT setup and configuration issues

The process of Hello packets being sent and accepted and communications established between the configuration server and an Intel AMT device is known as pairing. If the pairing cannot be established, there are three different places to track whether a system has been fully configured (key pairs received and profile acquired).


■ On the Intel AMT Computers page. When there is no data in the list, this means the Hello packet did not reach Intel SCS.

■ In the Intel SCS logs. If Intel SCS sees the Hello packet, but cannot configure the device, the issues are logged here.

■ On the AMT device itself. There will be menu items that would not be there if the device considers itself configured. These would include ProvisionServer, PID-PPS, and Provision Model.

See “About Intel AMT setup and configuration” on page 59.

About Intel SCS console integration

The configuration pages (accessed through the left pane of the Symantec Management Console) of Out of Band Management Component are tied to the AMTSCS Web service. This Web service communicates directly with the Intel SCS database to gather the data that is required to populate the pages. If these configuration pages do not work or an error is returned when you attempt to access them, either the AMTSCS Web service or the Intel SCS database is inaccessible.

Possible reasons for Intel SCS pages not being displayed are as follows:

■ The OOB site server is not installed.

See “About OOB site servers” on page 120.

See “Troubleshooting OOB site server installation” on page 179.

■ The OOB site server is installed, but Out of Band Management Component is not configured to use the correct site server.

See “Configuring the default OOB site server location” on page 124.

The AMTSCS Web service is found in the IIS Manager on the computer where the OOB site server is installed, under the Default Web site.

About Intel AMT filters update

The time between the AMT device being seen by Intel SCS and its appearance in the Symantec Management Console integration is determined by the following two areas:

■ The first is filter updates. The Out of Band Discovery policy populates the database with computer data. This data appears in the filters when the standard Notification Server filter updates occur.

■ The second area is the Resource Synchronization policy that adds, updates, or removes AMT devices from filters. We recommend that you run this policy before you use a filter so that the membership is properly updated.


See “Synchronizing Intel SCS and Notification Server resources” on page 88.

Troubleshooting OOB site server installation

By assigning a computer as a new OOB site server, you roll out the OOB Site Service Agent to that computer. The OOB Site Service Agent checks whether all of the Intel SCS prerequisites are met and reports this information to Notification Server. OOB site server computers where Intel SCS is ready to be installed appear in the following filter: Intel SCS Capable.

If the computers that you expected do not appear in this filter, make sure that the computers have the required software installed.

See “Prerequisites for OOB site server installation” on page 120.

The OOB site server installation speed depends on the frequency of filter updates and the target computer's configuration update schedule. Configure the All Site Servers targeted Symantec Management Agent settings policy to speed up the process.

See “Configuring the Symantec Management Agent settings for evaluation use” on page 51.

You can also make target computers update their configuration immediately by using one of the following methods:

■ From the Symantec Management Console, run the Update Client Configuration task (Manage > Jobs and Tasks > Samples > Notification Server > Update Client Configuration).

■ Log on to the target computer and update the configuration manually from the Symantec Management Agent's GUI.

To view the list of computers capable of running Intel SCS

1 In the Symantec Management Console, on the Manage menu, click Filters.

2 In the left pane, click Software Filters > Out of Band Site Service Filters > Intel SCS Capable.


Appendix B

Reference topics

This appendix includes the following topics:

■ About passwords used with Intel AMT

■ About populating filters

■ How Resource Synchronization policy works

■ Remote Configuration certificate requirements

■ Remote Configuration certificate – differences between releases

About passwords used with Intel AMT

To reduce vulnerability of passwords to a dictionary attack, only strong passwords are accepted by Intel AMT devices.

The strong password must meet the following criteria:

■ Be at least eight characters long. Characters allowed are 7-bit ASCII characters in the values of 32-126 inclusive. The characters " ' , and : are not allowed.

■ Have at least one digit (Example: 0, 1, 2, ... 9).

■ Have at least one 7-bit ASCII non-alphanumeric character (Example: !, @, $).

■ Contain both upper and lower case Latin characters (Example: A, a, B, b).

Example: P@ssw0rd

Also, you are required to use strong passwords in the Symantec Management Console when you configure Out of Band Management Component.
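As an added example that is not part of the Symantec guide, the following Python function checks a candidate password against the Intel AMT rules listed above and reports every rule it breaks. It assumes that any allowed character that is neither a letter nor a digit (including the space, ASCII 32) satisfies the non-alphanumeric rule; the guide only gives !, @ and $ as examples.

```python
# Added example, not part of the Symantec guide: check a password against the
# Intel AMT strong-password rules (8+ characters, 7-bit ASCII 32-126, none of
# " ' , or :, at least one digit, one non-alphanumeric character, and both
# upper- and lower-case Latin letters).
import string

FORBIDDEN = set('"\',:')   # the four characters the guide excludes outright
MIN_LENGTH = 8
ALNUM = string.ascii_letters + string.digits


def _allowed(ch: str) -> bool:
    """True if ch is a 7-bit ASCII character in 32-126 that is not excluded."""
    return 32 <= ord(ch) <= 126 and ch not in FORBIDDEN


def check_amt_password(password: str) -> list:
    """Return the list of rule violations; an empty list means the password is strong."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)

    bad = sorted({ch for ch in password if not _allowed(ch)})
    if bad:
        problems.append("disallowed characters: " + " ".join(repr(ch) for ch in bad))

    if not any(ch in string.digits for ch in password):
        problems.append("no digit")
    # Assumption: any allowed character that is not a letter or digit counts as
    # the required non-alphanumeric character (this includes the space, ASCII 32).
    if not any(_allowed(ch) and ch not in ALNUM for ch in password):
        problems.append("no non-alphanumeric character")
    if not any(ch in string.ascii_uppercase for ch in password):
        problems.append("no upper-case Latin letter")
    if not any(ch in string.ascii_lowercase for ch in password):
        problems.append("no lower-case Latin letter")
    return problems


def is_strong_amt_password(password: str) -> bool:
    """Convenience wrapper: True only when no rule is violated."""
    return not check_amt_password(password)


if __name__ == "__main__":
    # Constructed sample candidates; the first one is the guide's own example.
    for candidate in ("P@ssw0rd", "Passw0rd", 'P@ss"w0rd', "p@ssw0rd", "Pässw0rd!", "Short1!"):
        print(repr(candidate), check_amt_password(candidate) or "OK")
```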


About populating filters

In the Symantec Management Console, you can find a few filters (previously known as collections) that display Intel AMT and ASF computers. However, each of these filters is populated in a different way.

Table B-1 Out of Band Management Component Intel AMT filters


Intel AMT Computers Capable of Remote Configuration

This filter is populated by the Out of Band Task Agent that is installed on the client computer. The agent detects Intel AMT Remote Configuration capabilities of the target computers even if Intel AMT is not configured or not enabled in BIOS. The agent sends this information to the Notification Server using the Symantec Management Agent's basic inventory interval.

See “Installing the Out of Band Task Plug-in” on page 53.

Intel AMT Computers in Delayed Configuration State

This filter contains unconfigured computers that entered the delayed configuration state.

This filter is populated by the Out of Band Task Agent that is installed on the client computer. The agent sends this information to the Notification Server using the Symantec Management Agent's basic inventory interval.

See “About resending Hello messages” on page 89.

See “Installing the Out of Band Task Plug-in” on page 53.

Intel AMT Configured Computers

This filter is populated when the following occurs:

■ The resource synchronization has occurred that synchronizes all Intel AMT computers known to Intel SCS and currently in the Configured state with the CMDB.

See “Synchronizing Intel SCS and Notification Server resources” on page 88.

■ You run the Get Out-of-Band Inventory task.

The task is a part of Real-Time Console Infrastructure and can be found at Manage > Jobs and Tasks > System Jobs and Tasks > Real-Time Console Infrastructure > Get Out-of-Band Inventory.

You can run out-of-band management tasks on the computers that are shown in this filter.


Intel AMT/Notification Server Duplicated Computers

This filter contains computers that have the same Fully Qualified Domain Name (FQDN) in both Inv_OOB_AMT_Device (which is populated when a system is Fully Configured and a synchronization has occurred) and Inv_AeX_AC_Location (populated by the Symantec Management Agent's basic inventory). Basic inventory is sent from computers that are running the Symantec Management Agent and are a managed resource in Notification Server.

To remove these duplicated resources, run the Resource Synchronization policy with the following option checked: Remove duplicate Intel AMT resources from Notification Server database.

See “Synchronizing Intel SCS and Notification Server resources” on page 88.

Intel AMT Non-configured Computers

This filter is populated when a resource synchronization has occurred.

See “Synchronizing Intel SCS and Notification Server resources” on page 88.

It contains systems that are known to Intel SCS but are not configured for any reason. For example, a setup and configuration profile has not been assigned or Out of Band Management Component cannot assign an FQDN to this Intel AMT device.

Computers with Intel AMT Enabled

This filter shows Intel AMT capable computers with Intel AMT functionality enabled in BIOS.

This filter is populated using the Out of Band Discovery Task through the Symantec Management Agent.

This task copies down an .exe that executes and checks the target computer for AMT functionality. This task detects Intel AMT capabilities of the target computers even if Intel AMT is not configured or not enabled in BIOS.

See “Discovering out-of-band capable computers” on page 52.


Intel AMT Capable Computers

This filter is populated using the Out of Band Discovery Task through the Symantec Management Agent. This task copies down an .exe that executes and checks the target computer for AMT functionality. This task detects Intel AMT capabilities of the target computers even if Intel AMT is not configured or not enabled in BIOS.

See “Discovering out-of-band capable computers” on page 52.

Table B-2 Out of Band Management Component ASF/DASH filters


ASF capable computers

This filter is populated using the Out of Band Discovery Task through the Symantec Management Agent. This task copies down an .exe that executes and checks the target computer for ASF functionality. This task detects ASF capabilities of the target computers even if ASF is not configured or not enabled in BIOS.

See “Discovering out-of-band capable computers” on page 52.

DASH capable computers

This filter is populated using the Out of Band Discovery Task through the Symantec Management Agent. This task copies down an .exe that executes and checks the target computer for DASH functionality. This task detects DASH capabilities of the target computers even if DASH is not configured or not enabled in BIOS.

See “Discovering out-of-band capable computers” on page 52.

Broadcom ASF capable computers

This filter is populated using the Out of Band Discovery Task through the Symantec Management Agent. This task copies down an .exe that executes and checks the target computer for ASF functionality. This task detects ASF capabilities of the target computers even if ASF is not configured or not enabled in BIOS.

See “Discovering out-of-band capable computers” on page 52.


Broadcom DASH capable computers

This filter is populated using the Out of Band Discovery Task through the Symantec Management Agent. This task copies down an .exe that executes and checks the target computer for DASH functionality. This task detects DASH capabilities of the target computers even if DASH is not configured or not enabled in BIOS.

See “Discovering out-of-band capable computers” on page 52.

Computers with ASF Enabled

This filter shows ASF capable computers with ASF functionality enabled in BIOS.

This filter is populated using the Out of Band Discovery Task through the Symantec Management Agent. This task copies down an .exe that executes and checks the target computer for ASF functionality. This task detects ASF capabilities of the target computers even if ASF is not configured or not enabled in BIOS.

See “Discovering out-of-band capable computers” on page 52.

Intel ASF capable computers

This filter is populated using the Out of Band Discovery Task through the Symantec Management Agent. This task copies down an .exe that executes and checks the target computer for ASF functionality. This task detects ASF capabilities of the target computers even if ASF is not configured or not enabled in BIOS.

See “Discovering out-of-band capable computers” on page 52.

Computers with enabled Broadcom Management Firmware

This filter shows DASH capable computers with DASH firmware enabled.

This filter is populated using the Out of Band Discovery Task through the Symantec Management Agent. This task copies down an .exe that executes and checks the target computer for DASH functionality. This task detects DASH capabilities of the target computers even if DASH is not configured.

See “Discovering out-of-band capable computers” on page 52.

How Resource Synchronization policy works

At a high level, the Resource Synchronization policy performs the following four actions:


■ Cleans up duplicate resources if the appropriate check box is checked on the Resource Synchronization page. When the Symantec Management Agent, installed on an Intel AMT enabled computer, sends basic inventory, Notification Server may create a new resource in addition to the existing resource representing the Intel AMT device attached to the same computer. When the Resource Synchronization policy runs, it removes duplicate Intel AMT device resources and associates the Intel AMT data with the appropriate computer resource.

■ Synchronizes resource data from the Intel SCS (contained in the database named Symantec_CMDB_IntelAMT) into the appropriate tables of the Notification Server database (Symantec_CMDB). Synchronizing is useful if you want to use Altiris solutions to manage Intel AMT computers that do not have the Symantec Management Agent installed. This policy creates a Notification Server resource for each Intel AMT device found in the Intel SCS database. Then, you can run out-of-band tasks on these resources.

■ Assigns the configuration profile that is specified on the Resource Configuration page to Intel AMT devices that have not had assignments (and are thus unconfigured).

■ Cleans up exported USB key files older than 7 days.

Remote Configuration certificate requirements

Using a Microsoft certification authority (which you must have installed to use the remote configuration feature) and the certificate, you configure Intel SCS so that it can establish a secure connection between Intel SCS and the Intel AMT device.

The following are the certificate requirements for remote configuration use:

■ The OID in the Extended Key Usage box must be a Server Authentication Certificate with an Intel setup extension: 1.3.6.1.5.5.7.3.1, 2.16.840.1.113741.1.2.3

or the OU value in the Subject box must be Intel(R) Client Setup Certificate

■ The Subject CN must be either the FQDN of the platform running the service (Example: provisionserver.west.yourenterprise.com), or the domain suffix of the platform: for example, *.west.yourenterprise.com or *.yourenterprise.com.

■ The keys should be exportable to support IT key backup policies.

■ The request type should be PKCS10.


See “Initializing Intel AMT computers using the Remote Configuration feature” on page 65.

Remote Configuration certificate – differences between releases

Intel AMT validates the SCS certificate by comparing a domain suffix or FQDN against the CN in the certificate. Different Intel AMT releases perform this comparison differently. This can have an impact on the certificate that an organization acquires. An Intel SCS installation that sets up platforms with a mix of Intel AMT releases needs to acquire a certificate that is appropriate for all the versions that will be configured.

See “Intel AMT Release 2.2” on page 187.

See “Intel AMT Release 3.0” on page 187.

See “Intel AMT Release 2.6” on page 188.

Intel AMT Release 2.2

Intel AMT retrieves its domain suffix using DHCP Option 15. The CN in the SCS certificate must match the full domain suffix. The result is that a separate certificate is required for each domain. For example, the CN in the certificate is corp.east.yourenterprise.com and DHCP returns a domain suffix of east.yourenterprise.com. The CN contains the full suffix so there is a match. A CN of yourenterprise.com would not match east.yourenterprise.com. Because an Intel SCS installation can only work with one Remote Configuration certificate at a time, a separate certificate and Intel SCS instance is required for each domain where Intel AMT-based platforms are located.

Intel AMT Release 3.0

If an Intel AMT 3.0 platform depends exclusively on the domain suffix returned by DHCP, it behaves the same as Release 2.2.

The Intel AMT 3.0 FQDN option and domain extension option add the followingrequirements:

■ If IT enters the FQDN of the SCS through the MEBx menu or with a formatted USB key, or the manufacturer enters the value before delivery, the CN in the certificate must either exactly match all fields of the FQDN or it must be a wildcard entry with a match in all but the first field of the FQDN. For example, if the FQDN is east.corp.yourenterprise.com, the CN in the certificate must also be east.corp.yourenterprise.com or *.corp.yourenterprise.com.

■ If a DNS suffix is entered, then all fields in the suffix must be included in the CN. For example, if the entered suffix is corp.yourenterprise.com, then the CN could be corp.yourenterprise.com or east.corp.yourenterprise.com or main.east.corp.yourenterprise.com (but not east.yourenterprise.com).

Using one of the above options requires a “single touch,” which should be balancedagainst the need for an SCS installation and unique certificate for each domain.

Intel AMT Release 2.6

Release 2.6 supports the 2.2 functionality, with the following additions:

■ Wildcard CN: If the CN in the certificate is preceded by “*.”, then the domain suffix received from DHCP need only match the CN where they have overlapping fields. For example, if the CN is *.a.b.org, then yyy.a.b.org, a.b.org, and b.org would all match (but c.b.org would not).

■ If the CN ends with “.com” or “.net”, then the domain suffix received from DHCP needs to match only the last two fields in the CN. For example, if the CN is east.corp.yourenterprise.com, then west.mkting.yourenterprise.com would match.

■ Release 2.6 supports certificates that use the SubjectAltName (SAN) “DNS Name” extension. The certificates have multiple DNS names, and each one is compared consecutively with the domain suffix that is received from DHCP. When one of the names matches, Intel AMT accepts the certificate. A certificate with multiple DNS names would be useful when the root domain is not .com or .net.

When one of these methods is used, a single Intel SCS can support Intel AMT devices with Release 2.6 in multiple domains with a single remote configuration certificate.
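The following added Python example (not from the Symantec guide) implements the Release 2.2, 3.0 and 2.6 CN matching rules described above as separate functions, together with the Extended Key Usage / OU check from the certificate requirements section, so that a planned certificate can be tested against the suffixes and FQDNs of a mixed fleet before it is requested. It goes beyond the guide in one assumption: each SubjectAltName DNS name is tested with the same Release 2.6 rules as the CN; the function names are my own.

```python
# Added example, not part of the Symantec guide: apply the per-release CN
# matching rules to decide whether an Intel AMT platform would accept a
# Remote Configuration certificate. Names are compared as DNS labels,
# case-insensitively and from the right.

SERVER_AUTH_OID = "1.3.6.1.5.5.7.3.1"          # Server Authentication EKU
INTEL_SETUP_OID = "2.16.840.1.113741.1.2.3"    # Intel setup extension EKU
INTEL_SETUP_OU = "Intel(R) Client Setup Certificate"


def is_remote_config_cert(eku_oids, subject_ou=None):
    """Certificate requirement: both EKU OIDs present, or the Intel OU in the Subject."""
    return {SERVER_AUTH_OID, INTEL_SETUP_OID} <= set(eku_oids) or subject_ou == INTEL_SETUP_OU


def _labels(name):
    """Split a DNS name into lower-case labels, ignoring a trailing dot."""
    return name.lower().strip(".").split(".")


def matches_release_2_2(cn, dhcp_suffix):
    """Release 2.2: the CN must contain the full domain suffix from DHCP Option 15."""
    c, s = _labels(cn), _labels(dhcp_suffix)
    return len(c) >= len(s) and c[-len(s):] == s


def matches_release_3_0_fqdn(cn, entered_fqdn):
    """Release 3.0 with an FQDN entered via MEBx, USB key or the manufacturer:
    exact match, or a wildcard CN matching every field but the first."""
    f = _labels(entered_fqdn)
    if cn.startswith("*."):
        return _labels(cn[2:]) == f[1:]
    return _labels(cn) == f


def matches_release_3_0_suffix(cn, entered_suffix):
    """Release 3.0 with a DNS suffix entered: every field of the suffix must be in the CN."""
    return matches_release_2_2(cn, entered_suffix)


def matches_release_2_6(name, dhcp_suffix):
    """Release 2.6 rules for one certificate name (the CN or one SAN DNS name)."""
    n, s = _labels(name), _labels(dhcp_suffix)
    if name.startswith("*."):
        # Wildcard CN: only the overlapping (rightmost) fields have to agree.
        n = n[1:]
        k = min(len(n), len(s))
        return n[-k:] == s[-k:]
    if n[-1] in ("com", "net"):
        # .com/.net CN: only the last two fields have to match.
        return s[-2:] == n[-2:]
    return matches_release_2_2(name, dhcp_suffix)


def certificate_accepted(release, cn, dhcp_suffix, san_dns_names=(),
                         entered_fqdn=None, entered_suffix=None):
    """Dispatch to the rule set of the given Intel AMT release."""
    if release == "2.2":
        return matches_release_2_2(cn, dhcp_suffix)
    if release == "3.0":
        if entered_fqdn:
            return matches_release_3_0_fqdn(cn, entered_fqdn)
        if entered_suffix:
            return matches_release_3_0_suffix(cn, entered_suffix)
        return matches_release_2_2(cn, dhcp_suffix)   # DHCP only: same as 2.2
    if release == "2.6":
        # Assumption: SAN DNS names are each tested with the same 2.6 rules as the CN.
        return any(matches_release_2_6(n, dhcp_suffix) for n in (cn, *san_dns_names))
    raise ValueError("unknown Intel AMT release: %r" % release)


if __name__ == "__main__":
    # Constructed fleet: (release, DHCP suffix) pairs checked against one candidate CN.
    fleet = [("2.2", "east.yourenterprise.com"), ("2.6", "west.mkting.yourenterprise.com")]
    for release, suffix in fleet:
        print(release, suffix, certificate_accepted(release, "corp.east.yourenterprise.com", suffix))
```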


Glossary

ACL (Access Control List): A list of permissions that is attached to an object. The list specifies who or what is allowed to access the object and what operations are allowed to be performed on the object. In a typical ACL, each entry in the list specifies a subject and an operation. In Intel AMT, ACL is a list of users and their access privileges.

AD (Active Directory): An advanced, hierarchical directory service from Microsoft. It is a centralized and standardized system that automates network management of user data, security, and distributed resources, and enables interoperation with other directories. Active Directory is designed especially for distributed networking environments.

agent presence: A security toolset that is built into Intel AMT. This toolset enables management applications to configure Intel AMT devices to monitor for the presence of software agents, such as antivirus and firewall applications that run on the Intel AMT system platform. The management application configures the Intel AMT device with timers set to detect when the software agent initializes and periodically transmits presence signals. Using this toolset, IT technicians can identify computers with disabled or uninstalled software agents and take appropriate actions.

ASF (Alert Standard Format): An industry standard-based technology that lets IT administrators manage computers regardless of the operating system state. ASF provides alerts and power management functionality as long as the computer is plugged in with an Ethernet connection. ASF functions through hardware on the network card or system board, a software agent on the client computer, and management software on the server.

Circuit Breaker: A security toolset of Intel AMT. This toolset represents a set of hardware-based network packet filters. IT technicians can apply these filters to computers that send suspicious network packets to seal infected computers from the rest of the network.

CMDB (Configuration Management Database): The central database that stores all information about the Symantec Management Platform and its managed computers.

DASH (Desktop and Mobile Architecture for System Hardware): A Web services-based management technology that lets IT professionals remotely manage desktop and mobile computers. Administrators can securely turn on or off the power, query system inventory, and push firmware updates regardless of the state of the remote computer.

discovery: The process of searching for computers or other resources on your network that meet specific requirements.


DNS (Domain Name System): A system that converts host names and domain names into IP addresses on the Internet or on the local networks that use the TCP/IP protocol. For example, when a Web site address is given to DNS, DNS servers return the IP address of the server that is associated with that name.

event: Any action that Notification Server can monitor.

filter: A query that identifies a dynamic group of resources that share common criteria.

FQDN (fully qualified domain name): The complete domain name for a specific computer, or host, on the Internet. The FQDN consists of two parts: the host name and the domain name. An example is mycomputer.mydomain.com.

IDE-R (IDE-Redirection): An Intel AMT built-in hardware capability. It lets IT administrators start a computer from an image that is stored on the network or on a remotely mounted CD-ROM or hard drive.

in-band management: A type of remote computer management. It requires the target computer's operating system to be initialized and to function properly.

Intel AMT (Intel Active Management Technology): A solution that is based in hardware and firmware and is connected to the system's auxiliary power plane. Regardless of the power state or the operating system state of the client computer, Intel AMT provides IT administrators with access to alerts, hardware inventory, power management, circuit breaker, and agent presence functionality. Intel AMT functionality requires the computer to be plugged into the power source and connected to the network. Intel AMT functionality does not require a software agent to be installed on the client computer.

Intel SCS (Intel Setup and Configuration Service): Software that provides the tools to set up and configure Intel AMT-capable computers for out-of-band management. Out of Band Management Component integrates Intel SCS into the Notification Server infrastructure and provides the interface for Intel SCS in the Symantec Management Console.

Kerberos A system that provides authenticated access for users and services on a network.

key A piece of information that controls the operation of a cryptography algorithm. In encryption, a key specifies the particular transformation of plain text into ciphertext or vice versa during decryption. Keys are also used in other cryptographic algorithms, such as digital signature schemes and keyed-hash functions (also known as MACs), often used for authentication.

MEBx (Intel Management Engine BIOS extension) A BIOS extension that is used to manually configure the Intel AMT device that is installed on a computer.

mutual authentication A process where two parties, typically a client and a server, authenticate each other. This authentication lets both parties know of each other's identity. In mutual authentication, the server also requests a certificate from the client. Also called two-way authentication.


Notification Server The Symantec Management Platform service that communicates with the Altiris Agent and the CMDB to provide management, security, and administrative functionality. It processes events, facilitates communications with managed computers, and coordinates the work of the other Symantec Management Platform services.

out-of-band management A type of remote computer management. It lets IT administrators connect to a computer's management controller when the computer is turned off, in sleep or hibernate modes, or otherwise unresponsive through the operating system. Out-of-band management can be performed on the computers that have Intel AMT, DASH, or ASF-capable network adapters.

permissions The rights that a user or group has to access different items within the Symantec Management Console. Permissions are granted to users through their security role.

PET (Platform Event Trap) An event that is originated directly from platform firmware (BIOS) or platform hardware (ASIC, chipset, or microcontroller) independently of the state of the operating system or system management hardware. PET events provide advance warning of possible system failures.

policy A set of rules that control the execution of automated actions. Policies can be scheduled or based on incoming data that triggers an immediate action. Policies determine when an action should start and who or what should be notified of the results.

power state The overall power consumption of the system. Six power states exist that range from S0 (the system is powered on and fully operational) to S5 (the system is powered off). States S1, S2, S3, and S4 are referred to as sleeping states.

PSK (Pre-Shared Key) A secret that the two parties exchanged over some secure channel in advance, before it is needed for authentication.

PXE Boot (Pre-Boot Execution Environment) An environment to start computers using a network interface independently of available data storage devices (like hard disks) or installed operating systems. An administrator can load operating systems and other software onto the device from a server over the network.

resource Any item that Notification Server can track or manage, such as a user, site, installed application, computer, switch, router, or handheld device.

Resource Manager A feature that displays information about a resource, such as its properties and current state. It also lets you troubleshoot and perform actions on managed resources.

site server A managed computer on which a service plug-in is installed. Notification Server can reduce its workload and minimize network traffic by distributing specific processes to site servers.


SOL (Serial-over-LAN) A feature of Intel AMT that redirects console output to a remote terminal. It lets IT administrators remotely change BIOS settings, repair a computer that cannot start, and so on.

SOL/IDE-R (Serial-over-LAN/IDE-Redirection) The proprietary protocols that are defined for Intel AMT that redirect keyboard, text, floppy disk, and CD transfers from a local host to a remote workstation.

Symantec Management Agent The software that is installed on the computers that you want to manage. It facilitates interactions between Notification Server and a managed computer. The agent receives requests for information from Notification Server, sends data to Notification Server, and downloads files. The agent also lets you install and manage solution plug-ins that add functionality to the agent.

Symantec Management Console The Web-based user interface for managing the Symantec Management Platform and any other installed solutions.

Symantec Management Platform The platform that provides a set of services for IT-related solutions. These services include security, scheduling, client communications and management, task execution, file deployment, reporting, centralized management, and CMDB services.

task An action that is performed on a computer. Server tasks are run on Notification Server. Client tasks are run on managed computers.

TLS (Transport Layer Security) A protocol that is intended to secure and authenticate communications across a public network through data encryption.


A
About
  installing Microsoft IIS 35
About configuring
  DNS 33
Active Directory
  about 55
  integrating Intel SCS with 35, 55
Altiris Agent
  configuration request interval 51
  configuring 51
AMT. See Intel AMT
ASF
  about 24
  configuring computers 113
  tasks 27
ASF/DASH computers for out-of-band management
  Configuring 117
ASF/DASH configuration and hardware inventory
  Collecting 115

C
.cer file 74
certificate
  for TLS 97
  for TLS mutual authentication 100
  issuing automatically 38
certification authority
  issue certificates automatically 38
Collecting
  ASF/DASH configuration and hardware inventory 115
computer
  client hardware prerequisites 44
  client software prerequisites 44
  configuring for out-of-band management 61
  discovering out-of-band capable 52
  in-band management 14
  out-of-band management 14
  populating with PID-PPS pairs 58
  server prerequisites 43
  viewing out-of-band capable 53
computers
  preparing for management 49
configuration mode
  Intel AMT enterprise mode 19
  Intel AMT small business mode 19
configuration profile
  assigning 85
  creating 62
  mapping to Intel AMT computers 64
Configuring
  ASF/DASH computers for out-of-band management 117
configuring
  Altiris Agent 51
  computers for out-of-band management 61
  Intel AMT enterprise mode 57
  Intel AMT small business mode 91
  wireless capabilities of Intel AMT 64
Configuring CA
  installing 36
connection profile
  configuring for TLS 97
  configuring for TLS with mutual authentication 107
context-sensitive help 28
copying certificate
  TLS with mutual authentication 106
Creating
  a new template for mutual authentication 101
credentials
  Intel AMT 22

D
DASH
  about 25
  configuring computers 113
  tasks 27
Delayed Configuration 89

Index

DHCP
  about configuring 34
DNS
  About configuring 33
documentation 28
Dynamic Host Configuration Protocol. See DHCP

E
enterprise mode
  about 19
  configuring 57
evaluation
  installing product in a lab 40

F
firewall
  configuring 39

H
Hello message
  resending 89
help
  context-sensitive 28

I
in-band management 14
initializing
  about 58
  Intel AMT computers 65
  manually 76
    by OEM 77
    through MEBx 80
    with USB key 77
  remotely 65
  resending Hello messages 89
Installing
  and configuring CA 36
installing
  in a lab environment 40
  OOB site server 45
  Out of Band Management Component 45
  Out of Band Task Plug-in 53
  symantec management agent 51
installing Microsoft IIS
  About 35
integrating
  Intel SCS with Active Directory 55
Intel AMT
  about 17
  about initialization 58
  about setup and configuration 59
  configuration modes 19
  configuration prerequisites 61
  credentials 22
  enterprise mode 19
  how configuration works 57
  ports used by 40
  security 21
  small business mode 19
  tasks 26
  version features 18
Intel AMT computer
  initializing
    manually 76
    remotely 65
  managing without Symantec Management Agent 41
  populating with PID-PPS pairs 58
  setting up and configuring 82
Intel SCS
  about 18
  viewing logs 171
Intel SCS and Notification Server resource 88

L
lab environment
  installing in 40
logs 171

M
Management Presence Servers 63
MEBx
  accessing 82, 92
MEBx initialization 80
Microsoft Active Directory. See Active Directory

N
.NET Framework
  about installing 38
new certificate for mutual authentication
  Requesting and installing 104
new template for mutual authentication
  Creating 101
Notification Server
  site. See services


  site services 119

O
OEM initialization 77
OOB service
  about 120
OOB Site Server
  upgrading 123
OOB site server
  about 120
  about planning hierarchy 38
  installing 45, 121
  reducing workload with 38
  requirements 120
  setting as active 124
  uninstalling 124
OpenSSL utility 108
Out of Band Management Component
  about 13
  ASF tasks 27
  client hardware prerequisites 44
  client software prerequisites 44
  DASH tasks 27
  evaluating 40
  how it works 16
  installing 45
  Intel AMT tasks 26
  server prerequisites 43
  uninstalling 46
  upgrading 46
  what you can do with 26
Out of Band Potential Site Servers
  Viewing 122
Out of Band Task Plug-in
  installing 53
  uninstalling 47
out-of-band computers
  discovering capable 52
  viewing list of 53
out-of-band management 14
  configuring computers for 61
  product comparison 25
  products that support 15
  tasks 15

P
password criteria 181
passwords. See credentials
.pem file 109
.pfx file 108
ports
  used by Intel AMT 40
pre-provisioning. See initializing
prerequisites
  client computer 44
  client computer hardware 44
  environment 32
  Intel AMT configuration 61
  minimum 43
  server computer 43
product comparison 25
provision profile. See configuration profile
provisioning. See setup and configuration

R
Release Notes 28
Remote Configuration 65
  certificate
    providers 67
    purchasing 74
    requirements 186
  certificate request
    preparing 72
  certificate template
    issuing 72
    preparing 70
  enabling support 75
  requirements 69
  starting 75
  version differences 187
Requesting and installing
  a new certificate for mutual authentication 104
Resending Hello messages
  with the Delayed Configuration policy 89

S
SCS. See Intel SCS
security
  Intel AMT 21
Send Intel AMT Hello Message task 90
service
  out of band 120
setup and configuration
  about 59
  performing 82


  troubleshooting 173
SIM 45–46
  uninstalling with 47
site
  site services 119
site server
  about planning hierarchy 38
  out of band 120
  reducing workload 38
small business mode
  about 19
  configuring 91
SQL server
  about configuring 34
  installation guidelines 34
Symantec Installation Manager. See SIM
Symantec Management Agent
  managing Intel AMT computers without 41
symantec management agent
  installing 51
Symantec Management Console
  about 16
  opening 16
Synchronizing
  Intel SCS and Notification Server resource 88

T
tasks
  ASF 27
  DASH 27
  Intel AMT 26
TLS
  about 95
  configuring 96
  configuring connection profile 97
  configuring Intel AMT computers 98
  exporting certificate 97
TLS with mutual authentication
  about 95
  configuring 100
  configuring connection profile 107
  configuring Intel AMT computers 110
  copying certificate 106
  exporting certificate 108
  installing certificate 104
troubleshooting 171

U
uninstalling
  Out of Band Management Component 46
  Out of Band Task Plug-in 47
  with Symantec Installation Manager 47
upgrading
  OOB Site Server 123
  Out of Band Management Component 46
USB-key initialization 77

V
Viewing
  Out of Band Potential Site Servers 122

W
wireless profile
  about 24
  configuring Intel AMT settings 64
  creating 64

Z
Zero-Touch Configuration. See Remote Configuration
