
Upload: patricia-hines

Post on 17-Dec-2015


Managing Computers With Intel AMT

Greg Rusu +41 41 748 22 13 [email protected]


(c) 2008 Brainware Solutions AG

Agenda

• Overview
• Network Requirements
• Certificates
• Intel SCS Server
• Columbus 6.10 Configuration
• Usage samples
• Columbus AMT License Key Requirements


Overview

• AMT = “Active Management Technology”
  - Mechanism for securely managing PCs
  - Intel-proprietary, labeled as “vPro”
  - Two flavors: Enterprise & Small Business

• Evolving technology
  - 4 versions of vPro firmware released in 2007
    - 2 versions on Desktops, 2 on Notebooks
  - 3 versions of back-end server released in 2007

• Requires sophisticated environment
  - DHCP required and DNS must allow dynamic updates
  - IIS, ASP.Net 2.0, and MS SQL Server run the back-end
  - Certificate Authority required for secure net traffic
  - Firewalls/routers must allow specific ports

• Competing technologies on the horizon
  - DASH is emerging as industry standard
  - Similar in approach to AMT
  - Intel AMT will evolve to support


Overview – “vPro” Systems

• The Intel AMT device functions only when “Provisioned”

• Provisioning is the authentication and authorization process by which the AMT client and SCS server are bound together

• The UUID and a Private Key shared by the AMT client and the SCS server are confirmed during the “provisioning” process


Overview – Enterprise & SMB

Functionality / Enterprise / Small Business (SMB)

• Encrypted traffic with AMT client
• Frequent user or PC changes
• Static IP or Windows Workgroups (i.e. NetBIOS)
• Active Directory


Overview – Enterprise & SMB (cont.)

Typical Enterprise Server
• Multi-core Xeon, 4GB RAM,
• Windows 2003 Server SP2
• .Net 2.0 SP1
• IIS
• DHCP
• DNS
• AD
• SQL Server 2005 or Express
• Certificate Authority
• Intel SCS
• Columbus 6.10

Typical Small Business Server
• Dual-Core, 2GB RAM,
• Windows 2003 Server SP2
• DHCP
• DNS
• Columbus 6.10


Network Requirements – Minimum

• Option 81 (Dynamic update of DNS name and PTR records)
• “provisionserver” added to Forward and Reverse zones
• Schema is extended for Intel AMT objects
• Must see DNS. Ports 9971, 16992-16994.
• Must see DNS. Port 443, 9971, 16992-16994.


Certificates

Required

• TLS PSK
  - Preshared key used for the AMT Client to communicate with the SCS during setup.
  - Source: Intel SCS creates this.
• Server Certificate
  - Certificate used to allow HTTPS communication with the Intel SCS.
  - Source: Microsoft Certificate Authority (CA).

Optional

• TLS Certificate
  - Allows secure communication between the AMT client and the SCS.
  - Source: Microsoft CA, Verisign, etc.
• 802.1x Certificate
  - Allows the AMT client to connect to an 802.1x secured network.
  - Source: Microsoft CA, Verisign, etc.
• Mutual Authentication Root Certificate
  - Allows the AMT client to authenticate the SCS.
  - Source: Microsoft CA, Verisign, etc.


Intel SCS Server

Optional component

Certificate needed for this HTTPS communication

MS SQL Server 2005 or Express


Columbus 6.10 Configuration

• Columbus AMT License key
  - Intel AMT requires advanced environment and specialized training
  - Special terms apply for obtaining a Columbus AMT License key

• Installation
  - Select Intel vPro Support under Infrastructure Server and Management Console

• Configuration
  - Infrastructure > Index Agent > AMT
  - Configure AMT
  - Configure SCS server

• Management
  - “AMT Management” of selected clients


Usage Examples

• System Discovery: Discover systems even if powered off

• BIOS/Firmware Update: Reflash BIOS and set firmware remotely

• Diagnostics: Run remote diagnostics against defective systems

• Quarantine: Isolate suspect systems from the network


Pitfalls

• FQDN Mismatch
  - SCS and AMT clients find one another through DNS
  - Multi-homed clients may not register the same FQDN
  - SCS cannot find the AMT client
  - Workaround – well-planned and controlled hostname assignments

• SCS server capacity
  - SCS is improving but not fully matured
  - 1800 AMT clients will peg a quad-core 3GHz server for over two hours during setup
  - Encrypted communications, SOAP and database transactions are not optimized
  - Workaround – host SCS on multiple front-end servers with strong back-end database server (“Strong” = 4GB RAM, 3 GHz multi-core CPUs)

• One Database
  - SCS uses one single MS SQL Server to store all AMT client information
  - Provisioned AMT clients will not “talk” to another SCS server that is not pulling from the same MS SQL Server and has the same certificates.
  - Workaround – cluster front-end SCS servers and replicate your one SQL Server instance across multiple physical servers
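
The FQDN mismatch pitfall can be checked before provisioning by comparing the forward and reverse zones against a client inventory. The following is an added example, not part of the original slides or of Intel SCS or Columbus; the zone contents, the inventory layout and the function names are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data (not from the slides): zone contents as they might
# look after DHCP Option 81 dynamic updates, plus a hypothetical inventory.
A_RECORDS = {                      # forward zone: FQDN -> set of IPs
    "pc-001.corp.example": {"10.0.1.21"},
    "pc-002.corp.example": {"10.0.1.22"},
    "pc-002.wlan.example": {"10.0.9.22"},
    "pc-003.corp.example": {"10.0.1.99"},    # stale A record
}
PTR_RECORDS = {                    # reverse zone: IP -> FQDN
    "10.0.1.21": "pc-001.corp.example",
    "10.0.1.22": "pc-002.corp.example",
    "10.0.9.22": "PC-002.wlan.example.",     # case and trailing dot vary
    "10.0.1.23": "pc-003.corp.example",
}
CLIENT_IPS = {                     # inventory: client -> interface IPs
    "pc-001": ["10.0.1.21"],
    "pc-002": ["10.0.1.22", "10.0.9.22"],    # multi-homed
    "pc-003": ["10.0.1.23"],
    "pc-004": ["10.0.1.24"],                 # never registered
}

def normalize(fqdn):
    # DNS names are case-insensitive and may carry a trailing dot.
    return fqdn.rstrip(".").lower()

def find_fqdn_mismatches(a_records, ptr_records, client_ips):
    """Return {client: [finding, ...]} for inconsistent DNS registrations."""
    forward = defaultdict(set)
    for name, ips in a_records.items():
        forward[normalize(name)] |= set(ips)
    findings = defaultdict(list)
    for client, ips in client_ips.items():
        names = set()
        for ip in ips:
            ptr = ptr_records.get(ip)
            if ptr is None:
                findings[client].append(f"{ip}: no PTR record")
                continue
            name = normalize(ptr)
            names.add(name)
            if ip not in forward.get(name, set()):
                findings[client].append(f"{ip}: PTR {name} has no matching A record")
        if len(names) > 1:   # the multi-homed case named on the slide
            findings[client].append("multiple FQDNs: " + ", ".join(sorted(names)))
    return dict(findings)
```

Clients that appear in the result are the ones whose hostname assignment needs correcting before the SCS tries to reach them by name.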


Columbus AMT License Key Requirements

Columbus Intel AMT vPro functionality is licensed under the following terms:

1. Columbus Enterprise or Complete licensing

2. License keys can only be issued to companies along with a booking of two days paid consulting services

3. Helpdesk does not service Intel AMT questions, and all related questions are subject to paid consulting hours


Questions & Discussion