Managing Computers With Intel AMT
Greg Rusu
+41 41 748 22 13
rug@brainware.ch
Agenda
• Overview
• Network Requirements
• Certificates
• Intel SCS Server
• Columbus 6.10 Configuration
• Usage samples
• Columbus AMT License Key Requirements
(c) 2008 Brainware Solutions AG
Overview
• AMT = “Active Management Technology”
  • Mechanism for securely managing PCs
  • Intel-proprietary, labeled as “vPro”
  • Two flavors: Enterprise & Small Business
• Evolving technology
  • 4 versions of vPro firmware released in 2007
  • 2 versions on Desktops, 2 on Notebooks
  • 3 versions of back-end server released in 2007
• Requires sophisticated environment
  • DHCP required and DNS must allow dynamic updates
  • IIS, ASP.Net 2.0, and MS SQL Server run the back-end
  • Certificate Authority required for secure net traffic
  • Firewalls/routers must allow specific ports
• Competing technologies on the horizon
  • DASH is emerging as industry standard
  • Similar in approach to AMT
  • Intel AMT will evolve to support
Overview – “vPro” Systems
• The Intel AMT device functions only when “Provisioned”
• Provisioning is the authentication and authorization process by which the AMT client and SCS server are bound together
• The UUID and a Private Key shared by the AMT client and the SCS server are confirmed during the “provisioning” process
Overview – Enterprise & SMB
Overview – Enterprise & SMB (cont.)
[Diagram: component stacks of the two server types]
• Typical Enterprise Server: Multi-core Xeon, 4GB RAM; Windows 2003 Server SP2
• Typical Small Business Server: Dual-Core, 2GB RAM; Windows 2003 Server SP2
• Component labels shown in the diagram: Columbus 6.10, Intel SCS, Certificate Authority, SQL Server 2005 or Express, IIS, .Net 2.0 SP1, AD, DNS, DHCP
Network Requirements – Minimum
[Network diagram with numbered callouts 1 to 5; callout labels:]
• Must see DNS. Ports 9971, 16992-16994.
• Must see DNS. Port 443, 9971, 16992-16994.
• Schema is extended for Intel AMT objects
• Option 81 (Dynamic update of DNS name and PTR records)
• “provisionserver” added to Forward and Reverse zones
Certificates
• Required
  • TLS PSK
    • Preshared key used for the AMT Client to communicate with the SCS during setup.
    • Source: Intel SCS creates this.
  • Server Certificate
    • Certificate used to allow HTTPS communication with the Intel SCS.
    • Source: Microsoft Certificate Authority (CA).
• Optional
  • TLS Certificate
    • Allows secure communication between the AMT client and the SCS.
    • Source: Microsoft CA, Verisign, etc.
  • 802.1x Certificate
    • Allows the AMT client to connect to a 802.1x secured network.
    • Source: Microsoft CA, Verisign, etc.
  • Mutual Authentication Root Certificate
    • Allows the AMT client to authenticate the SCS
    • Source: Microsoft CA, Verisign, etc.
Intel SCS Server
[Diagram labels:]
• Certificate needed for this HTTPS communication
• MS SQL Server 2005 or Express
• Optional component
Columbus 6.10 Configuration
• Columbus AMT License key
  • Intel AMT requires advanced environment and specialized training
  • Special terms apply for obtaining a Columbus AMT License key
• Installation
  • Select Intel vPro Support under Infrastructure Server and Management Console
• Configuration
  • Infrastructure > Index Agent > AMT
  • Configure AMT
  • Configure SCS server
• Management
  • “AMT Management” of selected clients
Usage Examples
• System Discovery
  • Discover systems even if powered off
• BIOS/Firmware Update
  • Reflash BIOS and set firmware remotely
• Diagnostics
  • Run remote diagnostics against defective systems
• Quarantine
  • Isolate suspect systems from the network
Pitfalls
• FQDN Mismatch
  • SCS and AMT clients find one another through DNS
  • Multi-homed clients may not register the same FQDN
  • SCS cannot find the AMT client
  • Workaround – well-planned and controlled hostname assignments
• SCS server capacity
  • SCS is improving but not fully matured
  • 1800 AMT clients will peg a quad-core 3GHz server for over two hours during setup
  • Encrypted communications, SOAP and database transactions are not optimized
  • Workaround – host SCS on multiple front-end servers with strong back-end database server (“Strong” = 4GB RAM, 3 GHz multi-core CPUs)
• One Database
  • SCS uses one single MS SQL Server to store all AMT client information
  • Provisioned AMT clients will not “talk” to another SCS server that is not pulling from the same MS SQL Server and has the same certificates.
  • Workaround – cluster front-end SCS servers and replicate your one SQL Server instance across multiple physical servers
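The DNS preconditions from the Network Requirements slide (“provisionserver” in the forward and reverse zones, dynamic PTR updates) and the FQDN Mismatch pitfall can be audited before provisioning starts. The following is an added example, not part of the original presentation and not code from Columbus or Intel SCS; the zone contents, domain names and addresses are constructed, and the function names are hypothetical.

```python
# Added example: forward-confirmed reverse DNS audit ahead of AMT provisioning.
# FORWARD/REVERSE are constructed zone data; in production the same checks
# would run against a zone export or live lookups (assumption).
import ipaddress

FORWARD = {  # constructed A records
    "provisionserver.corp.example": ["10.0.0.10"],
    "pc-001.corp.example": ["10.0.1.21"],
    "pc-002.corp.example": ["10.0.1.22"],
    "pc-002.lab.example": ["10.0.2.22"],  # second NIC registered another FQDN
    "pc-003.corp.example": ["10.0.1.23"],
}
REVERSE = {  # constructed PTR records; 10.0.1.23 is missing on purpose
    "10.0.0.10": "provisionserver.corp.example",
    "10.0.1.21": "pc-001.corp.example",
    "10.0.1.22": "pc-002.corp.example",
    "10.0.2.22": "pc-002.lab.example",
}

def fcrdns(fqdn, forward=FORWARD, reverse=REVERSE):
    """Return the list of DNS problems for one name (empty list = consistent)."""
    addrs = forward.get(fqdn.lower(), [])
    if not addrs:
        return [f"{fqdn}: no A record"]
    problems = []
    for addr in addrs:
        ipaddress.ip_address(addr)  # raises ValueError on malformed zone data
        ptr = reverse.get(addr)
        if ptr is None:
            problems.append(f"{fqdn}: {addr} has no PTR record")
        elif ptr.lower().rstrip(".") != fqdn.lower():
            problems.append(f"{fqdn}: {addr} maps back to {ptr}")
    return problems

def multihomed(forward=FORWARD):
    """Hosts that registered more than one FQDN (the multi-homed mismatch)."""
    by_host = {}
    for fqdn in forward:
        by_host.setdefault(fqdn.split(".", 1)[0], set()).add(fqdn)
    return {h: sorted(n) for h, n in by_host.items() if len(n) > 1}

def audit(names, forward=FORWARD, reverse=REVERSE):
    """Map each inconsistent name to its problems; consistent names are omitted."""
    report = {n: fcrdns(n, forward, reverse) for n in names}
    return {n: p for n, p in report.items() if p}

if __name__ == "__main__":
    print(audit(list(FORWARD)))
    print(multihomed())
```

A client that appears in either result should have its hostname assignment corrected before the SCS tries to reach it.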
Columbus AMT License Key Requirements
• Columbus Intel AMT vPro functionality is licensed under the following terms:
  • Columbus Enterprise or Complete licensing
  • License keys can only be issued to companies along with a booking of two days paid consulting services
  • Helpdesk does not service Intel AMT questions, and all related questions are subject to paid consulting hours
Questions & Discussion