Symantec ALTIRIS OUT OF BAND MANAGEMENT COMPONENT 7.0 SP3 - IMPLEMENTATION GUIDE V1.0, ALTIRIS OUT OF BAND MANAGEMENT COMPONENT 7.0 SP3 MR1 Implementation Manual

Altiris Out of Band Management Component from Symantec Implementation Guide
Version 7.0 SP3 MR1
The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.
Documentation version 7.0 SP3 MR1
Legal Notice
Copyright © 2010 Symantec Corporation. All rights reserved.
Symantec, the Symantec Logo, Altiris, and any Altiris or Symantec trademarks used in the product are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.
THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.
The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, "Rights in Commercial Computer Software or Commercial Computer Software Documentation", as applicable, and any successor regulations. Any use, modification, reproduction, release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.
Symantec Corporation 350 Ellis Street Mountain View, CA 94043
http://www.symantec.com
Technical Support
Symantec Technical Support maintains support centers globally. Technical Support's primary role is to respond to specific queries about product features and functionality. The Technical Support group also creates content for our online Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering and Symantec Security Response to provide alerting services and virus definition updates.
Symantec's support offerings include the following:
A range of support options that give you the flexibility to select the right amount of service for any size organization
Telephone and/or Web-based support that provides rapid response and up-to-the-minute information
Upgrade assurance that delivers software upgrades
Global support purchased on a regional business hours or 24 hours a day, 7 days a week basis
Premium service offerings that include Account Management Services
For information about Symantec's support offerings, you can visit our Web site at the following URL:
www.symantec.com/business/support/
All support services will be delivered in accordance with your support agreement and the then-current enterprise technical support policy.
Contacting Technical Support
Customers with a current support agreement may access Technical Support information at the following URL:
www.symantec.com/business/support/
Before contacting Technical Support, make sure you have satisfied the system requirements that are listed in your product documentation. Also, you should be at the computer on which the problem occurred, in case it is necessary to replicate the problem.
When you contact Technical Support, please have the following information available:
Product release level
Hardware information
Available memory, disk space, and NIC information
Operating system
Version and patch level
Network topology
Router, gateway, and IP address information
Problem description:
Error messages and log files
Troubleshooting that was performed before contacting Symantec
Recent software configuration changes and network changes
Licensing and registration
If your Symantec product requires registration or a license key, access our technical support Web page at the following URL:
www.symantec.com/business/support/
Customer service
Customer service information is available at the following URL:
www.symantec.com/business/support/
Customer Service is available to assist with non-technical questions, such as the following types of issues:
Questions regarding product licensing or serialization
Product registration updates, such as address or name changes
General product information (features, language availability, local dealers)
Latest information about product updates and upgrades
Information about upgrade assurance and support contracts
Information about the Symantec Buying Programs
Advice about Symantec's technical support options
Nontechnical presales questions
Issues that are related to CD-ROMs or manuals
Support agreement resources
If you want to contact Symantec regarding an existing support agreement, please contact the support agreement administration team for your region as follows:
Asia-Pacific and Japan: customercare_apac@symantec.com
Europe, Middle-East, and Africa: semea@symantec.com
North America and Latin America: supportsolutions@symantec.com
Contents

Technical Support  3

Chapter 1  Introducing Out of Band Management Component  13
  About Out of Band Management Component  13
    About out-of-band management  14
    About supported out-of-band management technologies  14
    Altiris products that can manage computers out of band  15
  What's new in Out of Band Management Component  15
  How Out of Band Management Component works  15
    About the Symantec Management Console  16
    About Intel AMT  16
    About Intel AMT Setup and Configuration Service  17
    About Intel AMT versions and features  17
    About Intel AMT configuration modes  18
    About Intel AMT security  20
    About Intel AMT related credentials  22
    About Intel AMT wireless support  24
    About ASF  24
    About DASH  25
    Comparison of Intel AMT, ASF, and DASH  25
  What you can do with Out of Band Management Component  26
    About Intel AMT tasks  26
    About ASF tasks  27
    About DASH tasks  27
  Where to get more information  27

Chapter 2  Planning for Out of Band Management Component installation  31
  About environment requirements  32
  About configuring DNS  33
  About configuring DHCP  34
  About configuring SQL server  34
  About integrating with Microsoft Active Directory  35
  About installing Microsoft IIS  36
  Installing and configuring CA  36
  About installing .NET Framework on an OOB site server  38
  About planning OOB site servers hierarchy  38
  Configuring a firewall to allow Intel SCS and SQL server connections  39
  About ports used by Intel AMT  40
  About installing Out of Band Management Component in a lab environment  40
  About managing Intel AMT computers without the Altiris Agent installed  41

Chapter 3  Installing Out of Band Management Component  43
  System requirements  43
    About Out of Band Management Component requirements  43
    About client computer software and hardware requirements  44
  Installing the Out of Band Management Component product  45
  Upgrading the Out of Band Management Component product  45
  Uninstalling Out of Band Management Component  45
    Uninstalling the Out of Band Task Agent  46
    Uninstalling Out of Band Management Component from Notification Server  47

Chapter 4  Preparing target computers for management  49
  Preparing target computers for management  49
    Discovering computers  51
    Installing the Altiris Agent  51
    Configuring the Altiris Agent settings for evaluation use  52
    Discovering out-of-band capable computers  52
    Installing the Out of Band Task Agent  53

Chapter 5  Configuring Out of Band Management Component  55
  Integrating Intel SCS with Active Directory  55

Chapter 6  Configuring Intel AMT computers for out-of-band management  57
  About configuring Intel AMT computers for out-of-band management  57
    About Intel AMT initialization  58
    About Intel AMT setup and configuration  59
  Prerequisites for Intel AMT configuration  61
  Configuring Intel AMT computers for out-of-band management  61
    Creating Intel AMT configuration profiles  62
    Configuring the automatic Intel AMT configuration profile assignment  64
    Initializing Intel AMT computers using the Remote Configuration feature  65
    Initializing Intel AMT computers manually  76
    Setting up and configuring initialized Intel AMT computers  82
  About resending Hello messages  89
    Resending Hello messages with the Delayed Configuration policy  89
    Resending Hello messages with the Send Intel AMT Hello Message task  90
  Configuring Intel AMT computers in small business mode  91

Chapter 7  Configuring TLS  95
  About TLS  95
  About configuring and enabling TLS  95
  Configuring TLS  96
    Exporting the CA Root Certificate for the Altiris Real-Time System Manager software  97
    Configuring the connection profile to use TLS  97
    Configuring Intel AMT computers to use TLS  98
  Configuring TLS with mutual authentication  100
    Creating and installing a client certificate using an Enterprise CA  100
    Configuring Intel AMT computers to use TLS mutual authentication  108

Chapter 8  Configuring ASF/DASH computers for out-of-band management  111
  Configuring ASF/DASH computers for out-of-band management  111
    Installing the Broadcom ASF management software  113
    Collecting ASF/DASH configuration and hardware inventory  113
    Configuring ASF/DASH computers for out-of-band management  115
  What to do next  115

Chapter 9  Deploying OOB site servers  117
  About site services  117
  About OOB site servers  118
  Prerequisites for OOB site server installation  118
  Installing an OOB site server  119
    Viewing potential OOB site server computers  119
    Configuring the OOB site server installation settings  120
    Rolling out the OOB site server  120
  Uninstalling an OOB site server  121
  Configuring the default OOB site server location  122

Chapter 10  About Out of Band Management Component pages  123
  Auxiliary profiles: 802.1x Profiles page  124
    802.1x Profiles: Add 802.1x Profile dialog box  124
    Select Certificate Generation Properties dialog box  126
    Add Certificate Generation Properties dialog box  126
    Select Certificate Template dialog box  127
  Auxiliary profiles: Management Presence Servers page  127
    Management Presence Servers: Add Management Presence Server dialog box  127
  Auxiliary profiles: Remote Access Policies page  128
    Remote Access Policies: Create Remote Policy dialog box  129
  Auxiliary Profiles: Wireless Profiles page  130
    Wireless Profiles: Add Wireless Profile dialog box  130
  Trusted Root Certificates page  131
    Trusted Root Certificates: Select a Certificate Authority dialog box  131
    Trusted Root Certificates: Import Trusted Root Certificate dialog box  131
  Configuration Profiles page  131
    Setup and configuration profile: General tab  131
    Setup and configuration profile: Network tab  133
    Setup and configuration profile: TLS tab  135
    Setup and configuration profile: ACL tab  137
    Setup and configuration profile: Wireless Profiles tab  138
    Setup and configuration profile: Power Policy tab  139
    Setup and configuration profile: Domains tab  140
    Setup and configuration profile: Remote Access tab  141
  DNS configuration page  142
  General page  142
    Select Active Directory Organizational Unit dialog box  144
  Maintenance page  145
  Security keys page  145
  Service location page  148
  Users page  148
  Delayed Setup and Configuration page  149
  Intel AMT systems page  150
  Profile assignments page  153
  Resource Synchronization page  154
    Assign profile dialog box  155
  Get ASF/DASH Configuration Inventory task  156
  Update ASF Configuration Settings task  156
  Update DASH Configuration Settings task  160
  OOB Site Service page  161
  Certificate Enrollment task  164
  Firewall Configuration task  164
  FQDN Synchronization task  165
  Install Intel Setup and Configuration Server task  165
  Install OOB Site Service agent task  165
  Install Out of Band Management Site Service Agent and Intel Setup and Configuration Server job  165
  Intel Setup and Configuration Server Upgrade job  166
  Intel Setup and Configuration Server Upgrade Job: internal task  166
  OOB Site Server Inventory task  166
  Send Intel AMT Hello Message task  166

Appendix A  Troubleshooting Out of Band Management Component  167
  Viewing Intel SCS logs  167
  About Intel SCS error messages  169
  About Intel AMT setup and configuration issues  173
  About Intel SCS console integration  174
  About Intel AMT filters update  174
  Troubleshooting OOB site server installation  175

Appendix B  Reference topics  177
  About passwords used with Intel AMT  177
  About populating filters  178
  How Resource Synchronization policy works  181
  Remote Configuration certificate requirements  182
  Remote Configuration certificate – differences between releases  182
    Intel AMT Release 2.2  183
    Intel AMT Release 3.0  183
    Intel AMT Release 2.6  183

Glossary  185
Index  189
Chapter 1  Introducing Out of Band Management Component
This chapter includes the following topics:
About Out of Band Management Component
What's new in Out of Band Management Component
How Out of Band Management Component works
What you can do with Out of Band Management Component
Where to get more information
About Out of Band Management Component
Altiris Out of Band Management Component software (formerly known as Altiris Out of Band Management Solution) lets you discover computers with ASF, DASH, and Intel AMT in your environment and configure the computers for out-of-band management.
Out-of-band management is the ability to manage client computers regardless of the state of their power, operating system, or management agents. You can remotely change the power state of the computer, collect hardware inventory, and perform other management tasks that would normally require a visit to a client computer.
See “About out-of-band management” on page 14.
Figure 1-1  Out of Band Management Component features
About out-of-band management
Remote management of client computers often requires the managed computer to be turned on with an operating system running. When a computer is turned on with a running operating system, the computer is considered in-band.
Out-of-band is when a client computer is in one of the following out-of-band states:
The computer is plugged in but is not actively running (off, standby, hibernating).
The operating system is not loaded (software or boot failure).
The software-based management agent is not available.
Out-of-band management is the ability to manage computers in these states. Computers with Intel AMT, ASF, DASH, or IPMI capabilities can be managed out of band.
About supported out-of-band management technologies
Out of Band Management Component supports computers with the following out-of-band management technologies:
Intel® Active Management Technology (Intel® AMT) 2.0 and later (also known as Intel® vPro and Intel® Centrino® Pro technology)
See “About Intel AMT” on page 16.
Broadcom ASF 2.0 and Intel ASF 2.0
See “About ASF” on page 24.
Broadcom DASH
See “About DASH” on page 25.
Altiris products that can manage computers out of band
You can manage computers out of band using the following Altiris products:
Altiris Real-Time Console Infrastructure
Altiris Real-Time System Manager
These Altiris products let you perform the following out-of-band management tasks:
Turn on, turn off, or restart computers.
Configure hardware alerts and change the alerts' destination address.
Collect the hardware information that is stored in the NVRAM of the Intel AMT device.
Boot a computer from a remote disk or an image on a server and run the operating system repair or reinstall.
Start a remote control session from the Symantec Management Console and access BIOS to view and change settings (Intel AMT only).
What's new in Out of Band Management Component
In the 7.0 SP3 release of Out of Band Management Component, the following new features are introduced:
Support for Microsoft Windows 7.
You can install Out of Band Task Agent on the computers that are running Microsoft Windows 7.
How Out of Band Management Component works
Out of Band Management Component installs Intel SCS on the Notification Server computer and integrates it into the Symantec Management Console. From the Symantec Management Console you can configure Intel SCS settings, discover Intel AMT capable computers, and configure them for out-of-band management.
See “About the Symantec Management Console” on page 16.
Also, Out of Band Management Component provides you with the tools to discover ASF and DASH capable computers and configure them for out-of-band management.
You can manage configured Intel AMT, ASF, and DASH computers with Altiris solutions that support out-of-band technologies.
See “Altiris products that can manage computers out of band” on page 15.
About the Symantec Management Console
The Symantec Management Console is the Web browser based administration console for working with Symantec Management Platform and solutions, including Out of Band Management Component. The console lets you perform tasks, schedule events, run reports, perform configuration, configure security, and more. You can run the console from the Notification Server computer (locally) or from a remote computer with a network connection to Notification Server. This means that you can perform administration tasks from wherever you are.
The console lets you set security that is specific to each console user. You specify which areas of the console a user has access to and the rights that a user has to perform specific actions. For example, one user can run reports while another user can only view reports that have already been run.
You can start the console remotely by typing the following URL into the Internet Explorer's address bar: http://<Notification_Server_name>/altiris/console
For more information on the console, see the Symantec Management Platform Help, which can be accessed through the console's Help menu.
About Intel AMT
Intel ActiveManagement Technology (Intel AMT) is a part of Intel vPro technology, which provides the following technology capabilities:
Remote manageability: lets you remotely inventory, diagnose, and repair computers, even those that are turned off, reducing costly desk-side visits and increasing user uptime.
Security: lets third-party security software identify more threats before they reach the operating system. You can isolate infected systems more quickly and update computers regardless of their power state.
Intel AMT is a solution that is based in hardware and firmware and is connected to the system's auxiliary power plane. Despite the power state or the operating system state of the client computer, Intel AMT provides IT administrators with access to alerts, hardware inventory, power management, network filtering, and agent presence functionality. Intel AMT functionality requires the computer to be plugged into the power source and connected to the network. Intel AMT functionality does not require a software agent to be installed on the client computer.
Altiris Out of Band Management Component, Altiris Real-Time Console Infrastructure, and Altiris Real-Time System Manager software support Intel AMT 2.0 and later.
See “About configuring Intel AMT computers for out-of-band management” on page 57.
See “About Intel AMT tasks” on page 26.
About Intel AMT Setup and Configuration Service
Intel AMT Setup and Configuration Service (Intel SCS) provides you with the tools to set up and configure Intel AMT devices. Intel SCS is automatically installed on the OOB site server computer (by default, the Notification Server computer).
See “About OOB site servers” on page 118.
Intel SCS installation creates a new database on the SQL server. This database stores configuration parameters and administrative connection credentials for each Intel AMT computer that you set up and configure with Out of Band Management Component. Out of Band Management Component integrates Intel SCS into the Symantec Management Platform and provides the interface for Intel SCS in the Symantec Management Console.
About Intel AMT versions and features
Out of Band Management Component supports several versions of Intel AMT.
Table 1-1  Intel AMT versions and features

Versions covered by the table columns: 2.0, 2.1, 2.2, 2.5, 2.6, 3.0, 4.0, 5.0, 5.1, 6.0. Each row lists the support marks exactly as they appear in the table, one mark per version that supports the feature.

Feature | Support marks
Desktop (D) or notebook (N) support | D/N D D N D N N D D
Remote platform (sw\hw) asset tracking | X X X X X X X X X X (all listed versions)
Remote diagnostics and repair | X X X X X X X X X X (all listed versions)
Agent presence checking and alerting | X X X X X X X X X X (all listed versions)
System isolation and recovery | X X X X X X X X X (9 of 10 versions)
Enterprise mode with TLS\Kerberos | X X X X X X X X X (9 of 10 versions)
Upgradeable remote firmware | X X X X X X X X X (9 of 10 versions)
Remote configuration | X X X X X X X (7 of 10 versions)
Wireless support (802.11i, VPN) | X(1) X X X (4 of 10 versions)
802.1x native support | X X X X X X X (7 of 10 versions)
CIRA (Client Initiated Remote Access) | X X X X (4 of 10 versions)
Full compliance to the DASH 1.0 standard | X X (2 of 10 versions)
KVM over IP | X (1 of 10 versions)

(1) Notebook computers only
About Intel AMT configuration modes
You can configure Intel AMT computers for out-of-band management in one of two modes:
Small business mode
See “About Intel AMT small business mode” on page 18.
Enterprise mode
See “About Intel AMT enterprise mode” on page 19.
See “Comparison of Intel AMT small business and enterprise mode” on page 19.
About Intel AMT small business mode
Intel AMT small business configuration mode is easy to set up and is recommended when you have a few Intel AMT computers. You can also use this mode if your enterprise does not have DHCP or DNS services available or if using these services is not allowed for security or other reasons.
This mode does not support Transport Layer Security (TLS), so communications between computers are not encrypted. This mode works well in the environments that do not have a security infrastructure. Because small business mode is designed for small environments, this mode does not support communications across subnets. If your environment incorporates subnets, use enterprise mode.
See “About TLS” on page 95.
See “About Intel AMT enterprise mode” on page 19.
If you are new to Intel AMT and want to evaluate the technology, you can configure a few computers in small business mode. Small business mode lets you get things set up and running more quickly. Setting up an Intel AMT computer in small business mode is a manual process that is performed through the BIOS of the Intel AMT capable computer. Out of Band Management Component is not involved in the configuration process. After setup, the computer is ready to be managed out of band.
See “Configuring Intel AMT computers in small business mode” on page 91.
About Intel AMT enterprise mode
Intel AMT enterprise configuration mode is designed to serve the needs of large enterprises. When this mode is supported with the proper network infrastructure services, it can provide automated (one-touch or remote) configuration for Intel AMT devices. This mode also supports the configuration of wireless features on the Intel AMT device and integration with Microsoft Active Directory.
This mode supports multiple security options: an Intel AMT access control list, and the option to encrypt communications through the use of Transport Layer Security (TLS).
See “About TLS” on page 95.
Use Out of Band Management Component to control the process of enterprise mode Intel AMT configuration from the Symantec Management Console.
See “About configuring Intel AMT computers for out-of-band management” on page 57.
Comparison of Intel AMT small business and enterprise mode
Intel AMT small business configuration mode is easy to set up and is recommended when you have a few Intel AMT computers. Intel AMT enterprise configuration mode is designed to serve the needs of large enterprises and is more secure.
See “About Intel AMT small business mode” on page 18.
See “About Intel AMT enterprise mode” on page 19.
Table 1-2 Differences between Intel AMT small business and enterprise modes

Setup and configuration application (Out of Band Management Component)
  Small-business mode: Not needed
  Enterprise mode: Required and provided through Intel SCS, which is installed with the solution

Setup and configuration
  Small-business mode: Must be set up through the MEBx on the computer
  Enterprise mode: Can be pre-set up from the factory, implemented through a USB key, or manually through the MEBx

Remote setup and configuration
  Small-business mode: Not supported
  Enterprise mode: Intel AMT 2.2, 2.6, 3.0, 4.0, and 5.0 support the zero-touch remote configuration method

Encrypted communications
  Small-business mode: Not supported
  Enterprise mode: TLS encryption through use of Microsoft certification authority

Microsoft Active Directory integration
  Small-business mode: Not supported
  Enterprise mode: Supported

Wireless management support
  Small-business mode: Not supported
  Enterprise mode: Supported

Network subnet support
  Small-business mode: Not supported
  Enterprise mode: Supported

Access control list for accessing Intel AMT
  Small-business mode: Not supported
  Enterprise mode: Supported

Intel AMT password support
  Small-business mode: Must manually change passwords on the computer
  Enterprise mode: Centrally managed passwords through the management console
About Intel AMT security
One of the key benefits of Intel AMT over other out-of-band technologies, such as Wake on LAN, is its security features.
Table 1-3 Intel AMT security features

Intel AMT credentials
  The user name and the password that you use to connect to the Intel AMT device remotely. These credentials should not be confused with the MEBx credentials, which by default share the same user name and password as the remote access Intel AMT credentials.
  See “About Intel AMT related credentials” on page 22.

Access Control List (Enterprise mode only)
  The Intel AMT access control list (ACL) manages who has access to which capabilities within Intel AMT. An ACL entry has a user ID and a list of realms to which a user has access. This access is required to use the functionality that is associated with a realm.
  Two kinds of ACL entries exist: Kerberos and Digest. The main difference between them is that Kerberos entries have an Active Directory SID to identify a user or group of users. Digest entries have a user name and password for user identification. When Microsoft Active Directory is used, user identities are imported from Active Directory; otherwise, user identities are added manually.

PID-PPS security key pair (Enterprise mode only)
  A pair of keys that are used to ensure a secure connection when the configuration server configures an Intel AMT device. After a device is configured, these keys are no longer used and are deleted from the Intel SCS database.

TLS encryption (Enterprise mode only)
  TLS lets you encrypt communications between the configuration server and the Intel AMT device after the device has been configured. The encryption can be one direction (from the Intel AMT device to the configuration server) or both directions (mutual authentication). If you want to use TLS, you must use Intel AMT in enterprise mode and have access to a Microsoft certification authority.
  See “About TLS” on page 95.
Figure 1-2
Out of Band Management Component modes and security
About Intel AMT related credentials
The Intel AMT administrative credentials and MEBx admin credentials often get confused as the same credentials, but they are different and have different purposes. By default, the administrator account for both credentials is admin and the password is admin. The MEBx credentials control local access to the MEBx on the computer and some Intel AMT settings. The Intel AMT administrative credentials control remote access to the Intel AMT settings (for example, when you run an out-of-band task from the Symantec Management Console, or access the Intel AMT Web UI).
When you access the MEBx for the first time, you must supply the default administrator credentials, and then you are prompted to change the password. This change modifies not only the MEBx admin account password but also the Intel AMT administrative account password.
Later, when you set up and configure Intel AMT computers, you change the Intel AMT administrator password again and make it different from the MEBx one.
Table 1-4 Out of Band Management Component credentials

MEBx
  Used to locally access the MEBx. The default administrator account and password are admin. During the Intel AMT initialization process, the default password is changed to a user-specified password (as defined in the configuration profile).
  See “Creating Intel AMT configuration profiles” on page 62.

Intel AMT
  Used in the remote management of Intel AMT. The default administrator account and password are admin.
  During the Intel AMT setup and configuration process, the default password is changed to a user-specified or randomly generated password (as defined in the configuration profile).
  See “Creating Intel AMT configuration profiles” on page 62.
  Altiris solutions use these credentials to perform remote management tasks.

Intel SCS Users
  Used to access Intel SCS that is running on the OOB site server computer (by default, the Notification Server computer).
  At the time of Out of Band Management Component installation, all users in the Symantec Administrators group are added to the list of the Intel SCS users.
  See “Users page” on page 148.

Access control list (Enterprise mode only)
  A list of users that can remotely access Intel AMT settings and the rights that they have.
  Intel AMT devices are configured with this list during the setup and the configuration process (as defined in the configuration profile).
  See “Creating Intel AMT configuration profiles” on page 62.

Symantec Management Console
  Used to access the Symantec Management Console. Users can have rights to access specific data and perform certain management tasks.
  For more information, see the Symantec Management Platform Help.

PID-PPS security key pair (Enterprise mode only)
  A pair of security keys that are used to ensure secure communications between the configuration server and the Intel AMT computer. After a computer is configured, these keys are no longer used.
  These keys are generated and entered into the Intel AMT device during the initialization process.
  See “About Intel AMT initialization” on page 58.
About Intel AMT wireless support
(Intel AMT 2.5, 2.6, 4.0, 6.0 and later)
Out of Band Management Component lets you configure wireless features of Intel AMT through wireless profiles. A wireless profile defines how the system connects to the wireless access point when the operating system is not loaded. Different wireless profiles can be created and used to support different access points.
Through wireless profiles you can configure the following features:
Key management - Wi-Fi Protected Access (WPA). Robust Secure Network (RSN) key management schemes are supported.
Encryption algorithm - Temporal Key Integrity Protocol (TKIP) and Counter Mode CBC-MAC Protocol (CCMP) are supported.
Authentication - A pass phrase or 802.1x profile can be used to ensure that only authorized users can establish a connection with the Intel AMT device.
About ASF
ASF (Alert Standard Format) is an industry standards-based technology that lets IT administrators manage computers regardless of the operating system state. ASF performs completely out of band and only relies on the operating system to configure the solution.
ASF provides alerting and power management functionality as long as the computer is plugged in with Ethernet connection. ASF functionality is accomplished through hardware on the network card or system board, a software agent on the client computer, and management software on the server.
Altiris Out of Band Management Component, Altiris Real-Time Console Infrastructure, and Altiris Real-Time System Manager software support ASF 2.0.
See “Configuring ASF/DASH computers for out-of-band management” on page 111.
See “About ASF tasks” on page 27.
About DASH
DASH (Desktop and Mobile Architecture for System Hardware) is a Web services-based management technology that enables IT professionals to remotely manage desktop and mobile computers from anywhere in the world. The technology lets administrators securely turn the power on/off, query system inventory, and push firmware updates, among other things, regardless of the state of the remote computer.
Altiris Out of Band Management Component, Altiris Real-Time Console Infrastructure, and Altiris Real-Time System Manager software support Broadcom and Intel implementations of DASH.
See “Configuring ASF/DASH computers for out-of-band management” on page 111.
See “About DASH tasks” on page 27.
Comparison of Intel AMT, ASF, and DASH
Out of Band Management Component supports Intel AMT, ASF, and DASH out-of-band management technologies.
See “About Intel AMT” on page 16.
See “About ASF” on page 24.
See “About DASH” on page 25.
Table 1-5 Intel AMT, ASF, and DASH comparison

Network support
  Intel AMT: Supports the networks that include subnets.
  ASF: Does not support subnets.
  DASH: Supports the networks that include subnets.

Security
  Intel AMT: Supports user name and password authentication, an access control list, and TLS encryption (Enterprise mode only) of communications.
  ASF: Supports Operator and Administrator Authentication Keys authentication for performing remote power management commands.
  DASH: Supports user name and password authentication and encrypted communications using certificates.

Standards
  Intel AMT: Non-standards based.
  ASF: Based on an open standard that is developed through DMTF.
  DASH: Based on an open standard that is developed through DMTF.

Intended use
  Intel AMT: Small to large environments with multiple options for security.
  ASF: Small to medium size environments.
  DASH: Small to large environments with multiple options for security.
What you can do with Out of Band Management Component
Out of Band Management Component helps you configure Intel AMT, ASF, or DASH devices on the computers that support these technologies, so these computers can be managed out of band.
See “About Intel AMT tasks” on page 26.
See “About ASF tasks” on page 27.
See “About DASH tasks” on page 27.
About Intel AMT tasks
Out of Band Management Component lets you perform the following Intel AMT tasks:
Discover Intel AMT capable computers.
Set up and configure computers with Intel AMT so that they can be managed out of band by other Altiris solutions.
Define service configuration parameters for Intel SCS.
Create the profiles that define the setup and the configuration parameters for Intel AMT, including wireless parameters.
Manage the list of valid PID-PPS keys that match what is to be installed on the Intel AMT computers that await initialization.
Remotely set the host name, either detected automatically or entered manually, for an Intel AMT network interface.
View and manage the entries that identify each Intel AMT computer that is configured or not configured.
Remotely reset or re-configure Intel AMT computers, synchronize clocks, change power-saving policies, and so on.
Control the list of users that have access to the Intel SCS console and to the Intel AMT devices and the permissions they have.
See “About configuring Intel AMT computers for out-of-band management” on page 57.
About ASF tasks
Out of Band Management Component lets you perform the following ASF tasks:
Discover ASF-capable computers.
Install the ASF management agent on the computers.
Collect ASF configuration inventory.
Configure the default connection, security, and remote power control settings on client computers with ASF.
Configure the ASF alerts that can help you be more proactive in responding to memory faults, temperature issues, hard drive warnings, chassis intrusion, and so forth. These alerts help you fix issues before they become destructive.
See “Configuring ASF/DASH computers for out-of-band management” on page 111.
About DASH tasks
Out of Band Management Component lets you perform the following DASH tasks:
Discover DASH-capable computers.
Install the DASH management agent on the computers.
Collect DASH configuration inventory.
Configure connection and security settings on client computers with DASH.
See “Configuring ASF/DASH computers for out-of-band management” on page 111.
Where to get more information
Use the following documentation resources to learn and use this product.
Table 1-6 Documentation resources

Release Notes
  Description: Information about new features and important issues. This information is available as an article in the knowledge base.
  Location: http://kb.altiris.com/ (search for the product name under Release Notes).

Implementation Guide
  Description: Information about how to install, configure, and implement this product. This information is available in PDF format.
  Location: The Product Support page, which is available at http://www.symantec.com/business/support/all_products.jsp. When you open your product's support page, look for the Documentation link on the right side of the page. Also available from the Documentation Library, which is in the Symantec Management Console on the Help menu.

User Guide
  Description: Information about how to use this product, including detailed technical information and instructions for performing common tasks. This information is available in PDF format.
  Location: The Product Support page, which is available at http://www.symantec.com/business/support/all_products.jsp. When you open your product's support page, look for the Documentation link on the right side of the page. Also available from the Documentation Library, which is in the Symantec Management Console on the Help menu.

Help
  Description: Information about how to use this product, including detailed technical information and instructions for performing common tasks. Help is available at the solution level and at the suite level. This information is available in HTML help format.
  Location: Context-sensitive help is available for most screens in the Symantec Management Console. You can open context-sensitive help with the F1 key or with the Context command, which is available in the Symantec Management Console on the Help menu.
In addition to the product documentation, you can use the following resources to learn about Altiris products.
Introducing Out of Band Management Component
Where to get more information
28
Page 29
Table 1-7 Altiris information resources

Knowledge base
  Description: Articles, incidents, and issues about Altiris products.
  Location: http://kb.altiris.com/

Symantec Connect (formerly Altiris Juice)
  Description: An online magazine that contains best practices, tips, tricks, forums, and articles for users of this product.
  Location: http://www.symantec.com/connect/endpoint-management-virtualization
Chapter 2
Planning for Out of Band Management Component installation
This chapter includes the following topics:
About environment requirements
About configuring DNS
About configuring DHCP
About configuring SQL server
About integrating with Microsoft Active Directory
About installing Microsoft IIS
Installing and configuring CA
About installing .NET Framework on an OOB site server
About planning OOB site servers hierarchy
Configuring a firewall to allow Intel SCS and SQL server connections
About ports used by Intel AMT
About installing Out of Band Management Component in a lab environment
About managing Intel AMT computers without the Altiris Agent installed
About environment requirements
The environment requirements for Out of Band Management Component are as follows:
Before you install Out of Band Management Component, you must configure the SQL server that you want Intel SCS to use in mixed authentication mode (Windows Authentication and SQL Server Authentication).
See “About configuring SQL server” on page 34.
You must configure DNS to resolve the ProvisionServer host name to the computer with OOB site server installed (by default, the Notification Server computer). You can do this before or after you install Out of Band Management Component.
See “About configuring DNS” on page 33.
See “About OOB site servers” on page 118.
Installing Out of Band Management Component and Out of Band site server in this environment lets you perform the following actions:
Configure ASF- and DASH-capable computers for out-of-band management.
Manually set up and configure Intel AMT-capable computers for out-of-band management without the use of Intel AMT security features.
However, if you plan to use more Intel AMT features (for example, TLS, Remote Configuration, Kerberos users, 802.1x profiles), more conditions must be met. You can prepare the environment before or after you install Out of Band Management Component.
Table 2-1 Out of Band Management Component environment requirements for Intel AMT features

Prerequisite                          Simple EM     Kerberos      TLS           TLS mutual    Remote
                                      setup         users                       + 802.1x      Configuration
Windows 2003 SP2 or later             Required      Required      Required      Required      Required
Active Directory                      Optional      Required      Optional      Required      Required
Stand-alone certification authority   Optional      Optional      Required      Not supported Not supported
Enterprise certification authority    Optional      Optional      Optional (1)  Required      Required
DHCP server (with option 15 support)  Optional      Optional      Optional      Optional      Required

Columns: Simple EM setup = simple enterprise mode Intel AMT setup and configuration; TLS mutual + 802.1x = TLS with mutual authentication, 802.1x profiles.
(1) Supported only where Active Directory is present.

See “About integrating with Microsoft Active Directory” on page 35.
See “Installing and configuring CA” on page 36.
See “About configuring DHCP” on page 34.
About configuring DNS
The OOB site server computer (by default, the Notification Server computer) must be registered in the DNS as ProvisionServer. Intel AMT computers send their Hello packets to this host name. If the OOB site server computer already has a name other than ProvisionServer, add a CNAME (canonical name) record to the DNS. To do this with a Microsoft DNS server, open the MMC DNS branch, open the Forward Lookup Zones branch, right-click the entry for the Notification Server computer, and click New Alias. Then type ProvisionServer as the alias name. You must create a ProvisionServer entry for each DNS domain.
If you plan on installing multiple OOB site servers to different subnets or geographic locations, be sure that you configure DNS so that Intel AMT computers at each location contact their OOB site server computer.
See “About OOB site servers” on page 118.
After you install Out of Band Management Component, you can test if ProvisionServer resolves to the actual OOB site server computer.
See “DNS configuration page” on page 142.
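As an added example (not part of the Symantec guide), the following PowerShell script creates the ProvisionServer alias in each DNS domain with the dnscmd tool and then verifies that the alias resolves to the same addresses as the OOB site server. The DNS server name, domain list and OOB site server name are placeholders.

```powershell
# Added example, not from the Symantec guide. Registers the ProvisionServer
# CNAME in each DNS domain and checks that it resolves to the OOB site server.
# Run as a DNS administrator on a computer that has dnscmd available.

$DnsServer     = 'dns01.corp.example'                 # placeholder: Microsoft DNS server
$OobSiteServer = 'oobsite01.corp.example'             # placeholder: OOB site server FQDN
$DnsDomains    = @('corp.example', 'branch.example')  # placeholder: one alias per DNS domain

function New-ProvisionServerAlias {
    param([string]$Server, [string]$Zone, [string]$Target)
    # Equivalent of New Alias in the DNS MMC: a CNAME named ProvisionServer in the
    # forward lookup zone. The trailing dot makes the target an absolute name.
    & dnscmd $Server /RecordAdd $Zone ProvisionServer CNAME "$Target."
    if ($LASTEXITCODE -ne 0) { throw "dnscmd failed for zone $Zone (exit code $LASTEXITCODE)" }
}

function Test-ProvisionServerAlias {
    param([string]$Zone, [string]$ExpectedHost)
    # Intel AMT computers send their Hello packets to ProvisionServer, so it must
    # resolve to the same address(es) as the OOB site server. GetHostAddresses
    # follows the CNAME to the final A record(s).
    $expected = @([System.Net.Dns]::GetHostAddresses($ExpectedHost) |
                  ForEach-Object { $_.IPAddressToString } | Sort-Object)
    try {
        $actual = @([System.Net.Dns]::GetHostAddresses("ProvisionServer.$Zone") |
                    ForEach-Object { $_.IPAddressToString } | Sort-Object)
    } catch {
        return "FAIL  ProvisionServer.$Zone does not resolve ($($_.Exception.Message))"
    }
    if (@(Compare-Object $expected $actual).Count -eq 0) {
        return "OK    ProvisionServer.$Zone -> $($actual -join ', ')"
    }
    return "FAIL  ProvisionServer.$Zone -> $($actual -join ', '); expected $($expected -join ', ')"
}

foreach ($zone in $DnsDomains) {
    New-ProvisionServerAlias -Server $DnsServer -Zone $zone -Target $OobSiteServer
}
# Give the new records a moment to become visible, then verify from this computer.
Start-Sleep -Seconds 2
foreach ($zone in $DnsDomains) {
    Test-ProvisionServerAlias -Zone $zone -ExpectedHost $OobSiteServer
}
```

Run the verification part again from a client in each location when you deploy several OOB site servers, since each location must resolve ProvisionServer to its own OOB site server.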
About configuring DHCP
The Dynamic Host Configuration Protocol (DHCP) is an Internet protocol for automating the configuration of computers that use TCP/IP.
DHCP can be used for the following purposes:
To automatically assign IP addresses.
To deliver TCP/IP stack configuration parameters such as the subnet mask and default router.
To provide other configuration information such as the addresses for printer, time and news servers.
The DHCP server dynamically provides an IP address to Intel AMT devices.
You must configure your DHCP server to support Option 15 and be able to return the local domain suffix.
About configuring SQL server
Intel SCS requires Microsoft SQL Server 2005. Microsoft SQL Server 2008 is not currently supported.
If you already installed Symantec Management Platform on Microsoft SQL Server 2008, you can install Microsoft SQL Server 2005 on another computer in your network, and then configure Out of Band Management Component settings.
For instructions, see Out of Band Management Component Release Notes.
Microsoft SQL Server must be configured in mixed authentication mode (Windows Authentication and SQL Server Authentication).
Out of Band Management Component uses two SQL databases: the Notification Server database (Symantec_CMDB) and the Intel SCS database (Symantec_CMDB_IntelAMT).
If you want to install multiple OOB site servers to different subnets or geographic locations, ensure the SQL server is accessible from all these locations. All OOB site servers must use the same SQL server and the same database.
See “About planning OOB site servers hierarchy” on page 38.
You must configure the firewall on the SQL server computer to allow connections to the SQL server.
See “Configuring a firewall to allow Intel SCS and SQL server connections” on page 39.
You can install SQL server on the Notification Server computer; however, if you plan to use several other Altiris solutions or Altiris solutions that are database intensive, consider using a two-server configuration: one computer for Notification Server and one for SQL server.
Table 2-2 SQL server installation guidelines

Maximum number of computers to manage
  One-server configuration: 2000
  Two-server configuration: 5000

Update times for solutions and Notification Server processes
  One-server configuration: Moderate
  Two-server configuration: Moderate

Number of solutions that run along with Out of Band Management Component
  One-server configuration: Several
  Two-server configuration: Many

Number of active console users
  One-server configuration: 5
  Two-server configuration: 15
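As an added example (not part of the Symantec guide), this PowerShell script checks the SQL server requirements described in this section: that the instance is SQL Server 2005, that it runs in mixed authentication mode, and (after installation) that the two databases the guide names exist. The instance name is a placeholder; run it from the OOB site server so that it also confirms the SQL server is reachable from there.

```powershell
# Added example, not from the Symantec guide. Checks the SQL server settings
# that Intel SCS requires. Uses Windows authentication for the check itself.

$SqlInstance = 'sqlsrv01'   # placeholder: SQL Server host or host\instance used by Intel SCS

function Invoke-SqlScalar {
    param([string]$Instance, [string]$Query)
    # Opens a connection to master and returns the single value the query produces.
    $conn = New-Object System.Data.SqlClient.SqlConnection(
        "Server=$Instance;Database=master;Integrated Security=SSPI;Connect Timeout=10")
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $Query
        return $cmd.ExecuteScalar()
    } finally {
        $conn.Close()
    }
}

function Test-IntelScsSqlPrerequisites {
    param([string]$Instance)
    $results = @()

    # 1. Version: Intel SCS requires SQL Server 2005 (product version 9.x);
    #    SQL Server 2008 (10.x) is not supported by this release.
    $version = [string](Invoke-SqlScalar $Instance "SELECT CAST(SERVERPROPERTY('ProductVersion') AS nvarchar(128))")
    if ($version.StartsWith('9.')) { $results += "OK    SQL Server 2005 detected (version $version)" }
    else { $results += "FAIL  SQL Server version $version is not SQL Server 2005 (9.x)" }

    # 2. Authentication mode: IsIntegratedSecurityOnly = 1 means Windows Authentication
    #    only; Intel SCS needs mixed mode (value 0).
    $winOnly = [int](Invoke-SqlScalar $Instance "SELECT CAST(SERVERPROPERTY('IsIntegratedSecurityOnly') AS int)")
    if ($winOnly -eq 0) { $results += 'OK    Mixed authentication mode (Windows and SQL Server Authentication)' }
    else { $results += 'FAIL  Windows Authentication only; enable SQL Server Authentication as well' }

    # 3. Databases: Symantec_CMDB (Notification Server) and Symantec_CMDB_IntelAMT (Intel SCS)
    #    exist once Out of Band Management Component is installed.
    foreach ($db in 'Symantec_CMDB', 'Symantec_CMDB_IntelAMT') {
        $count = [int](Invoke-SqlScalar $Instance "SELECT COUNT(*) FROM sys.databases WHERE name = '$db'")
        if ($count -eq 1) { $results += "OK    Database $db is present" }
        else { $results += "WARN  Database $db not found (it is created during installation)" }
    }
    return $results
}

Test-IntelScsSqlPrerequisites -Instance $SqlInstance
```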
About integrating with Microsoft Active Directory
Intel SCS uses Active Directory (AD) for Kerberos authentication using Intel AMT objects. You must integrate Out of Band Management Component with AD if you want to add Kerberos users to the Intel AMT Access Control List. Kerberos users are users in the form of DOMAIN\username.
Integration with AD is also required when you want to use 802.1x authentication. The Intel AMT data that is stored in AD is used in certificate requests for that Intel AMT computer.
When AD integration is enabled, during setup and configuration of an Intel AMT device, Intel SCS creates a directory entry that is based on the Intel-Management-Engine class.
This directory entry contains the following data:
An AD object that represents the Intel AMT device.
An attribute for connecting the AD computer object to the Intel AMT object.
To integrate Intel SCS with AD, the OOB site server computer (by default, the Notification Server computer) must be a member of a domain.
See “Integrating Intel SCS with Active Directory” on page 55.
About installing Microsoft IIS
Notification Server, Intel SCS software, and Microsoft certification authority (if used) all require Microsoft Internet Information Services (IIS) version 6.
Microsoft IIS is a prerequisite for Notification Server installation, and it is already installed on the Notification Server computer. For a default Out of Band Management Component installation, no additional steps need to be performed on IIS.
You must install Microsoft IIS on any computer (other than the Notification Server computer) that you want to use for the following purposes:
As an OOB site server
See “About OOB site servers” on page 118.
As a computer that hosts Microsoft certification authority
See “Installing and configuring CA” on page 36.
Note: To enable Web enrollment for certificates, install IIS before installing the certification authority.
Installing and configuring CA
To use certain Intel AMT features, you must install and configure a certification authority (CA).
Table 2-3 Intel AMT features and the CA they require

TLS
  If you do not have Active Directory, install a Stand-alone CA. If you have Active Directory, you can install either a Stand-alone or an Enterprise CA.

TLS with Mutual Authentication
  Install an Enterprise CA.

Remote Configuration
  Install an Enterprise CA.
Install a Stand-alone CA on the OOB site server computer (by default, the Notification Server computer). If you use a Stand-alone CA, there can be only one Intel SCS instance in the environment.
Install an Enterprise CA on Microsoft Windows Server 2003 Enterprise Edition with Service Pack 1 or later. The Enterprise CA host must be a member of an Active Directory domain. It can be the same host as the domain controller. The user who performs the installation must be a member of the domain and have sufficient administration privileges. For example, the user must be a member of the Domain Admins group.
Make sure the CA that you installed is configured to generate certificates automatically (this is the default setting) so that Intel SCS can request a certificate each time it performs a setup of an Intel AMT device. Otherwise, you have to intervene each time a device is set up.
Warning: To enable Web enrollment for certificates, install IIS before installing the CA.
See “About installing Microsoft IIS” on page 36.
To install the CA
1. On the computer where you want to install the CA, click the Windows Start button, and then click Control Panel > Add or Remove Programs > Add/Remove Windows Components.
2. On the Windows Components Wizard page, check Certificate Services.
   A warning is displayed indicating that the computer name or the domain membership of the computer cannot be changed while it acts as a certificate server. Click Yes.
3. Click Details. Make sure that both Certificate Services CA and Certificate Services Web Enrollment Support are checked, and then click OK.
4. Click Next.
5. On the CA Type page, select either Enterprise root CA or Stand-alone root CA and click Next.
6. On the CA Identifying Information page, type the common name for this CA.
   This is the name by which the CA will be known.
7. Type the distinguished name suffix, if it is not already there.
   This is the domain suffix of the host. It is generated automatically in an Active Directory environment.
8. Click Next.
9. Click Next.
10. If there is a message that requests to stop the IIS, click Yes.
   The installation runs to completion.
To configure the CA to automatically issue certificates
1. On the computer with CA installed, click the Windows Start button, and then click Administrative Tools > Certification Authority.
2. In the Certification Authority window, right-click the first sub-branch and click Properties.
3. Click the Policy Module tab.
4. Click Properties, and then click Follow the settings in the certificate template, if applicable. Otherwise, automatically issue the certificate.
5. Click OK, respond to the message, and then click OK.
6. Click the root branch and use the buttons on the toolbar to restart the service.
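As an added example (not part of the Symantec guide), the following PowerShell script performs the same change as the procedure above from the command line: it sets the CA policy module's RequestDisposition registry value to 1 (issue automatically) with certutil, restarts Certificate Services, and then reads the value back. The check assumes certutil prints the value as "RequestDisposition REG_DWORD = 1".

```powershell
# Added example, not from the Symantec guide. Sets the default policy module of
# the local CA to issue certificates automatically, which is what Intel SCS
# needs when it requests a certificate during each Intel AMT setup.
# Run in an elevated prompt on the CA computer.

function Set-CaAutoIssue {
    # RequestDisposition 1 = issue the certificate automatically (the option
    # "Follow the settings in the certificate template, if applicable.
    # Otherwise, automatically issue the certificate" in the Policy Module tab).
    # 0x100 would instead leave every request pending for an administrator.
    & certutil -setreg policy\RequestDisposition 1
    if ($LASTEXITCODE -ne 0) { throw "certutil -setreg failed with exit code $LASTEXITCODE" }
    # The policy module reads the value when the service starts, so restart it
    # (same effect as the toolbar stop/start buttons in the snap-in).
    Restart-Service -Name CertSvc
}

function Test-CaAutoIssue {
    # Reads the value back and reports whether the CA is set to issue automatically.
    $out = & certutil -getreg policy\RequestDisposition
    if ($LASTEXITCODE -ne 0) { throw "certutil -getreg failed with exit code $LASTEXITCODE" }
    # Assumed output format: "RequestDisposition REG_DWORD = 1"; 101 (pending first) does not match.
    return [bool]($out | Select-String -Pattern 'RequestDisposition\s+REG_DWORD\s*=\s*0*1\b')
}

Set-CaAutoIssue
if (Test-CaAutoIssue) { 'CA issues certificates automatically' }
else { 'CA is NOT set to issue automatically; Intel SCS setups would wait for manual approval' }
```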
About installing .NET Framework on an OOB site server
The .NET Framework is Microsoft's managed code programming model for building applications on Windows clients, servers, and mobile or embedded devices.
You must install Microsoft .NET Framework 2.0 (with ASP.NET) and Microsoft Data Access Control 2.8 (MDAC) on the computer that you want to use as OOB site server.
See “About OOB site servers” on page 118.
You can download and install the .NET Framework 2.0 from the Microsoft Web site http://www.microsoft.com/downloads/details.aspx?FamilyID=0856eacb-4362-4b0d-8edd-aab15c5e04f5.
In the case of a default OOB site server installation (on the Notification Server computer), you don't have to install .NET Framework 2.0 additionally on the Notification Server computer. Notification Server requires and installs the .NET Framework 3.5 software, which includes .NET Framework 2.0 SP1.
About planning OOB site servers hierarchy
When you install Out of Band Management Component, the OOB site server is installed on the Notification Server computer. In a lab environment, you can keep the OOB site server installed on the Notification Server computer.
In a production environment, to reduce the workload on the Notification Server computer, you may consider moving the OOB site server to another computer.
It is possible that Intel AMT computers in your environment are located in multiple subnets, domains, or geographic locations, and cannot contact the only OOB site server directly (for example, due to network issues). In this case, consider installing an OOB site server at each of those locations.
For the OOB site servers hierarchy to work properly, the following conditions must be met:
The OOB site server computer must meet the minimum software requirements.
See “Prerequisites for OOB site server installation” on page 118.
The OOB site server computer can access the same SQL Server that is used by all OOB site servers.
See “About configuring SQL server” on page 34.
DNS for this location is configured to resolve the ProvisionServer host name to the OOB site server computer that is installed in this location.
See “About configuring DNS” on page 33.
See “About OOB site servers” on page 118.
Configuring a firewall to allow Intel SCS and SQL server connections
You must configure a firewall on the OOB site server computer (by default, the Notification Server computer) to allow incoming traffic to Intel SCS.
On the computer with Microsoft SQL Server installed, you must configure the firewall to allow incoming traffic to the SQL server.
Configuring firewall software on the client Intel AMT computers is not necessary: the Intel AMT firmware answers management traffic on its own ports before the host operating system sees it, so the host firewall does not block it. For the same reason, the host firewall cannot restrict who reaches Intel AMT; control that through network-level filtering and the access settings in the Intel AMT configuration profile.
See “About ports used by Intel AMT” on page 40.
To configure a firewall to allow Intel SCS connections
1
Open the Control Panel on the computer with Intel SCS installed (this is the OOB site server computer, by default, the Notification Server computer), and then click Windows Firewall.
2
In the Windows Firewall dialog box, on the Exceptions tab, click Add Program.
3
Click Browse, navigate to the instance of Intel SCS that you want to access through the firewall, and then click Open.
By default, Intel SCS is located at C:\Program Files\Intel\AMTConfServer\Windows Service\AMTConfigWinService.exe.
4
Click OK.
5
Click OK.
To configure a firewall to allow SQL server connections
1
Open the Control Panel on the computer with SQL Server installed, and then click Windows Firewall.
2
In the Windows Firewall dialog box, on the Exceptions tab, click Add Program.
3
Click Browse, and navigate to the instance of SQL Server that you want to access through the firewall, and then click Open.
For example, browse to C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\Sqlservr.exe.
Note that the path may be different depending on where SQL Server 2005 is installed and which instance you are using.
4
Click OK.
5
Click OK.
If you still cannot connect to the SQL server remotely, try adding TCP port 1433 to the firewall exceptions list. Port 1433 is the port of the default instance only; a named instance listens on a dynamic port unless you assign it a fixed port in SQL Server Configuration Manager, and clients locate it through the SQL Server Browser service (UDP 1434). Whichever exception you add, scope it to the addresses of the OOB site servers (and the Notification Server, if it uses the same SQL Server) rather than to every host, because those are the only computers that need to reach this SQL Server.
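The following PowerShell script is an added example, not part of the Symantec guide. It is the scripted equivalent of the two Windows Firewall procedures above, using the legacy netsh firewall context that the Exceptions tab drives on Windows XP SP2 and Windows Server 2003 (on Windows Server 2008 and later, use netsh advfirewall firewall add rule instead). It assumes the default install paths quoted above, that the OOB site server and SQL Server are separate hosts (so you run it once on each with the matching -Role), and uses 10.0.0.10 as a placeholder address for the OOB site server; the script name and parameter names are this example's own.

```powershell
<#
Added example (not Symantec's code): scripted Windows Firewall exceptions for
Intel SCS and SQL Server. Run in an elevated PowerShell session:
  .\Add-OobFirewallExceptions.ps1 -Role OobSiteServer
  .\Add-OobFirewallExceptions.ps1 -Role SqlServer -OobSiteServerAddresses 10.0.0.10
#>
param(
    [Parameter(Mandatory = $true)]
    [ValidateSet('OobSiteServer', 'SqlServer')]
    [string]$Role,

    # Addresses or subnets in netsh syntax (e.g. 10.0.0.10,10.0.1.0/24) that may
    # reach SQL Server. Only the OOB site servers need to, so keep this narrow.
    [string]$OobSiteServerAddresses = '',

    # Default paths from the guide (assumed). MSSQL.1 is the first SQL Server
    # 2005 instance on the host; change it for other instances.
    [string]$ScsExe = 'C:\Program Files\Intel\AMTConfServer\Windows Service\AMTConfigWinService.exe',
    [string]$SqlExe = 'C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\Sqlservr.exe'
)

$ErrorActionPreference = 'Stop'

# Runs "netsh firewall <args>" and turns a non-zero exit code into an error,
# so a failed exception does not go unnoticed in a larger rollout.
function Invoke-NetshFirewall {
    param([string[]]$Arguments)
    $output = & netsh.exe firewall $Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "netsh firewall $($Arguments -join ' ') failed: $output"
    }
    $output
}

function Add-ProgramException {
    param([string]$Path, [string]$Name, [string]$Addresses)
    if (-not (Test-Path -LiteralPath $Path)) {
        throw "Program not found: $Path (check the install path and instance name)"
    }
    # PowerShell quotes each array element that contains spaces, so the path
    # reaches netsh as a single program= token.
    $arguments = @('add', 'allowedprogram', "program=$Path", "name=$Name", 'mode=ENABLE')
    if ($Addresses) { $arguments += @('scope=CUSTOM', "addresses=$Addresses") }
    Invoke-NetshFirewall $arguments
}

function Add-PortException {
    param([int]$Port, [string]$Name, [string]$Addresses)
    $arguments = @('add', 'portopening', 'protocol=TCP', "port=$Port", "name=$Name", 'mode=ENABLE')
    if ($Addresses) { $arguments += @('scope=CUSTOM', "addresses=$Addresses") }
    Invoke-NetshFirewall $arguments
}

switch ($Role) {
    'OobSiteServer' {
        # Every Intel AMT device sends its Hello message here, so this
        # exception stays open to all client subnets (default scope ALL).
        Add-ProgramException -Path $ScsExe -Name 'Intel SCS (AMTConfigWinService)'
    }
    'SqlServer' {
        if (-not $OobSiteServerAddresses) {
            throw 'Specify -OobSiteServerAddresses so the SQL exception is not open to every host'
        }
        Add-ProgramException -Path $SqlExe -Name 'SQL Server (MSSQL.1)' -Addresses $OobSiteServerAddresses
        # The guide's fallback when the program exception alone is not enough.
        # 1433 is the default instance's port; a named instance uses a dynamic
        # port unless you fix it in SQL Server Configuration Manager.
        Add-PortException -Port 1433 -Name 'SQL Server TCP 1433' -Addresses $OobSiteServerAddresses
    }
}

# Print the resulting exception lists for review.
netsh.exe firewall show allowedprogram
netsh.exe firewall show portopening
```

The SQL role refuses to run without a scope on purpose: a mixed-authentication SQL Server reachable from every client subnet is a larger exposure than the Intel SCS listener, which genuinely has to accept connections from everywhere the Intel AMT devices are.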
About ports used by Intel AMT
By default, Intel SCS (a component of the OOB site server) listens on port 9971. Intel AMT devices send their Hello packets to this port.
Intel SCS and Altiris solutions that support out-of-band management communicate with Intel AMT devices using the following ports:
In non-secure mode, Intel AMT devices listen on port 16992
In TLS mode, Intel AMT devices listen on port 16993
See “Configuring a firewall to allow Intel SCS and SQL server connections” on page 39.
About installing Out of Band Management Component in a lab environment
To evaluate Out of Band Management Component, you only need a server in a lab environment with the minimum requirements and a few out-of-band capable client computers. This configuration lets you run through the installation and get a feel for configuring computers and performing basic tasks. In a lab environment, you can install the SQL server and the OOB site server on the same computer where you installed Notification Server.
We recommend that you configure the Altiris Agent settings for evaluation use.
See “Configuring the Altiris Agent settings for evaluation use” on page 52.
To reduce server workload in a production environment, we recommend that you use different computers for Notification Server, SQL server, and OOB site server. Depending on the number of Intel AMT computers in your enterprise and the number of geographic locations, you can install more OOB site servers.
See “About planning OOB site servers hierarchy” on page 38.
About managing Intel AMT computers without the Altiris Agent installed
To use the full set of features that Altiris solutions offer, we recommend that you install the Altiris Agent on the computers in your environment. However, Out of Band Management Component lets you set up and configure the Intel AMT computers that do not have the Altiris Agent installed.
If you choose not to install the Altiris Agent on the computers with Intel AMT, you cannot perform the following actions:
Discover unconfigured Intel AMT capable computers in your environment.
Use other Altiris solutions to run in-band management tasks (for example, software inventory, software installation, and so on) on these computers.
Run the jobs that contain in-band tasks. For example, turn on the computer (out-of-band) > collect software inventory (in-band) > run a script (in-band) > turn off the computer (out-of-band).
Use the Delayed Setup and Configuration policy or the Send Intel AMT Hello message task to reset an unconfigured Intel AMT device remotely without touching the computer.
Initialize computers with Intel AMT 2.2 and 2.6 using the Remote Configuration feature.
With agentless Intel AMT computers you can perform the following actions:
Use Out of Band Management Component to set up and configure known Intel AMT computers that are initialized, and send configuration requests to the configuration server.
Run out-of-band management tasks from the Symantec Management Console. For example, you can collect Intel AMT hardware inventory; turn on, turn off, and restart the computers; configure Intel AMT alerts; and so on.
Use the SOL/IDE-R, Network Filtering, and other out-of-band features of Intel AMT.
Initialize computers with Intel AMT 3.0 and later using the Remote Configuration feature.
To create computer resources for agentless Intel AMT computers in the Symantec Management Console, run the Resource Synchronization policy.
See “Synchronizing Intel SCS and Notification Server resources” on page 88.
After this policy has run, the computer resources appear in the Configured Intel AMT Computers filter. This policy creates resources only for the Intel AMT computers that you set up and configured with Out of Band Management Component.
The computers that do not have the Altiris Agent installed do not appear in the standard Symantec Management Console filters like Windows Computers.
Note: To configure ASF and DASH capable computers with Out of Band Management Component you must install the Altiris Agent on those computers.
Installing Out of Band Management Component
This chapter includes the following topics:
System requirements
Installing the Out of Band Management Component product
Upgrading the Out of Band Management Component product
Uninstalling Out of Band Management Component
System requirements
Out of Band Management Component has the following requirements:
Out of Band Management Component installation requirements
See “About Out of Band Management Component requirements” on page 43.
Client computer software and hardware requirements
See “About client computer software and hardware requirements” on page 44.
About Out of Band Management Component requirements
Out of Band Management Component requires the following:
Symantec Management Platform 7.0 SP4.
When you install Out of Band Management Component through Symantec Installation Manager, Symantec Management Platform is installed or upgraded automatically.
For more information on Symantec Management Platform prerequisites and installation instructions, see the Symantec Management Platform Help.
See “Where to get more information” on page 27.
Microsoft SQL Server 2005.
See “About configuring SQL server” on page 34.
SQL server is configured in mixed authentication mode. Mixed mode enables SQL Server logins, including sa, in addition to Windows authentication, so give those logins strong passwords.
See “About configuring SQL server” on page 34.
Out of Band Management Component also requires that you configure your environment, such as DNS, DHCP, and so on.
See “About environment requirements” on page 32.
You can configure the environment before or after you install Out of Band Management Component.
About client computer software and hardware requirements
The client computers that you want to configure for out-of-band management with Out of Band Management Component must meet certain hardware and software requirements. The client computers must support one of the out-of-band management technologies.
Table 3-1 Client computer software requirements
Requirement: Description
Hardware: 60 MB free hard disk space; 64 MB RAM (128 MB recommended)
Operating system: Windows 2003 Server SP2 or later; Windows XP SP2 or later
Table 3-2 Client computer out-of-band technology requirements
Technology: Description
Intel AMT 2.0, 2.1, 2.2, 2.5, 2.6, 3.0, 4.0, 5.0 and later: Computers with Intel AMT have an Intel vPro or Centrino Pro label on them.
Broadcom ASF 2.0 or Intel ASF 2.0: The Broadcom and Intel implementations of ASF are supported.
Broadcom DASH: The Broadcom implementation of DASH technology is supported.
Installing the Out of Band Management Component product
Use SymantecInstallation Managerto installOut ofBand ManagementComponent.
For more information on installing products, see the Symantec Installation Manager documentation.
See “Where to get more information” on page 27.
Upgrading the Out of Band Management Component product
Use Symantec Installation Manager to upgrade Out of Band Management Component.
For more information on upgrading products, see the Symantec Installation Manager documentation.
See “Where to get more information” on page 27.
After you upgrade the product, you must upgrade the Out of Band Task Agents that are installed on the target computers.
To upgrade the Out of Band Task Agent
1
In the Symantec Management Console, on the Actions menu, click Agents/Plug-ins > Rollout Agents/Plug-ins.
2
In the left pane, click Remote Management > Out of Band Management > Out of Band Task Agent - Upgrade.
3
Turn on the policy.
To turn on the policy, at the upper right of the page, click the colored circle, and then click On.
4
Click Save changes.
Uninstalling Out of Band Management Component
To uninstall Out of Band Management Component perform the following steps:
Table 3-3 Uninstalling Out of Band Management Component
Step 1: Uninstall the Out of Band Task Agent from the client computers. This step is required if you do not want to reinstall Out of Band Management Component later. See “Uninstalling the Out of Band Task Agent” on page 46.
Step 2: Uninstall Out of Band Management Component from Notification Server. This step removes the product from Notification Server. See “Uninstalling Out of Band Management Component from Notification Server” on page 47.
Uninstalling the Out of Band Task Agent
If you do not want to reinstall the Out of Band Management Component, remove the Out of Band Task Agent from the client computers.
The agent uninstallation process can take some time to start, depending on the intervals that are set between the updates of the Altiris Agent.
See “Configuring the Altiris Agent settings for evaluation use” on page 52.
Do not uninstall the Out of Band Management Component software from Notification Server until the task has run on all computers. When Out of Band Management Component is uninstalled, there is no automated way to uninstall the agents.
To uninstall the Out of Band Task Agent
1
In the Symantec Management Console, on the Actions menu, click Agents/Plug-ins > Rollout Agents/Plug-ins.
2
In the left pane, click Remote Management > Out of Band Management > Out of Band Task Agent - Uninstall.
3
Turn on the policy.
To turn on the policy, at the upper right of the page, click the colored circle, and then click On.
4
Click Save changes.
Uninstalling Out of Band Management Component from Notification Server
Use Symantec Installation Manager to uninstall Out of Band Management Component.
For more information on uninstalling products, see the Symantec Installation Manager documentation.
See “Where to get more information” on page 27.
Preparing target computers for management
This chapter includes the following topics:
Preparing target computers for management
Preparing target computers for management
Before you can use Out of Band Management Component, you must prepare the computers that you want to manage.
Table 4-1 Process for preparing target computers for management
Step 1: Discover manageable computers in your environment. Discovery helps you find the host names of the computers on which you can install the Altiris Agent. See “Discovering computers” on page 51.
Step 2: Install the Altiris Agent on target computers. The Altiris Agent lets Notification Server get information from and interact with the client computers. For the configuration and management of Intel AMT computers, the Altiris Agent is optional. However, for easier Intel AMT setup and configuration, we recommend that you install the agent. See “Installing the Altiris Agent” on page 51. See “About managing Intel AMT computers without the Altiris Agent installed” on page 41.
Step 3 (Optional): Configure the Altiris Agent settings for evaluation use. For easier configuration and evaluation of Out of Band Management Component, make the Altiris Agent request configuration from Notification Server more frequently. See “Configuring the Altiris Agent settings for evaluation use” on page 52.
Step 4: Discover out-of-band capable computers. The Out of Band Discovery policy lets you find the computers that are capable of out-of-band management. See “Discovering out-of-band capable computers” on page 52.
Step 5: Install the Out of Band Task Agent. You must install this agent on the ASF and the DASH computers in your environment. We recommend installing this agent on the Intel AMT computers in your environment for easier setup and configuration. See “Installing the Out of Band Task Agent” on page 53.
Discovering computers
Discovery lets you find the hostnames of the computers where you can install the Altiris Agent. You can discover computers on the network using a domain or a workgroup search.
For more information on resource discovery, see the Symantec Management Platform Help.
See “Preparing target computers for management” on page 49.
To discover computers
1
In the Symantec Management Console, on the Actions menu, click Discover > Import Domain Membership/WINS.
2
In the Add Domain box, type the domain name, and then click the Add symbol.
3
Check Domain Membership, and then click Discover Now.
4
As the discovery process finishes, click View discovery reports to view the list of discovered computers.
Installing the Altiris Agent
The Altiris Agent is the software that establishes communication between Notification Server and the computers in your network. Computers with the Altiris Agent installed on them are called managed computers. Notification Server then interacts with the Altiris Agent to monitor and manage each computer from the Symantec Management Console.
Install the Altiris Agent on the computers that you want to manage with Out of Band Management Component. For Intel AMT computers the agent is optional, but it simplifies setup and configuration; ASF and DASH computers require it.
For moreinformation onthe Altiris Agent, see the Symantec Management Platform Help.
See “Preparing target computers for management” on page 49.
To install the Altiris Agent
1
In the Symantec Management Console, on the Actions menu, click Agents/Plug-ins > Push Altiris Agent.
2
On the Altiris Agent Installation page, install the Altiris Agent to computers in your environment.
For more information on how to install the Altiris Agent, see the Symantec Management Platform Help (press F1 or click Help > Context in the Symantec Management Console).
Configuring the Altiris Agent settings for evaluation use
(Optional)
By default, the Altiris Agent requests new configuration from Notification Server once per hour. This means that it can take up to one hour for a rollout policy to reach the target computer.
If you are evaluating this solution in a lab environment, you can change the configuration request interval to speed up the evaluation process.
The next time the Altiris Agent downloads configuration information, these settings take effect. If you used the default agent configuration values before the change, updates can take up to one hour before these changes are effective.
See “Preparing target computers for management” on page 49.
To configure the Altiris Agent for evaluation use
1
In the Symantec Management Console, on the Settings menu, click Agents/Plug-ins > Targeted Agent Settings.
2
In the left pane, under Policy Name, click the policy that applies to the computers that you want to configure. For example, click All Desktop computers (excluding 'Site Servers').
3
On the General tab, in the Download new configuration every box, change the value to 5 minutes.
This forces the agent to check more frequently for changes so you can see the results of the changes you make more quickly.
4
In the Upload basic inventory every box, change the value to 15 minutes.
This forces inventory data to be sent more frequently.
5
Click Save changes.
Discovering out-of-band capable computers
If you want to manage computers out of band, the first step is to know which computers on your network are out-of-band capable. Out of Band Management Component includes the Out of Band Discovery policy that can help you discover these computers. The policy requires that the computers to be checked for out-of-band capability be turned on and running a supported version of the Windows operating system and the Altiris Agent. After the policy runs on the client computers, the out-of-band capable computers are added to the corresponding filters.
See “About client computer software and hardware requirements” on page 44.
See “Preparing target computers for management” on page 49.
To discover out-of-band capable computers
1
Install the Altiris Agent on the client computers, if they are not already installed.
See “Installing the Altiris Agent” on page 51.
2
In the Symantec Management Console, on the Actions menu, click Agents/Plug-ins > Rollout Agents/Plug-ins.
3
In the left pane, click Remote Management > Out of Band Management > Out of Band Discovery.
4
(Optional) By default, the policy is configured to run on all Windows computers. If you want to run the policy on a different set of computers, under Applied to, change the resource targets.
5
Turn on the policy.
To turn on the policy, at the upper right of the page, click the colored circle, and then click On.
6
Click Save changes.
To view the list of the out-of-band capable computers
1
In the Symantec Management Console, on the Manage menu, click Filters.
2
In the left pane, click Out of Band Management.
3
Click one of the following filters:
ASF/DASH Capable Computers
Intel AMT Capable Computers
Installing the Out of Band Task Agent
The Out of Band Task Agent runs on client computers and lets you perform ASF and DASH in-band configuration tasks. It is also used for the Delayed Configuration feature.
See “About resending Hello messages” on page 89.
See “Preparing target computers for management” on page 49.
To deploy the Out of Band Task Agent
1
In the Symantec Management Console, on the Actions menu, click Agents/Plug-ins > Rollout Agents/Plug-ins.
2
In the left pane, click Remote Management > Out of Band Management > Out of Band Task Agent - Install.
3
(Optional) By default, the policy is configured to run on all Windows computers, which the Out of Band Discovery policy has detected as out-of-band capable. If you want to run the policy on a different set of computers, under Applied to, change the resource targets.
4
Turn on the policy.
To turn on the policy, at the upper right of the page, click the colored circle, and then click On.
5
Click Save changes.
Configuring Out of Band Management Component
This chapter includes the following topics:
Integrating Intel SCS with Active Directory
Integrating Intel SCS with Active Directory
(Intel AMT only)
Microsoft's Active Directory (AD) is a directory service that integrates with Windows 2003 Server. AD is an optional environment prerequisite.
See “About environment requirements” on page 32.
You mustintegrate Intel SCS with Active Directory ifyou want to use the following Intel AMT features:
Kerberos authentication using AMT objects
User lists
802.1X Profiles
To integrate Intel SCS with Active Directory
1
Ensure the OOB site server computer (by default, the Notification Server computer) is registered in a domain.
2
Create a new organizational unit in the Active Directory for Intel AMT devices as follows:
On the domain controller computer, in the Administrative Tools, click Active Directory Users and Computers.
Right-click on the domain node, and then click New > Organizational Unit.
Type the name of the unit.
Example: IntelAMT
Note: Do not use spaces in the organizational unit's name.
Click OK.
Later, when you assign configuration profiles to Intel AMT devices, you can specify the organizational unit where the configured Intel AMT devices are registered.
3
In the Symantec Management Console, on the Settings menu, click All Settings.
4
In the left pane, click Remote Management > Out of Band Management > Configuration Service Settings > General.
5
Check Active Directory Integration.
6
In the Default AD OU drop-down list, click the name of the organizational unit that you created.
In this example, click IntelAMT.
7
Click Save changes.
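The following PowerShell script is an added example, not part of the Symantec guide. It performs step 2 of the procedure (creating the organizational unit for Intel AMT objects) with ADSI, which is available on a Windows Server 2003 domain controller without extra modules, and enforces the guide's rule that the unit's name contains no spaces. The OU name IntelAMT is the guide's example; the script and parameter names are this example's own. Steps 3 through 7 (enabling Active Directory Integration and choosing the Default AD OU) are done in the Symantec Management Console as described above.

```powershell
<#
Added example (not Symantec's code): creates the Intel AMT organizational unit
from step 2 with ADSI. Run on, or with rights to, a domain controller:
  .\New-IntelAmtOu.ps1
  .\New-IntelAmtOu.ps1 -OuName AMTDevices
#>
param([string]$OuName = 'IntelAMT')

$ErrorActionPreference = 'Stop'

# The guide requires an OU name without spaces. Reject LDAP-special characters
# too, so the distinguished name built below is well-formed.
if ($OuName -match '[\s,+"\\<>;=#]') {
    throw "OU name '$OuName' contains spaces or characters that are not allowed"
}

# RootDSE tells us the domain's naming context, so the script works in any domain.
$rootDse  = [ADSI]'LDAP://RootDSE'
$domainDn = [string]$rootDse.Get('defaultNamingContext')
$domain   = [ADSI]"LDAP://$domainDn"

# Re-running the script must not fail or create duplicates.
$ouDn = "OU=$OuName,$domainDn"
if ([ADSI]::Exists("LDAP://$ouDn")) {
    Write-Host "OU already exists: $ouDn"
} else {
    $ou = $domain.Create('organizationalUnit', "OU=$OuName")
    $ou.SetInfo()
    Write-Host "Created $ouDn"
}

# Print the DN to paste into the Default AD OU selection in the console.
$ouDn
```

Keeping the Intel AMT objects in their own OU, as the guide recommends, also lets you delegate rights to that OU alone rather than granting the Intel SCS service account write access elsewhere in the domain.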
Configuring Intel AMT computers for out-of-band management
This chapter includes the following topics:
About configuring Intel AMT computers for out-of-band management
Prerequisites for Intel AMT configuration
Configuring Intel AMT computers for out-of-band management
About resending Hello messages
Configuring Intel AMT computers in small business mode
About configuring Intel AMT computers for out-of-band management
Before you can manage Intel AMT computers out of band, you must configure the Intel AMT devices.
Configuration of Intel AMT computers in enterprise mode consists of the following stages:
Initialization: You initialize Intel AMT computers by installing PID-PPS pairs into the Intel AMT firmware either manually or automatically (using the Remote Configuration feature). See “About Intel AMT initialization” on page 58.
Setup: Initialized computers enter the setup mode and start requesting configuration by sending Hello messages to the computer with the ProvisionServer host name. The ProvisionServer computer is the OOB site server that you installed in your environment. See “About OOB site servers” on page 118. You must configure DNS to resolve the ProvisionServer host name to that server. See “About configuring DNS” on page 33.
Configuration: When the OOB site server computer (by default, the Notification Server computer) receives a Hello message, a configuration process is initiated. The Intel AMT computer gets configured with the appropriate configuration settings that you defined in the Intel AMT configuration profile. See “Creating Intel AMT configuration profiles” on page 62. See “About Intel AMT setup and configuration” on page 59.
See “Prerequisites for Intel AMT configuration” on page 61.
See “Configuring IntelAMT computersfor out-of-band management” on page 61.
About Intel AMT initialization
Initialization (previously known as pre-provisioning) is the process of populating the client Intel AMT computers with the Provisioning ID and the Provisioning Pre-Shared Key (PID-PPS) pairs. These pairs are needed for secure communications during the setup and configuration process.
Depending on your infrastructure and the Intel AMT firmware version, you can use the following methods of initialization:
Remote Configuration: The zero-touch Remote Configuration method is the easiest way of initializing a large number of Intel AMT computers. This method works on Intel AMT 3.0 or later (and, with the Altiris Agent installed, on Intel AMT 2.2 and 2.6; see “About managing Intel AMT computers without the Altiris Agent installed” on page 41). This method requires you to purchase a certificate. Using this feature does not require you to visit the physical location of the computer with Intel AMT. See “Prerequisites for using the Remote Configuration feature” on page 69. See “Initializing Intel AMT computers using the Remote Configuration feature” on page 65.
Manual initialization: If you cannot purchase a remote configuration certificate, or if you have computers with Intel AMT versions that do not support Remote Configuration, you must visit the physical location of each Intel AMT computer and initialize them manually. In some cases, you can perform one-touch manual initialization using a USB key. In other cases, you must type security keys (PID-PPS pairs) into the Intel AMT device manually through the BIOS. See “Initializing Intel AMT computers manually” on page 76.
When initialized for the first time, the Intel AMT device sends Hello messages to Intel SCS periodically for about six hours. If for some reason the configuration server is unavailable for more than six hours, Intel AMT setup and configuration fails. To set up and configure the Intel AMT device, you must resend Hello messages when the configuration server becomes available.
See “About resending Hello messages” on page 89.
If you want to initialize, set up, and configure Intel AMT capable notebook computers, make sure you connect the computers to the wired network.
See “Prerequisites for Intel AMT configuration” on page 61.
See “Configuring IntelAMT computersfor out-of-band management” on page 61.
About Intel AMT setup and configuration
Setup and configuration (sometimes referred to as provisioning) is a process of data exchange between the Intel AMT device and the configuration server. At the end of the setup and configuration process the Intel AMT computer is ready for out-of-band management.
The setup and configuration process starts right after you initialize the Intel AMT computer.
See “About Intel AMT initialization” on page 58.
Figure 6-1 Intel AMT setup and configuration process (figure not reproduced; the steps it illustrates follow)
The setup and configuration goes through the following steps:
1
An initialized Intel AMT device on the client computer requests an IP address from a DHCP server.
2
The Intel AMT device performs a DNS lookup for ProvisionServer to find the configuration server (OOB site server).
If there is no ProvisionServer record in the DNS, and you are not authorized to add DNS records, you can manually type the IP address of the configuration server into the Intel AMT computer's MEBx.
3
The Intel AMT device sends a TCP/IP Hello message to the configuration server.
If for some reason the configuration server is unavailable for more than six hours, the device stops sending messages.
See “About resending Hello messages” on page 89.
4
Based on the UUID that is located in the Hello message, Out of Band Management Component searches the Intel SCS database for the configuration profile and the host name that you assigned to this Intel AMT device.
5
If you use TLS to secure communications, Intel SCS requests a certificate for Intel AMT from a Microsoft certification authority (CA) server.
6
If you enabled integration with Active Directory, Intel SCS defines the device as an AMT object in the Microsoft Active Directory domain controller.
7
The Intel SCS service completes configuration using SOAP commands.
After setupand configuration, the computer is ready for out-of-band management with Altiris solutions.
See “Altiris products that can manage computers out of band” on page 15.
See “Prerequisites for Intel AMT configuration” on page 61.
See “Configuring IntelAMT computersfor out-of-band management” on page 61.
Prerequisites for Intel AMT configuration
Before you proceed with Intel AMT setup and configuration, the following conditions must be met:
An OOB site server is installed in your environment and the AMTConfig service is running. See “About OOB site servers” on page 118.
The OOB site server computer is registered in the DNS as ProvisionServer. See “About configuring DNS” on page 33.
You configured the firewall to allow incoming traffic to Intel SCS. See “Configuring a firewall to allow Intel SCS and SQL server connections” on page 39.
You discovered out-of-band capable computers and installed the management agents. See “Preparing target computers for management” on page 49.
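The following PowerShell script is an added example, not part of the Symantec guide. Run on the OOB site server, it checks the first three prerequisites above and exercises the ports listed in “About ports used by Intel AMT”: 9971, where Intel AMT devices send Hello messages, and 16992 (non-secure) or 16993 (TLS), where configured devices listen. It assumes that AMTConfig, as the prerequisite list calls the service, is the service's short name, and that any names you pass as -AmtHost are Intel AMT computers you have already set up and configured; the script and parameter names are this example's own.

```powershell
<#
Added example (not Symantec's code): pre-flight check for Intel AMT setup and
configuration, run on the OOB site server.
  .\Test-OobPrerequisites.ps1
  .\Test-OobPrerequisites.ps1 -AmtHost amt-client-01,amt-client-02
#>
param(
    [string]$ProvisionServerName = 'ProvisionServer',
    [int]$HelloPort = 9971,
    [string[]]$AmtHost = @()
)

$results = @()
function Add-Result([string]$Check, [bool]$Passed, [string]$Detail) {
    $script:results += New-Object PSObject -Property @{ Check = $Check; Passed = $Passed; Detail = $Detail }
}

# TCP connect with a timeout: TcpClient.Connect alone can hang for a long
# time against a filtered port, which is exactly the case we want to detect.
function Test-TcpPort([string]$TargetHost, [int]$Port, [int]$TimeoutMs = 3000) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($TargetHost, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($ar)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# 1. The AMTConfig (Intel SCS) service is installed and running.
$svc = Get-Service -Name 'AMTConfig' -ErrorAction SilentlyContinue
if ($svc -eq $null) {
    Add-Result 'AMTConfig service' $false 'service not found; is this the OOB site server?'
} else {
    Add-Result 'AMTConfig service' ($svc.Status -eq 'Running') "status is $($svc.Status)"
}

# 2. ProvisionServer resolves in DNS, and to one of this computer's addresses.
$localAddresses = @([System.Net.Dns]::GetHostAddresses([System.Net.Dns]::GetHostName()) |
    ForEach-Object { $_.IPAddressToString })
try {
    $resolved = @([System.Net.Dns]::GetHostAddresses($ProvisionServerName) |
        ForEach-Object { $_.IPAddressToString })
} catch {
    $resolved = @()
}
if ($resolved.Count -eq 0) {
    Add-Result 'DNS ProvisionServer' $false "$ProvisionServerName does not resolve"
} else {
    $mine = @($resolved | Where-Object { $localAddresses -contains $_ })
    Add-Result 'DNS ProvisionServer' ($mine.Count -gt 0) "resolves to $($resolved -join ', ')"
}

# 3. Intel SCS is listening for Hello messages. A local check cannot prove the
#    firewall exception; run Test-TcpPort against this server from a client
#    subnet for that.
$listening = @([System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties().GetActiveTcpListeners() |
    Where-Object { $_.Port -eq $HelloPort })
Add-Result "Hello port $HelloPort listener" ($listening.Count -gt 0) 'local listener check only; verify through the firewall from a client subnet'

# 4. Configured Intel AMT devices answer on 16992 (non-secure) or 16993 (TLS).
#    A device that answers only on 16992 is being managed without TLS.
foreach ($h in $AmtHost) {
    $plain = Test-TcpPort $h 16992
    $tls   = Test-TcpPort $h 16993
    $mode  = if ($tls) { 'TLS (16993)' } elseif ($plain) { 'non-secure (16992)' } else { 'no answer on 16992 or 16993' }
    Add-Result "AMT device $h" ($plain -or $tls) $mode
}

$results | Format-Table Check, Passed, Detail -AutoSize
```

The device check is the one worth keeping after rollout: it shows at a glance which Intel AMT devices are answering only on the non-secure port, which is what you would expect to see if a profile without TLS has been assigned by mistake.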
Configuring Intel AMT computers for out-of-band management
To configure Intel AMT computers for out-of-band management in enterprise mode you must complete the following steps:
See “About Intel AMT configuration modes” on page 18.
Table 6-1 Process for configuring Intel AMT computers for out-of-band management
Step 1: Create a configuration profile. Configuration profiles contain Intel AMT configuration parameters. See “Creating Intel AMT configuration profiles” on page 62.
Step 2: Configure an automatic profile assignment. Out of Band Management Component can assign a configuration profile and a host name to the Intel AMT device automatically, based on the rules that you define. See “Configuring the automatic Intel AMT configuration profile assignment” on page 64.
Step 3: Initialize the Intel AMT computers. To get configured, the Intel AMT device must send a configuration request to Intel SCS. See “About Intel AMT initialization” on page 58. See “Initializing Intel AMT computers using the Remote Configuration feature” on page 65. See “Initializing Intel AMT computers manually” on page 76.
Step 4: Set up and configure the Intel AMT computers. After you set up and configure the Intel AMT computers, they are ready for out-of-band management. See “Setting up and configuring initialized Intel AMT computers” on page 82.
Creating Intel AMT configuration profiles
The setup and configuration of an Intel AMT device in enterprise mode requires a configuration profile (previously known as a provisioning profile). Configuration profiles contain Intel AMT configuration parameters. Profiles determine which features are enabled in the device, what authentication mechanism to use, and which users have access to device features.
You can define as many configuration profiles as you want. For example, you can use a different profile for different sites. Each profile can be assigned to one or more Intel AMT devices.
A configuration profile can contain auxiliary profiles, which configure additional Intel AMT features.
You can use the following auxiliary profiles in a configuration profile:
802.1x Profiles: 802.1x profiles let you specify security settings and can be applied to configuration profiles and wireless profiles.
Management Presence Servers: Contains the list of Management Presence Servers (MPS) that you can use in a remote access policy.
Remote Access Policies: A remote access policy contains the information that the Intel AMT devices need to connect to a Management Presence Server (MPS). An MPS is needed for the client-initiated remote access (CIRA) functionality.
Trusted Root Certificates: Certificates are used for the Remote Configuration and TLS features.
Wireless Profiles: Wireless profiles let you specify wireless settings and are applied to configuration profiles. Multiple wireless profiles can be applied to one configuration profile to specify settings for multiple wireless access points.
See “Configuring Intel AMT wireless settings” on page 64.
Out of Band Management Component installs with a default configuration profile already created. For evaluation, you can keep the default profile and proceed to the next step.
See “Configuring Intel AMT computers for out-of-band management” on page 61.
To create a new configuration profile
1
In the Symantec Management Console, on the Settings menu, click All Settings.
2
In the left pane, click Remote Management > Out of Band Management > Configuration Service Settings > Configuration Profiles.
3
In the right pane, click the Add symbol.
4
In the dialog box, specify the parameters for the profile.
See “Configuration Profiles page” on page 131.
Page 64
Configuring Intel AMT wireless settings
(Intel AMT 2.5, 2.6, 4.0, and 6.0 only)
Wireless profiles are used to configure Intel AMT 2.5, 2.6, 4.0, and 6.0 wireless settings.
A wireless profile defines which protocols are used between an Intel AMT device and a wireless access point when the Intel AMT computer is in a sleep state and the operating system's wireless settings are not accessible. Wireless profiles conform to IEEE 802.11i.
For computers that are used in different wireless environments, different wireless profiles can be created and associated with a configuration profile.
An Intel AMT notebook computer that is configured with a wireless profile offers full Intel AMT management functionality through the wireless connection, except for setup and configuration. Setup and configuration is possible only through a wired network connection.
See “Creating Intel AMT configuration profiles” on page 62.
To create a wireless profile
1
In the Symantec Management Console, on the Settings menu, click All Settings.
2
In the left pane, click Remote Management > Out of Band Management > Configuration Service Settings > Auxiliary Profiles > Wireless Profiles.
3
On the Wireless Profiles page, click the Add symbol.
4
In the Add Wireless Profile dialog box, configure the wanted settings and click OK.
See “Auxiliary Profiles: Wireless Profiles page” on page 130.
Configuring the automatic Intel AMT configuration profile assignment
The Resource Synchronization policy lets you automatically map a configuration profile to Intel AMT computers in an unconfigured state.
For the automatic mapping to work, you must let Out of Band Management Component detect the FQDN of the Intel AMT device.
You can do this in the following ways:
If you want to configure a managed Intel AMT computer with the Altiris Agent installed, let the Altiris Agent register with Notification Server and send basic inventory. Basic inventory includes the UUID of the Intel AMT device and the FQDN that is used by the operating system. Out of Band Management Component assigns this FQDN to the Intel AMT device at the time of setup and configuration.
Page 65
If you want to configure unmanaged computers, you can check Use DNS IP resolution to find FQDN when assigning profiles on the Resource Synchronization page.
In this case, Out of Band Management Component performs a DNS lookup of the device's IP address and assigns the Intel AMT device the resulting DNS name, rather than the FQDN that is stored in the database.
To use this option you must have a properly configured network infrastructure where dynamic IP addresses are properly resolved to DNS names. Otherwise, an incorrect FQDN can be assigned to the Intel AMT device and the device will not be accessible.
See “Configuring IntelAMT computersfor out-of-band management” on page 61.
To configure automatic profile assignment
1
In the Symantec Management Console, on the Settings menu, click All Settings.
2
In the left pane, click Remote Management > Out of Band Management > Intel AMT Systems > Resource Synchronization.
3
Under Profile assignment settings, add a profile to assign to all Intel AMT computers that request configuration.
You canadd more than one profile, for example,if you want to assign different profiles to computers from different domains.
4
If you want to assign an FQDN to an Intel AMT computer that does not have the Altiris Agent installed and whose FQDN is not known to Notification Server, check Use DNS IP resolution to find FQDN when assigning profiles.
5
Turn on the policy and click Save changes.
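Before you turn on the DNS IP resolution option, confirm that the name a DNS lookup returns for each device address also resolves back to that address; that agreement is the condition the option depends on. The following PowerShell script is an added example and is not part of the Symantec guide. It assumes it runs on a domain-joined computer that uses the same DNS servers as Notification Server; the addresses in $DeviceIps are constructed sample input.

```powershell
# Added example, not code from the Symantec guide. For each unconfigured Intel AMT
# device address, resolve IP -> name (what "Use DNS IP resolution to find FQDN"
# would assign) and then name -> IP, and report whether the two agree.
# $DeviceIps is constructed sample input; replace it with your device addresses.
$DeviceIps = @('10.0.0.25', '10.0.0.26')

function Test-AmtDnsIpResolution {
    param([Parameter(Mandatory = $true)][string]$IpAddress)

    $result = [pscustomobject]@{
        IpAddress  = $IpAddress
        Fqdn       = ''
        Consistent = $false
        Reason     = ''
    }
    try {
        # Reverse lookup (IP -> name): the FQDN the component would store for the device
        $result.Fqdn = [System.Net.Dns]::GetHostEntry($IpAddress).HostName
    } catch {
        $result.Reason = "reverse lookup failed: $($_.Exception.Message)"
        return $result
    }
    if ($result.Fqdn -notmatch '\.') {
        $result.Reason = 'reverse lookup returned a short host name, not an FQDN'
        return $result
    }
    try {
        # Forward lookup (name -> IPs): the original address must be among the answers.
        # If it is not, the reverse record is stale (typical with dynamic addresses) and
        # the device would be configured with a name that points somewhere else.
        $forward = [System.Net.Dns]::GetHostAddresses($result.Fqdn) |
            ForEach-Object { $_.IPAddressToString }
    } catch {
        $result.Reason = "forward lookup of $($result.Fqdn) failed: $($_.Exception.Message)"
        return $result
    }
    if ($forward -contains $IpAddress) {
        $result.Consistent = $true
        $result.Reason = 'reverse and forward records agree'
    } else {
        $result.Reason = "$($result.Fqdn) resolves to $($forward -join ', '), not $IpAddress"
    }
    return $result
}

$DeviceIps | ForEach-Object { Test-AmtDnsIpResolution -IpAddress $_ } | Format-Table -AutoSize
```

Turn on the option only when every device reports Consistent = True. A False row is exactly the case the warning above describes: the device would be configured with a name that does not lead back to it.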
Initializing Intel AMT computers using the Remote Configuration feature
(Intel AMT 3.0 and later)
The zero-touch Remote Configuration feature lets you initialize Intel AMT 3.0 and later computers without a need to visit the computers' location and manually install the PID-PPS pair. Preparing the infrastructure for Remote Configuration requires you to perform some advanced server-side configuration and purchase a certificate. However, when everything is set up, initializing thousands of Intel AMT computers becomes an easy and automated task.
If you cannot purchase a remote configuration certificate, or if you have computers with Intel AMT versions that do not support Remote Configuration, you must initialize Intel AMT computers manually.
Page 66
See “Initializing Intel AMT computers manually” on page 76.
Computers withIntel AMT3.0 and later support bare-metal Remote Configuration (configuration without the need for an operating system).
Note: Computers with Intel AMT 2.2 and 2.6 are also capable of automatic remote configuration, but require a software agent to initiate the Remote Configuration process.
See “ResendingHello messages with the Delayed Configuration policy” on page 89.
See “Configuring IntelAMT computersfor out-of-band management” on page 61.
Table 6-2
Process for initializing Intel AMT computers using the Remote Configuration feature

Step 1: Learn how Remote Configuration works.
Understand what certificates you need and how Remote Configuration works.
See “About the Intel AMT Remote Configuration feature” on page 67.

Step 2: Make sure you meet the requirements for this feature.
You must prepare your environment to support Remote Configuration.
See “Prerequisites for using the Remote Configuration feature” on page 69.

Step 3: Configure your OOB site server for Remote Configuration.
You must generate and install certificates.
See “Configuring your OOB site server computer (by default, the Notification Server computer) for Remote Configuration” on page 69.

Step 4: Configure Out of Band Management Component for Remote Configuration.
Enable the Remote Configuration feature support in Intel SCS.
See “Enabling the Remote Configuration feature in Out of Band Management Component” on page 75.

Step 5: Start the Remote Configuration.
Start and monitor the Remote Configuration process.
See “Starting the Intel AMT Remote Configuration” on page 75.
Page 67
About the Intel AMT Remote Configuration feature
An Intel AMT device is prepared for remote configuration by having security certificate hashes added to the Intel AMT firmware. There are two sources of hashes within the Intel AMT firmware:
Certificate provider: These hashes correspond to certificates from commercial SSL certificate providers, such as Verisign. Several of these hashes are added to the firmware by Intel. Others can be added by the computer OEM in partnership with commercial certificate providers. In this case, you must request a security certificate from the certificate provider that corresponds to the hash you want to use.
Self-provided: These hashes are based on your own root certification authority. In this case, you issue the necessary certificate from your own certification authority. You can use this method to evaluate the Remote Configuration feature in a lab environment before you purchase a commercial certificate from a certificate provider. The hash that you must add to the Intel AMT firmware is displayed in the Thumbprint field of the trusted root CA certificate. These hashes can be added to the Intel AMT firmware by an OEM (on your request), or you can flash the firmware yourself. You can also enter the hash into the MEBx manually, through the Setup and Configuration > TLS PKI > Manage Certificate Hashes menu.
When you power on the computer, the Intel AMT device starts sending Hello messages to the ProvisionServer host name (the OOB site server computer). As part of the Hello message, the Intel AMT device sends all of its hashes to the configuration server. Out of Band Management Component authenticates to the Intel AMT device with a certificate that chains to one of the hashed root certificates and installs PID-PPS key pairs automatically on the Intel AMT device (initializes the device).
The remote configuration workflow is as follows:
Page 68
1
The Intel AMT computer is connected to the network and plugged in for the first time.
2
The Intel AMT device opens its network interface for 24 hours, and starts sending Hello messages.
Note: The interface is open for 24 hours only the first time that it is enabled. If the time runs out before the setup and configuration completes, or if the Intel AMT device is unconfigured or partially unconfigured, any subsequent calls to start configuration open the interface for only six hours.
See “About resending Hello messages” on page 89.
3
Intel SCS on the configuration server extracts the hashes from the Hello message.
4
Intel SCS sends a certificate chain that includes a trusted root certificate matching one of the received hashes.
5
The Intel AMT device validates the Intel SCS certificate. Intel AMT checks that the OID or the OU is correct and that it is derived from a certification authority that matches one of the root certificate hashes.
6
The Intel AMT device verifies that its own DNS suffix (the domain that it received from the DHCP server through option 15) matches the DNS suffix in the Intel SCS certificate.
7
Intel SCS and the Intel AMT device perform a complete mutual authentication session key exchange:
The Intel AMT device uses a self-signed certificate and sends its public key.
Intel SCS creates a TLS session master key, encrypts it with the Intel AMT device public key, and sends it to the Intel AMT device.
The device decrypts the master key with its private key. The key is the shared secret used to establish the setup and configuration TLS session.
8
One-Time Password (OTP) verification: Intel SCS requests the OTP from the Intel AMT device. The device sends the OTP securely. The SCS verifies the OTP for correctness.
9
Intel SCS changes the Intel AMT password from its default and completes the setup and configuration process.
See “Initializing Intel AMT computers using the Remote Configuration feature” on page 65.
Page 69
Prerequisites for using the Remote Configuration feature
Before you can use the Remote Configuration feature, the following requirements must be met:
Active Directory is present in your environment.
An enterprise certification authority is installed in your environment.
See “Installing and configuring CA” on page 36.
The Intel AMT device is configured to receive its IP address from a DHCP server. The DHCP server supports option 15 and returns the local domain suffix.
See “About configuring DHCP” on page 34.
The Intel AMT device is pre-programmed with at least one active root certificate hash.
See “About the Intel AMT Remote Configuration feature” on page 67.
The OOB site server computer (by default, the Notification Server computer) is registered in the DNS that is accessible to the Intel AMT device, with the name ProvisionServer. The OOB site server computer is in either the same domain as the device or a domain with the same suffix.
See “About configuring DNS” on page 33.
See “Initializing Intel AMT computers using the Remote Configuration feature” on page 65.
Configuring your OOB site server computer (by default, the Notification Server computer) for Remote Configuration
To configure your OOB site server (by default, the Notification Server computer) for the Remote Configuration feature support, you must acquire and install the Remote Configuration certificate. This certificate is used by Intel SCS to authenticate to the Intel AMT devices.
Table 6-3
Process for configuring your OOB site server computer for Remote Configuration

Step 1: Prepare a certificate template.
A certificate template defines the format and content of a certificate.
See “Preparing a certificate template for Remote Configuration” on page 70.

Step 2: Issue the new template.
You must publish the certificate template so that a certification authority (CA) can issue certificates based on it.
See “Issuing the new certificate template for Remote Configuration” on page 72.

Step 3: Prepare a certificate request.
A certificate request lets you get a certificate from a CA.
See “Preparing a certificate request for Remote Configuration” on page 72.

Step 4: (Optional) Acquire the certificate.
This step is only required if you purchase the certificate from an external certificate vendor.
See “Acquiring and installing a certificate from an external certificate vendor” on page 74.
See “Initializing Intel AMT computers using the Remote Configuration feature” on page 65.
Preparing a certificate template for Remote Configuration
You mustcreate a new certificate template that youwill use to request a certificate.
See “Configuring your OOB site server computer (by default, the Notification Server computer) for Remote Configuration” on page 69.
To prepare a certificate template for Remote Configuration
1
On the computer with the certification authority (CA) installed, click Start > Run.
2
In the Open box, type mmc, and then click OK.
3
In the Microsoft Management Console, click File > Add/Remove Snap-in.
4
Click Add.
5
Click Certificate Templates, click Add, and then click Close.
Configuring Intel AMT computers for out-of-band management
Configuring Intel AMT computers for out-of-band management
70
Page 71
6
Click OK.
7
In the tree, click Console Root > Certificate Templates.
8
In the right pane, right-click the User template, and then click Duplicate Template.
9
Type the template display name.
For example, type AMT Remote Configuration.
10
Check Publish certificate in Active Directory.
11
On the Request Handling tab, check Allow private key to be exported.
12
On the Request Handling tab, click CSPs.
13
In the CSP Selection dialog box, under CSPs, check Microsoft Strong Cryptographic Provider, and then click OK.
14
On the Subject Name tab, click Supply in the request.
15
On the Security tab, grant Read, Write, and Enroll permissions to both the Domain Admins group and the Notification Server's Application Identity account.
For more information about the Notification Server's Application Identity account, see the Symantec Management Platform Help.
16
On the Extensions tab, click Application Policies, and then click Edit.
17
In theEdit Application Policies Extension dialog box, click Add, click Server Authentication, and then click OK.
18
In the Edit Application Policies Extension dialog box, click Server Authentication, and then click Edit.
Verify the Object identifier is 1.3.6.1.5.5.7.3.1 and then click Cancel.
19
Click Add once more, and then, in the Add Application Policy dialog box, click New.
20
In the New Application Policy dialog box, in the Name box, type a name for the new application policy.
For example, type AMT Remote Configuration OID.
21
In the Object identifier box, type 2.16.840.1.113741.1.2.3 and then click OK.
22
Click the application policy you just created (in this example, click AMT Remote Configuration OID), and then click OK.
23
Click OK.
24
Click OK to save and close the properties of the new template.
Page 72
Issuing the new certificate template for Remote Configuration
You must issue the new template that you prepared.
See “Configuring your OOB site server computer (by default, the Notification Server computer) for Remote Configuration” on page 69.
To issue the new template
1
On the computer with the certification authority (CA) installed, click Start > Control Panel > Administrative Tools > Certification Authority.
2
In the left pane, click your CA.
3
Right-click CertificateTemplates, and then click New > Certificate Template to Issue.
4
In the Enable Certificate Templates dialog box, click the template that you prepared earlier (in this example, click AMT Remote Configuration), and then click OK.
Preparing a certificate request for Remote Configuration
You must prepare a certificate request that you will use to create your own certificate or to submit to one of the commercial SSL certificate providers whose root certification authority hash is already in the firmware of the Intel AMT device.
You must do this for each OOB site server in your environment.
See “About OOB site servers” on page 118.
See “Configuring your OOB site server computer (by default, the Notification Server computer) for Remote Configuration” on page 69.
To prepare a certificate request
1
Log on to the OOB site server computer (by default, the Notification Server computer) using the Application Identity Account.
For more information about the Notification Server's Application Identity account, see the Symantec Management Platform Help.
2
From the OOB site server computer (by default, the Notification Server computer), open the Certificate Services Web page of your certification authority (CA) (http://<ca_server_name>/certsrv/) in the Internet Explorer.
3
Click Request a certificate.
4
Click advanced certificate request.
5
Click Create and submit a request to this CA.
Page 73
6
From the Certificate Template drop-down list, click the template that you prepared and issued earlier (in this example, click AMT Remote Configuration).
See “Preparing a certificate template for Remote Configuration” on page 70.
See “Issuing the new certificate template for Remote Configuration” on page 72.
7
In the Name box, type the FQDN of the OOB site server computer (by default, the Notification Server computer).
For example:
provisionserver.west.yourenterprise.com
8
In the Department box, type the following string exactly as follows:
Intel(R) Client Setup Certificate
9
Fill in the email, company, city, state, and country boxes with your company's data.
Note that you must type the full name of the state: for example, type Texas instead of TX. Verisign® fails to issue the certificate if the state name is abbreviated.
10
Under Key Options, in the Key Size box, type 1024.
Note: 1024-bit RSA keys are smaller than the minimum that public certificate providers now issue. Check the key sizes that your certificate provider and your Intel AMT firmware version accept before you submit the request.
11
Check Mark keys as exportable.
12
Under Additional Options, click PKCS10.
13
If youare preparing a certificate request for acommercial certificate provider:
Check Save request to a file.
Type the full path name of the request file to create in the Full path name box. For example:
c:\request.txt
Click Save.
The certificate request is created and written to the file that you specified.
Acquire and install a certificate from an external certificate vendor.
See “Acquiring and installing a certificate from an external certificate vendor” on page 74.
14
If you are preparing a certificate request for your own certification authority:
Click Submit.
Click Install this certificate to install the certificate.
Page 74
The certificate installs into the Certificates - Current User > Personal > Certificates store. To view this certificate, add the Certificates - Current User snap-in to the Microsoft Management Console.
Enable the Remote Configuration feature in Out of Band Management Component.
See “Enabling the Remote Configuration feature in Out of Band Management Component” on page 75.
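The same request can be produced with certreq.exe instead of the CA Web page, which is convenient when you must repeat the procedure above on several OOB site servers. The following PowerShell script is an added example and is not part of the Symantec guide. The template name AMTRemoteConfiguration (the default template name when the display name is AMT Remote Configuration), the CA configuration string in $CaConfig, and the organization details in $Subject are assumptions; the OU string, the two OIDs, the provider, and the key size are the values the procedures above specify.

```powershell
# Added example, not code from the Symantec guide. Builds the same PKCS #10 request
# that the CA Web enrollment page builds in the procedure above, using certreq.exe.
# Run it as the Application Identity account so that the key pair lands in that
# account's Certificates - Current User > Personal store.
# Assumed values (replace them): $CaConfig, $Template and the O/L/S/C parts of $Subject.
$Fqdn     = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName   # OOB site server FQDN
$CaConfig = 'ca01.west.yourenterprise.com\YourEnterprise Issuing CA'       # "<CA host>\<CA name>", assumed
$Template = 'AMTRemoteConfiguration'                                       # template name, assumed
# The OU must be exactly this string; the state is spelled out in full (Texas, not TX).
$Subject  = "CN=$Fqdn, OU=Intel(R) Client Setup Certificate, O=Your Enterprise, L=Austin, S=Texas, C=US"

$Inf = @"
[NewRequest]
Subject = "$Subject"
KeyLength = 1024
Exportable = TRUE
ProviderName = "Microsoft Strong Cryptographic Provider"
KeySpec = 1
MachineKeySet = FALSE
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
OID = 2.16.840.1.113741.1.2.3

[RequestAttributes]
CertificateTemplate = $Template
"@

Set-Content -Path 'C:\amt-request.inf' -Value $Inf -Encoding ASCII

# Generate the key pair and write the Base64 request. C:\request.txt is the file you
# upload to a commercial certificate provider (step 13 above).
certreq -new 'C:\amt-request.inf' 'C:\request.txt'

# With your own enterprise CA (step 14 above): submit the request, then install the
# issued certificate into the current user's Personal store.
certreq -submit -config $CaConfig 'C:\request.txt' 'C:\amt-cert.cer'
certreq -accept 'C:\amt-cert.cer'
```

For a certificate bought from a provider, skip the two submit and accept lines, and run certreq -accept on the .cer file the provider returns instead; because MachineKeySet is FALSE, the certificate is matched to the key pair in the Current User store, which is where Intel SCS expects it.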
Acquiring and installing a certificate from an external certificate vendor
(Commercial provided certificates only)
These steps are only required if you want to purchase a Remote Configuration certificate.
See “About the Intel AMT Remote Configuration feature” on page 67.
See “Configuring your OOB site server computer (by default, the Notification Server computer) for Remote Configuration” on page 69.
To acquire a certificate
1
Contact one of the vendors whose root certificate hashes are built into the Intel AMT firmware. A list of the hashes should be provided by the platform vendor. You can also see the hashes by logging into the MEBx of an Intel AMT computer.
2
Go to the certificate vendor's Web site, submit the certificate request (CSR) that you prepared, and purchase an SSL certificate.
See “Preparing a certificate request for Remote Configuration” on page 72.
For example, the Verisign® page http://www.verisign.com/ssl/intel-vpro-technology/index.html describes how to purchase an appropriate certificate. The site documents the steps that are required to request, enroll, install, and move an SSL certificate.
3
Save the acquired certificate on the OOB site server computer (by default, the Notification Server computer) into a text file with a .cer extension.
To install the certificate into the current user certificate store
1
Log on to the OOB site server computer (by default, the Notification Server computer) using the Application Identity Account.
For more information about the Notification Server's Application Identity account, see the Symantec Management Platform Help.
2
Double-click the .cer file to open the certificate.
3
Click Install Certificate and follow the wizard.
Page 75
4
In the wizard, click Automatically select the certificate store based on the type of certificate.
The certificate must be installed into the Certificates - Current User > Personal > Certificates store. To view this certificate, add the Certificates - Current User snap-in to the Microsoft Management Console.
5
Enable the Remote Configuration feature in Out of Band Management Component.
See “Enabling the Remote Configuration feature in Out of Band Management Component” on page 75.
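Whether the certificate came from your own CA or from a vendor, it is worth confirming on the OOB site server that it passes the checks the Intel AMT device applies in steps 4 to 6 of the workflow in “About the Intel AMT Remote Configuration feature” before the first computer sends a Hello message. The following PowerShell script is an added example and is not part of the Symantec guide. It assumes it runs as the Application Identity account on the OOB site server, and $DhcpDomainSuffix is an assumed value standing in for the domain your DHCP server returns in option 15.

```powershell
# Added example, not code from the Symantec guide. For every certificate with a private
# key in Certificates - Current User > Personal, report: the Intel setup OID or OU, the
# Server Authentication EKU, whether the CN's domain suffix equals the suffix the device
# receives from DHCP, whether the chain builds, and the root thumbprint that must be in
# MEBx > Setup and Configuration > TLS PKI > Manage Certificate Hashes. Then check that
# ProvisionServer in that suffix resolves to the server named in the certificate.
$DhcpDomainSuffix = 'west.yourenterprise.com'            # assumed: DHCP option 15 value
$IntelSetupOid    = '2.16.840.1.113741.1.2.3'            # Intel AMT setup certificate OID
$ServerAuthOid    = '1.3.6.1.5.5.7.3.1'                  # Server Authentication
$IntelSetupOu     = 'Intel(R) Client Setup Certificate'

function Test-AmtRemoteConfigCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    # Collect the enhanced key usage OIDs carried by the certificate
    $ekus = @()
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            $ekus += @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
        }
    }
    # The device accepts either the Intel OID in the EKU or the fixed OU in the subject
    $intelOk = ($ekus -contains $IntelSetupOid) -or
               ($Cert.Subject -match [regex]::Escape("OU=$IntelSetupOu"))

    # The CN is the server FQDN; its domain suffix must equal the device's DHCP suffix
    $cn = $Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    $suffixOk = $cn.ToLower().EndsWith('.' + $DhcpDomainSuffix.ToLower())

    # Build the chain to find the root. Revocation checking is off so that an
    # unreachable CRL does not hide the result of the chain itself.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainOk = $chain.Build($Cert)
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    [pscustomobject]@{
        CommonName       = $cn
        HasPrivateKey    = $Cert.HasPrivateKey
        ServerAuthEku    = ($ekus -contains $ServerAuthOid)
        IntelOidOrOu     = $intelOk
        DnsSuffixMatches = $suffixOk
        ChainBuilds      = $chainOk
        RootSubject      = $root.Subject
        RootThumbprint   = $root.Thumbprint     # compare with the MEBx hash list
        NotAfter         = $Cert.NotAfter
    }
}

function Test-ProvisionServerRecord {
    # The device looks up ProvisionServer in its own DNS suffix; the answer should be
    # an address of the OOB site server whose FQDN is in the certificate.
    param([string]$Suffix, [string]$ExpectedFqdn)
    $name = "ProvisionServer.$Suffix"
    try {
        $actual   = [System.Net.Dns]::GetHostAddresses($name)         | ForEach-Object { $_.IPAddressToString }
        $expected = [System.Net.Dns]::GetHostAddresses($ExpectedFqdn) | ForEach-Object { $_.IPAddressToString }
        $shared   = @($actual | Where-Object { $expected -contains $_ })
        [pscustomobject]@{ Record = $name; Addresses = ($actual -join ', '); PointsAtServer = ($shared.Count -gt 0) }
    } catch {
        [pscustomobject]@{ Record = $name; Addresses = ''; PointsAtServer = $false }
    }
}

$results = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey } |
    ForEach-Object { Test-AmtRemoteConfigCertificate -Cert $_ }
$results | Format-List

# Check the ProvisionServer record for each certificate that passed the device-side checks
$results | Where-Object { $_.IntelOidOrOu -and $_.DnsSuffixMatches -and $_.ChainBuilds } |
    ForEach-Object { Test-ProvisionServerRecord -Suffix $DhcpDomainSuffix -ExpectedFqdn $_.CommonName } |
    Format-Table -AutoSize
```

A certificate that shows False in IntelOidOrOu, DnsSuffixMatches, or ChainBuilds is rejected by the device before the TLS session is set up, so no Hello message will ever turn into a configured computer. RootThumbprint is the value to compare against the hashes shown in the MEBx; if it is not there, the device ignores the chain.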
Enabling the Remote Configuration feature in Out of Band Management Component
After you configured your OOB site server computer (by default, the Notification Server computer) for Remote Configuration, you must enable the Remote Configuration feature in Out of Band Management Component.
See “Initializing Intel AMT computers using the Remote Configuration feature” on page 65.
To enable the Remote Configuration feature
1
In the Symantec Management Console, on the Settings menu, click All Settings.
2
In the left pane, click Remote Management > Out of Band Management > Configuration Service Settings > General.
3
In the right pane, check Allow Remote Configuration.
4
Click Save changes.
5
Proceed to the next step.
See “Starting the Intel AMT Remote Configuration” on page 75.
Starting the Intel AMT Remote Configuration
Plug in the network cable and the power cable, and turn on your Intel AMT 3.0 or later computer. The Intel AMT device sends its certificate hashes to the OOB site server computer (by default, the Notification Server computer). Then, Intel SCS authenticates to the Intel AMT device with a certificate chain that includes a trusted root certificate matching one of the received hashes (you can view a certificate's hash on the certificate's Details tab, in the Thumbprint field). After that, the Intel AMT device checks the hashes and the DNS suffix in the certificate, and goes through the setup and configuration process.
Page 76
After you plug in an Intel AMT computer for the first time, it sends Hello messages to the OOB site server computer (by default, the Notification Server computer) only for the first 24 hours. If the computer was not set up and configured during that time (because Intel SCS was unavailable, or because of network problems), you must make the Intel AMT device resend Hello messages.
See “About resending Hello messages” on page 89.
Note: To start the remote configuration process on computers with Intel AMT 2.2 and 2.6, you must use the Delayed Configuration policy. Only Intel AMT versions 3.0 and later support bare-metal remote configuration, where no management agent and no running operating system are required.
See “About resending Hello messages” on page 89.
See “Initializing Intel AMT computers using the Remote Configuration feature” on page 65.
Initializing Intel AMT computers manually
(all Intel AMT versions)
Manual initialization of Intel AMT computers is performed at the computer location and, in most cases, requires an administrator to physically touch the computers.
If you have a large number of Intel AMT 3.0 or later computers, we recommend that you initialize the computers using the Remote Configuration feature.
See “Initializing Intel AMT computers using the Remote Configuration feature” on page 65.
You can initialize Intel AMT computers manually in the following ways:
Ask an OEM to prepare computers for initialization
See “Initializing OEM-prepared computers manually” on page 77.
Use a USB key
See “Initializing computers manually using a USB key” on page 77.
Type PID-PPS pairs into the MEBx
See “Initializing computers manually through MEBx” on page 80.
The USB and MEBx methods require you to visit each Intel AMT computer's location and perform some manual configuration.
See “Configuring IntelAMT computersfor out-of-band management” on page 61.
Page 77
Initializing OEM-prepared computers manually
The OEM (original equipment manufacturer) initialization method lets you pre-program the computers at the factory (on agreement with the OEM) and does not require you to touch the computers at the site.
When an OEM delivers computers with the Intel AMT device already initialized, the PID-PPS key pairs are already entered into the Intel AMT device firmware. All that remains is to import the file that contains the PID-PPS pairs supplied by the OEM (in the form of a setup.bin file) into the Intel SCS database.
After you plug in an Intel AMT computer for the first time, it sends Hello messages to the OOB site server computer (by default, the Notification Server computer) only for the first 24 hours. If the computer was not set up and configured during that time (because Intel SCS was unavailable, or because of network problems), you must make the Intel AMT device resend Hello messages.
See “About resending Hello messages” on page 89.
See “Initializing Intel AMT computers manually” on page 76.
To import security keys supplied by an OEM
1
In the Symantec Management Console, on the Settings menu, click All Settings.
2
In the left pane, click Remote Management > Out of Band Management > Configuration Service Settings > Security Keys.
3
On the Security Keys page, click the Import security keys symbol.
4
Browse to the security keys file, and then click Import.
Initializing computers manually using a USB key
If the Intel AMT device on a computer is not initialized by the OEM, USB key initialization is the recommended method. This method is much less labor intensive and error prone than initialization through MEBx.
To use the USB initialization method with Intel AMT 2.0, 2.2, and 2.6 computers, the MEBx settings on the computer must be in the factory default state.
This means that the following conditions are met:
No PID-PPS pairs installed
Factory default MEBx and Intel AMT passwords
If you have already accessed the MEBx and changed the factory default password, you cannot use the USB key initialization method unless you reset the MEBx to factory defaults. Usually, you can reset the MEBx by removing and replacing the system board battery, or by pressing the reset button if the system board has such a button.
If you do not want to reset the MEBx, use the MEBx initialization method for systems with changed passwords.
See “Initializing computers manually through MEBx” on page 80.
It is important to have the USB key properly configured. USB key requirements vary from hardware vendor to vendor, but your USB key should work on most computers if you meet the general USB key requirements.
The USB key requirements are as follows:
Format the USB key with FAT16 (some USB keys come formatted with FAT32).
We do not recommend using USB keys larger than 512 MB.
The setup.bin file must be the only file that is stored on the USB key.
See “Initializing Intel AMT computers manually” on page 76.
To initialize Intel AMT manually using the USB key
1
In the Symantec Management Console, on the Settings menu, click All Settings.
2
In the left pane, click Remote Management > Out of Band Management > Configuration Service Settings > Security Keys.
3
(Optional) To use previously generated keys that have not been used, on the Security Keys page, click the PID-PPS keys you want to export to the USB key.
4
On the Security Keys page, click the Export security keys to USB key symbol.
5
If you want to export the keys that you have already generated, in the Export Security Keys to USB Key dialog box, click All or Only Selected.
Page 79
6
If you want to generate new keys, click Generate keys before export, and then specify the following options for generating the key file:
Number of security keys to generate: Type a number equal to or greater than the number of Intel AMT computers you want to initialize with the USB key. Each key is used only once. There is no problem with exporting extra keys for use later, or even not at all.
Factory default Intel Management Engine (MEBx) password: The value for Intel AMT computers in the factory default state is "admin". (Intel AMT 2.5, 3.0, 4.0, and 5.0 only) If you changed the default MEBx password through the computer's BIOS, specify your password.
New Intel Management Engine password: This password replaces the default MEBx password. Note: You must type a strong password.
See “About Intel AMT related credentials” on page 22.
See “About passwords used with Intel AMT” on page 177.
7. Click Generate.
A file with the keys is created in the format expected by the platform BIOS.
8. Click the Download USB key file link, and then save the file to the USB key.
9. Click Close.
The exported keys are also added to the Intel SCS database.
10. Go to the physical location of the Intel AMT computer, and then connect the cables (including network), a monitor, and a keyboard.
11. Insert the USB key and power up or restart the computer.
12. Follow the on-screen instructions to initialize the computer.
The specific PID-PPS key pair that is used to initialize the computer is marked on the USB key as used, so the key cannot be used again.
13. Restart the computer.
The computer starts sending Hello messages to the OOB site server computer (by default, the Notification Server computer). Out of Band Management Component configures the Intel AMT computer with the profile that you assigned to this resource.
14. (Optional) Use the USB key to initialize other computers.
Initializing computers manually through MEBx
Manual initialization through MEBx requires significantly more time and is more prone to errors, because you must manually type all of the information. In general, use the USB key initialization if you can.
See “Initializing computers manually using a USB key” on page 77.
If you have Intel AMT 3.0 or later computers in your environment, try the Remote Configuration method.
See “Initializing Intel AMT computers using the Remote Configuration feature” on page 65.
You must use the manual Intel AMT initialization through MEBx in the following situations:
You have accessed the computer MEBx and changed the factory default MEBx password, and thus cannot use the USB initialization method.
You have not configured the DNS to resolve the ProvisionServer host name to the OOB site server computer (by default, the Notification Server computer). See “About configuring DNS” on page 33. (You can still use the USB key method, but you must enter the MEBx after initialization and manually type the IP address of the OOB site server.)
You cannot use the other initialization methods.
You want to quickly configure a single computer for evaluation in enterprise mode and make it manageable out of band.
After you initialize the computer, the computer entry should appear in the Symantec Management Console, on the Intel AMT Systems page.
See “Initializing Intel AMT computers manually” on page 76.
To manually initialize Intel AMT through MEBx
1. In the Symantec Management Console, on the Settings menu, click All Settings.
2. In the left pane, click Remote Management > Out of Band Management > Configuration Service Settings > Security Keys.
3. On the Security Keys page, click the Generate security keys symbol.
4. In the Generate Security Keys dialog box, specify the following, and then click OK when done:
Number of security keys to generate: Type a number equal to or greater than the number of Intel AMT computers you want to initialize. Each key is used only once. There is no problem with generating extra keys for use later or even not at all.
Factory default Intel Management Engine (MEBx) password: The default value is "admin", unless you specifically asked the OEM to preconfigure Intel AMT computers with a different password.
New Intel Management Engine password: This password will replace the default MEBx password. See “About Intel AMT related credentials” on page 22.
5. (Optional) Click the keys you want to use.
6. Click the Print security keys symbol.
A new window opens with the selected keys and passwords listed in a printer-friendly format.
7. Print the contents of the window, and then close the window.
8. Click the keys that you printed, and then click the Mark selected security keys as already used symbol.
The keys are removed from the list and added to the Intel SCS database. (If you do not use all of the keys you have marked as used, this is not a problem.)
9. Go to the physical location of the Intel AMT computer, and then connect the cables, a monitor, and a keyboard.
10. Turn on the computer and press Ctrl+P during initial startup (POST) to enter the Management Engine BIOS Extension (MEBx).
The Ctrl+P shortcut can vary between OEM-provided BIOSes. Refer to the manufacturer's documentation for accessing the ME BIOS sub-menu.
The default MEBx password for computers in the factory-default state is "admin". The first time you log on to the MEBx, you must change the default password.
The new password must be a strong password.
See “About passwords used with Intel AMT” on page 177.
Use the new password from the print-out you made.
11. Enable Intel AMT, if it is not already enabled.
Exiting the MEBx and restarting the computer might be required for the additional Intel AMT configuration options to appear in the MEBx.
12. If Intel AMT is already enabled, before you make any further changes, select Un-Provision > Full Unprovision in the MEBx to reset all Intel AMT settings to their defaults. This removes any settings that can cause the setup and configuration process to fail. We recommend doing so even if this is the first time you have accessed the MEBx.
13. Set the Provision Mode to Enterprise, if it is not already set.
14. Modify the Provisioning Server settings. Type the IP address of the configuration server and the SCS port (the port on which Intel SCS listens for Hello messages). By default, the port is 9971.
To view the port, in the Symantec Management Console, click Settings > All Settings > Remote Management > Out of Band Management > Configuration Service Settings > General.
15. Type a PID-PPS pair from the print-out you made.
16. Mark the key pair on the paper as used. Each PID-PPS pair can only be used once.
17. Configure additional parameters, if necessary.
18. Exit the MEBx.
Setting up and configuring initialized Intel AMT computers
The Intel AMT computers that you initialized are sending configuration requests to the ProvisionServer host name and are ready for setup and configuration.
See “About Intel AMT initialization” on page 58.
See “About Intel AMT setup and configuration” on page 59.
After you set up and configure Intel AMT computers, you can perform the following actions:
Manage Intel AMT computers out of band with Altiris solutions that support out-of-band technologies. See “Altiris products that can manage computers out of band” on page 15.
Configure additional parameters in the setup and configuration profile (such as users and power-saving options). See “Creating Intel AMT configuration profiles” on page 62.
Run Intel AMT maintenance tasks. See “Maintenance page” on page 145.
Configure your Intel AMT computers to use TLS or TLS with mutual authentication for secure communications. See “About TLS” on page 95.
See “Configuring Intel AMT computers for out-of-band management” on page 61.
Table 6-4 Process for setting up and configuring Intel AMT computers
Step | Action | Description
Step 1 | Understand the Intel SCS interface in the Symantec Management Console. | Out of Band Management Component displays Intel SCS management pages in the Symantec Management Console. See “Understanding the Intel SCS interface” on page 84.
Step 2 | Assign a configuration profile to Intel AMT computers, if not already assigned. | The configuration profile defines Intel AMT configuration parameters. See “About assigning a configuration profile” on page 85.
Step 3 | Watch the Intel AMT computers getting configured. | The Intel SCS pages in the Symantec Management Console let you view the status of Intel AMT devices. See “About monitoring the setup and configuration process” on page 87.
Step 4 | Synchronize Intel SCS and Notification Server databases. | Synchronization creates resources for Intel AMT computers in the Notification Server database. This ensures that Altiris solutions can manage Intel AMT computers. See “Synchronizing Intel SCS and Notification Server resources” on page 88.
Understanding the Intel SCS interface
Out of Band Management Component displays the Intel SCS interface in the Symantec Management Console.
To watch and troubleshoot the setup and configuration process, you need the following two lists of Intel AMT devices:
Intel AMT Systems: A list of Intel AMT devices that have sent Hello messages to the SCS. These devices can be configured or unconfigured. You can update the configuration of one or all of the already configured devices, among other operations.
Profile Assignments: A list of profile assignments that are created by the administrator or that are created automatically by the Resource Synchronization policy. See “Configuring the automatic Intel AMT configuration profile assignment” on page 64. Each entry relates a specific Intel AMT device, defined by its UUID and Fully Qualified Domain Name (FQDN), to a configuration profile.
Also, the Intel SCS logs can provide you with the information about the setup and configuration of Intel AMT computers.
See “Viewing Intel SCS logs” on page 167.
See “Setting up and configuring initialized Intel AMT computers” on page 82.
To view the Intel AMT Systems list
1. In the Symantec Management Console, on the Settings menu, click All Settings.
2. In the left pane, click Remote Management > Out of Band Management > Intel AMT Systems > Intel AMT Systems.
About assigning a configuration profile
Intel AMT setup and configuration is an automatic process that is performed by Intel SCS. To initiate the setup and configuration process, you must assign a configuration profile to the Intel AMT device that is displayed in the Intel SCS interface, on the Intel AMT Systems page.
See “Understanding the Intel SCS interface” on page 84.
After you assign a profile, the Intel AMT device becomes configured and the status of the corresponding entry in the list changes. You can click the Refresh symbol to see the changes in the status.
You can assign a profile in the following ways:
Automatically when a Hello message is received.
See “About assigning a profile to multiple computers automatically” on page 85.
Manually to a single computer.
See “Assigning a profile to a single computer manually” on page 86.
Manually to multiple computers.
See “Assigning a profile to multiple computers manually” on page 86.
See “Setting up and configuring initialized Intel AMT computers” on page 82.
About assigning a profile to multiple computers automatically
You can configure Out of Band Management Component to assign a specific configuration profile to all unconfigured Intel AMT computers automatically as soon as Intel SCS receives a configuration request.
See “Configuring the automatic Intel AMT configuration profile assignment” on page 64.
If you followed the instructions provided in this chapter, you have already configured the automatic configuration profile assignment. You can open the Intel AMT Systems page and see whether the Intel AMT devices that you want to configure already have an FQDN and a profile assigned to them.
See “Understanding the Intel SCS interface” on page 84.
See “About assigning a configuration profile” on page 85.
Assigning a profile to a single computer manually
By assigning a profile to an Intel AMT resource that is known to Intel SCS, but is in an unconfigured state, you initiate the setup and configuration process.
You can also assign a new profile to a device that is already configured with another profile. After doing so, click the Re-configure symbol.
If you do not see the Intel AMT capable computer that you want to set up and configure in the list, make sure that the Intel AMT device has been properly initialized in the last 6 hours. Make sure that the Intel AMT capable computer is turned on and is connected to the network.
See “About Intel AMT initialization” on page 58.
See “About resending Hello messages” on page 89.
See “About assigning a configuration profile” on page 85.
To assign a profile to a single computer manually
1. Open the Intel AMT Systems page.
See “Understanding the Intel SCS interface” on page 84.
2. In the grid, click a computer.
3. Click the Assign profile symbol.
4. In the Edit mapping dialog box, type the FQDN of the computer.
This FQDN will be assigned to the Intel AMT device during setup and configuration.
5. If you enabled Active Directory integration, select the organizational unit where you want to register AMT objects.
Example: IntelAMT
See “Integrating Intel SCS with Active Directory” on page 55.
6. From the Profile drop-down list, select a configuration profile.
See “Creating Intel AMT configuration profiles” on page 62.
7. If you want Intel SCS to automatically reconfigure the selected Intel AMT device when the settings in the configuration profile change, check Re-configure if settings change.
8. Click OK.
Assigning a profile to multiple computers manually
Batch profile assignment is possible for the Intel AMT capable computers whose FQDN is known to Out of Band Management Component. To let the solution detect the FQDN, you must install the Altiris Agent on the target computers.
See “Preparing target computers for management” on page 49.
See “About assigning a configuration profile” on page 85.
To assign a profile to multiple computers manually
1. Open the Intel AMT Systems page.
See “Understanding the Intel SCS interface” on page 84.
2. (Optional) In the grid, click the computers to which you want to assign a profile.
3. Click the Create assignments symbol.
4. If you want to replace existing profile assignments, check Override existing profile assignments.
This option changes the profile assignment, but does not re-configure the Intel AMT device with the new configuration profile.
5. If you want to re-configure Intel AMT devices immediately, check Re-configure Intel AMT if assignments change.
If you do not check this option, you can re-configure manually later.
6. Use the symbols on the toolbar to configure the configuration profile mappings.
You can assign different profiles to computers from different domains.
7. Click OK.
About monitoring the setup and configuration process
After you assign a profile to the Intel AMT device, the setup and configuration process starts. You can watch the Intel AMT device status on the Intel AMT Systems page.
See “Understanding the Intel SCS interface” on page 84.
The status of the device must change from UnConfigured to InConfiguring, and then to Configured.
Also, you can watch the Intel SCS logs for messages.
See “Viewing Intel SCS logs” on page 167.
You can troubleshoot the Intel AMT setup and configuration process.
See “About Intel AMT setup and configuration issues” on page 173.
When the computers are set up and configured, we recommend that you run the Resource Synchronization policy manually to synchronize the Intel SCS and Notification Server databases.
See “Synchronizing Intel SCS and Notification Server resources” on page 88.
See “Setting up and configuring initialized Intel AMT computers” on page 82.
Synchronizing Intel SCS and Notification Server resources
If you want to run out-of-band management tasks (for example, the Real-Time Console Infrastructure tasks) on the computers with Intel AMT, you must enable and run the Resource Synchronization policy. This policy synchronizes the Intel SCS and Notification Server databases. Synchronization is critical if you set up and configured your Intel AMT computers with a random password. This policy lets you map the Intel AMT administrative credentials that are stored in the Intel SCS database to the appropriate Notification Server resources.
This policy also creates new resources for the computers that do not have the Altiris Agent installed.
After the synchronization is complete, Altiris solutions can find Intel AMT administrative credentials in the Intel SCS database for each of the computers that you want to manage.
After the task runs, the computers that are set up and configured with Out of Band Management Component appear in the Configured Intel AMT Computers filter.
See “Setting up and configuring initialized Intel AMT computers” on page 82.
To run the Resource Synchronization policy
1. In the Symantec Management Console, on the Settings menu, click All Settings.
2. In the left pane, click Remote Management > Out of Band Management > Intel AMT Systems > Resource Synchronization.
3. (Optional) Under Synchronize Intel SCS and Notification Server resources, create or modify the schedule on which to run the synchronization.
By default, the synchronization is run weekly.
4. Under Last synchronization statistics, click Run now.
To view the Configured Intel AMT Computers filter
1. In the Symantec Management Console, on the Manage menu, click Filters.
2. In the left pane, click Out of Band Management > Configured Intel AMT Computers.
The computers that are displayed in this filter are ready to be managed out-of-band with Altiris solutions.
See “Altiris products that can manage computers out of band” on page 15.
About resending Hello messages
When you power-on an Intel AMT computer for the first time, the Intel AMT device starts sending configuration requests to the OOB site server computer (by default, the Notification Server computer) for 6 hours (24 hours for Intel AMT 3.0 and later).
If for some reason the Intel AMT device is not configured during this time, you can remotely restart the sending of requests in one of the following ways:
Enable the Delayed Configuration policy (Intel AMT 3.0 and later only).
See “Resending Hello messages with the Delayed Configuration policy” on page 89.
Run the Send Intel AMT Hello Message task (Intel AMT 3.0 and later only).
See “Resending Hello messages with the Send Intel AMT Hello Message task” on page 90.
Visit the Intel AMT computer location, unplug the computer for 20 seconds, and then plug it in again (all Intel AMT versions).
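The window lengths, status values (from “About monitoring the setup and configuration process”) and resend methods above can be turned into a small triage helper for the Intel AMT Systems list. This is an added example, not code from the guide or from Out of Band Management Component; the device records and timestamps are constructed.

```python
"""Added example, not from the Symantec guide: track the Hello-message window
of initialized Intel AMT devices and pick the resend method the guide allows.

Assumptions (mine): SAMPLE_DEVICES and NOW are constructed to resemble rows of
the Intel AMT Systems list; the guide supplies the window lengths (6 hours, or
24 hours for Intel AMT 3.0 and later), the status values UnConfigured,
InConfiguring and Configured, and the three resend methods with their version
and in-band prerequisites.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class AmtDevice:
    uuid: str
    amt_version: str       # firmware version as shown in the list, e.g. "2.6" or "4.0"
    status: str            # UnConfigured -> InConfiguring -> Configured
    first_hello: datetime  # when the device started sending configuration requests


def version_tuple(version: str) -> tuple:
    return tuple(int(part) for part in version.split("."))


def hello_window(device: AmtDevice) -> timedelta:
    """How long the device keeps sending Hello messages after power-on."""
    if version_tuple(device.amt_version) >= (3, 0):
        return timedelta(hours=24)
    return timedelta(hours=6)


def resend_options(device: AmtDevice) -> list:
    """Ways to restart the requests once the window has closed, per the guide."""
    options = []
    if version_tuple(device.amt_version) >= (3, 0):
        # Both are in-band: Windows must be running with the Altiris Agent installed.
        options.append("Delayed Configuration policy (in-band; also requires DHCP)")
        options.append("Send Intel AMT Hello Message task (in-band)")
    options.append("unplug the computer for 20 seconds, then plug it in again (on site)")
    return options


def triage(devices, now: datetime) -> dict:
    """Map each not-yet-Configured device UUID to the action an operator should take."""
    actions = {}
    for device in devices:
        if device.status == "Configured":
            continue
        remaining = device.first_hello + hello_window(device) - now
        if remaining > timedelta(0):
            minutes = int(remaining.total_seconds() // 60)
            actions[device.uuid] = f"{device.status}: {minutes} min left in Hello window, keep watching"
        else:
            actions[device.uuid] = ("window closed; resend Hello via: "
                                    + "; ".join(resend_options(device)))
    return actions


# Constructed sample rows (not real devices).
NOW = datetime(2010, 6, 1, 12, 0)
SAMPLE_DEVICES = [
    AmtDevice("uuid-a", "2.6", "UnConfigured", NOW - timedelta(hours=7)),
    AmtDevice("uuid-b", "3.0", "InConfiguring", NOW - timedelta(hours=7)),
    AmtDevice("uuid-c", "5.0", "Configured", NOW - timedelta(hours=30)),
    AmtDevice("uuid-d", "4.0", "UnConfigured", NOW - timedelta(hours=25)),
]

if __name__ == "__main__":
    for uuid, action in triage(SAMPLE_DEVICES, NOW).items():
        print(uuid, "->", action)
```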
Resending Hello messages with the Delayed Configuration policy
The Delayed Configuration policy lets you re-open the Intel AMT interface for the computers that are in the delayed configuration state for another 6 hours.
Computers that entered the delayed configuration state appear in the All Intel AMT Computers in Delayed Configuration State filter.
Resending Hello messages with the Delayed Configuration policy is an in-band functionality and requires the Windows operating system to be running and the Altiris Agent to be installed on the Intel AMT computer. Delayed Configuration requires that you use DHCP in your environment.
You can also use the Delayed Configuration policy to start the Remote Configuration sequence on computers with Intel AMT 2.2 and 2.6.
See “About resending Hello messages” on page 89.
To enable the Delayed Configuration policy
1. Install the Altiris Agent on the Intel AMT computers, if it is not already installed.
See “Installing the Altiris Agent” on page 51.
2. Install the Out of Band Task Agent on the client computer, if it is not already installed.
See “Installing the Out of Band Task Agent” on page 53.
3. In the Symantec Management Console, on the Settings menu, click All Settings.
4. In the left pane, click Remote Management > Out of Band Management > Intel AMT Systems > Delayed Setup and Configuration.
5. In the right pane, configure and enable the Delayed Setup and Configuration policy.
For help, in the Symantec Management Console, on the Help menu, click Context.
See “Delayed Setup and Configuration page” on page 149.
Resending Hello messages with the Send Intel AMT Hello Message task
The Send Intel AMT Hello Message task lets you simulate sending a Hello packet to Intel SCS. Intel SCS responds to this Hello packet and starts configuring the computer's Intel AMT device.
Resending Hello messages with the Send Intel AMT Hello Message task is an in-band functionality and requires the Windows operating system to be running and the Altiris Agent to be installed on the Intel AMT computer.
See “About resending Hello messages” on page 89.
To run the Send Intel AMT Hello Message task
1. Install the Altiris Agent on the Intel AMT computers, if it is not already installed.
See “Installing the Altiris Agent” on page 51.
2. Install the Out of Band Task Agent on the client computer, if it is not already installed.
See “Installing the Out of Band Task Agent” on page 53.
3. In the Symantec Management Console, on the Manage menu, click Jobs and Tasks.
4. In the left pane, click Samples > Remote Management > Intel SCS tasks and jobs > Send Intel AMT Hello Message.
5. In the right pane, select the OOB site server to which you want the target computer to send the Hello packet.
6. Run the task one time or on a schedule.
For more information, view topics about running and scheduling tasks in the Symantec Management Platform Help.
Configuring Intel AMT computers in small business mode
You can use small business mode in the following situations:
You are evaluating Altiris solutions that can manage computers out-of-band and want to get set up and running quickly.
You do not have the necessary network infrastructure (DHCP and DNS) to use enterprise mode.
You do not need encrypted communications.
To configure Intel AMT computers in large-scale organizations, especially ones that include subnets and require security, use enterprise mode.
See “Configuring Intel AMT computers for out-of-band management” on page 61.
Small-business mode is straightforward to configure. The process is manually performed through the Intel Management Engine BIOS extension (MEBx) on the Intel AMT computer. Out of Band Management Component is not involved in this process.
See “About Intel AMT configuration modes” on page 18.
After you configure the Intel AMT computer in small business mode, it is ready for out-of-band management with Altiris solutions. To run out-of-band management tasks on this computer from the Symantec Management Console, a computer resource representing the computer must be created in the CMDB. If there is no such resource in the CMDB, simply install the Altiris Agent on the client computer. Computers with the Altiris Agent installed appear in the standard Notification Server filters: for example, Windows Computers.
See “Installing the Altiris Agent” on page 51.
To configure Intel AMT devices in small business mode
1. Go to the physical location of the Intel AMT computer, and then connect the cables, a monitor, and a keyboard.
2. Turn on the computer and press Ctrl+P during POST to enter the Management Engine BIOS Extension (MEBx).
The Ctrl+P shortcut can vary depending on the OEM-provided BIOS. For more information on accessing the ME BIOS sub-menu, see the hardware manufacturer's documentation.
The default MEBx password for computers in the factory-default state is "admin". When you log on to the MEBx for the first time, you must change the default password to a strong password.
See “About passwords used with Intel AMT” on page 177.
3. Enable Intel AMT in the Intel AMT computer's MEBx, if it is not already enabled.
You might have to exit the MEBx and restart the computer for the additional Intel AMT configuration options to appear in the MEBx.
4. If Intel AMT is already enabled, before making any changes, you must select Un-Provision > Full Unprovision in the MEBx to fully unconfigure the Intel AMT device.
5. Set the Provision Model to Small Business (listed as Small-Medium Business on some computers).
6. Configure the network settings of the Intel AMT device.
We recommend that the TCP/IP settings be the same as the settings for the network interface card of the computer. If the network card uses DHCP, select DHCP in the MEBx. For computers that use a static IP address, you must specify the following in the MEBx:
Host name of the Intel AMT computer
Warning: Intel AMT does not support host names with an underscore ("_") character.
IP address of the Intel AMT computer
Subnet mask
Default gateway address
Preferred DNS address
Domain name
7. Exit the MEBx.
The computer restarts.
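Because the static settings in step 6 are typed by hand into the MEBx, it is worth checking them before the site visit. The following is an added example, not part of the guide: the underscore rule comes from the warning above, and the remaining checks are the author's own additions.

```python
"""Added example, not from the Symantec guide: sanity-check the static network
settings before typing them into the MEBx.

The guide states only that Intel AMT does not accept host names containing an
underscore; the remaining checks (RFC 1123 label syntax, all addresses parse as
IPv4, gateway inside the subnet, IP is not the network or broadcast address)
are my additions.
"""
import ipaddress
import re

# One DNS label: letters, digits and hyphens, no leading/trailing hyphen, max 63 chars.
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def _label_problems(value: str, what: str) -> list:
    """Problems with a host name or domain name; empty list if it is acceptable."""
    if "_" in value:
        return [f"{what} {value!r} contains an underscore, which Intel AMT does not support"]
    bad = [label for label in value.split(".") if not LABEL_RE.match(label)]
    return [f"{what} {value!r} has invalid DNS label(s): {bad}"] if bad else []


def check_mebx_static_settings(host_name, ip_address, subnet_mask,
                               default_gateway, preferred_dns, domain_name) -> list:
    """Return a list of problems; an empty list means the settings look consistent."""
    problems = _label_problems(host_name, "host name")
    problems += _label_problems(domain_name, "domain name")
    try:
        net = ipaddress.IPv4Network(f"{ip_address}/{subnet_mask}", strict=False)
        ip = ipaddress.IPv4Address(ip_address)
    except ValueError as exc:
        problems.append(f"IP address/subnet mask is invalid: {exc}")
        return problems
    if ip in (net.network_address, net.broadcast_address):
        problems.append("IP address is the network or broadcast address of the subnet")
    for what, value in (("default gateway", default_gateway), ("preferred DNS", preferred_dns)):
        try:
            addr = ipaddress.IPv4Address(value)
        except ValueError:
            problems.append(f"{what} {value!r} is not a valid IPv4 address")
            continue
        if what == "default gateway" and addr not in net:
            problems.append(f"default gateway {value} is outside {net.with_prefixlen}")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not a real network.
    for problem in check_mebx_static_settings("amt_client01", "192.168.10.25", "255.255.255.0",
                                              "10.0.0.1", "192.168.10.2", "corp.example.com"):
        print("problem:", problem)
```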
Intel SCS is not involved in the small business Intel AMT configuration process. An Intel AMT computer that is configured in small business mode does not send a configuration request to the configuration server and does not appear in the list of Intel AMT systems that are known to Intel SCS. After you perform manual configuration through MEBx, the computer is ready to be managed out of band with Altiris solutions.
Next, you must create or modify a connection profile in Protocol Manager. You use this profile when you run out-of-band tasks on Intel AMT computers that are configured in small business mode.
To configure a connection profile
1. In the Symantec Management Console, on the Settings menu, click All Settings.
2. In the left pane, click Monitoring and Alerting > Protocol Management > Connection Profiles > Manage Connection Profiles.
3. In the right pane, click the connection profile that you want to use to connect to Intel AMT computers with Altiris solutions, and then click the Edit symbol.
4. In the Define Group Settings dialog box, expand the AMT section.
5. Turn on the AMT protocol, if it is not turned on yet.
To turn on the protocol, click the colored circle on the right, and then click On.
6. Under Runtime credentials, click the Add symbol.
7. In the Add credential dialog box, in the Credential type drop-down list, click AMT Credentials.
8. Type a name for the credentials.
For example, type My AMT.
9. Type the Intel AMT user name and password.
The user name is "admin". The password is the new secure password you specified when you first accessed the MEBx.
10. Click OK.
11. Under Runtime credentials, in the drop-down list, click or browse for the credentials that you just configured.
In this example, click My AMT.
12. Click OK.
For more information, view topics about using connection profiles and credential manager in the Symantec Management Platform Help.
Chapter 7: Configuring TLS
This chapter includes the following topics:
About TLS
About configuring and enabling TLS
Configuring TLS
Configuring TLS with mutual authentication
About TLS
Transport Layer Security (TLS) provides communications security and privacy over the Internet and enterprise networks. The TLS protocol establishes a secure channel of communication between the Intel AMT device and Notification Server.
See “About configuring and enabling TLS” on page 95.
About configuring and enabling TLS
(Optional)
Out of Band Management Component and the Intel AMT devices that are set up and configured in enterprise mode support Transport Layer Security (TLS) encryption for secure communications between each other.
You can configure TLS in the following two modes:
TLS: When Altiris solutions connect to the Intel AMT devices that are configured in enterprise mode with TLS enabled, they verify the identity of Intel AMT devices by requesting a certificate. See “Configuring TLS” on page 96.
TLS with mutual authentication: When your Intel AMT computers are configured to use TLS with mutual authentication, the server requests a certificate from the client, and the client requests a certificate from the server. See “Configuring TLS with mutual authentication” on page 100.
Configuring TLS
When you set up and configure an Intel AMT computer with TLS, Intel SCS accesses the trusted certification authority (CA), enrolls for a certificate on behalf of each Intel AMT device, and then installs the certificate into the Intel AMT device.
Table 7-1 Process for configuring TLS
Step | Action | Description
Step 1 | Meet the requirements for TLS. | Specific operating system and infrastructure requirements must be met. See “About environment requirements” on page 32.
Step 2 | Install Microsoft certification authority (CA), if it is not already installed. | The CA issues certificates to Intel AMT devices. See “Installing and configuring CA” on page 36.
Step 4 | (Optional) Export the CA root certificate. | You need this certificate if you want to use the SOL/IDE-R functionality of Intel AMT. See “Exporting the CA Root Certificate for the Altiris Real-Time System Manager software” on page 97.
Step 5 | Configure connection profiles to use the secure mode. | Altiris solutions use this connection profile to connect to the Intel AMT devices that are configured in secure mode. See “Configuring the connection profile to use TLS” on page 97.
Step 6 | Configure Intel AMT computers to use TLS. | After this step, the computers can be managed in secure mode only. See “Configuring Intel AMT computers to use TLS” on page 98.
Exporting the CA Root Certificate for the Altiris Real-Time System Manager software
(Optional)
To use the SOL/IDE-R functionality of Intel AMT with Real-Time System Manager, you must export the CA root certificate to a file, and then configure the connection profile to use this file.
This certificate is used to validate the authenticity of the managed Intel AMT computer and the Notification Server computer during SOL and IDE-R communication.
You can obtain the CA root certificate in the following ways:
Export the CA root certificate from the Local computer certificate store.
Download the CA certificate from the CA computer using the certificate services Web site (http://<ca_server_name>/certsrv/).
See “Configuring TLS” on page 96.
To export the CA root certificate
1. On the CA computer, click Start > Run.
2. In the Open box, type mmc, and then click OK.
3. In the Microsoft Management Console, click File > Add/Remove Snap-in.
4. Click Add.
5. Click Certificates, and then click Add.
6. Click Computer account, and then click Next.
7. Click Local computer, click Finish, and then click Close.
8. Click OK.
9. In the Microsoft Management Console tree, locate your CA root certificate in the Trusted Root Certification Authorities folder, and then open the certificate.
10. Click the Details tab.
11. Click Copy to File.
12. Use the wizard to export the certificate in the Base-64 encoded X.509 format.
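The export wizard also offers DER-encoded output, which the connection profile does not expect. The following added example (not code from the guide or from Symantec) checks which form an exported file is in, rejects truncated files, and converts a DER export to the Base-64 encoded X.509 form; the sample bytes are a constructed DER SEQUENCE, not a real certificate.

```python
"""Added example, not from the Symantec guide: verify that an exported CA root
certificate is in the Base-64 encoded X.509 (PEM) form the connection profile
expects, and convert a DER export to that form if the wizard produced one.

Assumption (mine): SAMPLE_DER below is a constructed DER SEQUENCE used only to
exercise the code; it is not a real certificate.
"""
import base64
import binascii
import re

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# Constructed stand-in: SEQUENCE (long-form length 0xC8 = 200) holding one OCTET STRING.
SAMPLE_DER = b"\x30\x81\xc8" + b"\x04\x81\xc5" + b"A" * 0xC5


def der_length_matches(data: bytes) -> bool:
    """True if data is exactly one DER SEQUENCE whose encoded length fills the buffer."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    first = data[1]
    if first < 0x80:                      # short form: one length byte
        header, length = 2, first
    else:                                 # long form: 0x8N then N length bytes
        n = first & 0x7F
        if n == 0 or len(data) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(data[2:2 + n], "big")
    return header + length == len(data)


def der_to_pem(der: bytes) -> bytes:
    """Wrap DER bytes as a Base-64 encoded X.509 certificate with 64-character lines."""
    b64 = base64.b64encode(der)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return b"-----BEGIN CERTIFICATE-----\n" + b"\n".join(lines) + b"\n-----END CERTIFICATE-----\n"


def pem_to_der(pem: bytes) -> bytes:
    """Decode the first CERTIFICATE block; raises ValueError/binascii.Error on bad input."""
    match = PEM_RE.search(pem)
    if not match:
        raise ValueError("no CERTIFICATE block found")
    body = re.sub(rb"\s+", b"", match.group(1))
    return base64.b64decode(body, validate=True)


def detect_format(data: bytes) -> str:
    """Return 'pem', 'der' or 'unknown' (unknown also covers truncated files)."""
    if PEM_RE.search(data):
        try:
            return "pem" if der_length_matches(pem_to_der(data)) else "unknown"
        except (binascii.Error, ValueError):
            return "unknown"
    return "der" if der_length_matches(data) else "unknown"


def ensure_pem(data: bytes) -> bytes:
    """Return the file contents in Base-64 X.509 form, converting from DER if needed."""
    fmt = detect_format(data)
    if fmt == "pem":
        return data
    if fmt == "der":
        return der_to_pem(data)
    raise ValueError("file is neither a DER nor a Base-64 encoded X.509 certificate")


if __name__ == "__main__":
    print(detect_format(SAMPLE_DER))          # der
    print(ensure_pem(SAMPLE_DER).decode())    # Base-64 block ready for the connection profile
```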
Configuring the connection profile to use TLS
You must configure the connection profile to use secure mode for communications with Intel AMT computers.
If you want to use the SOL/IDE-R functionality, you must configure the connection profile with the trusted root CA certificate that you exported.
See “Exporting the CA Root Certificate for the Altiris Real-Time System Manager software” on page 97.
This certificate is used to validate the authenticity of the managed AMT computer and the Notification Server computer during SOL and IDE-R sessions.
For more information on connection profiles, see the Symantec Management Platform Help.
See “Configuring TLS” on page 96.
To configure the connection profile to use TLS
1. In the Symantec Management Console, on the Settings menu, click All Settings.
2. In the left pane, click Monitoring and Alerting > Protocol Management > Connection Profiles > Manage Connection Profiles.
3. Click the connection profile that you use to connect to Intel AMT computers with Real-Time System Manager, and then click the Edit symbol.
4. In the Define Group Settings dialog box, expand the AMT section.
5. Check Secure mode.
6. If you want to use the SOL/IDE-R functionality, in the Trusted CA certificate location box, click Browse and browse to the CA certificate that you exported earlier.
See “Exporting the CA Root Certificate for the Altiris Real-Time System Manager software” on page 97.
Configuring Intel AMT computers to use TLS
Now you can modify one of the existing configuration profiles to use TLS, and then reconfigure your Intel AMT computers.
After the Intel AMT computers are reconfigured, they are ready to be managed out of band in secure mode.
See “Altiris products that can manage computers out of band” on page 15.
See “Configuring TLS” on page 96.
Page 99
To modify the configuration profile to use TLS
1. In the Symantec Management Console, on the Settings menu, click All Settings.
2. In the left pane, click Remote Management > Out of Band Management > Configuration Service Settings > Configuration Profiles.
3. Open the profile that you want to modify.
4. On the TLS tab, check Use TLS.
5. Click Local Interface: TLS Server Authentication, and then click Network Interface: TLS Server Authentication.
6. Select the Server Certificate from the drop-down list. If the list is empty, do the following in order:
   - Click the Browse for Certificate Generation Properties symbol.
   - In the Select Certificate Generation Properties dialog box, click the Add symbol to add a new certification authority (CA) to the list.
   - Specify the CA settings in the Add Certificate Generation Properties dialog box. The default template for TLS is WebServer.
   - Click OK.
   - On the Select Certificate Generation Properties page, click the CA that you just added, and then click OK.
7. Click OK to close the profile.
To reconfigure Intel AMT computers
1. In the Symantec Management Console, on the Settings menu, click All Settings.
2. In the left pane, click Remote Management > Out of Band Management > Intel AMT Systems > Intel AMT Systems.
3. (Optional) Click the computers that you want to reconfigure.
4. On the toolbar, click the Re-configure symbol.
The reconfiguration process is initiated.
After reconfiguration, the communications with Intel AMT computers are secure.
Page 100
Configuring TLS with mutual authentication
TLS with mutual authentication adds more security to communications with Intel AMT devices. Mutual authentication, also known as two-way authentication, is a process whereby two parties, typically a client and a server, authenticate each other so that each party is assured of the identity of the other. In a TLS handshake with mutual authentication, the client validates the server's certificate as usual, and the server additionally requests a certificate from the client and validates it. For out-of-band management, the Intel AMT device is the TLS server and the management software is the TLS client, so the client certificate is the one that the management side presents.
Table 7-2
Process for configuring TLS with mutual authentication
Step 1: Meet the requirements for TLS with mutual authentication.
To use this feature, you must first complete all of the steps that are required for TLS.
See “Configuring TLS” on page 96.
Step 2: Install a client certificate.
You must issue and install a client certificate that the management software uses to authenticate itself to the Intel AMT computers.
See “Creating and installing a client certificate using an Enterprise CA” on page 100.
Step 3: Configure Intel AMT computers to use TLS with mutual authentication.
You must modify the Intel AMT configuration profile and reconfigure the Intel AMT computers.
See “Configuring Intel AMT computers to use TLS mutual authentication” on page 108.
Creating and installing a client certificate using an Enterprise CA
You must create a client certificate for TLS with mutual authentication and install the certificate in the certificate store of the Intel SCS user, because that is the account whose certificate is presented to the Intel AMT computers.
See “Configuring TLS with mutual authentication” on page 100.
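A check that covers both the plain TLS case (after the reconfiguration described under “Configuring Intel AMT computers to use TLS”) and the mutual authentication case described above. This is an added example and not part of the Symantec guide or of the Altiris product: from the Notification Server it opens a TLS connection to a reconfigured Intel AMT computer, accepts the handshake only if the device certificate chains to the CA root exported earlier, and, when a client certificate thumbprint is given, presents that certificate from the current user's store (run it as the Intel SCS user) so you can see whether the device actually requested and accepted it. The guide does not give port numbers; the example assumes Intel's documented Intel AMT ports, TCP 16993 for TLS and TCP 16992 for non-TLS. The host name, file path and thumbprint are placeholders.

```powershell
# Added example (not from the Symantec guide): verify that an Intel AMT computer answers on its TLS
# port with a certificate issued by the configured CA, and optionally that it accepts the management
# side's client certificate (TLS with mutual authentication).
# Assumptions, not stated in the guide: Intel AMT serves TLS on TCP 16993 and plain HTTP on TCP 16992
# (Intel's documented ports); $AmtHost, $CaRootFile and $ClientCertThumbprint are placeholders.
param(
    [string]$AmtHost              = 'amt-client01.example.com',          # assumption: managed AMT computer's FQDN
    [string]$CaRootFile           = (Join-Path $env:TEMP 'ca-root.cer'), # Base-64 CA root exported earlier
    [string]$ClientCertThumbprint = ''                                   # set for mutual auth; run as the Intel SCS user
)

$caRoot = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CaRootFile

# Trust only the exported CA root for this check, not the machine store, so the handshake is rejected
# if the device still presents a self-signed or foreign certificate.
$validate = {
    param($sender, $cert, $chain, $sslPolicyErrors)
    $c = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $c.ChainPolicy.ExtraStore.Add($caRoot) | Out-Null
    $c.ChainPolicy.RevocationMode    = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $c.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::AllowUnknownCertificateAuthority
    $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cert
    if (-not $c.Build($leaf)) { return $false }                       # no chain at all (e.g. issuer unknown)
    $chainRoot = $c.ChainElements[$c.ChainElements.Count - 1].Certificate
    return ($chainRoot.Thumbprint -eq $caRoot.Thumbprint)            # chain must end at OUR CA root
}.GetNewClosure()

# Mutual authentication: the certificate installed in the Intel SCS user's store (CurrentUser\My when
# running as that user) is offered if, and only if, the device requests a client certificate.
$clientCerts = New-Object System.Security.Cryptography.X509Certificates.X509CertificateCollection
if ($ClientCertThumbprint) {
    $cc = Get-Item "Cert:\CurrentUser\My\$ClientCertThumbprint"
    if (-not $cc.HasPrivateKey) { throw "Client certificate $ClientCertThumbprint has no usable private key" }
    $clientCerts.Add($cc) | Out-Null
}

$tcp = New-Object System.Net.Sockets.TcpClient($AmtHost, 16993)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $validate)
try {
    # Offer TLS 1.0 through 1.2; the AMT firmware generation decides which one is negotiated.
    $ssl.AuthenticateAsClient($AmtHost, $clientCerts, [System.Security.Authentication.SslProtocols]'Tls, Tls11, Tls12', $false)
    $serverCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ssl.RemoteCertificate
    [pscustomobject]@{
        Host                 = $AmtHost
        Protocol             = $ssl.SslProtocol
        ServerSubject        = $serverCert.Subject
        ServerIssuer         = $serverCert.Issuer
        ServerNotAfter       = $serverCert.NotAfter
        IssuedByConfiguredCA = $true                        # the validation callback rejected anything else
        MutuallyAuthenticated = $ssl.IsMutuallyAuthenticated  # $true only if the device asked for and accepted the client cert
    }
}
catch {
    throw "TLS handshake with $AmtHost failed (certificate not issued by '$($caRoot.Subject)', or client certificate rejected): $($_.Exception.Message)"
}
finally {
    $ssl.Dispose()
    $tcp.Close()
}

# "Secure mode only": the non-TLS port is expected to refuse connections after reconfiguration.
$plain = New-Object System.Net.Sockets.TcpClient
try {
    $plain.Connect($AmtHost, 16992)
    Write-Warning "$AmtHost still accepts plain connections on 16992; check that TLS is enabled on the network interface in the profile"
}
catch { "$AmtHost refuses plain port 16992 (expected in secure mode)" }
finally { $plain.Close() }
```

Two things to read from the output. First, ServerIssuer should name the CA that you selected in the configuration profile; if it names the device itself, the profile was applied without the server certificate. Second, MutuallyAuthenticated stays false when the device has not yet been reconfigured for mutual authentication even though you supplied a client certificate, so a false value after Step 3 means the profile change did not take effect rather than that the certificate is wrong.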
Configuring TLS
Configuring TLS with mutual authentication
100