Presentation on theme: "Intel® AMT Keyboard, Video & Mouse Remote Control"— Presentation transcript:
1 Intel® AMT Keyboard, Video & Mouse Remote Control
<Presenter’s Name>
Application Engineer
Software and Services Group
<month>, 2009
2 Legal Disclaimer
Information in this document is provided in connection with Intel products. No license, express or implied, by personnel or otherwise, to any intellectual property rights is granted by this document. Except as provided in Intel's Terms and Conditions of Sale for such products, Intel assumes no liability whatsoever, and Intel disclaims any express or implied warranty, relating to sale and/or use of Intel products including liability or warranties relating to fitness for a particular purpose, merchantability, or infringement of any patent, copyright or other intellectual property right. Intel products are not intended for use in medical, life saving, or life sustaining applications. Intel may make changes to specifications and product descriptions at any time, without notice. Designers must not rely on the absence or characteristics of any features or instructions marked "reserved" or "undefined." Intel reserves these for future definition and shall have no responsibility whatsoever for conflicts or incompatibilities arising from future changes to them. Products referenced herein may be incomplete or contain errors known as errata which may cause the products to deviate from published specifications. Current characterized errata are available upon request. Intel® Active Management Technology requires the computer have an Intel® AMT-enabled Intel chipset, network hardware and software, connection with a power source, and a network connection. Intel® Virtualization Technology requires a computer system with an enabled Intel® processor, BIOS, virtual machine monitor (VMM) and for some uses, certain platform software enabled for it. Functionality, performance or other benefits will vary depending on hardware and software configurations. Intel Virtualization Technology-enabled BIOS and VMM applications are currently in development.
Copyright (c) Intel Corporation
* Other names and brands may be claimed as the property of others.
3 Expanding Redirection Capabilities
- Current Support (Intel® AMT Release 5.x and earlier)
  - IDE Redirection
  - Serial Redirection
- Intel® AMT Release 6
  - IDE & Serial Redirection
  - Keyboard, Video & Mouse (KVM) Remote Control
4 Example Use-Cases
- OS Blue-screen
- OS Unresponsive
- Boot Process
- Corrupt Network Driver
[Figure: console mock-up titled "Select a machine to manage". Computer State: Comp A Unhealthy; Comp B OS unresponsive; Comp C Rebooting; Comp D OS Healthy. Comp A Screen: "Dsfsd.sys failed at mem location 0x1234hfhs", "Memory dump: 3409afed 3409afed".]
5 Advantages of KVM Remote Control
- Works in many situations
  - OS malfunctions (hung, degraded response)
  - BIOS level
  - OS boot
  - OS installation
  - OS repair (safe mode, system restore)
  - Virtual environments
  - Corrupt network driver or filtered network traffic
- Robust, hardware based solution
- Reduced hardware cost (compared to 3rd party hardware solutions)
6 Terminology
Term | Definition
KVM Server | The KVM service running on the managed client. A KVM Server runs in the Intel® vPro™ management engine.
KVM Client | The ISV console connecting to the KVM Server.
Sprite | A graphic overlay that is drawn directly to the monitor by the integrated hardware. Similar to volume / channel indication on television.
[Figure labels: Sprite Graphic; KVM Client; KVM Session Request; Passcode; KVM Server; Intel® vPro™ System; Remote Console]
7 Example Deployment Flow
- System Received & Installed
  - Physically deployed
  - Intel® vPro™ Drivers / Services Installed
- Optional MEBx Settings (manual)
  - KVM Disable
  - User Consent Disable (enable remote switch)
- Intel® vPro™ Setup
- Configuration (remote)
  - Set RFB Password
  - Enable / disable user consent (requires MEBx setting)
  - Enable / disable port 5900
  - Enable redirection listener
- Optional User Settings
  - Consent Opt-Out (MEBx)
  - Session Notifications (IMSS)
Prior to KVM Remote Control use, several steps with some notable options are required. This occurs in conjunction with Intel® vPro™ Setup & Configuration.
8 Example KVM Remote Control Session
- Console Initiates Session
  - Intel® AMT Authentication
  - Optional TLS Session Established
  - VNC* Authentication
  - User Consent Code Validation
- Session Established
- Session User Notification
  - IMSS Icon
  - Sprite
- Session Terminated
  - Console terminates or…
  - User terminates (IMSS or Physical Disconnect)
[Figure labels: KVM; Passcode; Connect; Session Terminated; Intel® vPro™ System; Remote Console]
9 Example User Consent Flow
- User calls help-desk
- Help-desk connects to Intel® AMT
- ME generates consent code
- Consent code displayed locally in sprite
- User reads consent code to help-desk
- Help-desk enters consent code
- KVM Remote Control session begins
By default, the user must consent to each KVM Remote Control session. This may be disabled by:
- OEM
- During USB initiated setup
- User opts out through MEBx
- Optionally enabled / disabled remotely if allowed in MEBx
10 Wireless Connectivity
- Host Wireless Driver Managing All Traffic
- Intel® AMT Session Established
- KVM Remote Control Session Begins
- ME Transitions to “Operational” State: Controls Wireless Connection
- ME Maintains Control of Wireless Connection During KVM Remote Control Session and Power Control
- KVM Remote Control Session Ends
- ME Transitions to “Pipe” State: Host Manages Wireless Connection (if available)
Management traffic passes through the host wireless driver when operational. (“Pipe” mode)
The management engine (ME) manages wireless connectivity when the host driver is absent. (“Operational” mode)
Intel® AMT implements “link sensitive” behavior during some use-cases to avoid connectivity interruptions.
Starting with Intel® AMT 6.0, you can control the link preference to fit your use-case through AMT_EthernetPortSettings.SetLinkPreference.
12 Enhanced Intel® AMT Connection
- Console GUI
  - ISV Console or…
  - Integrated VNC* Viewer
- Viewer Library
- RFB API
- SDK Proxy Library
  - Digest Authentication or…
  - Kerberos
  - TLS
- Intel® vPro™ Platform
  - Intel® AMT ports 16994/16995
  - TLS
13 Protocols
- RealVNC* Remote Frame Buffer (RFB) Protocol (RFB 3.8)
  - Supporting versions 3.8 and 4.x
  - Uses port 5900 (default)
  - Adds RFB password for port 5900 (VNC Authentication)
- KVM Remote Control Protocol
  - Implemented as proxy
  - Uses ports 16994/16995
  - Listens on port 5900 (default)
  - Extends RFB capabilities
    - Digest & Kerberos authentication
    - TLS Encryption
14 Protocol & Viewer Options
Protocol Options
- Remote Frame Buffer 3.8
  - Open source
- Remote Frame Buffer 4.x
  - Improved performance
  - No GPL code
  - Enhanced error reporting
  - Licensed separately by RealVNC*
Viewer Compatibility (matrix; cell marks not preserved in the transcript)
- KVM Server columns: 3rd Party; Real VNC*; Intel® vPro™
- Viewer rows: RealVNC 3.8† X; RealVNC 4.x (Intel® SDK); RealVNC 4.x
† Compatibility depends on 3rd party implementation.
15 SDK Components
- RealVNC* Viewer Library
  - Customized for use with Intel® vPro™ Technology
  - Binary only
  - RFB 4.x
  - C interface
  - Integrated viewer
  - Licensed separately by RealVNC
- KVM Proxy Library / Sample
  - Source provided
  - Listens for viewer
  - Proxies RFB through Intel® AMT Redirection Protocol
  - SOCKS proxy
- Viewer Sample
  - Demonstrates custom viewer and proxy use
- Documentation
The RealVNC viewer library is licensed by Intel from RealVNC and provided to ISVs under the same conditions as the rest of the SDK. The viewer is provided as a binary only and cannot be modified. The integrated viewer in the library may be invoked if the ISV doesn’t want to write a viewer integrated in their console.
The Viewer sample shows how to write an RFB viewer that may interact with the Intel KVM proxy.
16 Configuration (partial list)
- MEBx (local configuration screens)
  - Disable / enable KVM Remote Control (just like legacy redirection features)
  - Disable / enable user consent requirements
- Intel® AMT (network interface)
  - Disable / enable KVM Remote Control (if enabled in MEBx)
  - Set RFB password
  - Enable / disable port 5900 for legacy VNC connections
  - Ports 16994/16995 available for Intel® AMT redirection connections
  - Disable / enable user consent (if allowed by MEBx)
  - User consent timeouts and session timeouts
- Intel® Management & Security Status
  - Select sprite language
  - Notification options
  - Hot-key disconnect
17 Architecture Considerations
[Figure: three deployment layouts; labels listed in the order extracted]
- Integrated (SDK Sample): Console; Console GUI; VNC Library; Central Server; Intel® AMT Redirection Proxy; TLS
- Distributed (Example #1): RFB; Central Server; Console; Console GUI; VNC Library; Intel® AMT Redirection Proxy; TLS
- Distributed (Example #2): Console; Console GUI; VNC Library; Intel® AMT Redirection Proxy; TLS
19 Summary
- Keyboard, Video & Mouse (KVM) Remote Control Added in AT6 For New Use-Cases
- Basic Protocol is RealVNC* Remote Frame Buffer (RFB) 3.8 or 4.x
- Intel® KVM Remote Control Proxy Gives Greater Security
22 Remote KVM Protocols
[Figure labels: VNC* Library; Intel® Redirection Proxy; Intel® Remote Connectivity Gateway; Intel® vPro™ Platform; protocol layers APF, TLS, RFB]
23 Access Monitor – KVM Related Events
- KVM session start
- KVM session end
- KVM enable
- KVM disable
- RFB password failed X times
- KVM user consent options changed
- RFB password changed
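An added example, not part of the original slides or of Intel's SDK: one way a defender could triage the KVM-related events listed on this slide. Only the event names come from the slide; the record layout, host names, timestamps and the 15-minute window are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample records (NOT a real Intel AMT log format): (time, host, event).
# Event names are taken from the slide's list of KVM-related events.
SAMPLE_EVENTS = [
    ("2009-06-01T09:00:00", "comp-a", "KVM user consent options changed"),
    ("2009-06-01T09:03:00", "comp-a", "KVM session start"),
    ("2009-06-01T09:20:00", "comp-a", "KVM session end"),
    ("2009-06-01T10:00:00", "comp-b", "RFB password failed 3 times"),
    ("2009-06-01T10:01:00", "comp-b", "RFB password changed"),
    ("2009-06-01T10:02:00", "comp-b", "KVM session start"),
    ("2009-06-01T11:00:00", "comp-c", "KVM session start"),
    ("2009-06-01T11:30:00", "comp-c", "KVM session end"),
]

# Changes to how a session is gated; worth a look when a session follows closely.
GATING_CHANGES = {"KVM enable", "KVM user consent options changed",
                  "RFB password changed"}

def review_kvm_events(events, window=timedelta(minutes=15)):
    """Return (host, time, reason) findings for an analyst to review.

    The 15-minute default window is an assumed threshold, not an Intel value.
    """
    findings = []
    changes = {}        # host -> [(time, event)] gating changes seen so far
    open_sessions = {}  # host -> start time of a session with no end yet
    for ts, host, event in sorted(events):
        now = datetime.fromisoformat(ts)
        if event in GATING_CHANGES:
            changes.setdefault(host, []).append((now, event))
        elif event.startswith("RFB password failed"):
            findings.append((host, ts, "repeated RFB password failures"))
        elif event == "KVM session start":
            for when, change in changes.get(host, []):
                if now - when <= window:
                    findings.append((host, ts, f"session soon after '{change}'"))
            open_sessions[host] = ts
        elif event == "KVM session end":
            open_sessions.pop(host, None)
    for host, ts in open_sessions.items():
        findings.append((host, ts, "session start with no recorded end"))
    return findings

if __name__ == "__main__":
    for finding in review_kvm_events(SAMPLE_EVENTS):
        print(*finding, sep=" | ")
```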
24 Intel® Management and Security Status (IMSS) Enhancements
- Display the enabled/disabled status of the KVM feature
- Indicate if there is an active KVM session
- Notify the user that a KVM session is starting
- Provide an option to stop the KVM session
- Select language for sprite messages
25 User Consent Switches
- Remote user consent control through API
  - IPS_KVMRedirectionSettingData -> OptInPolicy
  - Must be allowed by firmware setting
  - OEM sets the default
  - OEM settings may be overridden by MEBx
[Figure: decision flow. OEM Setting: Allow Remote User Consent Control (No / Yes); Default Settings; MEBx Setting: Allow Remote User Consent Control (No / Yes); AMT Admin: User Consent Setting; User Consent (Required / Not Required); KVM Session]
26 KVM BIOS/FW Settings Matrix
Columns: KVM Enabled (Y/N) | User Consent (On/Off) | Remote Config of User Consent (On/Off) | Manual Touch for IT (Yes/No)
Cell values as extracted: Yes; On; No; Off; On or Off
Legend: Recommended OEM Settings; Good for IT, no touch; Bad for IT, requires touch