Managing Computers With Intel AMT Greg Rusu +41 41 748 22 13


1 Managing Computers With Intel AMT
Greg Rusu
+41 41 748 22 13
rug@brainware.ch

2 (c) 2008 Brainware Solutions AG
Agenda
- Overview
- Network Requirements
- Certificates
- Intel SCS Server
- Columbus 6.10 Configuration
- Usage samples
- Columbus AMT License Key Requirements

3 Overview
- AMT = “Active Management Technology”
  - Mechanism for securely managing PCs
  - Intel-proprietary, labeled as “vPro”
  - Two flavors: Enterprise & Small Business
- Evolving technology
  - 4 versions of vPro firmware released in 2007
  - 2 versions on Desktops, 2 on Notebooks
  - 3 versions of back-end server released in 2007
- Requires sophisticated environment
  - DHCP required and DNS must allow dynamic updates
  - IIS, ASP.Net 2.0, and MS SQL Server run the back-end
  - Certificate Authority required for secure net traffic
  - Firewalls/routers must allow specific ports
- Competing technologies on the horizon
  - DASH is emerging as industry standard
  - Similar in approach to AMT
  - Intel AMT will evolve to support

4 Overview – “vPro” Systems
- The Intel AMT device functions only when “Provisioned”
- Provisioning is the authentication and authorization process by which the AMT client and SCS server are bound together
- The UUID and a Private Key shared by the AMT client and the SCS server are confirmed during the “provisioning” process

5 Overview – Enterprise & SMB
Functionality | Enterprise | Small Business (SMB)
- Encrypted traffic with AMT client
- Frequent user or PC changes
- Static IP or Windows Workgroups (i.e. NetBIOS)
- Active Directory

6 Overview – Enterprise & SMB (cont.)
Typical Enterprise Server
- Windows 2003 Server SP2
- .Net 2.0 SP1
- IIS
- DHCP
- DNS
- AD
- SQL Server 2005 or Express
- Certificate Authority
- Intel SCS
- Columbus 6.10
- Multi-core Xeon, 4GB RAM
Typical Small Business Server
- Windows 2003 Server SP2
- DHCP
- DNS
- Columbus 6.10
- Dual-Core, 2GB RAM

7 Network Requirements – Minimum
- Option 81 (Dynamic update of DNS name and PTR records)
- “provisionserver” added to Forward and Reverse zones
- Schema is extended for Intel AMT objects
- Must see DNS. Ports 9971, 16992-16994.
- Must see DNS. Port 443, 9971, 16992-16994.

8 Certificates
Required
- TLS PSK: Preshared key used for the AMT Client to communicate with the SCS during setup. Source: Intel SCS creates this.
- Server Certificate: Certificate used to allow HTTPS communication with the Intel SCS. Source: Microsoft Certificate Authority (CA).
Optional
- TLS Certificate: Allows secure communication between the AMT client and the SCS. Source: Microsoft CA, Verisign, etc.
- 802.1x Certificate: Allows the AMT client to connect to an 802.1x secured network. Source: Microsoft CA, Verisign, etc.
- Mutual Authentication Root Certificate: Allows the AMT client to authenticate the SCS. Source: Microsoft CA, Verisign, etc.

9 Intel SCS Server
- Optional component
- Certificate needed for this HTTPS communication
- MS SQL Server 2005 or Express

10 Columbus 6.10 Configuration
- Columbus AMT License key
  - Intel AMT requires advanced environment and specialized training
  - Special terms apply for obtaining a Columbus AMT License key
- Installation
  - Select Intel vPro Support under Infrastructure Server and Management Console
- Configuration
  - Infrastructure > Index Agent > AMT
  - Configure AMT
  - Configure SCS server
- Management
  - “AMT Management” of selected clients

11 Usage Examples
- System Discovery: Discover systems even if powered off
- BIOS/Firmware Update: Reflash BIOS and set firmware remotely
- Diagnostics: Run remote diagnostics against defective systems
- Quarantine: Isolate suspect systems from the network

12 Pitfalls
- FQDN Mismatch
  - SCS and AMT clients find one another through DNS
  - Multi-homed clients may not register the same FQDN
  - SCS cannot find the AMT client
  - Workaround – well-planned and controlled hostname assignments
- SCS server capacity
  - SCS is improving but not fully matured
  - 1800 AMT clients will peg a quad-core 3GHz server for over two hours during setup
  - Encrypted communications, SOAP and database transactions are not optimized
  - Workaround – host SCS on multiple front-end servers with strong back-end database server (“Strong” = 4GB RAM, 3 GHz multi-core CPUs)
- One Database
  - SCS uses one single MS SQL Server to store all AMT client information
  - Provisioned AMT clients will not “talk” to another SCS server unless it pulls from the same MS SQL Server and has the same certificates
  - Workaround – cluster front-end SCS servers and replicate your one SQL Server instance across multiple physical servers
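
The FQDN-mismatch pitfall above can be caught ahead of provisioning by comparing the name the provisioning server has on record for each client against the forward and reverse zones. This is an added example, not part of the original presentation and not code from Intel SCS or Columbus; the inventory format, UUIDs, host names and addresses are constructed, and it assumes the recorded FQDN is the name the server looks up.

```python
# Constructed sample data (not from the presentation).
SCS_INVENTORY = {  # hypothetical export: client UUID -> FQDN recorded at provisioning
    "uuid-0001": "pc-101.corp.example",
    "uuid-0002": "nb-202.corp.example",
    "uuid-0003": "pc-303.corp.example",
    "uuid-0004": "pc-404.corp.example",
}
FORWARD_ZONE = {  # A records: FQDN -> addresses
    "pc-101.corp.example": ["10.0.1.11"],
    "nb-202.corp.example": ["10.0.1.22"],
    "nb-202.wlan.corp.example": ["10.0.9.22"],  # second NIC registered its own name
    "pc-303.corp.example": ["10.0.1.33"],
}
REVERSE_ZONE = {  # PTR records: address -> FQDN
    "10.0.1.11": "pc-101.corp.example",
    "10.0.1.22": "nb-202.wlan.corp.example",  # PTR overwritten by the other interface
    "10.0.9.22": "nb-202.wlan.corp.example",
    # 10.0.1.33 never got a PTR (dynamic update did not happen)
}

def norm(name):
    """Compare DNS names case-insensitively and without the trailing dot."""
    return name.rstrip(".").lower()

def check_client(fqdn, forward, reverse):
    """Return the findings for one client; an empty list means consistent."""
    fqdn = norm(fqdn)
    addrs = {norm(k): v for k, v in forward.items()}.get(fqdn, [])
    if not addrs:
        return ["no A record"]
    findings = []
    for ip in addrs:
        ptr = reverse.get(ip)
        if ptr is None:
            findings.append(f"{ip}: no PTR record")
        elif norm(ptr) != fqdn:
            findings.append(f"{ip}: PTR is {norm(ptr)}")
    return findings

def audit(inventory, forward, reverse):
    """Map each inconsistent client UUID to its list of findings."""
    report = {}
    for uuid, fqdn in inventory.items():
        findings = check_client(fqdn, forward, reverse)
        if findings:
            report[uuid] = findings
    return report

if __name__ == "__main__":
    for uuid, findings in audit(SCS_INVENTORY, FORWARD_ZONE, REVERSE_ZONE).items():
        print(uuid, SCS_INVENTORY[uuid], "; ".join(findings))
```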

13 Columbus AMT License Key Requirements
Columbus Intel AMT vPro functionality is licensed under the following terms:
1. Columbus Enterprise or Complete licensing
2. License keys can only be issued to companies along with a booking of two days paid consulting services
3. Helpdesk does not service Intel AMT questions, and all related questions are subject to paid consulting hours

14 Questions & Discussion

