Deployment Scenarios of Intel® vPro™, Part 2: Five Deployment Models

As noted at the introduction of this series, there is an expectation that the reader is already familiar with the provisioning process of Intel® vPro™ within an Altiris environment. Materials on Altiris Juice, User guides, online or instructor led training, or other sources provide a necessary foundation in understanding the core provisioning process.

This article introduces five models or approaches to deploying, configuring, and using the Intel® vPro™ technology with Altiris Out-of-Band Management. The five base scenarios provide a foundation for custom and advanced deployments that are currently in use, have been tested in the lab, or are being discussed as this article is being drafted.

This article is by no means an authoritative guide on appropriate deployment models, yet is provided as a starting point for discussions, lab testing, and advanced deployment scenarios. In the brief description provided with each model, I will note whether that model is currently being deployed in production environments, being discussed, and so forth.

Key Security and Configuration Considerations to Keep In Mind

Previous articles have hinted at and hopefully future materials will further reinforce some key items to keep in mind. This is a short list with further explanations and experiences needed to fully appreciate and understand:

• Once provisioned, the Intel® vPro™ management engine is a service awaiting an authenticated request. The provisioning of an Intel® vPro™ client defines the future authentication and authorization of requests against the management firmware. Authentication is handled either via MD5 Digest or Kerberos (see Kerberos Authentication of Intel vPro in an Altiris Environment).

  In addition, the provision profile and Altiris Real-Time Console Infrastructure configuration define TLS and Mutual TLS certificates that could be applied to the client configuration. Therefore, both the authentication of the request and the encryption via issued certificates requires awareness and association to a defined domain, certificate authority, and so forth.

• Communications to the provisioning service (e.g. AMTSCS virtual web directory) and requests to the Intel® vPro™ clients are handled via SOAP over HTTP. In regards to service configuration settings, use of SSL on the AMTSCS virtual web directory is recommended.
• Access to the core Intel® vPro™ configuration database requires a SQL account login defined during the installation process. In addition, user access control to the configuration service settings is defined by Windows Domain or Local User accounts.

Other authentication and authorization related concepts for Intel® vPro™ in an Altiris environment are provided via articles such as Altiris Handling of the Intel AMT connection credentials with Out of Band Management (OOB) and Real-Time System Manager (RTSM). Again - the above is only a short list of security and configuration related considerations before introducing the deployment models. The key takeaway is ONLY properly authenticated, authorized, and secured connectivity sessions are allowed.

In the following sections, the Altiris environment is noted by "NS" or "OOBM" yet includes the following core and supporting modules:

• Notification Server 6.0.6074 with SP3 applied
• Real-Time Console Infrastructure 6.3.1066
• Real-Time Systems Manager 6.3.1066
• Out of Band Management 6.2.1035.
• Out of Band Setup and Configuration Solution 6.2.1040
• Altiris Task Management 6.0.1356

A previous article on Optimal Client Environment for Intel vPro provisioning along with other materials on OOB Discovery still applies.

Traditional Single Altiris Out-of-Band Management Installation

This is the default or most common model in deploying Altiris Out-of-Band management for the provisioning and usage of Intel® vPro™ technology. A single server hosts the Altiris Notification Server and Out-of-Band Management solutions. Either locally or in close association to the Altiris Notification Server is a Microsoft SQL Server hosting both the Altiris CMDB and IntelAMT databases. An environment has been created to provide an optimal situation for configuration and using the technology (previous series provides some examples).

Click to view.

This core environment is the most commonly used deployment approach today. It provides the foundation to build upon as we briefly review other models and approaches to an Altiris environment.

Multiple Altiris Out-of-Band Management Installations with Single IntelAMT Database

Having a single Altiris Notification Server that is client facing may be suitable for small or medium deployment situations. However, an increasing number of requests and situations have arisen when multiple Altiris Notification Servers are required. The reason for multiple client facing NSservers could be due to client load, separate divisions due to acquisitions or divestitures, development testing versus production environments, and so forth.

An earlier post by Joel Smith highlighted how to setup a multiple Altiris NSserver environment with Intel® SCS - see Using Out of Band Management with Intel SCS in a Multiple Notification Server Environment.

A few key items to keep in mind:

• All participating servers MUST be running the same version of Intel® SCS. This is due to APIs, database schema, and related items. The easiest method of determining what version is running is to check the AMTconfig service.
• The oobprov.exe provisioning script and customized DLL (Interop.AeXClient.dll) must be in the same directory path on each participating Altiris NS Server
• Resource synchronization should be enabled to assign the configuration parameters (e.g. Profile Assignment settings) by default, yet NOT replicate the IntelAMT entries to each Altiris NS Server.
• If the ProvisionServer DNS record is used, it can direct provisioning events to the preferred Altiris NS server. One caveat seen at a few customer sites is that more than one client facing Altiris NS server was in the same DNS content (e.g. NS1.mycompany.com and NS2.mycompany.com). In that situation, take a look at the Intel® vPro™ Activator Utility referenced in this article.

The following diagram provides a simplified view how the setup might be accomplished. Notice that a single IntelAMT database instance exists, yet the connections are in place for both Altiris NS servers to access the database.

Click to view.

This model has been used in lab environments, along with a few production environments. It is recommended that lab testing and familiarization with the approach be completed before implementing in production. In addition, the next article will provide some additional insights on the Intel® SCS provisioning service.

Provisioned via Altiris OOBM, Managed by Other Consoles

It is quite common that a single enterprise environment will have more than one client management solution. The Altiris Client Management Suite may be the primary tool, yet other consoles or customized in-house utilities may be in place to further enable a particular environment or management preference.

This model takes the approach that the Altiris NSserver with Out-of-Band Management maintains the Intel® vPro™ configuration, thus acting as the ProvisionServer. From a previous article on core provisioning requirements (see it here), the first three criteria have been completed. The goal is completing the 4th requirement - updating the management consoles to be aware of and able to access the provisioned Intel® vPro™ clients. In addition, a post deployment provisioning situation may occur, which was referenced in the series Post-Deployment Provisioning of Intel® vPro™ Technology.

If you have ever used the Intel® WebUI or Intel® System Defense Utility, then you have effectively used this very model. Either the Altiris environment was not correctly configured to access the provisioning Intel® vPro™ client, or there was a particular usage model or approach that you preferred with one of the free utilities.

A key reminder: once an Intel® vPro™ client is provisioned, any properly authenticated and authorized request can be made to utilize the technology. The first section of this article references a few of the security considerations.

If using TLS or Kerberos, the "non-Altiris" management consoles MUST be part of the same DNS domain, Microsoft Active Directory Forest, and have the root certificate in their local computer certificate store.

Click to view.

A minor variation on the image shown above is to use a "non-Altiris" management console such as LANDesk, SupportSoft, SMS with Intel® AMT add-on, HP OOBM, and so forth. The core requirements still apply, and the method to update the consoles with lists of provisioned Intel® vPro™ systems is via their respective network discovery or related processes to find provisioned Intel® vPro™ or Intel® AMT capable clients. The Altiris NS server maintains the configuration of the Intel® vPro™ clients, yet other consoles are able to utilize the configured technology for remote out-of-band management purposes.

Click to view.

If unsure or doubtful that this can be accomplished - take a look here and try it out in your own environment. In my own lab, I setup a primary Altiris NSserver to configuration and manage Intel® vPro™ clients. Next, I setup a second Altiris NSserver, added the root certificate to the local computer certificate store, directed the Altiris NS Agent on a few clients to the second server and enabled OOB Discovery. Within a short period of time, I was able to issue commands from either Real-Time console to the provisioned Intel® vPro™ clients using Kerberos authentication and TLS encryption.

Multiple Intel® SCS based solution

A slight variation to the previous models is to have a non-Altiris management console hosting the Intel® SCS provisioning service. The core requirements and recommendations still apply in regards to Intel® SCS versions, authentication credentials, and so forth.

This model has been proven within a lab environment and is also referenced in a production environment.

Click to view.

The next article in this series will explore a little more detail on the underlying Intel® SCS provisioning service. That information will help to further understand the requirements, considerations, and communications necessary to make this model work.

Provisioned by Other Consoles, Interfaced by Altiris for Usage

The fifth and final model may be assumed by some, yet I chose to call it out. If the Intel® vPro™ clients are already provisioned, than a discovery of the systems and appropriate credentials provided for authentication are all the Altiris environment needs to know. In essence, this is a variation of the third approach referenced above.

There are two common approaches to discovering provisioning Intel® vPro™ clients into an Altiris environment. The key is to ensure Inv_OOB_Capability, Inv_AeX_AC_Location, and Inv_AeX_AC_Identification tables in the Altiris CMDB are updated:

• Use of the Altiris NS Agent and OOB Discovery as reference in this article.
• Use of the Altiris Network Discovery with AMT scan option enabled. The image below provides an example. Two key reminders:
  • If TLS or Kerberos are NOT used, than ONLY the Small Business option is needed. Otherwise, use the Enterprise mode options to properly authenticate and locate the systems.
  • Network Discovery with AMT Scan works ONLY if the Intel® vPro™ client is provisioned, thus enabling the network interface for management communications
    
    

    Click to view.

The model below is a simplified version of previous models. The key difference to note is that OOB Configuration requests (i.e. items requiring a ProvisionServer) are not present. The main concern customers and partners have highlighted is maintaining the configuration should the FQDN change or minor updates needed within the configuration settings of the Intel® AMT client. Take another look at this article. Specifically - methods and approaches to remotely update the FQDN (i.e. Intel® AMT Reflector) and to remotely unprovision the system.

Click to view.

If the long term intent is for the target Altiris environment to act as ProvisionServer and maintain the configuration, utilize the approaches and ideas referenced to remotely reset the configuration. The core reminder is to ensure a method of initializing the provisioning is in place:

• Target Intel® vPro™ clients and the Altiris environment support Remote Configuration
• The PID\PPS (aka security keys, pre-shared keys, etc) can be distributed out to the client systems
• Method or utility to initiate and direct the hello packets for provisioning (e.g. Intel® vPro™ Activator Utility or similar)

Summary

Once the core provisioning process methods, utilities, and approaches are understood - the different deployment models and approaches can be pursued to fit a majority of environments. Determining what environment will provision and maintain the configuration of the Intel® vPro™ firmware is still relevant yet provides some flexibility per environmental considerations. Once the Intel® vPro™ client is provisioned, it is only a matter of properly authenticated and authorized requests. This provides new flexibility and consideration, especially in finding the right tools and consoles to take full advantage of all the out-of-band capabilities within the Intel® vPro™ technology.

The opinions expressed on this site are mine alone and do not necessarily reflect the opinions or strategies of Intel Corporation or its worldwide subsidiaries

Deployment Scenarios of Intel® vPro™, Part 1: Deployment Scenarios Introduction

Deployment Scenarios of Intel® vPro™, Part 3: Setup and Configuration Application