Intel,Altiris Group

Enterprise Integration, Part 5: Infrastructure 

Jul 03, 2007 03:55 PM

Deployment of Intel® AMT clients requires interaction with key enterprise infrastructure components. Planning and preparation are needed before the target benefits of Intel® AMT can be fully realized, whether in SMB or enterprise mode. This article addresses the server, network, and protocol infrastructure of an Intel® AMT deployment in enterprise mode.

This is the fifth in a series of articles discussing enterprise integration of the Intel® vPro™ processor technology and Intel® Centrino® Pro platforms in an Altiris environment. The previous articles include:

Subsequent articles will have a similar introduction to identify their respective contents and portions. This – the fifth article – focuses on enterprise infrastructure requirements and considerations to fully realize the benefits of Intel® AMT, which is part of the Intel® vPro™ processor technology and Intel® Centrino® Pro platforms.

Infrastructure Components

Below is a logical diagram of the infrastructure components, followed by a list divided into the main sections of server, network, and protocol. The gray area in the diagram symbolizes the managed corporate network. Sub-bullet items are listed in alphabetical order, not in order of preference or importance. The list may appear daunting at first, yet consider the benefits that the platform will provide. Most of the infrastructure items may already exist or are one-time considerations to support the enhanced manageability and security of hundreds, thousands, or tens of thousands of Intel® AMT based clients.

Some public comments have suggested that Intel® AMT is a proprietary solution. If a solution is built upon standard and reliable server, network, and protocol infrastructures – is it proprietary? Perhaps that is a longer discussion for a future article.

Server Infrastructure

From the previous discussions on Intel® AMT provisioning, the Altiris interface, and so forth, the following server components should be expected. The basic role and importance of each is described below.

  • DHCP – Dynamic IP addresses are common in enterprise client environments. Once the Intel® AMT engine is in setup mode, it is ready to send DHCP requests and receive leases. The DHCP server or scope options should include option 15, which returns the DNS suffix with the IP lease. The gateway and other default DHCP options will most likely be enabled. Option 15 is needed to construct the correct fully qualified domain name (FQDN) of ProvisionServer (e.g. ProvisionServer.domainA.com) for hello packet requests. Large environments could have multiple ProvisionServers, one per DNS suffix or domain. For environments which use static IP addresses for enterprise clients, manual provisioning is required, as the IP address and DNS domain will need to be entered in the MEBx (Management Engine BIOS Extension).
  • DNS – Intel® AMT uses DNS name resolution to locate ProvisionServer, to identify clients by their fully qualified domain name (FQDN), and so forth. Either a HOST or ALIAS record must be created for each ProvisionServer in the environment, differentiated by the DNS suffix. The record name must be "ProvisionServer". Dynamic DNS (DDNS) is preferred in DHCP environments, so that DNS entries are updated dynamically based on DHCP lease assignments. In addition, client operating systems supporting DHCP option 81 will return their FQDN to the DHCP and DDNS systems. During the provisioning process, a DNS reverse lookup can be used to obtain the FQDN and complete provisioning.
  • Management Console – This is the Altiris server infrastructure and environment, including modules such as Notification Server (NS), Out of Band Management Server (OOBM), and Real Time Service Management (RTSM). For full Intel® AMT functionality, Altiris Client Management Suite Level 2 or above is required. For new Altiris environments, the Manageability Toolkit for Intel® vPro™ Technology is an alternative option. This server sends the appropriate webservice calls to Intel® AMT clients. The server may also act as the Provisioning Server, running the ooprv.exe and AMTconfig processes. Platform Event Traps (PET), which are stored in the Intel® AMT log, can be subscribed to, and actions can be taken based on sequences defined in the Altiris console. A future article will address this in more detail.
  • Microsoft Active Directory – In enterprise mode, Intel® AMT supports integration with domain users for Kerberos authentication. Within the Altiris OOBM Provisioning interface, the users listed define which local or domain users have access to that portion of the console. Kerberos authentication would replace the Digest User authentication used when connecting to Intel® AMT client devices. In addition, 802.1x authentication of the Intel® AMT engine when the client is off will require a certificate stored within Microsoft Active Directory. These features will likely require an extension to the directory schema. The current Altiris environment for Intel® AMT does not support Microsoft Active Directory integration, so a schema extension is not applicable for now. Further integration with Microsoft Active Directory is expected in a future release.
  • Microsoft SQL Server – SQL 2000 with SP3 or higher (including Microsoft SQL 2005) is required for the Provisioning Server and Altiris environments. The SQL database should be local to the Management Console server to reduce latencies across the network. In addition to the Altiris database and associated tables, a new database will appear labeled IntelAMT. This database holds the configuration data of all Intel® AMT clients. Currently, only one instance of IntelAMT can exist within a Microsoft Active Directory forest. The Provisioning Servers point to this IntelAMT database instance for Intel® AMT client configurations.
  • Microsoft Internet Information Server (IIS) – Intel® AMT utilizes SOAP v1.1 based webservice calls to communicate between the clients and the management console. During installation, a virtual directory is created and named AMTSCS. Microsoft IIS must be locally installed on the Provisioning Server and Management Console systems.
  • Provisioning Server – This is the "ProvisionServer" which is running the AMTconfig service. All enterprise mode deployments of Intel® AMT will include a Setup and Configuration Application (SCA). Altiris utilizes the Intel® Setup and Configuration Service (SCS) which is an implementation of an SCA. Hello packets are sent to this server to initiate the configuration process. This server also handles the maintenance operations discussed in the previous article.
  • Public Key Infrastructure and Certificate Authority – A PKI/CA server and infrastructure is required for issuing server authentication certificates to Intel® AMT clients that use Transport Layer Security (TLS) for the authentication and encryption of sessions and communications. Currently, a Microsoft Certificate Authority server is required for issuing server authentication certificates to the Provisioning Server on behalf of the Intel® AMT clients. Future developments are underway for other certificate authority solutions. Within the Intel® AMT profile, along with the Altiris OOBM Configuration, the necessary settings are made to communicate with the certificate authority and handle certificate requests. This includes the location of the PEM file which describes the certificate chain of an enterprise PKI environment. The level of encryption is configurable, although the default is 1024-bit AES (Advanced Encryption Standard). For redirection sessions, where console screens, commands, and drive images are being exchanged on the managed network, authentication and encryption of the communication channel may be preferred. Certificates issued must match the Intel® AMT hostname. Both standalone and enterprise PKI are supported, as long as the certificate issuing server is a Microsoft Certificate Authority; in an enterprise PKI setup, for example, that is the leaf or subordinate server in the chain of trust. Server authentication certificates are installed on the Intel® AMT client since it provides the service which is consumed by the management console. Mutual TLS, where both the Intel® AMT client and management console must authenticate to each other, is supported by Intel® AMT and will be added to the Altiris implementation in the near future.
  • RADIUS server – A Remote Authentication Dial-In User Service (RADIUS) server is needed in 802.1x environments. This functionality could be handled by a Microsoft Internet Authentication Service (IAS) server. 802.1x is commonly used with wireless networks to authenticate clients into a managed network. Wired networks can also support 802.1x, or port-based authentication. Some of the authentication protocols supported by Intel® AMT clients before the host operating system is loaded include EAP-TLS, PEAP-TLS, PEAP-MSCHAPv2, and LEAP.
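The DHCP and DNS items above describe how a client in setup mode turns its lease into the name of the server it sends hello packets to: option 15 supplies the DNS suffix, the fixed record name "ProvisionServer" is prepended, and option 81 is what the client's operating system later registers in DDNS. The following Python script is an added example, not code from the article or from Altiris or Intel; it decodes the options field of a constructed DHCP ACK, extracts options 15 and 81, and derives the hello target. The option numbers, the record name and port 9971 come from the article; the lease contents, the helper names and the validation rules for labels are assumptions made for the example.

```python
# Added example (not from the article or from Altiris/Intel code): decode the options
# of a DHCP ACK, pull option 15 (DNS suffix) and option 81 (client FQDN), and build the
# ProvisionServer.<suffix> name that hello packets target. Lease data is constructed.
import re
from typing import Dict, Optional, Tuple

DHCP_MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_END = 0, 255
OPT_DOMAIN_NAME = 15      # DNS suffix returned with the lease (article: option 15)
OPT_CLIENT_FQDN = 81      # client FQDN (RFC 4702) used for DDNS registration
FQDN_E_FLAG = 0x04        # option 81 flag: name is DNS wire format, not ASCII
PROVISION_SERVER_HOST = "ProvisionServer"  # fixed record name per the article
DEFAULT_HELLO_PORT = 9971                  # default provisioning port per the article
_LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def parse_dhcp_options(blob: bytes) -> Dict[int, bytes]:
    """Decode the code/length/value options that follow the magic cookie."""
    if not blob.startswith(DHCP_MAGIC_COOKIE):
        raise ValueError("missing DHCP magic cookie")
    options: Dict[int, bytes] = {}
    pos = len(DHCP_MAGIC_COOKIE)
    while pos < len(blob):
        code = blob[pos]
        if code == OPT_PAD:
            pos += 1
            continue
        if code == OPT_END:
            break
        if pos + 1 >= len(blob):
            raise ValueError(f"truncated header for option {code}")
        length = blob[pos + 1]
        value = blob[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise ValueError(f"truncated value for option {code}")
        # RFC 3396 lets a long option be split across repeats; concatenate them.
        options[code] = options.get(code, b"") + value
        pos += 2 + length
    return options


def _valid_name(name: str) -> bool:
    return all(_LABEL_RE.match(label) for label in name.split("."))


def dns_suffix(options: Dict[int, bytes]) -> Optional[str]:
    """Option 15 as a clean suffix, or None when the lease carries no usable one."""
    raw = options.get(OPT_DOMAIN_NAME)
    if raw is None:
        return None
    suffix = raw.rstrip(b"\x00").decode("ascii", errors="replace").strip(".")
    return suffix if suffix and _valid_name(suffix) else None


def client_fqdn(options: Dict[int, bytes]) -> Optional[str]:
    """Option 81 name in either its ASCII or its DNS wire-format encoding."""
    raw = options.get(OPT_CLIENT_FQDN)
    if raw is None or len(raw) < 3:
        return None
    flags, body = raw[0], raw[3:]  # flags, rcode1, rcode2, then the name
    if flags & FQDN_E_FLAG:
        labels, pos = [], 0
        while pos < len(body) and body[pos] != 0:
            n = body[pos]
            labels.append(body[pos + 1:pos + 1 + n].decode("ascii", errors="replace"))
            pos += 1 + n
        name = ".".join(labels)
    else:
        name = body.decode("ascii", errors="replace").strip(".")
    return name if name and _valid_name(name) else None


def hello_target(options: Dict[int, bytes],
                 port: int = DEFAULT_HELLO_PORT) -> Optional[Tuple[str, int]]:
    """Host and port the client's hello packet goes to. None means option 15 is
    absent, the case the article says needs manual entry in the MEBx."""
    suffix = dns_suffix(options)
    return None if suffix is None else (f"{PROVISION_SERVER_HOST}.{suffix}", port)


def _opt(code: int, value: bytes) -> bytes:
    return bytes([code, len(value)]) + value


# Constructed DHCP ACK options: router, suffix domainA.com, and an option 81 client
# name in wire format (E flag set).
SAMPLE_ACK_OPTIONS = (
    DHCP_MAGIC_COOKIE
    + _opt(3, bytes([10, 0, 0, 1]))   # option 3: router
    + _opt(OPT_DOMAIN_NAME, b"domainA.com")
    + _opt(OPT_CLIENT_FQDN, b"\x04\x00\x00" + b"\x08client42\x07domainA\x03com\x00")
    + bytes([OPT_END])
)
# The same lease without option 15: the static-IP / manual provisioning case.
SAMPLE_ACK_NO_SUFFIX = DHCP_MAGIC_COOKIE + _opt(3, bytes([10, 0, 0, 1])) + bytes([OPT_END])

if __name__ == "__main__":
    opts = parse_dhcp_options(SAMPLE_ACK_OPTIONS)
    print("client FQDN :", client_fqdn(opts))
    print("hello target:", hello_target(opts))
    print("no suffix   :", hello_target(parse_dhcp_options(SAMPLE_ACK_NO_SUFFIX)))
```

Running the script prints `client42.domainA.com` as the client name and `('ProvisionServer.domainA.com', 9971)` as the hello target; the second lease yields `None`, which is the situation where the DHCP scope lacks option 15 and the provisioning server must be entered in the MEBx. Rejecting suffixes that are not valid DNS labels matters because a scope option containing a typo or stray characters would silently send hello packets to a name that never resolves.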

Network Infrastructure

With Intel® Active Management Technology using standard TCP/IP protocols and IANA-registered ports, communications are routable and reliable within a managed network. Those familiar with Wake-on-LAN (WoL) or Pre-Execution environment (PXE) boot may have had varied experiences with the implementation and usage of these predecessors to what is now within the Intel® vPro™ and Intel® Centrino® Pro platforms. The following are a few points to consider regarding the network infrastructure:

  • Firewall ports – If management traffic traverses an internal firewall, the following IANA (Internet Assigned Numbers Authority) ports assigned to Intel® AMT need to be permitted: port 16992 for non-TLS communications, port 16993 for TLS communications, port 16994 for non-TLS redirection, and port 16995 for TLS redirection sessions. In addition, port 9971 is the default port for the configuration process, used by hello packets sent to ProvisionServer. This port can be changed, yet that will require changing the provisioning port in the Altiris console along with manual provisioning of the clients. Some OEMs may offer a service to programmatically change the default provisioning port of 9971 within the Intel® Management Engine BIOS Extension (MEBx).
  • NAC – Cisco Network Access Control is supported with Intel® Centrino® Pro (e.g. Intel® AMT 2.5) and higher. The Intel® AMT client must authenticate via the Cisco NAC device before it is granted access to the network.
  • VLAN – Virtual LANs are often used to separate management traffic from production traffic. They are also used to create virtual segments on a single or multiple physical networks. Each VLAN has a specific and unique ID associated to it. Within the Intel® AMT profile, the VLAN ID can be set for clients within a specific location or virtual LAN.
  • VPN tunnels – If a virtual private network device sits between the managed device(s) and the VPN segment, that segment is essentially an extension of the managed network. If a software-based VPN is running on top of the host operating system, the manageability and security features operate over the Layer 3 VPN connection, and thus a functional operating system is needed. For example, mobile clients connecting via a public hotspot will likely use an L3 VPN running on top of the host operating system. The Intel® AMT inventory, platform event traps, agent presence, and other features are still functional in that case. Although it is technologically possible to embed VPN functionality into the MEBx, allowing full out-of-band capability, the variety of VPN solutions, upgrades, and associated validation work is overwhelming.
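The port assignments in the firewall item above are also what a network or security team can use to recognise Intel® AMT traffic in firewall logs and check it against expectations: management and redirection sessions should originate from the management console, hello packets should only go to ProvisionServer, a TLS profile should not produce traffic on the non-TLS ports, and an internal firewall should not be dropping any of them. The Python script below is an added example, not code from the article or from Altiris or Intel. The five port numbers are taken from the article; the log line format, the host addresses, the policy fields and the finding names are assumptions constructed for the example.

```python
# Added example (not from the article or from Altiris/Intel code): classify firewall
# log lines by the Intel AMT ports the article lists and flag the ones a defender
# would want to look at. The log format, hosts and lines below are constructed.
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Destination port -> (AMT service, uses TLS). Ports are those given in the article.
AMT_PORTS = {
    16992: ("management", False),   # SOAP webservice calls without TLS
    16993: ("management", True),    # SOAP webservice calls over TLS
    16994: ("redirection", False),  # redirection sessions without TLS
    16995: ("redirection", True),   # redirection sessions over TLS
    9971: ("hello", None),          # hello packets from clients to ProvisionServer
}


@dataclass(frozen=True)
class Policy:
    console_hosts: FrozenSet[str]      # hosts allowed to open management/redirection sessions
    provision_servers: FrozenSet[str]  # hosts that should receive hello packets
    require_tls: bool = True           # TLS profile in use, so 16992/16994 should not appear


@dataclass(frozen=True)
class Conn:
    ts: str
    action: str
    src: str
    sport: int
    dst: str
    dport: int


# Constructed log format: "<timestamp> ALLOW|DENY TCP <src>:<port> -> <dst>:<port>"
_LINE_RE = re.compile(r"^(\S+)\s+(ALLOW|DENY)\s+TCP\s+(\S+):(\d+)\s+->\s+(\S+):(\d+)$")


def parse_line(line: str) -> Optional[Conn]:
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    ts, action, src, sport, dst, dport = m.groups()
    return Conn(ts, action, src, int(sport), dst, int(dport))


def audit(lines: List[str], policy: Policy) -> List[Tuple[str, Conn]]:
    """Return (finding, connection) pairs for AMT traffic that deserves attention."""
    findings: List[Tuple[str, Conn]] = []
    for line in lines:
        conn = parse_line(line)
        if conn is None or conn.dport not in AMT_PORTS:
            continue                      # not AMT traffic, or not parseable
        service, tls = AMT_PORTS[conn.dport]
        if conn.action == "DENY":         # an internal firewall is blocking a required port
            findings.append(("blocked-by-firewall", conn))
            continue
        if service == "hello":            # hello packets should only go to ProvisionServer
            if conn.dst not in policy.provision_servers:
                findings.append(("hello-to-unknown-host", conn))
            continue
        if conn.src not in policy.console_hosts:   # only the console talks to 1699x
            findings.append(("management-from-unknown-source", conn))
        if policy.require_tls and tls is False:    # cleartext where TLS is expected
            findings.append(("non-tls-management", conn))
    return findings


def summarize(findings: List[Tuple[str, Conn]]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for kind, _ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


# Constructed sample: 10.0.0.10 is both the management console and ProvisionServer.
SAMPLE_POLICY = Policy(console_hosts=frozenset({"10.0.0.10"}),
                       provision_servers=frozenset({"10.0.0.10"}))
SAMPLE_LOG = [
    "2007-07-03T15:55:01 ALLOW TCP 10.0.0.10:50001 -> 10.0.1.25:16993",  # console, TLS: fine
    "2007-07-03T15:55:02 ALLOW TCP 10.0.0.10:50002 -> 10.0.1.26:16992",  # console, no TLS
    "2007-07-03T15:55:03 DENY  TCP 10.0.0.10:50003 -> 10.0.1.27:16994",  # redirection blocked
    "2007-07-03T15:55:04 ALLOW TCP 10.0.1.25:49152 -> 10.0.0.10:9971",   # hello to ProvisionServer
    "2007-07-03T15:55:05 ALLOW TCP 10.0.1.28:49153 -> 10.0.5.5:9971",    # hello to unknown host
    "2007-07-03T15:55:06 ALLOW TCP 10.0.9.9:51000 -> 10.0.1.25:16992",   # not the console, no TLS
    "2007-07-03T15:55:07 ALLOW TCP 10.0.1.25:49200 -> 10.0.0.80:443",    # unrelated traffic
]

if __name__ == "__main__":
    for kind, conn in audit(SAMPLE_LOG, SAMPLE_POLICY):
        print(f"{kind:32} {conn.src}:{conn.sport} -> {conn.dst}:{conn.dport} ({conn.action})")
    print(summarize(audit(SAMPLE_LOG, SAMPLE_POLICY)))
```

On the sample log the audit produces five findings: two cleartext management sessions, one redirection session dropped by the firewall, one hello packet addressed to a host that is not ProvisionServer, and one management session from a host that is not the console. The "hello-to-unknown-host" case is worth a second look in practice because a client will send hello packets to whatever ProvisionServer.<suffix> resolves to, so it surfaces DNS or DHCP option 15 mistakes as well as anything else answering on that name.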

Protocol Infrastructure

In addition to the physical components of the network, the protocols for Intel® AMT communications are summarized below.

  • 802.1x – Used for port authentication as mentioned earlier.
  • 802.11 b/g/n – Wireless communication infrastructure protocols supported by Intel® Centrino® Pro (e.g. 802.11b, 802.11g, and the draft version of 802.11n). The 802.11n support is based on the draft version and is expected to be updated once the standard is fully ratified in the industry and products are updated.
  • 802.11i – Utilizes Temporal Key Integrity Protocol (TKIP) and Advanced Encryption Standard (AES). 802.11i is also referred to as WPA2 (Wireless Protected Access v2) and is viewed as a trusted wireless security protocol. Combined with 802.1x, this protocol requires compliant wireless access points, RADIUS servers, and so forth.
  • SNMP – Simple Network Management Protocol is used to communicate Platform Event Traps (PET) based on subscriptions and configuration within the management console.
  • SOAP v1.1 – Simple Object Access Protocol v1.1 is the webservice protocol used to send and receive management and security related commands.
  • TCP/IP – Provides reliable and routable communications.
  • WMI – Windows Management Interface is used by the Altiris infrastructure to remotely obtain data from an operational system (e.g. the FQDN), to gracefully shut down the Windows operating system before using Intel® AMT to power off the system, and so forth. WMI requires the clients to be within the management domain. Some production environments limit or restrict WMI usage.

Enterprise mode integration of Intel® AMT will require collaboration between client, server, infrastructure, security, operations, and other teams within an IT department. The list above provides a brief summary of the role of each component in the greater platform solution. The next article will address some of the IT governance and support processes that may be affected by Intel® AMT client integration. Again, the intent is not to overwhelm but to educate on what is needed. This will help when discussing troubleshooting, deployment scenarios for central versus distributed environments, and so forth.

The opinions expressed on this site are mine alone and do not necessarily reflect the opinions or strategies of Intel Corporation or its worldwide subsidiaries.

Attachments:
  • Enterprise integration - part 5.doc (396 KB, 1 version, uploaded Feb 25, 2020)
  • infrastructure.png (143 KB, 1 version, uploaded Feb 25, 2020)

Comments

Jul 04, 2007 02:01 PM

Thanks for the feedback. More content is under development. Interested to know if there are particular components, topics, or items you (or others) are interested to know about.
In addition to the final article for enterprise integration (IT Governance and Process), some topics in consideration:

  • PXE vs. Intel AMT
  • Troubleshooting
  • Setting up Microsoft PKI/CA for TLS mode
  • Deployment designs and approaches


Jul 03, 2007 03:50 PM

Great documentation for Intel vPro Technology deployment in an enterprise infrastructure.
Thanks
PM
