Intel,Altiris Group

Planning the Environment for Altiris Out of Band Management Solution for Intel vPro AMT 

Jun 28, 2007 05:03 PM

You may have heard of Intel vPro AMT and Altiris' Solution to support it. Out of Band Management makes the most out of this functionality, but not understanding what is available and how it can be deployed may lead to unforeseen complications. This article details what should be planned for and how it might be deployed.

Introduction

Having a clear understanding of what is required for a successful Intel vPro AMT and Altiris Out of Band Management deployment, and subsequently planning for the implementation, will ensure that everything runs smoothly. Understanding which features and options to deploy, and which ones to forgo, also shows what requirements need to be in place before a successful deployment. This article strives to outline what is required depending on which features are going to be used, so that educated decisions can be made and proper planning realized.

Pre-Planning

Before defining what requirements need to be in place it's important to know why those requirements need to be met. Planning can't properly be conducted if you don't know what it is you are trying to accomplish. The following questions should be considered:

  1. How will Intel's vPro AMT technology be utilized in the environment?
  2. Which features of AMT do you need to use?
  3. What are the end goals to be accomplished?
  4. What hardware availability do you have to support the environment?

Identify Goals

Goals may differ greatly between one environment and another; however, the functionality set available with Out of Band Management and Intel vPro can help make informed decisions on implementation and goals. Consider the following functionality statements to help identify the goals:

  • Hardware level remote control > Serial over LAN and IDE Redirect (IDER), allowing remote control and remote boot off an ISO or other image if the hard drive fails or the Operating System is nonfunctional.
  • Reliable Remote Power options > Wake On LAN has an abysmal failure rate in many environments. With AMT's power functionality systems can be reliably powered on, from any state, and can also be powered off.
  • Remote Inventory for basic hardware information, whether the system is powered on or off from the hardware layer (no OS requirements).
  • SNMP Alert trapping > AMT will monitor the system and supports a number of SNMP alerts that Altiris can capture and report on.
  • System Defense > This option allows an administrator to enforce restrictions on ports and protocols on a system that represents a potential threat to the network.

The following questions should also be asked when identifying the goals of this deployment:

  1. What do you want to accomplish?
  2. What will be the criteria for success?
  3. What are your expectations, and are they realistic?
  4. Do your goals match the functionality set provided by Altiris and Intel?

Here is a list of sample goals to consider:

  1. Avoid costly desk visits to fix issues with the hard drive or OS by enabling remote capabilities.
  2. Control the power state effectively to rollout critical updates while reducing rollout times and effectively meeting SLAs.
  3. Reduce Operating System overhead by reducing the running processes or agents required to support the system.
  4. Create a complex and secured authenticated environment virtually impossible to crack to ensure data integrity within your company.

Define Process

Understanding the full process from initial implementation to ongoing cycles will enable a successful rollout of Out of Band Management with Intel vPro AMT technology. Once goals are set, it's time to understand what's required to accomplish those goals. The following list walks you through most considerations for rolling out the environment.

  1. What security model will be used? The following models are available for implementation:
    • Small Business Mode > This option is not recommended. It uses only a username/password model with standard authentication encryption. This method does not require server-based provisioning and does not require the Intel SCS component, but it does require multi-touch provisioning for each local system.
    • Enterprise Mode without TLS > This mode provides the security benefits of provisioning and ongoing authentication management from the Notification Server and Intel SCS, without the added layer of certificate-based security. This requires Intel SCS, and provides USB provisioning for one-touch pre-provisioning.
    • Enterprise Mode with TLS > This is the ultimate security model, with certificate-based encryption that is improbable to break. This requires Intel SCS and Microsoft Certificate Authority servers for implementation.
  2. Notification Server implementation is required for Out of Band Management Solution. Notification Server requires a server-class machine for the application install, which includes all Altiris Solutions, Out of Band included. It also requires a full install of Microsoft SQL Server (2005 recommended). This can be installed on the same server as Notification Server, or on a separate SQL Server to distribute the resource load. Check the Notification Server Reference Guide to obtain prerequisite information. As a quick reference, the Notification Server requires:
    • Windows Server 2000, 2003
    • Internet Information Services (IIS)
    • .NET 1.1
    • SQL Server 2000 or 2005
  3. The Intel Setup and Configuration Service component must be installed on the Notification Server. The same SQL instance on which the Altiris database is installed is recommended for use with the Intel AMT component database.
  4. If using TLS > Microsoft Certificate Authority > The Notification Server can be used as the Certificate Authority; however, load considerations should be taken into account when deciding where each piece should be installed. Possible configurations are shown in the following diagram (remove the Microsoft CA for Enterprise Mode without TLS):

    How this would be deployed depends on a large number of factors. Factors include:

    • Number of managed Intel vPro AMT clients
    • Number of Altiris Solutions installed and in use
    • Number of Altiris managed clients
    • How often all functions (vPro or Altiris) are in use at any given time
  5. Define how systems will be provisioned. This is a crucial process that must be properly defined so no unexpected problems arise with partially provisioned or unprovisioned systems. The provisioning methods include:
    1. Manufacturer-provided pre-provisioning > The PID/PPS key pair for provisioning authentication must be imported into the Notification Server and Intel AMT so that systems arriving from the manufacturer are automatically provisioned.
    2. USB -- One-touch provisioning > Generate security keys and place them on USB drives for one-touch provisioning as systems arrive, before they are deployed into the workplace.
    3. Manually enter the PID/PPS key pair (not recommended). The key is to have a solid process in place as systems come in, so that they are provisioned, or ready to be remotely provisioned, when deployed into the environment.
  6. Altiris Console Access > Plan on who will be using the Altiris Console with this Solution and provide them the proper access within the Altiris Security model, and within the Intel AMT security model. The security setup for AMT is shown here:

    The above provides console access. The following screenshot shows the actual AMT authentication for users trying to access remote AMT systems:

  7. Other processes > It's a good idea to have processes for all operations with Out of Band Management and Intel AMT, covering both how each function is used and how situations are handled for it. For example, System Defense can be applied to the point that the system is unreachable, which may be desired in severe situations; however, this leaves the system cut off and will require a desk visit.

Setup Plans

The actual implementation should be carefully planned. Understanding the underlying technology is crucial, as is how all the moving parts work together. The following items should be considered when planning the full rollout.

Ports

Having the proper ports set up will ensure all communication is configured correctly. You need to set up the network so the proper ports are open to allow communication between the Intel AMT systems and the Intel Setup and Configuration Server (Intel SCS). To allow clients to send to the SCS, open port 9971 on the server, as this is the default port used by Intel SCS. For HTTP, Intel AMT listens on port 16992. With TLS enabled, Intel AMT listens for HTTPS on port 16993. To summarize:

  • Notification Server -- Intel SCS: 9971
  • Client communication via HTTP: 16992
  • Client communication via HTTPS: 16993
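As an added example (not code from the article or from Altiris), the following Python script checks an inventory of AMT clients against the ports listed above and compares what answers with the security model chosen in the Define Process section. The status names, the inventory addresses and the injectable `probe` parameter are this example's own assumptions.

```python
import socket

# Default Intel AMT / Intel SCS ports named in the article.
AMT_HTTP_PORT = 16992   # Intel AMT HTTP listener
AMT_HTTPS_PORT = 16993  # Intel AMT HTTPS listener (TLS enabled)
SCS_PORT = 9971         # Intel SCS default port on the Notification Server

def tcp_port_open(host, port, timeout=1.0):
    """Return True if a TCP connect to host:port succeeds within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def probe_amt_client(host, timeout=1.0, probe=tcp_port_open):
    """Probe both AMT listener ports on one managed client."""
    return {p: probe(host, p, timeout) for p in (AMT_HTTP_PORT, AMT_HTTPS_PORT)}

def assess_client(ports, tls_required):
    """Compare the observed AMT ports with the chosen security model.

    Status values are this example's own convention:
      'unreachable'    neither AMT port answers (unprovisioned, off, or firewalled)
      'plaintext-only' TLS model chosen but only HTTP (16992) answers
      'https-only'     non-TLS model chosen but only HTTPS (16993) answers
      'ok'             the port the chosen model relies on answers
    """
    http_open = ports.get(AMT_HTTP_PORT, False)
    https_open = ports.get(AMT_HTTPS_PORT, False)
    if not (http_open or https_open):
        return "unreachable"
    if tls_required:
        return "ok" if https_open else "plaintext-only"
    return "ok" if http_open else "https-only"

def audit_inventory(hosts, tls_required, probe=tcp_port_open, timeout=1.0):
    """Audit a list of AMT clients; returns {host: status}."""
    return {h: assess_client(probe_amt_client(h, timeout, probe), tls_required)
            for h in hosts}

def scs_reachable(server, timeout=1.0, probe=tcp_port_open):
    """Check that the Intel SCS listener (9971) on the Notification Server answers."""
    return probe(server, SCS_PORT, timeout)

if __name__ == "__main__":
    # Constructed sample inventory; replace with the real AMT client list.
    for host, status in audit_inventory(["192.0.2.10", "192.0.2.11"], True).items():
        print(host, status)
```

A client reported as `plaintext-only` under the TLS model is one whose provisioning did not complete as intended and should be re-checked before rollout.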

Deployment Plans

For review, additional planning items, and clarification, the following should be prepared by the end of the Planning phase.

  1. Have a Security Model chosen
  2. Be in the process of or have the hardware necessary to support the chosen environment
  3. Understand the installation process for all components
  4. Notify and train all involved parties to fulfill their part of the process
  5. Understand the Discovery processes for supported AMT systems already out in the environment
    • Network Discovery > Agentless solution to scan the network with support for identifying Intel AMT capable systems
    • Out of Band Management Discovery > Supported by the Altiris Agent, this discovery can find all capable AMT systems regardless of the AMT state on the system.
  6. Have processes in place for newly arriving AMT capable systems for provisioning and deployment
  7. Have processes in place for who will use the Altiris Console, what functions they are able to use, and how they are to use those functions

Education and Training

Education and training are essential for a successful deployment. All parties should be trained in their part of the process before rollout to ensure a smooth transition. A good source of knowledge can be found at the following sites:

  • http://Juice.altiris.com
  • https://kb.altiris.com
  • http://www.altiris.com/Support/Documentation.aspx

Check the Altiris site for education opportunities from the Services department as they become available:

  • http://www.altiris.com/Services/Education2.aspx

Conclusion

If you are unsure how your environment should look, please consult with both Altiris and Intel for a proper deployment plan that will work well for your environment. This document should provide at least a starting perspective for deploying the Altiris Out of Band Management Solution with Intel AMT.
