Intel, Altiris Group

Preparing the Environment for Out of Band Management Solution with Intel vPro AMT Technology 

Jul 02, 2007 12:27 PM

You've decided to implement Altiris-Symantec's Out of Band Management Solution with Intel vPro AMT technology. You've set goals for what you wish to accomplish and planned the implementation. What else needs to be done before installing and using the Solution? Prepare your environment properly with the help of this article.

Introduction

It can be frustrating when you move to install a new Solution and find you aren't properly prepared to support it in your environment. This article strives to give you the information you need to properly prepare the environment for the deployment of Out of Band Management for the Intel vPro AMT systems. The following key items will be addressed:

  1. What hardware do I need?
  2. How should the various hardware elements be set up before installing the Solutions?
  3. What additional configuration requirements on the network need to be met?

Component Setup

This section covers the items recommended for most environments, along with some optional ones. The core items are required for all environments; the optional elements are not required but are recommended. If you are already an Altiris-Symantec customer, the Altiris setup will already be in place and ready to use. For those who do not have a Notification Server environment, how it should be set up is covered briefly here.

Notification Server

This is a required element; all Altiris-Symantec based items require the Notification Server. How the Notification Server is configured depends on a myriad of factors that are difficult to quantify or benchmark. Ask the following questions before selecting hardware for the Notification Server:

  1. How many computers will be managed by the Notification Server?
  2. What Solutions will be used on the managed computers?
  3. Will Asset and Network Device data also be used on the NS?
  4. How many users will be simultaneously using the Altiris Console?
  5. How aggressive will update schedules be set on the NS?

Before covering possible configurations, consider the following use cases:

  1. Altiris Manageability Toolkit for vPro only > This setup will only require one server, and even the recommended specifications can be lowered.
  2. Altiris Client Management Suite + the Toolkit > This setup should scale according to the following diagrams. The node count recommendation assumes that most of both the Suite and the Toolkit functionality will be utilized. Proper scaling of the solutions can allow more managed nodes.
  3. Altiris Total Management Suite with the Toolkit > If fully utilized, Total Management Suite can have significant impact on Server resources. Diagram #2 should be utilized.

The following numbers are not necessarily what is best in your environment, but should be taken as a general suggestion for server load.

Basic Notification Server Solution

Reference the following diagram:

The single-server solution requires a minimum of hardware but does not scale well for large environments. Consider the following factors when evaluating this solution:

  • Up to 2000 active managed computers
  • Moderate update times for All Solutions and NS Processes
  • Client Management Suite and Altiris Manageability Toolkit for Intel vPro Technology
  • 5 active Console users

Two Server Notification Server Solution

Reference the following diagram:

The dual-server solution places SQL on a separate server. Notification Server and its Solutions are heavy SQL applications; under heavier loads, the load can easily be distributed between two servers by moving SQL off the NS system. Some customers have achieved high managed-node counts with this design, though how the Solutions are scaled makes a big impact.

  • Up to 5000 active managed computers (this is under the assumption that most Solutions are being utilized)
  • Moderate Update Times for All Solutions and NS Processes
  • Client Management Suite/Total Management Suite with the Toolkit
  • 15 active console users

Additional consideration

Consider the following when making the hardware decisions:

  • If your environment approaches 10,000 active managed nodes, consider a multiple-NS architecture. This article does not discuss enterprise scaling with multiple Notification Servers.

SQL Server

This is a required element. Both Altiris-Symantec and Intel require a Microsoft SQL database. The Notification Server section gives some basic SQL suggestions; this section goes into more detail and recommendations. SQL Server is heavily used by Notification Server, and a good configuration goes a long way toward good performance and operation of the full system.

The following recommendations are for any environment or setup type:

  1. Do not install multiple Notification Server databases to a single SQL Server instance.
  2. If using a separate SQL Server, ensure a broad network pipe between the Notification Server and the SQL Server. This serves both NS and Intel SCS database interactions optimally.
  3. Both the Altiris and IntelAMT databases should be on the same SQL Server instance.

The following are optional recommendations:

  1. Depending on the SQL infrastructure, the Altiris and Intel databases should have a dedicated SQL Server instance; if the Notification Server will carry heavy loads, even dedicated SQL Server hardware.
  2. The Notification Server SQL credentials (typically the Application Identity used to install and configure Notification Server) should have full Enterprise Administrator rights on the SQL Server instance. Where this is not applicable, note the following:
    1. Full rights are required to the Altiris database
    2. Limited rights are required on the Master and Temp system databases
  3. For especially heavy SQL utilization or general optimization, SQL tweaks can be implemented. See the following link for information:
    • https://kb.altiris.com/article.asp?article=3977&p=1

Active Directory and Users

Active Directory is not a required element, but understanding how it interfaces with the systems will help when setting up user security. There are four types of user roles when using Notification Server with the Toolkit.

  1. Domain or Local User > This is the logged-on user in the environment, either a local user or an Active Directory domain user. The other user types tap into this user's security.
  2. Altiris Console, Security User/Role > To use the Altiris Console and have rights to conduct Notification Server functions, a user must be granted those rights within the Notification Server security model. The two parts of the model are Roles (which grant function-based rights) and Scopes (a console-relational system); the two work together to provide or limit access. For default full access, add AD Groups or AD Users to the Altiris Administrators local group. This gives them full rights to Notification Server.
  3. Out of Band Management Console Users > NS Security can provide access to the Out of Band Management Provisioning nodes, but a separate security model surrounds the actual use of those nodes. It is tied directly to AD and local users or groups.
  4. Intel AMT Users > These users are given access, through the Intel SCS Component, to AMT functionality on target systems. They are tied directly to local or AD users.

DHCP and DNS

This is not a required element. The only direct relationship to the Altiris-Intel infrastructure is the ProvisionServer CNAME used for automatic Provisioning Server redirection. Without it, the IP address of the Notification Server (which is both the Provisioning Server and Intel SCS) has to be entered manually into the Intel ME on each system to be provisioned. Enterprise Mode requires DHCP to be available in the environment.

To have ProvisionServer resolve to the proper address in DNS, you must create a CNAME or Alias for the configuration server with the name "ProvisionServer".

Microsoft Certificate Authority

This is not a required element. For the best security for all AMT transactions, Transport Layer Security (TLS) is highly recommended. It requires that a Microsoft Certificate Authority (CA), or multiple CA servers, be set up and configured in the environment.

First, consult Microsoft's documentation on installing a CA. Once that is complete, walk through the following steps to prepare the server for use with the Altiris-Intel TLS environment.

Creating a Certificate Template

  1. While logged onto the CA that will issue the certificates, click Start > Administrative Tools > Certificate Authority.
  2. In the left pane, right-click 'Certificate Templates' and select 'Manage'.
  3. In the resulting pane, right-click the 'Web Server' template and select 'Duplicate Template'.
  4. In the resulting screen, make the following changes:
    1. Under the 'General' tab, give the template a unique name, adjust the validity period to 2 years (a different value can be used, but 2 years is recommended), and uncheck 'Publish certificate in Active Directory'.
    2. Under the 'Request Handling' tab, change 'Purpose' to 'Signature and encryption' and uncheck all selected boxes. Also change the minimum key size to 1024.
    3. Under the 'Subject Name' tab, select 'Supply in the request'.
    4. Under the 'Issuance Requirements' tab, uncheck all boxes and remove all requirements for enrollment.
    5. Under the 'Superseded Templates' tab, remove all templates.
    6. Under the 'Extensions' tab, conduct the following operations:
      1. Double-click 'Application Policies' and remove all items except 'Server Authentication'. If Server Authentication is not present, add it using the Add button.
      2. Double-click 'Issuance Policies' and remove everything.
      3. Double-click 'Key Usage' and select 'Digital Signature'. Change 'Encryption' to 'Key Exchange only with key encryption'. Uncheck 'Make this extension critical'.

Securing your Web Browser

To install a certificate into the NS system's Operating System:

  1. On the Notification Server, open Internet Explorer and go to http://<your_SUBCA>/certsrv (this location depends on the CA you are trying to reach).
  2. Select 'Request a certificate'.
  3. Select 'Submit an advanced certificate request'.
  4. Select 'Create' and submit a request to the certificate authority:
    1. In 'Certificate Template', select 'Web Server'.
    2. In 'Name', enter the Fully Qualified Domain Name (FQDN) of the Notification Server computer (e.g. mynsserver.altiris.com).
    3. In 'Request Format', select PKCS10.
  5. Click Submit.
  6. Answer 'Yes' to all prompts.
  7. Select 'Install this certificate' and click 'Yes' to all prompts.

    This installs the certificate on the Notification Server operating system, but not into your Web Browser.

To install a certificate into the NS system's Web Browser:

  1. On the Notification Server computer, browse through Start > All Programs > Administrative Tools > and click Internet Information Services (IIS) Manager.
  2. In the left pane, browse to Internet Information Services > and click on Web Sites.
  3. In the right pane, right-click the 'Default Web Site' and select 'Properties'.
  4. Select the 'Directory Security' tab.
  5. Click the Server Certificate button.

    A wizard opens to help you create a certificate.

    1. Click Next.
    2. Select 'Create a new certificate' and click 'Next'.
    3. Select 'Send the request immediately to an online certification authority' and click 'Next'.
    4. If you do not have this option, your server does not know about your certificate authority. See the Microsoft Certificate Authority documentation for details on fixing the problem.
    5. Enter your organization and organizational unit and click 'Next'. These are not to be confused with Active Directory OUs. The common name can be the name of your computer, but we recommend using the FQDN that is registered in DNS.
    6. Choose the certificate authority that will process your request and click 'Next'.
    7. Verify that the information is correct and click 'Next'.
    8. Click 'Finish'.

SSL is now available for your web server.

Exporting and Using Your Certificate

Multi-CA deployments require that the certificates be concatenated so that the different CA levels can authenticate properly. Keep in mind that the following instructions are for multiple CA servers; if only one CA exists, only that single CA needs to be included.

To export your certificate:

  1. In Internet Explorer on the NS, access a secure (https) web site.

    A secure Web site displays a lock icon in the status bar at the bottom of the browser window.

  2. Double-click the 'lock' icon.
  3. Select the 'Certification Path' tab.
  4. Double-click each CA until you reach the root of the chain.
  5. For every CA selected, click the 'Details' tab, and select 'Copy to File'.
  6. Click 'Next' in the wizard that opens.
  7. Choose 'Base64 encoding' and click 'Next'.

    A PEM file is simply a certificate in Base64 format.

  8. Choose a name for each file that is unique to the CA so you don't confuse the files and click 'Next'.
  9. For each file that you have, open the file and copy or concatenate its content in the following order. Include or exclude any CAs from the order as applicable.
    Leaf CA2 > Leaf CA1 > Root CA

    Take each certificate from the diagram above, starting with the most subordinate CA, and paste them into one text file in the following format, in order from highest first to root last. Once finished it will appear as in the example below. When finished, rename the file with a .PEM extension.

    -----BEGIN CERTIFICATE-----
    RootCA
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    Leaf CA1
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    Leaf CA2
    -----END CERTIFICATE-----
    

After exporting the certificates and creating the PEM file, copy or move it to the Notification Server computer. Make sure that you secure it, as it is an exported copy of your certificates.
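Before the chain file is copied to the Notification Server, it is worth confirming that the concatenation actually links up. The following Python script is an added example, not part of the original article or of the Altiris/Intel tooling: it splits the file into PEM blocks, pulls the DER-encoded issuer and subject names out of each certificate, and checks that the file follows the example layout (Root CA first, each subordinate CA issued by the one before it) and contains no private key. The certificate skeletons at the bottom are constructed, unsigned test data rather than real certificates; the checker itself works on certificates exported as described above.

```python
import base64, re, textwrap

def der_children(value):                       # split a DER SEQUENCE/SET body into (tag, value) pairs
    out = []
    while value:
        tag, ln, start = value[0], value[1], 2
        if ln & 0x80:                          # long form: the next n bytes hold the length
            n = ln & 0x7F
            ln, start = int.from_bytes(value[2:2 + n], "big"), 2 + n
        out.append((tag, value[start:start + ln]))
        value = value[start + ln:]
    return out

def cert_names(der):                           # (issuer, subject) as raw DER Name bytes of one X.509 cert
    fields = der_children(der_children(der_children(der)[0][1])[0][1])  # tbsCertificate fields
    if fields[0][0] == 0xA0:                   # optional [0] EXPLICIT version
        fields = fields[1:]
    return fields[2][1], fields[4][1]          # serial, sigAlg, issuer, validity, subject, ...

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)
def check_chain(pem_text):
    """Validate a concatenated chain laid out like the article's example: Root CA first,
    then each subordinate CA issued by the one before it, and no private keys anywhere."""
    blocks = PEM_RE.findall(pem_text)
    if any("PRIVATE KEY" in label for label, _ in blocks):
        raise ValueError("file contains a private key; export certificates only")
    certs = [cert_names(base64.b64decode(b)) for label, b in blocks if label == "CERTIFICATE"]
    if not certs:
        raise ValueError("no certificates found")
    if certs[0][0] != certs[0][1]:             # issuer == subject, compared byte-for-byte
        raise ValueError("first certificate is not self-signed; expected the Root CA")
    for i in range(1, len(certs)):
        if certs[i][0] != certs[i - 1][1]:
            raise ValueError(f"certificate {i} was not issued by certificate {i - 1}")
    return len(certs)
def chain_error(pem_text):
    """The error message for a bad chain file, or None when it is consistent."""
    try:
        check_chain(pem_text)
    except ValueError as e:
        return str(e)

# --- Constructed test data: unsigned certificate skeletons, not real certificates ---
tlv = lambda tag, body: bytes([tag, len(body)]) + body      # short-form lengths suffice here
def name(cn):                                  # Name ::= SEQUENCE OF SET OF { OID 2.5.4.3 (CN), UTF8String }
    return tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, cn.encode()))))
def fake_cert(subject, issuer):
    tbs = (tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0x30, b"")
           + name(issuer) + tlv(0x30, b"") + name(subject) + tlv(0x30, b""))
    der = tlv(0x30, tlv(0x30, tbs) + tlv(0x30, b"") + tlv(0x03, b"\x00"))
    b64 = "\n".join(textwrap.wrap(base64.b64encode(der).decode(), 64))
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"
ROOT, CA1, CA2 = fake_cert("Root CA", "Root CA"), fake_cert("Leaf CA1", "Root CA"), fake_cert("Leaf CA2", "Leaf CA1")
GOOD_CHAIN = ROOT + CA1 + CA2                  # the order of the article's example file
WRONG_ORDER = CA2 + CA1 + ROOT                 # subordinate first: rejected by check_chain
```

To check a real exported file, read it as text and pass it to check_chain; a non-empty return from chain_error tells you which certificate breaks the chain.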

To allow the Altiris Console to use the certificate you just exported:

  1. From the Notification Server, open the Altiris Console.
  2. Click 'Configuration'.
  3. Click Solution Settings > Real Time Console Infrastructure > Configuration.
  4. On the right side of the page, click Intel AMT Connection Settings.
  5. Enter your connection password and custom user name if any.
  6. Browse to the location of the certificate you are using and select it.
  7. Add any needed trusted domain suffixes. This includes the domain your AMT computers are configured for.

Additional details may be required once installation has taken place and configuration begins. Check the Admin or Reference Guide for additional information. Configuration guides will also become available as time permits.

Small Business Mode

This topic is covered only briefly, as it is not recommended due to its lower security.

Reference the following diagram:

To set up this model, use the following general steps:

  1. Prepare the Application Server according to the previously covered specifications
  2. Install SQL on the same or a separate server according to the previously covered specifications
  3. Install Notification Server, Out of Band Management with the Intel SCS Component, which includes:
    • Notification Server infrastructure
    • Applicable Solutions (OOBM, RTSM, Network Discovery)
    • Intel SCS service and web service
    • Altiris and IntelAMT databases
  4. Manually enable and set the credentials on all managed Intel AMT systems > Note! This is one weakness of Small Business Mode: no USB provisioning can take place, there is no real 'provisioning', and security is simply a username and password.

Enterprise Mode with or without TLS

For the next two security models reference the following diagram:

Setup for Enterprise Mode should be systematic, following the general steps below. Simply leave out the Certificate Authority steps if you are not using TLS:

  1. Prepare the Application Server to be used for the Notification Server as previously outlined
  2. Prepare the SQL Server (if separate from the NS) as previously outlined, including installation
  3. Install Notification Server and Solutions on the Application Server, which includes:
    • Notification Server infrastructure
    • Applicable Solutions (OOBM, RTSM, Network Discovery)
    • Intel SCS service and web service
    • Altiris and IntelAMT databases
  4. Set up a Microsoft Certificate Authority as previously outlined
  5. Have DHCP up and running in your environment (usually this is a given)
  6. Create a CNAME with the value 'ProvisionServer' and point it at the Application Server where Notification Server and the Intel SCS Component are installed
  7. Import Users or Groups into the Notification Server security model, the Out of Band console Users section, and manually add users to the Intel AMT users section.
  8. Export the CA certificate for use in the environment.
  9. Begin the process of Provisioning the Intel AMT computers.

Conclusion

This article may require changes as more experience in setting up this system is gained. If you note any erroneous items in this article, please post a comment so that it can be reviewed and updated as necessary.
