
Four Insights to OOB Site Service Installation and Usage

Created: 17 Nov 2009 • Updated: 17 Nov 2009 | 1 comment
Terry Cutler

In recent weeks, a number of customer inquiries and training opportunities have focused on the OOB Site Service, maintaining vPro configurations, and so forth. Those inquiries prompted some searching in the Symantec Management Console, where I stumbled across a few Job and Task Samples for the OOB Site Service that might be of interest. This article highlights four quick insights.
 

Insight #1: TaskServer Sample Jobs for Remote Management

The Out-of-Band Management solution with OOB Site Service must be installed first. The screens can then be accessed by selecting Manage > Jobs and Tasks.

In the screen below, a few pre-defined jobs provide insight into the improvements made. For example, if the FQDN of a configured client system must be updated: prior to Symantec Management Platform, the answer was the one posted at http://www.symantec.com/connect/articles/handling-vpro-amt-fqdn-issues-out-band-management-solution, and it required some database scripting. Now the functionality is included in the sample job "FQDN Synchronization".

Another job which caused some interest is "Send Intel AMT Hello Message". This appears to have similar functionality to the vPro Activator tool referenced at http://www.symantec.com/connect/articles/provisioning-intel-vpro-technology-part-5-intel-vpro-activator-utility - the ability to control when, and to which server, the hello messages are sent.

TaskServer-samples-SCS.gif

Other sample jobs help in installing the OOB Site Service, and so forth.
 

Insight #2: OOB Site Service Installation of Intel SCS Fails

Are you having problems getting the OOB Site Service to install - specifically the Intel SCS with the AMTconfig Windows service?

Take a closer look at the screen below for Site Management.   The default setting for the IntelAMT database, which is used by OOB Site service, requires Windows Authentication.  

OOB-Site-Service-SQL-settin.gif

One approach to correcting this installation error is to set the database authentication to Mixed Mode - where both SQL Server and Windows Authentication are allowed. The image below shows the database setting in SQL Server Management Studio Express.

SQL-Server-security.gif

A successful installation of the OOB Site Service with Intel SCS should show a screen similar to the one below.

OOB-Site-service-installed.gif
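
Mixed Mode adds SQL Server logins as a second way into the instance, so it is worth confirming which mode is active and how the SQL logins are protected. The PowerShell below is an added example, not part of the original article; the instance name `localhost\SQLEXPRESS` is an assumption, and the script connects with the Windows account that runs it.

```powershell
# Added example, not from the original article.
# Assumption: $SqlInstance names the instance hosting the IntelAMT database.
$SqlInstance = 'localhost\SQLEXPRESS'

function Invoke-SqlQuery {
    param([string]$Instance, [string]$Sql)
    $conn = New-Object System.Data.SqlClient.SqlConnection(
        "Server=$Instance;Database=master;Integrated Security=True")
    $table = New-Object System.Data.DataTable
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $Sql
        $table.Load($cmd.ExecuteReader())
    } finally {
        $conn.Dispose()
    }
    $table.Rows   # emitted to the pipeline one DataRow at a time
}

# 1 = Windows Authentication only, 0 = Mixed Mode
$mode = Invoke-SqlQuery $SqlInstance `
    "SELECT CAST(SERVERPROPERTY('IsIntegratedSecurityOnly') AS int) AS WindowsOnly"

if ($mode.WindowsOnly -eq 1) {
    'Windows Authentication only: SQL Server logins cannot connect.'
} else {
    'Mixed Mode: SQL Server and Windows Authentication are both allowed.'
    # Every enabled SQL login is now a password-based entry point. List them
    # and flag the ones that are not bound to the Windows password policy.
    Invoke-SqlQuery $SqlInstance @"
SELECT name, is_disabled, is_policy_checked, is_expiration_checked
FROM sys.sql_logins WHERE name NOT LIKE '##%'
"@ | ForEach-Object {
        [pscustomobject]@{
            Login          = $_.name
            Enabled        = -not $_.is_disabled
            PolicyEnforced = [bool]$_.is_policy_checked
            Expiration     = [bool]$_.is_expiration_checked
            Review         = (-not $_.is_disabled) -and (-not $_.is_policy_checked)
        }
    } | Format-Table -AutoSize
}
```

A change of authentication mode takes effect only after the SQL Server service is restarted, so run the check again after the restart.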

Insight #3: Filters of Intel AMT Systems

An item that caught my attention is the use of Filters instead of Dynamic Collections. Filters provide a database view of systems that meet specific criteria. Previous postings covered OOB Discovery and Dynamic Collections in Altiris 6 (see http://www.symantec.com/connect/blogs/do-i-have-intel-vpro-my-environment and http://www.symantec.com/connect/articles/provisioning-intel-vpro-technology-part-2-determining-what-systems-are-intel-amt-and-remote).

The OOB Discovery package is enabled as shown below, after accessing Settings > Agents/Plug-ins > All Agents/Plug-ins, expanding Remote Management, expanding Out of Band Management, and selecting OOB Discovery.

OOB-Discovery-NS7.gif

The OOB Discovery process populates the necessary database fields to help identify which systems are Intel AMT capable, which are configured Intel AMT systems, which support remote configuration, and so forth. To access the screen below, select Home > Remote Management > Out of Band Management and expand the Filters menu. Another way to get there is to select Manage > Filters and expand Out of Band Management.

Filters-for-collections.gif

If a filter shows no members or fewer members than expected, click Update Membership to run the SQL query associated with the filter.

Using the predefined filter, an administrator is able to quickly assess how many Intel AMT capable systems are present, which ones are configured by the local OOB Site Service, and so forth.
 

Insight #4: Placement of the Remote Configuration Certificate

More than a year ago, an article was posted on obtaining and applying a VeriSign remote configuration certificate (see http://www.symantec.com/connect/articles/obtaining-and-applying-verisign-remote-configuration-certificate).   Supporting materials on a remote configuration selection tool and whitepaper were also posted online (see http://communities.intel.com/docs/DOC-2432)

A few key differences in how the remote configuration certificates are placed:

  • The Loadcert utility is no longer required
  • More than one certificate can be applied (up to 50)
  • The certificate(s) MUST be in the "My Certificate Store" of the AMTconfig logon account

First, check whether the Remote Configuration certificate is installed and accessible to the OOB Site Service - primarily the Intel SCS v5 software. The following screen from Out of Band Management provides a clear indication that no remote configuration certificate was found.

missing-RCFG.gif

It is important to know what the logon account is for AMTconfig. This is done by opening Windows Services, right-clicking AMTconfig, and selecting the Logon tab. If AMTconfig is not installed, refer to Insight #2 above.

The screenshot below shows that the AMTconfig service logs on with a domain account.

AMTconfig-logon-acct.gif

Since the domain account is not the same as the logged-on user, accessing the "My Certificate Store" will require a few extra steps.

The certificate store is accessible without logging off. As shown in the following screen, use the "runas" Windows command to open MMC in the context of the logon account for AMTconfig. A prompt will appear for the user's password.

runas.gif

Once the MMC is started in the correct user context, add the certificate snap-in for "My User Account", which is the logged-on user's certificate store. This is the certificate store where the Intel SCS (i.e. AMTconfig) will look for remote configuration certificates.

mmc-cert.gif

Certificates should be imported with the operating system automatically handling where they are placed - all issued certificates will be located in the "Personal" folder.  
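
The same check can be scripted. The PowerShell below is an added example, not part of the original article: started with "runas" as the AMTconfig logon account, it confirms the session identity matches the service account and reports what sits in that account's Personal store. The Intel EKU OID and OU value used to flag likely remote configuration certificates come from Intel's AMT documentation, not from this page, and `DOMAIN\account` is a placeholder.

```powershell
# Added example, not from the original article. Run it in a PowerShell session
# started as the AMTconfig logon account, for example:
#   runas /user:DOMAIN\account powershell.exe     (DOMAIN\account is a placeholder)
# Assumption (Intel documentation, not this page): a remote configuration
# certificate carries this EKU OID or this OU value.
$IntelOid = '2.16.840.1.113741.1.2.3'
$IntelOu  = 'OU=Intel(R) Client Setup Certificate'

function Get-AmtConfigAccount {
    $svc = Get-CimInstance Win32_Service -Filter "Name='AMTconfig'"
    if (-not $svc) { throw 'AMTconfig service not found (see Insight #2).' }
    # ".\user" means a local account; expand it so the name can be resolved.
    $svc.StartName -replace '^\.\\', "$env:COMPUTERNAME\"
}

function Test-IsCurrentUser([string]$Account) {
    $me = [Security.Principal.WindowsIdentity]::GetCurrent()
    try {
        $sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
            [Security.Principal.SecurityIdentifier])
        $sid.Equals($me.User)
    } catch {
        $Account -ieq $me.Name   # unresolvable name: fall back to text compare
    }
}

function Get-PersonalStoreReport {
    Get-ChildItem Cert:\CurrentUser\My | ForEach-Object {
        $cert = $_
        $eku = @($cert.Extensions | Where-Object {
                $_ -is [Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
            } | ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.Value })
        [pscustomobject]@{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            Expired       = $cert.NotAfter -lt (Get-Date)
            HasPrivateKey = $cert.HasPrivateKey
            IntelMarker   = ($eku -contains $IntelOid) -or ($cert.Subject -like "*$IntelOu*")
        }
    }
}

$account = Get-AmtConfigAccount
if (-not (Test-IsCurrentUser $account)) {
    Write-Warning "Session is not running as $account; this is not the store Intel SCS reads."
}
$report = @(Get-PersonalStoreReport)
if ($report.Count -eq 0) { Write-Warning "No certificates in the Personal store of $env:USERNAME." }
$report | Format-List
```

A certificate listed with `HasPrivateKey` false or `Expired` true is present in the store but not usable for remote configuration.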

Concluding Thoughts:

This article provides four quick insights intended for those who are familiar with Intel vPro technology, have configured and deployed it in an Altiris 6 environment, and are looking for key insights for Altiris 7 environments (aka Symantec Management Platform).

If you have a specific request for additional information - please indicate.

The opinions expressed on this site are mine alone and do not necessarily reflect the opinions or strategies of Intel Corporation or its worldwide subsidiaries.

Comments

ziggy

Nice write up Terry.  Thanks for all your help!  I sure appreciate it.

I would like to point out to all OOB readers, that if you are planning to install the OOB service on a non-SMP server, then read this article:

http://www.symantec.com/business/support/index?page=content&id=TECH170672

It was crafted as a result of much trial and tribulation.

I assumed that most people, like I, would have their OOB implementation managed via a site server. If for no other reason, to be able to off-load that from the SMP.  It may not be very 'heavy', but it is still a concern.  I mean, after all, you can install the OOB service on a site server, so why should you not be able to expect that the SSL certificate you install on the OOB server would be picked up by the NS.  Especially once you configure the "Alternate URL" on the Service Location page for OOB Configuration Service Settings.

For now, you will simply see a 'No required certificate installed' message in the General page under the Configuration Service Settings for Remote Management.  But if you did everything else correctly, it will still work as can be verified by viewing the Settings | Remote Management | Out of Band Management | Logs | Log page in the 7.1 console.

Feel free to message me if you have any questions, or post them here.
