Video Screencast Help

Setting Up and Using KVM Remote Control

Created: 13 Jul 2010 | 2 comments
Language Translations
Terry Cutler's picture
+3 3 Votes
Login to vote

Take a look at the picture below - do you realize what you're seeing?

Full KVM (Keyboard Video Mouse) access via the Real-Time System Manager. This is something pcAnywhere or other traditional remote console solutions for clients simple cannot do.

This capability is made possible via the 2010 Intel vPro Technology Platform with Symantec Management Platform. Within the 2010 Intel vPro platform is a RealVNC server providing KVM access such as what you may see in a datacenter or via a special add-in card. In this case - the capability is local to the hardware. (Note: You will need a platform with Intel Integrate graphics- Intel Core i5 vPro processor models 540M, 520M, 520UM, 540UM, 650, 660, 670, 680; Intel Core i7 vPro processor models 620M, 640LM, 620LM, 640UM, 660UM and 620UM)

Back at Symantec Vision Las Vegas, a preview of the solution was demonstrated at the Intel booth and by Sean Wadell. See the video at http://www.youtube.com/watch?v=ivehBsfe3WQ

The focus of this article is what steps are needed to take advantage of the solution.

First - Obtain a 2010 Intel vPro Platform that supports the KVM Remote Control capability

The capability was introduced with Intel AMT 6. The good news is that the latest version of RTSM will detect whether a platform supports the capability or not, plus at the time of configuration the Intel AMT version is recorded in the CMDB. (In a future posting, I will put together more information on how to build a custom inventory to quickly determine what systems are KVM remote control capable).

For a best case scenario - have the Altiris NS agent installed and registered on the client, along with OOB Discovery at a minimum. The Intel AMT provisioning process must be completed for KVM remote control to work (see fourth step below)

Second- Download and install the latest updates for Client Management Suite

Look specifically for MR1 (Maintenance Release 1). This will update the Out-of-band Manager (OOBM), Real-Time Systems Manager (RTSM), among other components. The solution will require Microsoft Silverlight.

The screenshot comes from my test environment used when writing this article

Third - Determine whether user consent will be required to establish a KVM session

To better under what "user consent" refers to, see the following image. I used an enterprise KVM solution to see the screens of both my management console and the target client. On the left, the administrator is prompted to enter a 6 digit code that was randomly generated by the client. Shown on the right is the "Sprite" interface - a graphics overlay that will appear regardless of the operating system state. Inside the Sprite interface is a randomly generated 6-digit code. In a production environment, the user would read the 6 digits to the helpdesk technician. This establishes user consent.

What if in your environment the user consent is not required? For example - you need to see the remote client during a operating system deployment or possibly to troubleshoot a situation when network drivers did not load.

If that is the preferred direction for your company, the user consent is configurable when Intel AMT is provisioned. Should you change from the default setting (user consent required) and disable - this change will need to be pushed out to the target clients (i.e. reprovision or re-configured event). The good news here - the default settings of the OOBM module will automatically apply configuration profile changes to the list of configured client.

The latest updates includes a change to the Intel Setup and Configuration Service (SCS) which is included in the OOBM - this is also called the OOB Site Service. If you check for the AMTconfig windows service, the version will be 5.3.0.22.

Within the Altiris console, the enable\disable setting for user consent is found as follows: (see the upper left options in the Network tab of the configuration profile)

Fourth - Apply the Configuration to the Target Client

The full details and explanation of configuration process are outside the scope of this article. The article is meant for those who already have a foundational understanding. If you are new to platform and would like to obtain that foundation understanding, see the recording training download available at http://www.vproexpert.com/E24VZ/Altiris7Trng/Altiris7Trng.zip (right click link and click "save target as"). It's about 157MB in size. Once you download - extract to directory and open index.html via browser. You should be presented with a Camtasia Studio 6 recording with navigation on the left and bottom.

There are a host of other articles and insights in this community (Symantec Connect) and on Intel vPro Expert Center (http://www.intel.com/go/vproexpert)

Fifth - Enable and Define the WSMAN Profile Credentials

Communications for KVM remote control requires WebServer for Management (WSMAN) credentials to be defined. In the screenshot below, I used the predefined "Runtime DASH Credentials"

This is possible since my configuration profile randomizes the Intel AMT admin password as shown below. This is good from a security and usability perspective.

If you directly specify an Intel AMT admin password, or a specific user in the Access Control List settings of the configuration profile, this is the user\password combination needed for the WSMAN Connection Profile settings.

Sixth- Start a Remote Control Session

Open a Real-Time Management window for the target client. Ensure both the AMT and WSMAN protocols are "OK". You may have other protocols enabled and communicating in the platform - but these two will be needed for the operations to be successful. See the following screenshot

Notice in the previous screenshot the 3 item under Management Operations - Remote Control. Select this option followed by selecting the "Remote Control" button

A new window will open for the KVM remote control session. If user consent is enabled - which is the default setting - you will be prompted to enter a 6 digit code shown on the target client system. This was mentioned above.

Once the code is entered - you now have full KVM remote control!! Try a windows shutdown\reboot sequence. Boot from the optical drive with utilities like Backup System Recovery (BESR) or Symantec Endpoint Recovery Tool (SERT). Some customers are using the KVM remote control capability with Microsoft's DaRT (Disaster Recovery Tool).

Quick side note - I have been asked what the "Redirection Options" refers to in the screen shown above. This allows you to redirect a DVD\CD image or drive to the target client - whether or not that DVD\CD is bootable. Imagine if you need to install a network driver or VPN solution to the remote client.... this could be one way of doing that without physically touching the system.

Conclusion

I look forward to hearing how you are using KVM remote control within your environment. Since I first saw this capability in the labs over a year ago, I have been anxious for the day customers could actively use it. The capability was introduced into the hardware earlier in 2010, standalone tools like RealVNC Viewer Plus were introduced about a month later... but this is one of the first console integrated solutions to take advantage of KVM remote control.

The opinions expressed on this site are mine alone and do not necessarily reflect the opinions or strategies of Intel Corporation or its worldwide subsidiaries.

Comments 2 CommentsJump to latest comment

Terry Cutler's picture

If you are actively using this feature in your environment - Please send me a note (respond to this or private message via Symantec Connect community).

Very interested to hear how this has benefitted your environment....

The opinions expressed on this site are mine alone and do not necessarily reflect the opinions or strategies of Intel Corporation or its worldwide subsidiaries

+1
Login to vote
Terry Cutler's picture

The Secure Port number is 664 in the WS-MAN Credential Manager settings.   This is shown in a screenshot above, with the number grayed out.

Hopefully this will answer an oft repeated question by customers wink

The opinions expressed on this site are mine alone and do not necessarily reflect the opinions or strategies of Intel Corporation or its worldwide subsidiaries

0
Login to vote