
Utilizing Intel vPro AMT Technology with Task Server - Part 6: Using Network Filtering with Task Server

Created: 16 Oct 2007 • Updated: 20 May 2009
Author: Joel Smith

Part 5 of this series introduced the System Defense technology. In this part, we discuss the one-to-many aspect of System Defense when used with Task Server. The standard filter configuration does not account for the ports that standard Task Server items utilize. Use this article in conjunction with Part 5 to utilize the standard functions of Task Server.

Introduction

Part 5 of this series covered System Defense network filtering: how to create and use a network filtering task, including how to configure what traffic is allowed through the filter. In this article we cover how to open the ports that let the core Task Server functionality through, so that Task Server's Scripting, Power Control, Service Control, and Task Client functionality can pass through the System Defense network filter.

Network Filtering Configuration File

The default file for use with Real Time System Manager and Real Time Console Infrastructure is named CBFilters.xml and is located under the install path at \Program Files\Altiris\RTSM\UIData. This file is the default filtering policy, which only allows communication via the Real-time tab. It also allows all Task Server Server Tasks to be executed against the target system. It does not, however, allow standard Task Server client-side functionality. Because of this, the default Network Filtering policy is only useful in a job that contains nothing but direct Server Tasks for AMT.

The Task Server Task type is installed via Real Time System Manager and Real Time Console Infrastructure. Most other AMT Task types are installed via Out of Band Management Solution.

Please see Part 5 in this series for how to add the ability to create and edit network filter configuration files. If you do not see the node for editing the filter file, then you have not installed this functionality.

Note! The user interface for this editor has a serious oversight. If you edit the file in any way, whether editing existing filters, adding, or removing them, and do not click the 'SAVE' icon, your changes will not be saved, and no prompt will warn you. See the screenshot for how to save it. Save often!

Creating and Editing

The file name does not matter, but there are two options when editing the XML file that contains the network filter configuration:

  1. Edit the existing file – If you choose this option and simply overwrite the standard file, it is highly recommended that you back the file up first by copying it, in case you make a mistake. After editing the file, simply save it as is to overwrite the original.
  2. Create a new file – If you don't want to re-enter the standard ports used by AMT and RTSM, copy and rename the default file before you edit it. Once you have made all the changes you need, use the Export button directly to the left of the Save button, give it a file name, and save it.

Using Custom Files

In Task Server you can choose to use a specific filter file when creating the Task, either as a single Task or as part of a Job. Use the screenshot below and the following steps to set up a Task using a custom network filter configuration file:

  1. Either create a new Task or Job, and add the Task type of Network Filter.
  2. Name the Task appropriately.
  3. From the available options, choose 'Filter network traffic other than to and from the Notification Server'.
  4. Choose Import Network filtering settings from the custom XML File.
  5. Click the browse button and browse to the custom file.
  6. Click Apply to save the Task.
  7. Note! Make sure you have a subsequent Task that uses the third radio option, 'Allow all network traffic', to take the filter off when completed. The filter will remain in place until this type of action is taken against AMT.

Configuring for Task Server

The key point is that the default file only allows communication on the ports used by AMT and by RTSM. Task Server's client-side ability (client tasks or jobs) is provided by the Task Server Agents as follows:

  • Altiris Client Task Agent – Required for any client-side actions with Task Server
  • Altiris Power Management Task Agent – Required for non-AMT power functions (WMI)
  • Altiris Script Task Agent – Required for running scripts locally
  • Altiris Service Control Task Agent – Required for service manipulation

To enable these agents and their functionality while a network filter is in place, the Altiris Agent has to be installed on the target systems along with the subagents listed above (not all of them are needed if only select functionality is being used).

The following diagram shows this concept:

Manual Steps

The following steps detail how to manually edit the file to allow Task Server client-side functionality. The process is detailed here both to show how to manually configure the file and to be used as a use case when configuring the System Defense network filter configuration file. Note that the filter descriptions are after the instructions.

Filter 1

  1. In the Altiris Console (6.5 version) browse under View > Solutions > Real Time Console Infrastructure > Configuration > and click on 'Edit Network Filters' (if this node does not exist, see Part 5 for instructions on how to add the editor).
  2. Click the blue plus icon to add a filter. This will launch the wizard. Click 'Next' on the introduction screen.
  3. Choose the options TCP and Incoming, and click 'Next'.
  4. Select the option Address of the Altiris Notification Server, and make the address Source. Click Next.
  5. Choose Range of ports and click 'Next'.
  6. Choose the option Manually type in the lower/upper boundary of the port range and enter in 50120 for lower, and 50124 for upper. Treat the range as Source, and click 'Next' to continue.
  7. Provide a filter name and click 'Finish'.

Filter 2

  1. Click the blue plus icon to add a filter. This will launch the wizard. Click 'Next' on the introduction screen.
  2. Choose the options TCP and Outgoing, and click 'Next'.
  3. Select the option Address of the Altiris Notification Server, and make the address Destination. Click Next.
  4. Choose Range of ports and click 'Next'.
  5. Choose the option Manually type in the lower/upper boundary of the port range and enter in 50120 for lower, and 50124 for upper. Treat the range as Destination, and click 'Next' to continue.
  6. Provide a filter name and click 'Finish'.

Filter 3

  1. Click the blue plus icon to add a filter. This will launch the wizard. Click 'Next' on the introduction screen.
  2. Choose the options TCP and Incoming, and click 'Next'.
  3. Select the option Address of the Altiris Notification Server, and make the address Source. Click Next.
  4. Choose Range of ports and click 'Next'.
  5. Choose the option Manually type in the lower/upper boundary of the port range and enter in 50120 for lower, and 50124 for upper. Treat the range as Destination, and click 'Next' to continue.
  6. Provide a filter name and click 'Finish'.

Filter 4

  1. Click the blue plus icon to add a filter. This will launch the wizard. Click 'Next' on the introduction screen.
  2. Choose the options TCP and Outgoing, and click 'Next'.
  3. Select the option Address of the Altiris Notification Server, and make the address Destination. Click Next.
  4. Choose Range of ports and click 'Next'.
  5. Choose the option Manually type in the lower/upper boundary of the port range and enter in 50120 for lower, and 50124 for upper. Treat the range as Source, and click 'Next' to continue.
  6. Provide a filter name and click 'Finish'.

See the following explanations on what each filter is doing:

  1. Filter 1 – This is communication using the ports defined as the sending ports from the Notification Server to the client system.
  2. Filter 2 – This is communication using the ports defined as the sending ports from the client system to the Notification Server.
  3. Filter 3 – This is communication using the ports defined as the receiving ports from the Notification Server to the client system.
  4. Filter 4 – This is communication using the ports defined as the receiving ports from the client system to the Notification Server.
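To make the four filters concrete, the following small Python model is added here (it is not part of the article or of the RTSM product) and checks a packet against the four filters exactly as they were entered above. The Notification Server and client addresses are constructed, and the default AMT/RTSM filters already present in CBFilters.xml are not modelled, so a packet the model drops might still be passed by one of those.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

NS_ADDR = "192.0.2.10"       # constructed Notification Server address (assumption)
CLIENT_ADDR = "192.0.2.50"   # constructed AMT client address (assumption)
TASK_PORTS = (50120, 50124)  # port range opened by the article's four filters

@dataclass(frozen=True)
class Filter:
    name: str
    direction: str   # "incoming" or "outgoing", as seen from the AMT client
    ns_role: str     # which address must be the NS: "source" or "destination"
    port_role: str   # which port must fall in the range: "source" or "destination"
    ports: Tuple[int, int] = TASK_PORTS
    proto: str = "tcp"

@dataclass(frozen=True)
class Packet:
    direction: str
    proto: str
    src: str
    dst: str
    sport: int
    dport: int

# The four filters from the "Manual Steps" section, in the same order.
FILTERS = [
    Filter("Filter 1", "incoming", "source", "source"),
    Filter("Filter 2", "outgoing", "destination", "destination"),
    Filter("Filter 3", "incoming", "source", "destination"),
    Filter("Filter 4", "outgoing", "destination", "source"),
]

def matches(f: Filter, p: Packet) -> bool:
    """True if packet p satisfies every condition of filter f."""
    if p.proto != f.proto or p.direction != f.direction:
        return False
    addr = p.src if f.ns_role == "source" else p.dst
    port = p.sport if f.port_role == "source" else p.dport
    return addr == NS_ADDR and f.ports[0] <= port <= f.ports[1]

def allowed_by(p: Packet) -> Optional[str]:
    """Name of the first filter that passes the packet, or None if it is dropped."""
    for f in FILTERS:
        if matches(f, p):
            return f.name
    return None
```

Running packets from a host other than the Notification Server, or on a port outside 50120-50124, through `allowed_by` shows why both a source-port and a destination-port filter are needed in each direction.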

Also attached to this article is a default filter with the above changes made for convenience, though it is recommended you look at how the filters are configured to understand how it works.

Conclusion

This will allow all standard Task Server functions conducted by the subagents detailed above, including scripting, WMI power control, and service control, within a Task Server job that has a network filter applied. Note that this does not include the ports needed for the Software Delivery Solution for Task Server Plug-in to function. That will be covered in a separate article detailing this component in conjunction with System Defense and Task Server.

This should open more abilities for remediation when a System Defense network filter is required, and allow a system to be remotely 'corrected' before the filter is removed.

Utilizing Intel vPro AMT Technology with Task Server – Part 5: System Defense Tasks


Utilizing Intel® vPro AMT Technology with Task Server - Part 7: Using System Defense with Software Delivery