Did you know that vPro has the capability to give you remote GUI access out-of-band (OOB) using the serial-over-LAN (SoL) interface? It's true.
Normally we think of SoL as a solution for remotely accessing BIOS or as a tool for running text-based remote diagnostic utilities as part of an IDE redirection (IDE-R) session. SoL is capable of doing more than console redirection. If you look in Device Manager on a vPro client and expand Ports (COM & LPT), you will see an entry for the SoL interface:
This port allows the local operating system to interact with AMT's out-of-band connection to a management console. You can try this yourself with the following steps:
1. Open up a SoL session to your vPro client using your management console. (You can use the Manageability DTK if you do not currently have access to a management console.)
2. Open up a command prompt on the vPro client you are connected to via SoL.
3. Enter the following command:
    echo hello>com3
   Note: the actual COM port number for your SoL interface may be different; check Device Manager to see what it is.
4. Look at your SoL session on your management console. You should see the word "hello" appear in your console window.
So what does this all mean? It means that if you have some software monitoring the SoL port, you can send data to and receive data from your OS out-of-band.
A great example of how to leverage the SoL interface can be found in the Manageability DTK. The DTK gives you the ability to redirect TCP traffic over the SoL interface by utilizing an agent, the Manageability Outpost, on the vPro client. There is corresponding functionality available in the Manageability Commander tool and Manageability Director tools. This allows you to map a TCP port on your vPro client back to a TCP port on your management console and tunnel TCP traffic between your management console and vPro clients over the SoL connection.
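An added example (not the DTK's code or wire format) of the framing layer an agent on the SoL port needs in order to carry TCP channels over the serial byte stream: it resynchronises past console text that shares the port and accepts OPEN requests only for ports on an allow-list. The frame layout, marker bytes, allow-list and all names are assumptions made for illustration.

```python
import struct
import zlib

# Hypothetical frame layout (assumed here, not the DTK's wire format):
# marker(3) | type(1) | channel(2) | length(2) | payload | crc32(4)
MAGIC = b"\x7eSL"
HDR = struct.Struct(">3sBHH")
OPEN, DATA, CLOSE = 1, 2, 3
MAX_PAYLOAD = 1024
ALLOWED_PORTS = {3389, 5900}  # assumed allow-list: Remote Desktop and VNC only

def encode(ftype, chan, payload=b""):
    """Build one frame ready to be written to the SoL COM port."""
    head = HDR.pack(MAGIC, ftype, chan, len(payload))
    return head + payload + struct.pack(">I", zlib.crc32(head + payload))

class Decoder:
    """Incremental decoder that skips non-frame bytes on the shared port."""
    def __init__(self):
        self.buf = bytearray()

    def feed(self, data):
        self.buf += data
        frames = []
        while True:
            i = self.buf.find(MAGIC)
            if i < 0:  # no marker: keep a short tail in case it spans two reads
                del self.buf[:max(0, len(self.buf) - len(MAGIC) + 1)]
                return frames
            del self.buf[:i]
            if len(self.buf) < HDR.size:
                return frames
            _, ftype, chan, n = HDR.unpack_from(self.buf)
            end = HDR.size + n + 4
            if n <= MAX_PAYLOAD and len(self.buf) < end:
                return frames  # wait for the rest of this frame
            body = bytes(self.buf[:HDR.size + n])
            crc = struct.pack(">I", zlib.crc32(body))
            if n <= MAX_PAYLOAD and self.buf[end - 4:end] == crc:
                frames.append((ftype, chan, body[HDR.size:]))
                del self.buf[:end]
            else:
                del self.buf[:1]  # false marker or corrupt frame: resync

def authorize_open(payload):
    """Return the requested TCP port if the agent may expose it, else None."""
    port = struct.unpack(">H", payload)[0] if len(payload) == 2 else None
    return port if port in ALLOWED_PORTS else None
```

The CRC only detects corruption and stray bytes; it does not authenticate the sender, so the agent still depends on the SoL session itself being restricted to authorized consoles.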
If you combine TCP redirection with remote control software, like Remote Desktop, VNC and similar tools, you can enable OOB access to a full GUI on a remote machine.
I've put together a video that demonstrates how you can use this ability to remotely manage a client with a full GUI, including the ability to transfer files, using vPro's OOB management capabilities.


Totally awesome!!
Imagine a client system with a bad network connection - if the AMT OOB connection is open, you can see and repair the error without blindly guiding a user (and hoping they are following every step).
Plus - since AMT can be configured to negotiate 802.1x, NAC, and other network security items - if the "in-band" network connection (the OS NIC) isn't configured correctly - an IT administrator or support person can fix it. As shown in this demo - their fix could include software download\install using the IDE-R along with SoL.
One more thought - with the latest Intel vPro systems a feature called CIRA (Client initiated remote connection) or also "Fast Connect" allows AMT to negotiate from a public or foreign network into a corporate network (i.e. connection initiated through NAT and so forth). Imagine a "road warrior" user that is experiencing VPN configuration challenges - with the combination of items available, their IT support team could help them. Imagine a leased PC system sitting in a small business office managed by an IT outsourcer - they could connect and remediate a situation as long as a physical connection can be established! (i.e. AMT is able to communicate, yet the host OS and associated configurations won't allow "in-band" communications)
So what's missing in this picture? The Intel AMT DTK provides the reference software on how this can be accomplished. However, how many major client management solutions have actually implemented it?