Home > Intel Communities > Open Port IT Community > Intel® vPro™ Expert Center > Blog > Authors > Tal Elgar
Up to Blog Posts in Intel® vPro™ Expert Center

Intel vPro Expert Center Blog

11 Posts authored by: Tal Elgar
Tal Elgar
0

If you're reading this blog posting, hopefully you've read my blog post on CIRA last week -

http://communities.intel.com/community/openportit/vproexpert/blog/2009/11/10/cira-and-fast-call-for-help--what-is-it-where-can-i-find-it

 

Firstly, I wanted to share with you that over the past week we have actually worked through an entire end to end setup with a real-world customer (i.e. not just inside Intel labs) and now we have CIRA and AMT functionality over CIRA working successfully!

 

If you're wondering which of the management consoles and MPS/vPro Gateways were used - it was LANDesk 8.8 SP3 in this case (remember that LANDesk bundle their own MPS/vPro Gateway offering). If you're looking to get this to work in your environment (CIRA with LANDesk specifically) please do get in touch and I can share some specific current LANDesk pointers with you (that are not mentioned in this blog posting).

 

Some of the things we came across last week which are good pointers to pay attention to:

  1. There are 4 ports that get configured with the MPS which are fully configurable (i.e. they are not restricted to being a specific port number) - however, you cannot re-use the same port number, you need to have 4 distinct port numbers (sounds trivial, but it happens).
  2. You can use port 16993 as one of the port numbers, even though that is the port that is used for https connections in AMT (there is no conflict)
  3. In the httpd.conf file - instead of havinga deny all and allow specific IP addresses, you might want to change to allow all
  4. CIRA relies on the DHCP option 15 that is allocated where the vPro client is to be different than what it was pre-configured with - that is how the system knows it is outside the corporate environment. If DHCP option 15 happens to be blank where your vPro clients connect from - that is good enough. Blank is considered different and CIRA works fine.
  5. Currently, you should install the LANDesk agent after provisioning is completed
  6. Check through selecting the 'vPro Status' operation on a provisioned vPro client to ensure all the LANDesk NED settings have been deposited properly on the vPro client prior to taking it out of the corporate environment.

 

Btw, the CIRA connection is established through a user click at the OS-level using the IMSS utility.

 

So the bottom line is we now have close to 100 systems that are confirmed to be have full AMT functionality working over a CIRA connection in a real live environment - it works! (

 

The 2nd part of the blog can be considered a more 'advanced topic' and is devoted to what happens if your management console of choice doesn't currently support CIRA...

One Management Console for example that is currently not supporting CIRA is Microsoft SCCM (even with SP2).

 

The options as I see them, are:

  1. Contact your software vendor and ask them whether they support Intel - Intel works with multiple software vendors on incorporating support for various Intel vPro features (CIRA amongst others) - they can hear it from us, but it is much better if they hear it from you.
  2. Your software vendor might have plans to introduce support for CIRA, however it is further down the line - so it is just a question of time.  
  3. Try and engineer something yourself to have CIRA work in the environment you have setup

 

At least for testing your environment for what CIRA would look like, you could leverage the WebUI tool. You would need to have an MPS installed and configured first of all. Thereafter, all that you need to do is configure the proxy settings in the web-browser you are using to the IP address/FQDN of where you have your MPS installed and also enter the default http proxy port of 8080 - that will be sufficient for getting your WebUI to work over a CIRA connection.

untitled.bmp

 

If you use Microsoft Internet Explorer you are limited only to the http proxy portion which will allow several of the AMT operations to work over a CIRA connection, but not SOL/IDER for example.

If you are using Mozilla Fire Fox for example, you can configure a SOCKS proxy as well, which can handle routing SOL/IDER traffic as well.

 

If we take the example of Microsoft SCCM, what you can do is to use the scripting framework that has been used successfully for something like: providing out of band 802.1x in Microsoft SCCM SP1 (it is natively supported now in SP2) - http://communities.intel.com/message/10877

You can configure the correct settings for the vPro client to be able to contact the MPS Proxy Server and establish a CIRA connection between the MPS Server and the vPro client, however you will still need your management console to integrate and be aware of this CIRA connection to be able to do something useful.

What you could do at this point is to configure a 'transparent proxy' - what that would typically entail is to configure the MPS IP address/FQDN as a proxy routing that will be inserted in the headers of packets that go through the router to which the Server that is hosting the management software. You can use something like Cisco WCCP (Web Cache Control Protocol) to set this up. At this point, Microsoft SCCM will not be aware that the packets it is sending are actually being re-routed through the MPS to the vPro clients (which is aware of the remote vPro client) and that is why this is called a transparent proxy.

 

A caveat/disclaimer I would add though is that albeit technically feasible you would need to put together the full working solution yourselves and support it yourselves.

 

0 Comments Permalink Tags: mps, tal_elgar, landesk, sccm, fast_call_for_help, cira
Tal Elgar
1

If you are one of the many organisations that is planning on adopting Windows 7 and are wondering whether there are any implications for your vPro systems, then this blog is for you...

The implications of Windows 7 on vPro can be summarised as relating to at least one or more of the following areas:

  • 1. Management console
  • 2. AMT Drivers
  • 3. AMT Firmware

    • Let's start with the Management Console...

    If you are using Microsoft SMS, for example, as your management console then you should be aware that Microsoft officially doesn't support Windows 7 clients with SMS and therefore if you wish to manage your Windows 7 clients you will need to transition to Microsoft SCCM. Therefore, when planning your vPro migration to Windows 7 you need to actually to migrate to SCCM before hand.

    For those that do migrate to SCCM there are some additional implications which are indirect for the Windows 7 migration, but are part of the SCCM with vPro package. As this is not a posting on SCCM, I'll only mention briefly that you need to be prepared to have an Enterprise Certificate Authority, potentially have to make use of the WS-MAN translator (if you have any AMT Firmware that is prior to 3.2.1), you will need to upgrade to latest AMT Firmware versions and you will be integrated with Active Directory.

    Regarding AMT Drivers (namely HECI/MEI and LMS/SOL)...

    As the drivers are installed at the OS level, it doesn't come as a surprise that there might be a requirement for drivers to be able to install on a new operating system.

    1. AMT 2.x based systems - currently no planned official AMT Windows 7 drivers (use compatability mode)
    2. AMT 3.x based systems - official AMT Windows 7 drivers will be available by OEMs in Q1 of 2010 (for now use compatability mode)
    3. AMT 4.x based systems - you will require drivers version number 4.2 (otherwise you could use compatability mode)
    4. AMT 5.x based systems - you will require drivers version number 5.2 (otherwise you could use compatability mode)

    If you are not familiar with compatability mode, here is how you do it:

    1.      Right click on the driver installation file à Properties à Compatibility tab  (per sample screen shot below):

    untitled.bmp

    2.      Select the mode (I guess either Windows Vista or Windows XP SP2 or SP3)

    3.      Click Apply/OK

    4.      Right click installation file and run as Administrator and install the drivers (or alternatively prior to step 3 tick the box of run as administrator)

    Btw, the exact same process can be used for AMT 4.x and AMT 5.x drivers – i.e. take existing not 4.2/5.2 level drivers and install them in compatibility mode.

    It is useful to know that the 4.2 and 5.2 level drivers are actually available for download fromt the OEM sites; take Dell for example: http://support.dell.com/support/downloads/driverslist.aspx?c=us&l=en&s=gen&ServiceTag=&SystemID=LAT_E6400&os=WLH&osl=en&catid=&impid=

    untitled2.bmp

    and

    http://support.dell.com/support/downloads/driverslist.aspx?c=us&l=en&s=gen&os=WLH&osl=en&catid=&impid=&SystemID=PLX_960

    untitled3.bmp

    Lastly, we have the AMT Firmware...

    Strictly technically speaking, Windows 7 doesn't require a different kind of AMT Firmware, since the firmware sits underneath the operating system anyway. What is required though is the latest AMT Firmware (4.2 and 5.2) so that it can interoperate with Microsoft SCCM in the best and most stable manner. Therefore what might initially seemed as no need to upgrade AMT firmware to work with Windows 7 actually becomes a recommendation to do so.

    Hopefully this has provided some clarity on the technical requirements around vPro and Windows 7. There are some particular compelling points for having vPro systems and leveraging them for a Windows 7 migration deployment, however this is covered by other blogs and materials out there, such as: http://communities.intel.com/docs/DOC-3096

    1 Comments Permalink Tags: amt_firmware, 5.2, amt_drivers, tal_elgar, sms, sccm, windows_7, 4.2
    Tal Elgar
    0

    What is it?

    When vPro and more specifically AMT was initially designed and engineered it was architected to work on an internal corporate network which allowed for the Server to client communications model. The problem was that many organisations have client PCs that are actually situated outside the corporate environment and were excluded from the reach of the vPro benefits available to systems residing within the corporate network. The reason for this is that client PCs that are not on the corporate environment would be sitting behind a home router and would actually posses a private local IP address that is not publicly addressable - i.e. it is not unique and the Management Console has no way of reaching that remote client. The solution to this situation is what is called CIRA - Client Initiated Remote Access.

     

    The term Fast Call for Helpis what we refer to the use case that is enabled by CIRA (which is a means to an end, but not a use case on its own). It specifically addresses a help desk type scenario where the PC is broken and it is being fixed from remote by an administrator or technician.


    How does it work?

    It works on the principle that as with any usage of a PC behind a NAT'd router, once the client initiates a request (say for a web page) and the information returned comes back to the router, the router knows locally which PC to forward the information back to. The important distinction from the analogy used is that this connection is created Out of Band and does not rely on the operating system or some local software client agent being available or in a healthy state.

     

    The connection that is initiated by the client arrives at the vPro Enabled Gateway which needs to be 'publicly reachable' - so it would typically reside in a DMZ and by protected by an external firewall which might have some port forwarding.

     

    The management console has a listner for incoming CIRA connections and once such a connection arrives it can perform AMT commands on the remote vPro client.

     

    The high level flow is as follows (with a graphical representation below):

    1. The user of the remote vPro client initiates the connection to a component that acts as a proxy Server and is called the vPro Enabled Gateway (aka MPS - manageability presence server).
    2. The connection can either be initiated manually by a user in an OS level utility or pre-OS level with a key combination
    3. Alternatively, the connection can be scheduled to automatically be initiated according to a pre-determined time frequency
    4. Once the connection reaches the Gateway, a secure encrypted tunnel is established back to the vPro client
    5. At this point the Management Console which is sitting inside the corporate environment is notified of the incoming connection from the vPro client
    6. The administrator/technician which is using the Management Console can now initiate any AMT command to the remote vPro client

    CIRA.bmp

    What components are required for getting CIRA and Fast Call for Help to work?

    1. vPro systems
    2. Management software that has built in support for Fast Call for Help
    3. vPro Enabled Gateway

     

    In addition, you should also be aware that there are configuration files that need to be edited for the vPro Enabled Gateway, some configurable ports need to be open and that AMT provisioning (with CIRA profiles) are a pre-requisite.

    Which vPro Hardware do I need to take advantage of Fast Call for Help?

    Any vPro system that has AMT Firmware 4.0 and above supports Fast Call for Help. That means any 4.x, 5.x and now the up and coming 6th generation of vPro which is being released in the 1st quarter of 2010. The new capability which is being introduced in 2010 is that this CIRA connection can be initiated over a wireless network interface as well, whereas today it is limited to being initiated over a wired network connection.

    Which manageability software is available today for implementing a utilise CIRA capabilities?

    1. Symantec Management Suite version 7 (formerly Altiris Management Console and aka CMS7) Beta II
    2. LANDesk Management Suite 8.8 SP3
    3. Setup and Configuration Service (SCS) 5.x and above (including the Intel DTK) also support CIRA

     

    Which vPro Enabled Gateway products are available today for setting up a CIRA capable infrastructure?

    1. Checkpoint Secure Gateway (interoperable with the Symantec Management Console, but not with the LANDesk console)
    2. LANDesk Gateway which is embedded inside the LANDesk Management Console (however does require to run specific installer for MPS)

     

    Why am I blogging about this now?

    CIRA and Fast Call for Help were actually supported in Intel Firmware from version 4.0 which was released about 1.5 years ago. Unfortunately all the components required to make Fast Call for Help work were either unavailable or had stability issues. However, today the components exist and are validated to work successfully (with a few known issues that are being addressed). Therefore, if this is of interest to you then you are in a position to implement Fast Call for Help in your environment today. We would welcome anyone out there that is interested in trying to implementing this

     

    Is this everything I need to know?

    There are more technical details required for a successful implementation, however this should provide a good introduction and starting point. If you have any questions, please don't hesitate to contact me.

    0 Comments Permalink Tags: tal_elgar, fast_call_for_help, cira, symantec, landesk, vpro_enabled_gateway, mps, amt_4.0, amt_4
    Tal Elgar
    1

    For those of you out there that are  using the SMS Addon the following might be of interest, if seeing close to 100% success rates is your thing...

     

    If you've been using the SMS Addon together with Microsoft SMS as your vPro enabled management console of choice then you might have experienced less than 100% success rates when you're trying to perform AMT operations on collections of machines. The following details I will be providing have been devised specifically in the context of using the AMT wake-up feature for a Power Management Use Case, however you can extrapolate the essence and apply elsewhere if you're using some of the other features in the SMS Addon...

     

    Ok enough of an introduction.

     

    If you're implementing the power management use case, then before you'll be using the AMT wake-up feature, you'll be putting machines to sleep according to a certain policy you've put together (user initiated, SMS job executed shutdown.exe or some other shutdown scripts). However, you want to be sure that the machines you have put to sleep can be woken up on demand - mandatory advertisement triggered wake-up, scheduled wake-up or console initiated wake-up. Finding out you can't wake some machines up that you've put to sleep is far from being ideal - effectively you're reducing the success rate of your use case and you're putting machines in a state where you're benefiting from power savings, but you've compromised on your ability to get access to that machine from remote.

     

    What might interest you then is a deterministic way to ensure that every machine you put to sleep as part of your power management use case, you can wake up. Well... we've done just that.

    Here is the trick - you create your SMS collection for machines that you want to put to sleep and then wake-up, with a simple SQL statement of:

    ' Select * where iAMTStatus = 1'  - the key here is this field iAMTStatus = 1 which is a return value that confirms the SMS Addon can communicate successfully with the vPro machine. Therefore you now have a deterministic way of knowing that a machine that you've put to sleep can be woken up using SMS Addon and the AMT wake-up feature.

     

    An improvement on that is to run an AMT discovery daily (or some other frequency) to dynamically update the collection based on the ability of the SMS Addon to get to machines successfully. This will cater for if there are any changes in your environment, which there might or might not be. Currently the only way to run an AMT Discovery repeatedly on machines that have already been discovered in the past is to manually right click on a collection in the SMS Console and select AMT Discovery. We might have a more automated way of doing this soon... so watch this space.

     

    Hopefully you find this useful.

     

    - a caveat/disclaimer I should perhaps mention is that his method does not mean you will have 100% success rate for ALL your machines. Undoubtedly you will have some machines that do not have iAMTStatus = 1. Effectively what you're doing here is defining the scope.

    1 Comments Permalink Tags: microsoft_sms, sms_add_on, success_rates, tal_elgar, amt_wake-up, intel_expert, sms, amt_wakeup, power_management, power_management_use_case
    Tal Elgar
    1

    If you have experienced WMI related issues with the SMS Addon or are worried about potential WMI related issues you might want to read this...

    The SMS Addon relies on calls to the WMI service for interacting with SMS and it calls the WMI service more than you might think. For some customers it has been observed that the default frequencies of these calls coupled with the amount of data/entries (such as number of advertisements, number of collections etc.) causes a very high load on the WMI service and a subsequent crash of the service that requires a full reboot of the entire Server (not just the service). Obviously that is not an acceptable situation for a production customer, however there are 8 specific instances where the SMS Addon makes calls to the WMI service which can be tweaked to provide a potential resolution.

    You won't see these 8 registry keys in the registry as the SMS Addon uses default values inside the SMS Addon code. You would need to generate these keys yourselves and provide values in order to override the defaults used. The list of these keys and the what they are for are as follows:

     

    All registry keys need to be created in: HKLM\SOFTWARE\Intel\Intel(R) AMT Add-on\GEN\ folder and Dword values need to be entered in minutes. Any value but 0 is legal. There is no disable value and hence 'disabling' is achieved by setting a very high value such as 5 (2,628,000 minutes) or 10 years (5,256,000 minutes).

     

    These is the list of the scheduled WMI related operations:

     

    1. NewSysScanInterval used to identify new systems in SMS (discovered by SMS discovery methods like AD discovery) – by default runs every 60 minutes – not needed if no systems are managed by SMS Site (such as Central SMS Site).

    1. DeletedSysScanIntervalused to remove information about systems removed from SMS – by default runs every 60 minutes – not needed if no systems are managed by SMS Site (such as Central SMS Site).
    2. SCSSystemScanIntervalused to find new machines in SCS – by default runs every 60 minutes – not needed if no systems are managed by SMS Site (such as Central SMS Site) and also this doesn’t apply if add-on isn’t integrated with SCS.
    3. SystemChangeMembershipScanIntervalused to identify systems membership in groups (for system defense settings) – by default runs every 60 minutes – not needed if no systems are managed by SMS Site (such as Central SMS Site) or if system defense isn't being used.
    4. OffLineSystemScanInterval – used to run commands on machines that were offline (used for system defense and event registration) – by default runs every 5 minutes – not needed if no systems are managed by SMS Site (such as Central SMS Site) or if system defense or event registration aren't being used.
    5. SCSrequestScanInterval – used for tracking requests from add-on to SCS (unprovision, reprovision) – by default runs every 5 minutes – not needed if no systems are managed by SMS Site (such as Central SMS Site) or no un/reprovision commands are run from the add-on; also this doesn’t apply if add-on isn’t integrated with SCS.
    6. UpdatedAdvertisementsScanIntervalused for reading advertisement definitions – by default runs every 2 minutes – not needed if no systems are managed by SMS Site (such as Central SMS Site) or if advertisement wakeup or system defense aren't being used. Runs frequently to pick up any changes to advertisement settings.
    7. AdvertisementChangeScanInterval used for identifying status of systems with system defense settings on advertisements – by default runs every 5 minutes – not needed if no systems are managed by SMS Site (such as Central SMS Site) or that don’t run system defense on advertisement.

    Tal

    1 Comments Permalink Tags: tweak, wmi, sms_addon, sms, sms_add_on, tal_elgar, advertisement, system_defense
    Tal Elgar
    0

    If you are using Intel SCS 5.x, after you've installed it you will need to decide whether you want to configure the scs service to either get configuration parameters from a script or from the DB. This seemingly innocuous decision has some technical implications, so here's the background..

     

    Choice A - get configuration parameters from the DB

     

    Let us first define what are the configuration parameters - they are the fields of a vPro system - such as: FQDN, AD OU, Profile - the important ones that are required for completing provisioning - and the remaining informative attributes, such as AMT firmware version etc. Therefore the configuration parameters that are necessary to have are FQDN (or hostname) AD OU path (if you are integrating with Active Directory) and the SCS provisioning profile being assigned to the vPro system. Where will the information for these 3 fields come from?

     

    The wording of this option might be slightly misleading as you might (wrongfully) assume that the configuration parameters to get your vPro systems provisioned smoothly are sitting and waiting in the DB for you and will provide you an extra smooth provisioning experience over above the other method (using a script). This is however not the case; the configuration parameters are empty to begin with and only after going through a (successful or unsuccessful) provisioning process for each vPro machine, it will in turn have these configuration parameters populated in the DB, so that subsequent provisioning attempts will in fact be able to rely on these now populated configuration parameters in the DB.

     

    Let us consider the flow of events...

     

    A vPro system needs to initiate the provisioning process and let the SCS know about its existence - this is commonly known as the 'hello packet'. The hello packet contains a UUID (unique identifier), certificate hash or PID, MAC Address and ip address. Purely technically speaking, this will manifest itself by a new entry appearing in the AMTS table in the SCS DB. At that point you are missing the FQDN, AD OU path and profile ID. Once a new entry makes it into the AMTS table, it will also appear in the SCS Console as an unconfigured system with the UUID field populated, but the rest being blank.

     

    You now have an option to manually double click on the row in the SCS Console and enter these 3 fields. Once you've done that, the information will now be sitting also in the UUID_MAPS table which is also know as the configuration parameters. This is typically not a scalable method and therefore the current BKM is to rely on a client side utility to send more than just the UUID, pre-provisioning information (cert hash or PID) and IP address, but also the FQDN, AD OU path and a profile ID.

     

    The utility that has been designed to do this is the Activator utility which comes bundled when you download the SCS application (this blog posting won't go into the details of how to use the Activator Utility and what options you have and will assume you have an understanding of how to do this). Therefore instead of manually (and quite error prone) populating the fields, you can now have a utility that effectively pushes all the information required for provisioning into the UUID_MAPS table as well.

     

    Another last option is to create a list mapping UUIDs and pre-assigning them FQDNs and uploading it into the UUID_MAPS table. This is more difficult as it relies on the OEM providing you with an accurate list of all the UUIDs prior to receiving the systems. This is technically feasible but logistically more difficult and as such is a rarer implementation.

     

    Choice B - get configuration parameters from the script

     

    This method might be less popular, as it is a bit more complex and should be used only when the circumstances necessesitate it. The script would typically be a VBscript for which a sample script is provided when you install the SCS service. What the server script does in essence is set the AD OU path and profile ID. The FQDN still needs to be provided by the vPro machine itself and for that it will rely on either the activator utility (as mentioned above) or client side vbscript - either of which will typically rely on a WMI query.

     

    Purely technically speaking, the script takes the different parameters available to it and constructs an XML file (map.xml) that is formulated in a manner that is recognised and can be consumed by the SCS application. If there aren't enough permissions for the script to run locally, any necessary parameters are missing, or if the XML is not formulated properly then the SCS will complain about a missing XML file.

     

    Using the server side script provides you the flexibitliy of making changes to the AD OU path and profile ID further down the line as opposed to the client side only method, which would have required you to pre-package the parameters to invoke the client utility and any changes would involve deploying a new package to all machines.

     

    The server side script also allows you to overcome any permissions related issues and security concerns, as the client side only method typically requires administrator priveleges and involves letting each client right into the main DB (which for some security experts is an opportunity for malicious behaviour). Therefore a 2-tiered approach is possible where the client side (script or activator) send information into an interim DB and the server script reads the information from the interim DB. The trigger for the server script to run, is for a new entry to appear in the AMTS table but not have an entry in the UUID_MAPS table - i.e. a hello packet has arrived and there are no present configuration parameters.

     

    Finally, the server script is essential if any further manipulations are required in order to accommodate a particular environment. Such is the case when the FQDN queried on the vPro client has a domain suffix of an Active Directory domain, but there is a separate non-AD integrated network domain and any queries to DNS will return the network domain FQDN. This requires provisioning the vPro system with the network domain, which could either be hard coded as a constant (like the AD OU path and profile ID) if there is only one, or it will need to be dynamic and poll DNS (though something like nslookup on IP address) to replace the AD FQDN with a network FQDN. Provisioning will succeed regardless, but the problem will be later on when trying to manage the vPro machine if you will be using AD integration and therefore will need to conform to the Kerberos protocol.

     

    A situation can arise where you have configured SCS to use the script, however the the configuration parameters have already been populated due to a previous provisioning attempt - be it fully successful or not, since the parameters are in the DB already, the trigger for the server script to run will be missing and therefore it won't execute again. This scenario is typically come across in testing when the same machine is re-used. There are some 'real-world' scenarios such as machine has broken, is re-imaged and fixed by IT department, the client side provisioniong components (activator) kick-in on startup (typically) but the configuration parameters are already in the SCS DB and therefore the script will not run and provisioning won't succeed. Unfortunately SCS does not automatically remove the configuration parameters for machines that are partially or even fully unprovisioned. It can only be done manually when a system is deleted from the SCS Console and the 'delete configuration parameters' must explicitly be selected.

     

    This turned out to be a longer posting than originally intended... but if you've made this far, hopefully you've picked up a few useful nuggets of information...

     

    Tal

    0 Comments Permalink Tags: tal_elgar, scs, scs_5.0, provisioning, setup_configuration, script, scs_5.1, server_script, provisioning_script, scs_settings, scs_db, activator_utility, configuration
    Tal Elgar
    1

    If you are deploying vPro have you thought about what might happen if you are running virtual machines on your vPro clients? The virtual machine will have its own virtual IP address which will be different from the actual host IP address which is the one we want when using vPro. What was happening was that the vPro machine was getting provisioned with SCS, but then when discovery was attempted with the SMS Addon, the provisioned vPro system could never be discovered and sub sequentially managed because the systems showed up as 'Outside Site Boundaries'. It seems that the SMS Addon had a 'flaw' in that it assumed that a machine will only have a single IP address. I cannot say based on my experience whether sometimes the host IP address will be picked up and the problem won't manifest itself or whether it will always be the virtual IP address that will be picked up.

     

    I emphasize that I have experienced this situation when using the SMS Addon and not with any other management consoles. That doesn't mean the problem won't manifest with them as well or whether the design of those products caters for this. If anyone has come across virtual machines on vPro clients and this has or has not caused issues I would be interested in your feedback.

     

    At a high level, the nature of the fix will be that the SMS Addon will not assume there is a single IP address and will loop through the IP addresses. If an IP address comes up as outside the site boundaries the sms addon will loop onto the next available IP address. This process will continue until it has exhausted all the IP addresses available on that local vPro machine and only at that point 'give up'.

     

    The fix within the SMS Addon will be incorporated into an official hotfix which will be published soon; I'll provide an update once it has been released.

    1 Comments Permalink Tags: sms_addon, virtual_machine, site_boundaries, sms_site_boundaries, discovery, amt_addon, ip_address, outside_site_boundaries, sms, tal_elgar
    Tal Elgar
    1

    Some customers might have an environment where there is a network domain that is different to their Active Directory domain. This typically arises when there is a Microsoft Active Directory structure, yet there is a legacy non Microsoft DHCP and DNS infrastructure that uses a different (network) domain. This can cause a bit of an issue for vPro management if you are integrating with Active Directory (and also if you are using certificates for encrypting communication.) The reason for this is that typically a machine will be provisioned with the AD FQDN as all provisioning methods which rely on the Activator Utility or a management console's client agent will query locally using WMI and will pick up the FQDN that resides at the OS level. This will be OK for provisioning and will not be flagged as an issue. However, when the machine will be accessed for OOB management , the Kerberos protocol that dictates how the AD Objects for your provisioned vPro machines is accessed, will prevent access. This is because when the AD Object is interogated it will get a request from the management console that relies on a DNS resolution. That resolution will provide a different FQDN than the AD OS FQDN.

     

    In the past, the paradigm has been to circumvent this situation for the purposes of vPro provisioning and management by using hostname only provisioning, assuming that the hostname was unique. This was possible as long as you were using SCS 3.x. If you are using SCS 5.0 and above this approach will no longer work. Even though my direct personal experience on this matter has been directly with SCS and SMS I see no reason why this won't also apply to Microsoft SCCM or Altiris with its underlying SCS (when is supports SCS 5.x).

     

     

    The Solution: you will need to provision your vPro machines with the network resolvable FQDN. The manner that we have implemented it is by having a server script that performs an nslookup dynamically and plugs that into the SCS DB instead of the AD FQDN as part of the provisioning flow. The other thing that caught us out for a while, is that we had to add the network domain into the Server TCP/IP advanced network settings as a secondary domain suffix. As you will most probably have a new Server setup for hosting SCS then this configuration step most probably hasn't been performed for you and therefore you will need to remember to do it!

     

     

    Hopefully this helps prevent some headaches for some of you...

     

     

    Tal

     

     

    1 Comments Permalink Tags: domains, scs_5.0, scs, tal_elgar, provisioning, hostname, network, active_directory, integration, fqdn
    Tal Elgar
    0

    Some of you might find that you need to provision your vPro systems with hostname only as opposed to the generally recommended and accepted fully qualified domain name - FQDN. The typical reason for using hostname only would be because the FQDN that appears at the OS level of a client will not match what will appear in the DNS forward and reverse lookup zones.

     

    You might ask - how can that be? An example from one of my customers is that they have a network domain that is appended to entries in DNS via DHCP option 15. However, their DNS/DHCP is not integrated with their Active Directory and a different AD domain exists. Therefore when using the activator tool to extract the FQDN of the system and write it into the SCS DB as part of the provisioning process, it will conflict with the FQDN that appears in DNS. This will not cause a problem for provisioning per se, but for trying to access the machine later on using a management tool/interface it probably will.

     

    Note: if you are using TLS certificates (server or mutual authentication) then hostname only provisioning will probably not be a viable option for you in any case because of the scrutiny of certificate exchanges that check whether domain suffices match.

     

    So what does all this have to do with SCS 5.0? In 3.x versions of SCS there wasn't anything special you needed to do to allow hostname only provisioning, but with SCS 5.0 there is. When you construct your provisioning profile, in the optional settings you will need to select domains and make sure you select the checkbox of ‘Allow configuration when platform has no domain name'.

     

    What if you are doing AD Integration?

    If you are opting for AD Integration (as many will), you will have a problem with SCS 5.0. The reason for this is that the Kerberos protocol will insist that the request ticket will rely on DNS for your FQDN entry, whereas your object within the AMT OU in Active Directory will have a service principle name field (SPN) that will not match that FQDN - the SPN will have hostname and the request ticket will be whatever it is in DNS and at that point the kerberos negotiation will fail. It is important to stress that provisioning will work fine and you will see no hint to these issues, however once you try and access the machines via WebUI or any management console, you will have a problem.

     

     

    The fix for (for now) will be to edit the SPN field for each provisioned machine's object in AD to what will appear in DNS. The SPN field has an entry for each port number that could potentially be used for AMT purposes (16992,16993,16994,16995,623,664) but if you are not using SOL/IDER and are not using certificates (you won't if you've opted for hostname only in any case) then the only field you should need to change is for the 16992 port. You can edit this field manually using ADSIedit. A more scalable solution will require a script to run as a post provisioning step to edit the SPN. A solution within SCS 5.0 is not available at present.

     

     

    Ta

     

    0 Comments Permalink Tags: provisioning, scs_5.0, scs, hostname, tal_elgar, ad, active_directory, active_directory_integration, spn
    Tal Elgar
    0

    As many of you might know or have experienced, relying fully on the default provisioning window where the Management Engine sends 'Hello Packets' to the SCS server is problematic. Problems start arising in the following instances:

     

    1. The network has multiple domain suffices being allocated as connection specific DNS suffices depending on location and this could potentially lead to a mismatch between the SCS domain suffix and the client domain suffix.

    2. DHCP option 15 upon which the default process relies on might need be in use for one reason or another

    3. The provisioning window (24 hours for RCFG and 6 hours for PID/PPS by default) has closed before the infrastructure has been put in place to do something useful with these hello messages.

     

    In the past there was a solution based on sample vbscripts provided by Intel- either Server side only or a combination of client and server side scripts that would be used in conjunction with SCS. This has now evolved to the Activator Utility which is considered the best known method, however there are some subtleties where using the Activator isn't as straight forward, such as:

     

    1. The Activator utility will typically run under the context of the Local System Account - to allow each Local System Account to write information to the SCS DB requires delegating control all the Computer Objects. This is seen as a significant security risk by some organisations.

    2. The syntax for running the Activator utility necessitates the specification of a profile ID. The number of the profile ID can't be pre-determined with absolute certainty and the SCS API only accept the profile ID and not the profile name. A situation can ensue that the wrong profile ID has been hardcoded on the clients.

    3. Some operations like /a cannot work under the Local System Account context to begin with

     

    Together with the hetrogeneous states of vPro machines (some provisioned, some not, some needing to be re-provisioned) some further logic needs to be put in place to provide a robust end to end solution. This has lead to the implementation (in a nutshell) of the following solution at a large scale enterprise customer (it assumes knowledge of the activator utility and it's switches):

     

    1. A scriptable interface needs to be able to determine whether a system is provisioned or not - this is achieved by running MEInfo and parsing the contents of the output and writing some information into registry keys.

    2. A script always checks the registry keys to know whether to run the Activator utility

    3. The script is run at every boot-up of the system to make sure any previous failed attempts or if the system has been unprovisioned since the last boot is covered

    4. Once a script (which runs under the context of the Local System Account) determines it needs to execute - i.e. the machine is unprovisioned but has PID/PPS loaded it runs the Activator Utility with the //s h /d PID but not /o and /p

    5. At this point you might ask yourself, if I am using the client side vbscript, why should I use the Activator tool as well? The answer is that the Activator tool provides you the ability to send an in-band 'hello message' to kick-off the provisioning process. That is why we make use of the /h and /d PID parameters. If you wouldn't use the Activator tool, the out of band 'hello messages' would have easily timed-out a long time ago and you wouldn't be able to commence their resending unless you pulled the power cable out and back in - i.e. restart the Management Engine.

    6. The PID is predetermined per machine type and can be inserted into XML file that sits in client - if the PID was unique per each machine this would have broken the whole solution - hence a clear recommendation to have the same PID/PPS across all machines or at least across all machines of the same model

    7. At this point the information is written into an Interim DB using SQL account permissions

    8. Note that no permissions need to have been delegated for all Local System Accounts

    9. On the server side the script uses the same or different SQL account permissions to access to the interim DB

    10. On the server side the script contains the /p and /o parameters - this is crucial as this is a single point where the /p and /o parameters can be changed thus providing flexibility

    11. In addition since the customer has opted to not use certificates and because there is a difference between the connection specific and Active Directory domain suffices, provisioning is take place with hostname only - typically this would have involved using the /a switch, however there is a known issue that won't work under the context of the Local System Account. Therefore the FQDN is stripped of it's domain the server script and the hostname is derived.

    12. The server script creates an XML file with the appropriate content to plug into the Configuration Parameters table in the main SCS DB, as the SCS service can parse the contents of this XML file and check that it is valid content.

     

    The overall benefit of this solution is you avoid the security risk of delegating access rights for all Local System accounts, cover the different scenarios when the Activator Utility should be run, avoid the problems of mismatching domain suffices and maintain the flexibility of a single point of changing parameters for the variable Activator Utility syntax.

     

    The same logic will apply if you are using RCFG - simply ignore point #6 above regarding PID.

     

    Hope some of you find this useful.

     

    Thanks, Tal

    0 Comments Permalink Tags: provision, provisioning, scripting, pid, pps, activation, activator_utility
    Tal Elgar
    1

    SCS 5.0 is the latest version of the Intel Setup and Configuration Service. This new version boasts a number of fundamental and exciting additions to the world of vPro:

     

    1. You can enjoy the benefits of Active Directory Integration without the need to extend the Active Directory Schema!

    2. You can use Windows Authentication to communicate with the SCS Database

    3. The SCS Console version 5.0 has a much nicer and professional looking user interface

    4. The performance, stability and logging capabilities of the application have notably improved

    5. You have the ability to dynamically create collectoins of AMT Systems based on different filter conditions

    6. This is still early days for AMT Firmware versions 4 and 5 and the use of CIRA (Client Initiated Remote Access) and MPS (Management Presence Server) but it supports them

     

    Note: If you are using SMS as your Management Software you will need to use the Intel (R) Client Manageability Addon version 5.0 which is available for download from the following url: http://downloadcenter.intel.com/Filter_Results.aspx?strOSs=All&strTypes=All&ProductID=2609&lang=eng&OSFullName=All%20Operating%20Systems

     

    To emphasize the point - you will not be able to use SMS Addon version 3.3 with SCS 5.0. SCS version 5.0 will be bundled already for you with the Addon version 5.0.

     

    Some potentially useful technical insights that I have gathered through my experience of being an early adopter of SCS 5.0 through trying to deploy it at a large-scale enterprise customer:

     

     

    1. If you opt for having windows authentication (as opposed to the dummy SQL account which was part of the design up until SCS 3.3) you will need to opt for the custom installation path. In there you will be prompted to specify twice the user for running the AMTSCS and AMTSCS_RCFG virtual directories in IIS. You will need to specify the same username and password of the accounts that are running your IIS services where your SCS is being installed. Pay attention to this step - if you specify any user other than the user that is running the IIS services: this could a local account for example and not a domain account, then you will not be able to log into SCS via the SCS console.

    2. When you opt for the windows authentication to DB you wil not be able to use the default website on IIS. If you are creating a new website and you are going to opt for https connection, make sure your new website is setup with the server ssl certificate. You will also need to remember to stop the default website and have your new website running.

    3. You will need to remember to delegate permissions to the account that is running the SCS service on the AD OU for AMT objects, but this time it will be for objects of type 'Computer Objects'. There will not be a conflict with the Host OS level computer objects as these AMT Computer Objects are seen as user objects.

    4. You have the option to create the DB separately using an SQL Standalone DB script (i.e. not as part of the install wizard) however even if you are opting for windows authentication to your SCS DB, you can achieve this by only running the wizard (the custom install path). If you have created the DB prior to SCS install, you can point the SCS service to this DB instance during the install wizard.

    5. A general point to note that would apply to any provisioning with SCS (not just SCS 5.0) - when you are creating a profile

    6. Another point to mention is that the profile ID number is not fully deterministic if you don't run through the config of a new profile without pressing cancel at any point. For example, if you have the default profile as profile ID #1 then when you try and create an additional profile and at some point click cancel and then try and create a new profile it can eventually have a profile ID of #5 for example. This can start becoming a problem if you rely on the profile ID number as part of your provisioning process using the Activator Utility for example, as you can only pass the profile ID as far as the SCS API is concerned, yet if you've hardcoded the profile ID in some file on the vPro client where your Activator Utility will run then you cannot know for sure until your profile has been created in SCS what its profile ID will be. If you are editing an existing profile, its ID number won't change. You also cannot go into the DB and change that value manually as it is a primary key and is auto generated as part of an indexing mechanism in the SCS code. - this one might be a bit tricky, so contact me if you need me to clarify.

    7. I don't know whether you've noticed any sluggishness in the past when trying to install 3.x versions of SCS - for example with one of my large customers it would take 1.5 hours to install SCS because of looking up users in a rather large Active Directory; whereas with SCS 5.0 it takes 5 minutes at most.

    8. Whilst I haven't taken advantage of the capability to create collectoins of AMT systems I wanted to point out one of the main benefits of this feature. I have been faced in the past with situations where I need to perform an operation through SCS on many machines, but not all machines. Therefore the global operations in SCS 3.x versions only gave me the possibility of running the command on a single or all machines. Now I can tailor which machines I want to perform operations on.

     

    My overall recommendation to you is to give SCS 5.0 a go. It is easily the best SCS version that has been released. I have blogged about it as part of my first hand experiences - I have had nothing to do with its development and I am speaking out of the objective view of a user. Hope you find this useful.

     

    Ta

     

     

    1 Comments Permalink Tags: scs_5.0, scs, scs, tal_elgar, schema_extension, windows_authentication, activation, provision, provisioning

    Popular Blog Posts