Formerly known as Web Admin for Windows, Real-Time System Manager provides a powerful set of functions for IT specialists. In part 5 of this article series we covered the main points for Real-Time Console Infrastructure troubleshooting. As a natural extension of RTCI, Real-Time System Manager troubleshooting is covered in this article as part 6. With an emphasis on credentials and connection methods, this article provides information to overcome the most common issues seen when using the Real-Time tab for direct, one-to-one computer interaction.

Introduction

Real-Time System Manager provides a powerful tool for directly connecting to a system agentlessly with functionality available through WMI and Intel AMT. This article covers the issues associated with general functions seen with both technologies but with emphasis on the AMT functions. The following sections cover areas of troubleshooting:

• Connection Issues

• Authentication Issues

• IDE Redirect (IDER)

• Network Filtering

Connection Issues

Under the current architecture the FQDN is the primary method for connecting and authenticating to AMT on remote systems. If the FQDN the Real-Time tab is using does not resolve in DNS, then AMT connectivity and thus functionality will not be available. FQDN connectivity issues are the number one issues we see with RTSM connections to AMT.

Invalid FQDN

To view what FQDN the Real-Time is using, use the ‘Hardware Management' node in the RTSM tree. The following screenshot shows what AMT is using:

In this example my system is in a workgroup and reported only the hostname as the FQDN, which DNS had no trouble resolving. If this fqdn is not reachable via DNS, we won't be able to connect to the AMT functionality.

NOTE: We use several methods, including IP address, for WMI. WMI functionality may show correctly when AMT is absent in this situation

Use these steps to see the FQDN is the issue:

1. Open the Real-Time tab for the AMT system you are managing.

2. Once the tree loads, open the Real-Time System manager folder, open Administrative Tasks, and click on ‘Hardware Management'.

3. Once the page loads, if AMT is missing as an available technology, take note of the name displayed as in the screenshot above.

4. Go to Start, Run, type in cmd, and click OK.

5. Type in nslookup <name displayed>. In the above example it would read:

1. Nslookup dellvpro

6. Can DNS resolve this address? If no, we'll need to fix the issue in one of the following ways.

7. FIX DNS and/or the Altiris record: If DNS can be fixed, this is the preferred method. The difficulty is finding out why the Altiris Agent reported the incorrect record. Once DNS is fixed, have the Altiris Agent run Basic Inventory. The table location we pull this out of for management in RTSM is Inv_AeX_AC_Location, column: Fully Qualified Domain Name.

8. Use the ‘Manage' node available in RTSM (see the below screenshot): By putting in the IP address of the system, we'll use the IP to lookup the FQDN and not make any assumptions.
   !Manageshortcut.JPG!

9. Update the Servers HOSTS or LMHOSTS files to contain the mapping to the invalid name. For example find the LMHOSTS file, edit it and add a line <IP ADDRESS> <FQDN>, as in this example:

1. 10.10.10.1 Dellvpro

Real-Time unable to connect

If WMI and AMT functions are unavailable, you'll get a message when you click on the Real-Time tab indicating that the functionality isn't available. See the following screenshot:

Note: If you use another product such as Dell or HP's plug-ins to this tab, you'll simply not have the ‘Real-Time System Manager' node underneath Real-Time Consoles.

The number one reason this occurs is due to a firewall being engaged. Firewalls need to allow AMT traffic through. If a firewall is enabled, use the following details to resolve the AMT issue:

1. Create an inclusion in the firewall properties.

2. Allow the following ports, based off your environment:

1. 16992 - For non-TLS encrypted traffic - if you are not using TLS this is the port that will be used for communication

2. 16993 - For TLS-enabled, encrypted AMT traffic - If https is required for communication with AMT, this port will be used

3. 16994 - For a note, AMT provisioning uses this port for sending out the ‘hello' packet during the configuration process - this will be used if you initiate a reprovision from RTSM

3. Another options is to disable the firewall when you need to manage the system via RTSM.

4. Unfortunately WMI has a known issue with the Windows firewall where the dynamic ports WMI uses after initiation will be blocked. It's a bug in WMI that has been addressed in Vista. Previous Operating Systems do not have a resolution at this time.

The other issue we've seen is where the system is simply unavailable for one reason or another. AMT is available if the system is off but still connected to the network, but WMI or if the system is unplugged from power or off the network RTSM obviously cannot function. Verify that the system is available if nothing resolves this issue.

Authentication Issues

Another common issue concerns authentication to the system via the Real-Time tab. First, let me discuss the methods RTSM uses to authenticate to a target system.

Authentication Methods

Runtime Profile - The Runtime profile contains he following information:

• All known good credentials used to connect via RTSM to a system

• The Intel SCS AMT password sent to systems when provisioning occurs

• Previously successfully used credentials from past RTSM sessions

User-defined Profiles - Profiles can be created that specifically provide credentials for the four types of technologies:

• WMI digest or Domain account

• AMT digest or Kerberos-authenticated user

• ASF digest or Domain account

• SNMP community strings

Manually entered credentials - When RTSM tries to connect, if the default profile set in the RTCI configuration fails to authenticate, the left-hand tree will still load but each node will prompt the user for credentials. A user can put in an AMT account, Domain user, or digest user that has rights on the target system. When authentication succeeds, these credentials are then stored in the Runtime Profile for the target system.

Troubleshooting Authentication

The following method will help identify issues and offer ways to work-around and solutions. These have been compiled through experience when troubleshooting issues with failed authentication with RTSM.

1. In the Altiris Console browse to View > Solutions > Real-Time Console Infrastructure > Configuration > select Manage Credentials Profiles.

2. Where does the green checkmark fall? This is the default profile that will be used when connecting via the Real-Time tab.

3. Create a new profile by clicking the blue + on the icon bar in the right-hand pane.

4. Under the Intel® AMT tab check the box ‘Enable this technology in the profile'.

5. Supply the admin user credentials set when the managed vPro systems were provisioned.

6. Under the WMI tab also check the box as above and provide a user that has admin privileges to the target system.

7. Give the profile a name and then save it.

8. Back at the main screen check the box under the ‘Default' column until the green check-mark uses your new Profile.

9. Test to see if this new profile is successful. Note that you'll need to launch IE fresh to use the new settings.

10. If it is not, try entering credentials in manually when you hit the system under the Real-Time tab. See the screenshot below for the connection icon to switch between WMI and AMT authentication. If two show in this area, both technologies are available but not authenticated.
    !RTSMconnectiontype.jpg!

11. In one case we supplied only AMT credentials in the Profile which allowed it to authenticate to AMT while a multiple protocol authentication profile failed.

12. Check the collection you are launching Resource Explorer from. Sometimes the identity of the system is incorrect. For AMT you can launch RTSM from the Provisioned collections populated with the Resource Synchronization.

IDE Redirect (IDER)

IDE Redirect allows a system to be remotely booted to a file, drive, or virtual disc. There are a number of potential issues to be aware of when working with IDER in a vPro environment. The below items include well-known issues and their resolutions.

Redirection Invalid Parameter

When initiating an IDER (IDE Redirect) session to an external source such as an .iso file, the following error appears in the console:

Power management operation failed.

Redirection session start has failed. See logs for more details.

The Notification Server log shows the following error:

Log File Name: C:\Program Files\Altiris\Notification Server\Logs\a.log

Priority: 2

Date: 3/9/2007 2:51:05 PM

Tick Count: 10617218

Host Name: <>

Process: w3wp.exe (2436)

Thread ID: 5412

Module: AltirisNativeHelper.dll

Source: RTCI.Trace

Description: RedirectionProvider::StartIDER - RedirectionProvider::StartIDER - IMR_IDEROpenTCPSession: IMR_RES_INVALID_PARAMETER

This is caused by Intel's redirection library requiring a correct floppy device to initiate an IDER session (either floppy image or real removable device). Real-Time System Manager 6.2 can work around this. If you put floppy.img file into Program Files\Altiris\RTSM\UIData folder, then the issue will not occur.

IDER or SOL Disabled

In some instances Intel vPro systems are arriving from the OEM with IDER and SOL disabled in the BIOS. When disabled, neither of these functions work from any management engine, including RTSM. Correcting this oversight is not easy, especially if the OEMs do not offer a solution by a firmware or BIOS update. Use the following method to resolve the issue:

1. Go to the Support site for the OEM for the systems.

2. Browse to the drivers and downloads section for the exact model (note that sometimes the model will differ based on possessing or not possessing vPro technology).

3. Check the firmware updates for a new BIOS.

4. Check the documentation for any new BIOS versions that include vPro to see if they've corrected this.

5. Contact your OEM if they have not and request a status!

6. The only other recourse is to develop an update yourself or manually update the settings by visiting the system.

Conclusion

This should account for the most common issues we've seen, and allow you to successfully use RTSM with AMT technology, avoiding those issues.

The ability to provide access to the Real-Time tab of Resource Manager will enable administrators to provide this valuable tool to IT specialists or Helpdesk workers. Furthermore the ability to configure access to certain functions within the console will allow administrators to grant or restrict what users can do with Real-Time System Manager. This includes WMI functionality as well as powerful AMT functionality.

Introduction

Your environment will likely have a unique set of requirements on who can access what in Real-Time System Manager. It can be as simple as two levels of workers, from an administrator to an IT Specialist, to a complex system of access rights in a multi-tiered environment tightly controlled. No matter the environment, this article provides the details to customize access to the Real-Time tab, including WMI and AMT access rights.

RTSM contains limited functionality to configure access via WMI. AMT, on the other hand, can be configured at a function-granular level. Whether you're simply trying to give users full access to RTSM, or to provide access to only certain functions, this document assists to achieve this.

NS Role Security

The first item that must be enabled is creating a role or modifying an existing role to have rights to Real-Time System Manager at the general level. Without assignment to such a role, a user cannot gain access to RTSM.

Overview

Briefly I'll explain how NS Role and Scope security work together in Notification Server. Roles give feature access rights. For example in Software Delivery Solution there's a role object labeled ‘Item Tasks - Software Delivery Wizard'. The two options allow use of the Simple or Advanced Software Delivery Wizard. Without this right, the user cannot launch the Software Delivery Wizard, regardless if they have scope rights to the Wizard and Status node in the console.

Scope security is much like the Windows File-System security model. In the Altiris Console the left-hand tree can be accessed like the file system, applying security to folders or to nodes, as opposed to folders and files. Inherence allows security to be inherited from the containing folder, on up the chain until the root node is reached.

Role Configuration

The following steps show how to create a user with RTSM permissions.

1. In the Altiris Console, browse to View > Configuration > Server Settings > Notification Server Settings > Security Roles.

2. Select an existing Role or Right-click on the Security Roles folder and choose to create a new Role.

3. Under Privileges, find the following categories and check the indicated option. After the screenshot the items are details with description of the option:
   

1. Altiris System Privileges - Use Real-Time System Management - This is the ability to use the product at the most basic and general level.

2. Altiris Console Privileges - View Resources Tab - For this example I'm providing the user the ability to see collections so he or she can launch Resource Manager and use the Real-Time tab.

3. Altiris Console Privileges - View Tasks Tab - Access to the ‘Manage' node allowing launch of Resource Manager requires this privilege.

4. Item Tasks - Real-Time System Manager - Manage - This is access to the main tree for RTSM. Most functions are covered by this option.

5. Item Tasks - Real-Time System Manager - Password Reset - Because of the nature of this function, it has been separated out as a single security role object in Notification Server but belongs to the Real-Time tree.

6. Item Tasks - Real-Time System Manager - Port Check - The Port Check feature is normally accessed as a separate contextual item in the right-click menu, or launch from an icon under the Real-Time tab.

7. Item Tasks - Real-Time System Manager - Trace Route - This is treated in the same way as Port Check.

8. Item Tasks - Real-Time System Manager - Hardware Management - This is one of the objects in the tree that provides basic hardware function, which is greatly extended if the system is Intel vPro capable and Provisioned.

4. Click the Membership tab.

5. Use the blue + icon to add users and/or groups to the Role. These can be digest users or local computer groups, or Domain users or groups.

6. Click Apply to save the Role.

Note: The users will not have access yet to the Altiris Console as the scope-level security has not been set for the new Role. Complete the below NS Scope Security section to give access to the Altiris Console

NS Scope Security

Altiris Console

For Altiris Console access, scope security must be configured before a Role can access or login to the console. The security window is the same for any node, be it a folder or otherwise. The two screenshots below show the security window and the permission selection screens:

Note: Depending on the object type, the available permissions may differ

To allow access to the ‘Manage' Real-Time Console Infrastructure Task, follow these steps:

1. In the Altiris Console, browse under View > Tasks > Incident Resolution > Tools.

2. Right-click on the node ‘Manage' and choose Properties.

3. Click on the Security tab.

4. Click the ‘Add' button.

5. Select from the list Role name of your role (ie: Role RTSM Workers) and click the ‘Select' button.

6. Check the option for ‘Full Control' and click ‘Select'.
   Note: Full Control does not give the user the ability to delete or otherwise manipulate the Manage node. This node can only be accessed for the function alone.

7. Click ‘Apply' to save the security changes made.

To access Collections so the users of the role can view collections so they can use the RTSM right-click contextual menu options for a listed resource, follow these steps:

1. In the Altiris Console, browse to View > Resources > Collections.

2. Depending on what collections you want to give the user access to, browse to a containing folder or an individual collection.

3. Right-click on the folder or collection and choose Properties.

4. Click on the Security tab.

5. Click the ‘Add' button.

6. Select from the list Role name of your role (ie: Role RTSM Workers) and click the ‘Select' button.

7. Check the following options:

1. Altiris System Permissions - Read

2. Altiris Resource Management Permissions - Read Resource Data

3. Altiris Resource Management Permissions - Read Resource Association

8. Click Select, and then click Apply on the permissions window.

Now we have allowed the user access to certain parts of the Altiris Console so they can execute Real-Time System Manager on managed systems. To restrict access to certain parts of the RTSM console, see the previous Role section for what options are available to you.

AMT Permissions

RTSM takes advantage of powerful functionality available in Intel vPro, AMT technology. Once a user has access to RTSM, their user account, if permitted, is used to connect to the remote system by WMI. An AMT connection can either use Kerberos integration or an inputted digest user when prompted. The credentials must be specified in the destination system's AMT Profile, otherwise authentication will fail.

To configure who has rights to AMT, follow these steps:

1. In the Altiris Console, browse to View > Solutions > Out of Band Management > Configuration > Provisioning > Configuration Service Settings > Provision Profiles.

2. Double-click on an existing profile, or create a new one.

3. Click on the ACL tab.

4. Click Add to add either a digest user or to use Domain users and groups with Kerberos integration.

5. Once a user is inputted, the ‘Realms' section allows or disallows access to different AMT functions. The boxes that are of importance to RTSM are:

1. Circuit Breaker - Now known as System Defense, or Network Filtering

2. Hardware Asset - For power management capabilities

3. Redirection - To allow IDE Redirection

4. Remote Control - Allows Serial Over LAN (SOL) remote connection

5. Event Manager - Allows viewing of AMT logs

6. General Info - Allows viewing of AMT data on the system

6. The ‘Access Permission' dropdown should be used to select either Network Access or Any. The Local Access option gives that user rights to log into the Intel ME locally when the system boots and isn't needed for RTSM function, however if you wish to allow the user to have access to both, choose ‘Any'.
   

7. Click OK to save the changes.

To apply the updated or new profile to an AMT system Provisioning must occurred. If the system was already provisioned with this same profile previously, a reprovision will update the profile.

This will not limit access to see the functions available in the Real-Time tab for AMT, but will throw a not authorized message if an applicable function is attempted with a user who does not have the rights to execute it.

Conclusion

The Real-Time tab, a one-to-one solution for system access, data gathering, or troubleshooting, provides a powerful tool to IT administrators and IT professionals alike. Providing this ability to users you do not want to have full access to Altiris is essential for any secure environment. With the additional ability to configure granular AMT rights for vPro capable and configured systems, an administrator has the ability to get very specific on what users or groups of what rights.

While at ManageFusion, we had Symantec Director of Strategic Alliances Kevin Unbedacht discuss how Intel vPro Technology enhances the Symantec Altiris Client Management Suite. The videos below include demonstrations around power management with secure power-on, remote diagnosis and repair of troubled PCs, isolation and repair of infected PCs, and discovery of PC assets.

• Hardware-assisted Power Management with Secure Power-On

]]>

• Hardware-assisted Diagnosis and Repair of PCs Remotely (by getting into PC's BIOS settings):

]]>

• Hardware-assisted Diagnosis and Repair of PCs Remotely (by remote booting PC to fix-it image on the network):

]]>

]]>

• Hardware-assisted Isolation and Recovery of Infected PCs:

]]>

• Hardware-assisted Discovery of PC Assets

]]>

Click here to learn more about the combination of Symantec products with Intel vPro technology: http://www.earlyroi.com/

At ManageFusion, we had the Intel vPro technology Challenge at the event - a competition where teams of two competed to find and fix a troubled PC. Each team had an opportunity to interact with Intel vPro technology based PCs from the Symantec Altiris Client Management Suite, and most had fun in the process! Check out the highlights from the Challenge.

]]>

While at ManageFusion, Intel had an opportunity to talk with four leading Symantec Service Integrators who have started deploying and activating PCs with Intel vPro technology within their customers' environment.

In the video below, listen to their thoughts on:

• When to activate Intel vPro technology

• How Intel vPro technology seamlessly compliments the Symantec Altiris Client Management Suite

• How Intel vPro technology delivers on the promise of Wake-On-Lan by being both much more secure and more reliable

• Thoughts on increased customer service levels and return on investment with Intel vPro technology

]]>

Have you seen this? if you have I bet your wondering why.. This error can be seen during a SOL session with Altiris when there is a BIOS password set on the notebook.

Recently out on a visit we found this error & were checking between a known good system.

We did a little research and saw that default for Terminal Emulation Mode was set to VT100 through the BIOS, instead of using the tool that HP has for windows. After we returned to the plant we used the tool to snap these pixs of the BIOS.

After changing the Terminal Emulation Mode to ANSI we were able to achieve this..

of course after the change the new option was selected "ANSI"..

This is the right result you should see..

Success!! give this a shot if you are using a BIOS Password on a HP 2510P with Altiris..

There were two sessions at ManageFusion 2008 in saving energy on clients in the corporate environment. Almost all hands when up when the question was asked "How many of you have a corporate initiative for green IT?"

HP is pursuing a "top down" power management tool from Verdiem Surveyor for the corporate environment as well as a "bottoms up" tool (HP Power Manager" for installation on clients that lets employees see the actual $ impact of their energy savings using a simple slider bar. I will post the HP link for the client tool on my BLOG when it becomes available

Gartner says PCs consume 40% of the power, servers are 22% even though most enterprises think it's the servers

"It's really neat that HP and others are offering tools to shut down systems to save power, but I want my users to be able to use their system as soon as they come to work without waiting for patches..." and the answer from the presenter was "...what you need is Intel AMT... it can wake systems for patching and put them back to sleep..." The audience had not heard of this...

The hard drive password issue that many companies are facing doing wakeup&patch can be solved by Danbury and a good ISV console

The Altiris Backup Exec Recovery solution using WinPE looks very promising

On April 8th, Intel Vice-President Gregory Bryant was part of the opening ManageFusion keynote led by Symantec's Steve Morton.

In the first part of the keynote, Steve talked about his travels to Intel to learn more about Intel vPro technology. Then Gregory talked about about how customers are realizing value today with Intel vPro technology through better remote management, better power management and better security policies - essentially allowing IT administrators to "levitate." View the first part of the keynote below:

Then, Gregory (along with Steve) introduced Ted Wilkinson, an IT Vice-President at Bank of NY-Mellon. He talked about his infrastructure of 47,000 PCs after the integration of Bank of NY with Mellon Bank, and how Intel vPro technology helps his new infrastructure with enhanced remote power control and remote remediation - which eliminates costs within his new infrastructure.

Also, Gregory discussed future Intel vPro technology directions - including:

• The dynamic virtual client - which blends the manageability of thin clients with the ability to take advantage of the performance of thick clients

• The ability to manage laptops and desktops that are outside of the corporate firewall starting with Intel vPro technology that come out mid 2008

• The integration of hard drive encryption with Intel vPro technology starting in Q3'08 that is easy to manage

View the second part of the keynote with Gregory below: