On my travels out of the factory and on the road with vPro users, I came across a new tool that I had not seen to date. When the user pulled up Resource Manager, he showed me a new way to fast-track to a machine. The screen looked like this:
I asked where the tool was and was given this link on Altiris Juice.
Here is the code you will see in the VBS file.
Option Explicit
REM Authored by: Benjamin Palmer
REM Company: <Your Company Here>
Dim strAnswer, strURL, objShell, objRegEx
strAnswer = InputBox("Please enter a computer name you would like to view the resource information for:", ".oO - Quick View Resource Manager - Oo.")
If strAnswer = "" Then
    Wscript.Quit
End If
' Only accept characters that are valid in a computer name, so the typed value
' cannot add extra arguments to the command line that Run executes
Set objRegEx = New RegExp
objRegEx.Pattern = "^[A-Za-z0-9._-]+$"
If Not objRegEx.Test(strAnswer) Then
    MsgBox "Invalid computer name: " & strAnswer
    Wscript.Quit
End If
' Replace Deploy1 with the name of your Notification Server (see the NOTE below)
strURL = "http://Deploy1/Altiris/Resource/ResourceManagerConsole.aspx?Name=" & strAnswer
Set objShell = CreateObject("Wscript.Shell")
' Run hands the URL to the default browser, which opens Resource Manager for that computer
objShell.Run strURL
I found this a very useful tool for Altiris users who know the machine name and want to fast-track to that notebook/desktop. You could also give this tool to your help desk so they can get to a machine easily instead of navigating through the console.
NOTE: please make sure you replace "Deploy1" with the name of your console server.
If you have a great tool like this that you use, please share it out.
Cheers..
The Brand Promise Validation team here at Intel came across an issue in the lab which many customers may also run into when they are trying to deploy AMT. The question was: how do I use two different ISVs to manage different aspects of my Enterprise-configured AMT client fleet? In theory this isn't necessarily a tough question. Based on how AMT was designed, so long as the same authentication and credentials are set up in each management application, each of them should be able to access the AMT features. In practice, however, many management applications attempt to configure AMT so that they have sole access, by customizing the provisioning settings and then hiding those settings away.
However, as I'm about to describe, with a little tweaking, you can force these applications to play nice together.
The main thing to remember any time you are setting up AMT in Enterprise mode is that the key to accessing AMT is having the correct certificates in place. For access that means having a Web Server based certificate template that will be used for TLS communication between the console and AMT. If you are also using PKI provisioning, you'll have to have a properly configured or purchased provisioning certificate in place (I won't be covering the details of PKI provisioning in this blog, but maybe in a future update). Lastly, for SMS and Altiris you'll also need a .pem certificate. Details on how to create a .pem certificate are included in both the Altiris help and the Intel AMT Add-on for SMS documentation. In short, a .PEM certificate file is made by taking each certificate in the chain, starting at the top, and concatenating those certificates into a single file. This file is used for secure TLS communication during SOL sessions.
The two management applications we targeted for implementation were Altiris and SMS using the Intel AMT Add-on for SMS. We chose these applications because we have intimate knowledge of them, since they are used in our validation efforts, and because they both use the Intel SCS for provisioning.
Both the Altiris and SMS systems should be in the same domain, use the same certificate authority and have the same root certificate installed. While it is definitely feasible to have the two management applications in different child domains using wildcard certificates for authentication, this article doesn't cover that specific configuration.
I'm not going to go into the details of setting up Altiris and SMS, or of configuring SCS for provisioning: if you are attempting to merge these ISVs so that both can manage AMT clients, you should already know how to get each application working with AMT on its own.
I started off by getting Altiris set up and configured using the built-in SCS included in the OOB Management solution for Altiris. At this point I didn't have to do anything special to make sure that the SMS Add-on would work; I just set up Altiris as normal to manage AMT clients. Once it was set up, I verified that I could provision and manage my AMT clients.
Next step: on a different machine, I set up and configured SMS with the Intel AMT Add-on for SMS. I configured SMS to use its own SQL Server; however, there is no reason you couldn't have it use the Altiris SQL Server (setting up a separate instance) or a stand-alone SQL Server (again with a separate instance). For ease of configuration, I just used a separate SQL install on the same machine as SMS.
Once you have the SMSAMTUser_<sitecode> account created in Active Directory, and have that account, plus whatever user accounts you want to use AMT via SMS, added to the Intel(R) AMT groups (there are 3-5 of them depending on the version of the AMT Add-on you are using), you need to add SMSAMTUser_<sitecode> to the Altiris SCS users list. On the Altiris system go to: View -> Configuration -> Solution Settings -> Platform Administration -> Out of Band Management -> Provisioning -> Configuration Service Settings -> Users. Click the blue + to add a new user. Click the ... button. Select the domain, type SMSAMTUser in the name query field and click Find. Select the SMSAMTUser_<sitecode> account that is found in the results field and click OK. Under Role make sure Enterprise Administrator is selected. Click OK. This gives the service account for the Intel(R) AMT Add-on for SMS rights to view and modify the Altiris SCS.
On the SMS system, open the Intel Add-on Settings dialog box and configure it to use the Altiris Setup and Configuration Server. To find the URL that Altiris uses to connect to the SCS, on the Altiris machine go to:
View -> Configuration -> Solution Settings -> Platform Administration -> Out of Band Managment -> Provisioning -> Configuration Service Setings -> Service Location.
If you have the default URL set, you should have something like /<fqdn>/AMTSCS. If you are using an alternative URL, copy that down. On the SMS machine, open the Intel Add-on Settings and go to the Setup and Configuration tab. Select the Integrated Setup and Configuration radio button and type the URL you copied down into the SCS Service URL box. Click the Set Profiles button and the AMT profiles that are set up in Altiris should pop up in a new window. Select the profiles you want to use in SMS (select all of them if you want every profile to be manageable in SMS) and click OK. The list of supported profiles should now be populated with the profiles that are set up in Altiris.
The next step is to set up the .PEM certificate file that was used in Altiris for the Intel AMT Add-on for SMS. Copy the .PEM file used in Altiris to the SMS system. If you don't know where your .PEM file is located in Altiris, go to:
View -> Configuration -> Solution Settings -> Real-Time Console Infrastructure -> Configuration.
Click on the Intel(R) AMT Connection Settings tab. Under Redirection Security you should see a box next to Trusted CA certificate location. That box should have the path to the .PEM file. Once you have copied that file to your SMS system (it doesn't matter where you put the .PEM file on your SMS box, so long as you remember where you put it), open the Intel Add-on Settings dialog and click on the Security tab. Check the Enable Intel(R) AMT Secure Connection (TLS) box. In the CA Certificate Path put the path to the .PEM file that was copied onto the SMS system. Click Apply.
That is the basics of what needs to be done. Once you have discovered the AMT clients in SMS and they are populated in the collection, right-click on All Systems and go to All Tasks -> Intel(R) AMT Tasks -> Discover Systems. Now when you right-click on an AMT system and go to All Tasks -> Intel(R) AMT Tasks you should see the list of AMT functions you can perform, such as Asset Identification Information, Power Control Operations, etc.
In order to get SOL/IDE-R to work and System Defense to work, you'll need to go into the Intel(r) Add-on Settings in SMS again and setup the location of the ISO images that will be used for IDE-R and the System Defense file that will be used to filter packets using Circuit Breaker. Creating the System Defense file is covered in the Intel(r) AMT Add-on for SMS documentation and will not be explained in detail here. The repository for the ISO images needs to be a network share and can either reside locally on the SMS system (still mapped to the network share location) or can reside in a central repository. If you want both Altiris and SMS to use the same set of images just use the same network path to the ISO images for both applications.
That's it. In my environment I'm able to manage AMT machines with either management application. The only slight gotcha (and this is more a security feature of AMT) is that if one management application is currently managing a client (e.g. using SOL), the other is unable to break in and use the client. The gotcha part is that neither management application gives a clear indication that the system is currently in use by the other; the attempt to manage it just fails with an authentication error.
Some Notification Servers carry huge loads of managed systems. I've seen Notification Servers managing 10,000, 15,000, and even 20,000 plus systems. For Out of Band Management with the Intel SCS Component, a multiple-service install may be required to handle large loads of provisioning or maintenance requests into the Intel SCS Component. This article covers how to setup such an environment.
Normally in a simple Notification Server environment when the install for Out of Band Management is initiated, all the necessary pieces, including the Intel SCS Component, install automatically and silently. In more complex environments the automatic install of the SCS Component often throws an exception and provides a message indicating the install should be conducted manually. This manual process is what will be used when installing the components on the subordinate servers who will share the load for the Intel SCS Component.
The first step is to install Out of Band Management and the primary Intel SCS Component on the Notification Server. This will setup the IntelAMT database that will be used with every install of the Intel SCS Component. The following process details the install methods for Out of Band and the Intel SCS Component.
For a simple NS environment where the Application Identity for Notification Server has full rights to both the Notification Server system and SQL Server, the initial install is simple. Note that this process should be used for Simple and Complex environments to lay down the essential components on the NS.
In the Altiris Console, browse View > Configuration > Install/Upgrade additional solutions.
Under available solutions, click the ‘Segments’ button.
Expand the Partner Solutions section and locate the Altiris Manageability Toolkit for Intel vPro Technology.
Click the link to launch the install.
NOTE: This will install the following primary components, all of which tie into aspects of Out of Band Management and Real-Time System Manager:
Task Server and supporting installs
Real-Time System Manager
Real-Time Console Infrastructure
Out of Band Management Solution
Out of Band Setup and Configuration (AKA the Intel SCS Component)
Network Discovery
The install will commence. Note that if the Intel SCS Component cannot be installed successfully you will receive a message indicating it needs to be installed manually. If this is the case, see the next section, entitled ‘Complex NS Environment’.
If no errors are shown, the Intel SCS Component with the IntelAMT database should have been installed and created successfully.
Despite the name of this section, sometimes the steps here are needed because of a minor security issue when the automatic install was attempted. The following steps detail the process of installing the Intel SCS Component manually.
Run through the install as detailed under the ‘Simple NS Environment’ section above. This will put all the typical components in place; the automatic install of Intel SCS will likely fail, requiring the next series of steps to be completed.
It's recommended to log into the Notification Server as the Application Identity user.
Browse to the following path on the NS: install_path\Program Files\Altiris\Notification Server\NSCap\Bin\Win32\X86\OOB\IntelSCS\
Launch the EXE AMTConfServer.exe.
Click ‘Next’ on the Welcome screen, accept the license agreement and click ‘Next’.
Choose ‘Complete’ as the type of setup and click ‘Next’.
In the User name and Password fields put in the Application Identity for the NS.
Check the Web details.
Leave ‘Force Secure Connections (HTTPS)’ checked if you will use TLS to encrypt AMT traffic, or uncheck it if you will not be using TLS. Click ‘Next’.
Under ‘Database Server’ select the database name and instance (if applicable) to use. It is recommended to use Windows Authentication, but if the SQL setup requires a SQL account, choose that option. Click ‘Next’.
The next details should be left as is. Click ‘Next’.
Click the ‘Install’ button to proceed with the install using the parameters set.
At the Complete screen, leave ‘Start Intel® AMT Config Service’ checked and click ‘Finish’.
Now that NS has all the required components, and the IntelAMT database has been created, the following details cover how to install a subordinate install of the Intel SCS Component. Note the following prerequisites for this type of install:
Windows 2000 Server, Windows 2003 Server
Internet Information Services (IIS)
Microsoft .NET 2.0
Run through the following steps to install Intel SCS.
Log onto the system as the Application Identity user for Notification Server.
Browse to the following path on the NS:
<NS_Name>\NSCap\Bin\Win32\X86\OOB\IntelSCS\
Launch the EXE AMTConfServer.exe.
Click ‘Next’ on the Welcome screen, accept the license agreement and click ‘Next’.
Choose ‘Complete’ as the type of setup and click ‘Next’.
In the User name and Password fields put in the Application Identity for the NS. If this is not possible, the user should have full access to the SQL Server. This will also be the user set on the AMTConfig service.
Check the Web details.
Leave ‘Force Secure Connections (HTTPS)’ checked if you will use TLS to encrypt AMT traffic, or uncheck it if you will not be using TLS. Click ‘Next’.
Under ‘Database Server’ select the database name and instance (if applicable) to use. This should be the SQL Server used to install the IntelAMT database in the previous steps.
The database details should be left as is. Click ‘Next’.
Click the ‘Install’ button to proceed with the install using the parameters set.
You'll receive a notice saying that the database IntelAMT already exists. Make sure to click ‘Yes’ so it uses the existing one.
At the Complete screen, leave ‘Start Intel® AMT Config Service’ checked and click ‘Finish’.
From the Notification Server, at this location: , copy the file oobprov.exe to the same path on the subordinate install (the default will be C:\Program Files\Altiris\OOBSC\).
NOTE! You must use the same path that was used on the Notification Server; this is a limitation of this implementation.
Copy the attached file Interop.AeXClient.dll to the same folder.
Normally the script (oobprov.exe) is registered with the correct path, but if it is not, it must be changed manually.
Open SQL Query Analyzer or SQL Enterprise Manager. Run the following query:
USE IntelAMT
SELECT Props_script_path, use_props_script
FROM csti_Configuration
Check the path and make sure it matches both the remote and the local Intel SCS install. Also verify that use_props_script is set to 1, which means ‘True’ (0 means ‘False’). If they need to be updated, run the following query, but take note to change the path to match your environment:
UPDATE csti_Configuration
SET props_script_path = 'C:\Program Files\Altiris\OOBSC\oobprov.exe',
    use_props_script = 1
WHERE configuration_id = 1
Everything should now be in place for both the primary and secondary Intel SCS install to work with systems being Provisioned, including subsequent maintenance or reconfiguration functions, sharing the load.
The next step is to confirm that the install has successfully registered in the IntelAMT database and is running. Use the following steps to make the checks:
First, let's check that the secondary SCS server has properly registered in the IntelAMT database. On the SQL Server where the IntelAMT database is housed, open SQL Query Analyzer or SQL Enterprise Manager. Run the following query:
USE IntelAMT
SELECT * FROM csto_servers
You should have one entry for every Intel SCS install you've completed.
On the secondary Intel SCS server, go to Start > Administrative Tools > and click on ‘Services’.
Locate the service ‘AMTConfig’. Ensure the following settings:
Status = Started
Startup Type = Automatic
Log On As = NS Application ID
The last part is to adjust the general settings to account for the added resources.
In the Altiris Console browse to View > Solutions > Out of Band Management > Configuration > Provisioning > and click on ‘General'.
Look under the ‘Service Maintenance' section. See the screenshot, followed by the recommended settings:
Max queue size: 2000 for one instance, add 1000 per secondary server
Worker threads: 10 for one instance, add 5 per secondary server. Same for the Slow worker threads
The above values are recommendations. Since thorough testing has not been performed, it is recommended to change these in small increments if performance is a problem.
Make sure to ‘Apply’ the changes once they've been made. This should allow the SCS infrastructure to handle larger loads of incoming requests.
The subordinate Intel SCS install process should be repeated for each Intel SCS install desired in the environment. This will help distribute the load of incoming requests from Intel AMT vPro systems. Moving forward Symantec and Intel will be testing this scenario further. In the interim this article can be used to increase the resource power of the SCS infrastructure.
The big question after successfully provisioning a vPro/Symantec-Altiris environment comes in the simple form of "Now what"? The article series: Utilizing Intel® vPro AMT Technology with Task Server covers a lot of the functionality directly (LINK: http://juice.altiris.com/book-page/2201/utilizing-intel-vpro-amt-technology-with-task-server). This article series takes it a few steps further, with real-world examples and use cases for taking advantage of Intel® vPro technology through Symantec/Altiris Notification Server.
There are two components for directly interfacing the AMT vPro technology. The first is Real-Time System Manager, the second Task Server. Both components utilize much of the same functionality, however RTSM provides a one to one interface, while Task Server allows a one to many task or job to execute against a group of vPro systems.
To understand how all the components work together, this Introduction walks through the basics of the components that will be used throughout the use cases. The list of solutions, or applications, that utilize Intel vPro technology is listed here along with a description:
Real-Time Console Infrastructure - This component is generally invisible when working directly with vPro AMT Systems. The Configuration of how to connect to systems and what credentials will be used can be found in the configuration pages for this product. It supports both the Real-Time tab and the Task Server vPro AMT tasks available.
Real-Time System Manager - The Real-Time tab functionality that directly interfaces with vPro AMT on a system per system basis provides a live tool for directly invoking vPro AMT functions as part of troubleshooting or maintaining a system directly. This is useful for troubleshooting problems with a specific system.
Out of Band Management - Out of Band Management will only lightly be covered in this article series. For the most part this solution is part of the setup and configuration of Intel vPro AMT systems so that vPro AMT functionality can be used. There are some maintenance and profile items that can be used as part of ongoing use of vPro AMT.
Task Server - Task Server is the engine used for a one to many task or job where specific vPro AMT functions, along with functions from a myriad of other Solutions, can be executed or scheduled to execute against a collection or list of systems. This is the integration framework that allows AMT to become part of a much larger Altiris functionality portfolio.
See the following diagram for a representation of how the two main functional engines work:
This series will focus on these two pieces (RTSM and Task Server) since they are the delivery mechanism for the vPro AMT functionality. Other Symantec Solutions can and will be used through the use cases.
Consider this the core underlining infrastructure for the Symantec use of Intel vPro AMT. All solutions that make use of this component will install it if it is not already installed. The primary products are Out of Band Management and Real-Time System Manager. Other Notification Server Partner solutions, such as HPCM and Dell Openview, will need RTCI installed in order to make use of the vPro AMT functions. The console pages available for this solution center around the configuration of the vPro AMT functions.
The configuration page for RTCI is found in the Altiris Console. In the Altiris Console 6.5, browse under View > Solutions > Real Time Console Infrastructure. Under the Configuration folder, the following nodes are available:
Configuration - Includes settings for vPro AMT connections, such as Transport Level Security, Redirection Security, and other settings such as the connection timeout value. It also includes a page to configure where SNMP vPro AMT alerts are sent, and allows a default configuration for the System Defense filter (the default is ‘Allow all network traffic’).
Edit Network Filters - This page is only available if the ENF utility has been installed (see article http://juice.altiris.com/article/2645/hold-mf-utilizing-intel-vpro-amt-technology-task-server-part-5-system-defense-tasks for more information). If you do not have this node, install it so that you can configure what is allowed through the System Defense filter.
Manage Credentials Profiles - This node is vital for setting up connection profiles when using RTSM. It includes credentials for WMI and vPro AMT. Users who do not have rights to vPro AMT will need to use a profile that has a user with rights configured. This also includes the Run-Time profiles, which are used by both Task Server and RTSM to use known-good credentials when operating against specific vPro AMT systems.
Manage Views - Views are
Purge Policy - This page is used to configure how often and how much residual data RTCI purges. For large environments this will help keep the database size down to improve performance.
The Reports, Resources, and Tasks sections contain the typical items for Altiris Solutions. Tasks include all the vPro tasks available through Task Server. See the subsequent Task Server section for more details.
The Tools folder is also found under the Real-Time System Manager section (it ties into the same data so the duplication is only visual). For vPro AMT, the two applicable nodes are:
Activity Log - This logs all functions executed while in a Real-Time session. It is useful for seeing what operations have been run, on which computers, by whom, and using which technology (WMI versus vPro AMT).
Manage - This node allows an IP address to be entered in directly for a launch of the Real-Time tab. This is especially useful for systems that are not in the Altiris database. This also allows a host-name to be entered, but keep in mind that if there is a DNS issue this may fail.
To simplify things, we'll simply define this product as ‘The Real-Time tab within Resource Manager’. There are Partner Solutions for HP, Dell, and others that will add items to the left-hand tree, but the Real-Time System Manager node provides all functionality, including all vPro AMT functionality available. See the following screenshot for details:
NOTE: Only the vPro AMT functions are shown above as my Symantec Client Firewall is enabled! Since vPro AMT is a trusted technology my Symantec firewall does not block vPro AMT traffic.
The console is a direct connection to the machine listed under ‘Managing Resource’. As such this is a one-to-one implementation and is useful when troubleshooting a specific vPro AMT system. In the use cases where the target is a single machine, RTSM will often be used.
Since Out of Band is primarily a Provisioning Solution, only a few of its functions will be used in the use-cases provided in this article series. The functions that apply are:
Maintenance - For security purposes, OOBM can be set up to run maintenance tasks against managed vPro AMT systems. The vPro AMT administrator password for a particular machine can be randomly changed. A re-provision, which reapplies the profile assigned to the machine, helps keep vPro AMT systems up to date with profile settings and password information.
Profiles - In the profile setup, while configuring a vPro AMT system, users can be defined as having certain vPro AMT rights. This allows administrators to limit what type of worker can execute which vPro AMT functions.
Task Server is a sequencing engine, and RTCI provides vPro AMT targeted tasks that can be employed singly, or in jobs that run a large variety of tasks or actions against a target collection of machines. In the preface to this article a link was provided to a series focusing on how vPro tasks can be used within Task Server, with articles covering additional Altiris/Symantec Solutions for further integration. Before walking through the use cases, it will help a great deal to understand how we're integrating the functionality and how Task Server functions in general.
The vPro AMT tasks themselves are provided by RTCI, including the engine that connects and executes functions against a vPro capable system. Task Server handles all the rest, including integrating other Solution functionality within Jobs.
Most automated processes to be executed against one or more vPro AMT systems will fall under Task Server. Task Server Jobs can be scheduled, or executed on demand. Notification Server Collections or individually picked vPro AMT systems can be targeted per Task or Job, allowing a large number of systems to execute at a time (Note: for large environments multiple Task Servers are recommended).
Before any of the Use Cases can be tested, all target AMT systems must be provisioned in one of the provisioning modes: Small Business (Low security), Enterprise Mode, Enterprise Mode with TLS. Once provisioned, Symantec, via RTSM and Task Server, can then work directly with the machines via vPro AMT.
I hope to cover common scenarios in this article series that can be of use to many environments. Most of the testing will be against a limited lab environment so results may vary and additional configuration may be required, all depending on the complexity and configuration of the environment. Since the hardware and software worlds introduce many levels of complexity and configuration, additional steps may be required to create workable jobs and functions. Having said that, hopefully these provide enough information to move forward.
Sometimes the methods for dealing with hostile or infected systems on the network are drastic, resulting in lost productivity, time, and energy. In one example the IT staff would physically shut down the user's main network port, sealing off all production systems, test systems, etc., until the hostile machine could be dealt with. Phone calls result, requiring the user to deal personally with the affected system. Now consider Intel AMT's System Defense: remotely quarantine a hostile system and use Altiris to remediate it. System Defense puts that power in the hands of the administrator, remotely.
System Defense (formerly known as Circuit Breaker) allows network filtering at the level of AMT. Systems that have been compromised and are a threat to the network can be remotely quarantined, with certain ports and IP addresses available for remediation. For example the entire network can be filtered out except to the NS, and only those ports required for the Notification Server to remediate the client (install anti-virus, patches, remove harmful software, etc).
Note that testing is vital when using a mechanism that can potentially cut off a system from the network. The ease of remediating compromised systems remotely while quarantining from the main network will remain as long as the filters are properly configured. If not, the system may require a desk-side visit to bring back on the network.
System Defense shows as Circuit Breaker in some versions of the Altiris Manageability Toolkit for Intel® vPro Technology. This feature allows a network filter to be placed at the hardware level via AMT. AMT takes over the operating system's hold on the network connection and applies a secure filter based on a configuration file provided by the administrator.
See the following diagram for a representation of how System Defense (Network filtering) works:
This filter becomes a complete block that disallows any network communication in OR out, save for those sources that are configured. Note that the parameters for allowing network communication are the sending IP address and port. This means that not only do systems have to be explicitly defined to be allowed through, but the ports they are using as well.
The following use cases will find real value with System Defense network filtering:
Virus attack from an infected vPro client - This cuts off the ability of that virus to send packets out on the network
Vulnerable vPro clients without anti-virus - Close off the ability of a virus from getting through to the vulnerable system
Vulnerable vPro clients without critical patches or updates - Quarantine systems, but allow NS to remediate to bring the system up to corporate security standards
Unauthorized Network use - plug a system that is found participating in unauthorized network use, whether it be unauthorized content, gross use of bandwidth for non-approved purposes, etc...
For fun - Drive a fellow administrator crazy by applying and removing filters randomly from his computer (Just kidding, don't try this at home, or at work for that matter)
As of Real Time Console Infrastructure release 6.3 the Task Server now has a Task type of Network Filter. This exclusively uses Intel AMT System Defense to apply a comprehensive filter that only allows strict communication to and from the NIC. Because of Task Server's sequencing engine and collection targeting, jobs using this can be setup to do a large number of things, including patching, critical application install such as anti-virus, and other critical computer maintenance items required by the organization.
As a primer for details in this article, see the following article series on Altiris Juice: http://juice.altiris.com/article/2088/utilizing-intel-vpro-amt-technology-with-task-server-introduction.
See the Introduction for more information on jobs. There are two major types of Network Filtering job:
Apply a System Defense network filter, either the default filter allowing communication to the NS for remediation or a custom filter allowing access to necessary resources
Remove a System Defense network filter to open back up general network communication
See the following screenshot for the option when this Task type is created:
The first radio button allows the application of a filter, either a custom one or the default, with the added option of enabling the anti-spoofing filter
The second radio button simply applies a PING filter to the target systems
The third and final radio button removes any filters previously applied to the system
Because of the significance of System Defense and what it does to client computers, I'm going to cover how Task Server Jobs target systems. With a Task Server job you can add individual systems or whole collections of computers. Collections are either manually or dynamically defined and can have few or many systems therein. Multiple systems and collections can be attached to the running of a job, either on demand or by a schedule.
Since System Defense is essentially quarantining vPro systems, any Task or Job should be tested in a lab environment to ensure workability. If a custom filter is used, the potential to cut vPro systems off from the network entirely becomes a very real, very severe consequence of an improper filter. Take the scenario of a custom filter that does not allow proper communication back to the Notification Server or another critical resource (like Task Server) in the remediation process. Once the trigger is pulled and the System Defense network filter has been applied, those systems now have insufficient network access to remediate, which may mean that a remote Task to remove the filter is unavailable. If the job contained half the computers in the environment, the impact is huge.
I say again: Test every filter within every job to ensure everything works properly!
Real-Time System Manager allows you to create your own filter configuration files to use with a System Defense Task. In some instances it may be required to open additional ports or destination IPs for full remediation to occur. If you use Package Servers to deliver software you may need to allow communication to these systems.
A utility is provided to create, edit, or otherwise revise any filter file to be used by a System Defense Task. This utility is provided via the Altiris Knowledgebase.
See the following article for both the guide in using the utility and to download the utility directly:
https://kb.altiris.com/article.asp?article=34891&p=1
The attached file is a zip. The included file, Altiris_ENF_6_2.exe, will install the utility on the computer it is executed on. The prerequisites for this utility include:
Windows 2000 Server or Windows 2003 Server
.NET 1.1
Notification Server 6.0 Sp3
At least Real-Time Console Infrastructure 6.2
Once the installation has run, the Altiris Console can be used to edit the filters. It's found in the Altiris Console under View > Solutions > Real Time Console Infrastructure > Configuration > 'Edit Network Filters'. The console provides a spreadsheet of the current filters in the default filter file, as shown:
When you click the Edit pencil icon, a subsequent window will appear. This wizard will walk through editing of the filters. This same wizard is used to add new filters to the list. This wizard is robust and allows minute tuning of what ports are allowed, both for sending and receiving from the NS and from the host AMT computer. The wizard appears as follows:
The default file is called CBFilters.xml and is found at \Program Files\Altiris\RTSM\UIData\. Other files can be created and used in the System Defense Filtering Tasks. It is configurable per Task or Job instance.
NOTE: If you plan on making changes to the default filter file, it is recommended to browse to the file and make a copy of it first. The copy will be a backup to use in case the default file becomes corrupt through editing, or for related recovery options.
The best way to know which ports to open for the access you require is to consult the documentation for the application or mechanism you are trying to work with. For example, the Task Server uses ports 50120 through 50124, and these ports need to be opened between the Task Server to be used and the client computer.
As previously indicated, make sure you test every System Defense task and job you plan to use in your environment. It's one thing to test against one or two systems where you can manually resolve any unforeseen problems, but if a targeted collection contains many systems and the job or task has an unforeseen issue, this can cut off all of those systems from the access necessary to restore network functionality. So test, test, test, and test again before deploying large jobs using System Defense network filtering.
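One way to catch the stranding scenario above before a Task ever runs is a pre-flight check that a candidate allow-list still permits the remediation traffic (NS, the Task Server ports 50120 through 50124, and any Package Server). This is an added example, not Altiris or Intel code: the rule structure is a constructed model rather than the CBFilters.xml schema, the addresses are constructed sample values, and the HTTP/HTTPS ports for the NS and Package Server and the outbound direction of the Task Server flows are assumptions.

```python
# Added example: pre-flight check that a custom System Defense allow-list
# still permits remediation traffic before the Task targets a collection.
# The rule model is constructed for this example (NOT the CBFilters.xml schema).
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class AllowRule:
    direction: str   # "out" (client to remote), "in" (remote to client), or "both"
    proto: str       # "tcp" or "udp"
    remote: str      # remote host or CIDR, e.g. "10.0.0.5" or "10.0.0.0/24"
    port_lo: int     # inclusive remote port range
    port_hi: int


@dataclass(frozen=True)
class RequiredFlow:
    name: str
    direction: str
    proto: str
    remote_ip: str
    port: int


def rule_permits(rule: AllowRule, flow: RequiredFlow) -> bool:
    return (rule.direction in ("both", flow.direction)
            and rule.proto == flow.proto
            and ip_address(flow.remote_ip) in ip_network(rule.remote, strict=False)
            and rule.port_lo <= flow.port <= rule.port_hi)


def missing_flows(rules, required):
    """Required flows that no rule permits; an empty list means the filter is safe."""
    return [f for f in required if not any(rule_permits(r, f) for r in rules)]


def remediation_flows(ns_ip, task_server_ip, package_server_ip):
    """Traffic a quarantined client still needs. Task Server ports 50120-50124 are
    from the article; HTTP/HTTPS for NS and Package Server, and the outbound
    direction of the Task Server flows, are assumptions of this example."""
    flows = [RequiredFlow("ns/http", "out", "tcp", ns_ip, 80),
             RequiredFlow("ns/https", "out", "tcp", ns_ip, 443),
             RequiredFlow("pkgsrv/http", "out", "tcp", package_server_ip, 80)]
    flows += [RequiredFlow(f"task-server/{p}", "out", "tcp", task_server_ip, p)
              for p in range(50120, 50125)]
    return flows


# Constructed sample: a filter that remembered the NS but not the Task Server or Package Server.
STRANDING_FILTER = [AllowRule("out", "tcp", "10.0.0.5", 80, 443)]
FIXED_FILTER = STRANDING_FILTER + [AllowRule("both", "tcp", "10.0.0.6", 50120, 50124),
                                   AllowRule("out", "tcp", "10.0.0.0/24", 80, 80)]
REQUIRED = remediation_flows("10.0.0.5", "10.0.0.6", "10.0.0.7")
```

Run `missing_flows(STRANDING_FILTER, REQUIRED)` to see the six flows the first filter would block; the corrected filter returns an empty list.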
When used properly, this tool enables administrators to remotely deal with vulnerable or infected systems and to stop unauthorized network use. System Defense enables your administrators to deal with threats more quickly and to remediate in much less time.