
Intel vPro Expert Center Blog

2 Posts tagged with the dhcp tag

If you've wondered how to configure your Microsoft DNS and DHCP servers to work properly with Intel(R) vPro(TM) client setup (aka provisioning), we created a short video to show what needs to be done. It provides step-by-step guidance on the configuration changes. We will be doing a series of small videos like this to provide a "visual" training manual to help you with your vPro setup. Watch for additional videos in the coming weeks.

 

 

http://www.youtube.com/v/xF_hn-qmxuA


Welcome and Future Topics

 

This blog posting is being created to discuss/highlight the key areas you should be aware of when implementing and activating vPro and Centrino Pro Technology within your environment. To start we will focus on Infrastructure, Requirements and Dependencies, and The Setup and Configuration Server.

 

If you have any additional topics you would like to see that fall under implementation and activation, please let me know.

 

Infrastructure:

 

In general, an enterprise looking to deploy Intel® Active Management Technology will require, at a minimum, three servers in addition to its existing management framework to take full advantage of these capabilities. For a fully functional enterprise, it is also recommended that these servers be redundant, as appropriate for their service, to provide high availability. Most, if not all, enterprises require a robustness of service that can only be attained via high-availability configurations. The three additional servers are as follows:

 

    1. One to host the Microsoft Certificate Authority

    2. One to host the Intel® AMT Setup & Configuration Server (depending on your ISV of choice)

    3. One to host the Microsoft SQL® Server Database

 

If an enterprise already has a SQL Server database or database farm in place, it could possibly be utilized, eliminating the need to stand up a separate service. Similarly, if an enterprise has an existing PKI in place, it could possibly be utilized for the Intel® AMT deployment. However, in this case it is likely that a successful startup of a pilot within an enterprise would be bolstered by implementing the PKI in standalone mode and then migrating to the existing PKI.

 

Another option for the enterprise that has a fully supported virtualization environment is to place the Microsoft Certificate Authority and the Intel® AMT Setup & Configuration Server within that environment. The caveat is that the environment must be supported just like a standard physical server environment. Processes and procedures should account for standard server support in the virtual environment. Note: Virtualization of the SQL Server database cluster is not recommended.

 

It is assumed that a fully functional Windows networking infrastructure is in place prior to the deployment of Intel® AMT management capabilities. These assumptions include the highly available configurations most common to enterprise deployments of Windows Active Directory, Domain Name Servers, DHCP servers, and your Manageability Software that has support for Intel® vPro Technology.

Windows Server 2003 Active Directory (AD)

Microsoft Active Directory is assumed to be part of the overall network infrastructure supporting the existing Windows network environment. This architecture requires AD as the authentication mechanism allowing the Intel® Setup & Configuration Server, vPro ISV enabled Software, and potential web clients to log on to Intel® AMT hosts. AD should inherently be designed in a high availability configuration as prescribed by the existing environment and geographic requirements as well as best practices for AD in general.

Domain Name Server (DNS)

A domain name server is used to supply the name to IP resolution for the Intel® AMT hosts as well as resolving the Setup & Configuration server IP address for provisioning purposes. The name and IP address of each Intel® AMT host will be automatically registered in the DNS by the DHCP server.

 

Each Intel® AMT host will try to resolve the static name "ProvisionServer" during the initial activation process. ProvisionServer will be manually registered in the DNS and assigned to the Setup & Configuration Server IP address.

 

DNS is expected to be integral to the existing Windows network infrastructure. DNS should inherently be designed in a high availability configuration as prescribed by the existing environment and geographic requirements as well as best practices for DNS in general.

 

Dynamic Host Configuration Protocol (DHCP) Server

DHCP services must be in place to properly register Intel® AMT hosts within the enterprise. The hosts require that the DHCP server register their fully qualified domain name (FQDN) with the DNS. If the Microsoft DHCP server is employed it should be configured to automatically register the hosts in the DNS. Standard DHCP option 81 should be used to accomplish the task of registering the Intel® AMT hosts in the DNS as the FQDN is required as part of the PKI certificate generated for the device. The DNS is queried by the configuration server or add-on to compare against the certificate received in order to properly accept the TLS encryption with the Intel® AMT host.
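The two DNS preconditions described above (the manually registered ProvisionServer record and the DHCP-registered host FQDNs) can be checked before provisioning starts. The following is an added example, not code from the original post or from Intel; the domain `corp.example`, the host names and all addresses are constructed, and qualifying the static name as `ProvisionServer.<domain>` is an assumption.

```python
import socket

def resolve_a(name):
    """IPv4 addresses the local resolver returns for name (empty set if none)."""
    try:
        return {ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)}
    except socket.gaierror:
        return set()

def preflight(domain, scs_ip, amt_hosts, lookup=resolve_a):
    """Return a list of DNS findings that would block or misdirect provisioning.

    domain    -- DNS suffix the clients receive (assumption: the static name
                 is resolved as ProvisionServer.<domain>)
    scs_ip    -- address of the Setup & Configuration Server
    amt_hosts -- {FQDN used in the host certificate: IP leased by DHCP}
    """
    findings = []
    alias = f"ProvisionServer.{domain}"
    addrs = lookup(alias)
    if not addrs:
        findings.append(f"{alias}: no A record; register it manually")
    elif addrs != {scs_ip}:
        # Any other address means clients may contact the wrong server.
        findings.append(f"{alias}: resolves to {sorted(addrs)}, expected {scs_ip}")
    for fqdn, leased_ip in sorted(amt_hosts.items()):
        addrs = lookup(fqdn)
        if not addrs:
            findings.append(f"{fqdn}: not registered by DHCP (check option 81)")
        elif leased_ip not in addrs:
            # Stale or wrong record: the configuration server cannot match
            # the name in the certificate to the host it is talking to.
            findings.append(f"{fqdn}: DNS has {sorted(addrs)}, lease is {leased_ip}")
    return findings

# Constructed sample zone, so the check also runs offline.
SAMPLE_ZONE = {
    "provisionserver.corp.example": {"10.0.0.10"},
    "amt-pc01.corp.example": {"10.0.1.21"},
    "amt-pc02.corp.example": {"10.0.1.99"},   # stale record
}

def sample_lookup(name):
    return SAMPLE_ZONE.get(name.lower(), set())

if __name__ == "__main__":
    hosts = {"amt-pc01.corp.example": "10.0.1.21",
             "amt-pc02.corp.example": "10.0.1.22",
             "amt-pc03.corp.example": "10.0.1.23"}
    for line in preflight("corp.example", "10.0.0.10", hosts, sample_lookup):
        print(line)
```

Called without the `lookup` argument, `preflight` queries the resolver of the machine it runs on, so run it from a host that uses the same DNS servers as the AMT clients.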

Microsoft Certificate Authority (CA)

At a minimum, a stand-alone PKI certificate authority would need to be in place to enable encrypted and secure communication with the Intel® AMT hosts. The Microsoft certificate authority (CA) is required to properly interoperate with the Intel® Setup & Configuration Server. The CA is required to issue certificates to the Intel® AMT hosts, the Setup & Configuration Server, and in the case of Mutual Transport Layer Security (MTLS) the vPro enabled ISV software (that is using the Intel SCS). These certificates allow for SSL encryption and Transport Layer Security (TLS) and MTLS.

A certificate can be purchased from an outside vendor such as Verisign®. This enables easier provisioning (Remote Configuration) of the Intel® AMT 3.0 hosts as the Verisign root certificate hash is already defined in the host. This will be covered later when we focus on Intel® AMT 3.0 devices.

 

These servers may be considered for virtual hosting environments. It is a requirement that the virtual hosting environment be fully supported within the environment through standard operating procedures. It is expected that if these servers are virtually hosted they will receive equivalent operational support as if they were hosted in a physical environment.
