
Intel vPro Expert Center Blog

5 Posts tagged with the fast_call_for_help tag

If you're reading this blog posting, hopefully you've read my blog post on CIRA last week -

http://communities.intel.com/community/openportit/vproexpert/blog/2009/11/10/cira-and-fast-call-for-help--what-is-it-where-can-i-find-it

 

Firstly, I wanted to share with you that over the past week we have actually worked through an entire end to end setup with a real-world customer (i.e. not just inside Intel labs) and now we have CIRA and AMT functionality over CIRA working successfully!

 

If you're wondering which of the management consoles and MPS/vPro Gateways were used - it was LANDesk 8.8 SP3 in this case (remember that LANDesk bundle their own MPS/vPro Gateway offering). If you're looking to get this to work in your environment (CIRA with LANDesk specifically) please do get in touch and I can share some specific current LANDesk pointers with you (that are not mentioned in this blog posting).

 

Some of the things we came across last week which are good pointers to pay attention to:

  1. There are 4 ports that get configured with the MPS which are fully configurable (i.e. they are not restricted to being a specific port number) - however, you cannot re-use the same port number; you need to have 4 distinct port numbers (sounds trivial, but it happens).
  2. You can use port 16993 as one of the port numbers, even though that is the port that is used for https connections in AMT (there is no conflict).
  3. In the httpd.conf file - instead of having a deny all and allow specific IP addresses, you might want to change to allow all.
  4. CIRA relies on the DHCP option 15 value that is handed out where the vPro client is located being different from the one it was pre-configured with - that is how the system knows it is outside the corporate environment. If DHCP option 15 happens to be blank where your vPro clients connect from - that is good enough. Blank is considered different and CIRA works fine.
  5. Currently, you should install the LANDesk agent after provisioning is completed.
  6. Use the 'vPro Status' operation on a provisioned vPro client to check that all the LANDesk NED settings have been deposited properly on the vPro client prior to taking it out of the corporate environment.
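Pointers 1 and 4 can be checked before any client leaves the building. The following is an added example, not part of the original post or of any LANDesk or Intel tool: it verifies the four MPS ports are distinct and, going slightly beyond the post, flags sites where the DHCP option 15 value would make a client decide it is outside when you expect it to be inside (or the reverse). The function names, port numbers and site data are constructed, and the comparison rule (case-insensitive equality, blank counts as different) is an assumption based on the description above.

```python
def normalise(domain):
    """Lower-case, strip whitespace and any trailing dot; None/blank becomes ''."""
    return (domain or "").strip().rstrip(".").lower()

def environment(provisioned_domain, dhcp_option15):
    """'inside' only when option 15 equals the provisioned domain.
    A blank option 15 counts as different, so the client is 'outside'."""
    offered = normalise(dhcp_option15)
    same = bool(offered) and offered == normalise(provisioned_domain)
    return "inside" if same else "outside"

def preflight(mps_ports, provisioned_domain, sites):
    """sites maps a site name to (option 15 value, is CIRA expected there?)."""
    problems = []
    if len(mps_ports) != 4 or len(set(mps_ports)) != 4:
        problems.append(f"MPS needs 4 distinct ports, got {mps_ports}")
    for name, (option15, expect_cira) in sites.items():
        env = environment(provisioned_domain, option15)
        if (env == "outside") != expect_cira:
            problems.append(f"{name}: option 15 {option15!r} -> {env}, "
                            f"but CIRA expected = {expect_cira}")
    return problems

# Constructed sample data (hypothetical domains and sites).
SITES = {
    "HQ LAN": ("corp.example.com", False),
    "Branch office": ("branch.example.net", False),  # differs -> seen as outside
    "Home router": ("", True),                       # blank counts as different
    "Hotel LAN": ("guest.example.org", True),
}

if __name__ == "__main__":
    # 16994 is repeated on purpose to trigger the port finding.
    for line in preflight([16993, 16994, 16994, 16995], "corp.example.com", SITES):
        print(line)
```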

 

Btw, the CIRA connection is established through a user click at the OS-level using the IMSS utility.

 

So the bottom line is we now have close to 100 systems that are confirmed to have full AMT functionality working over a CIRA connection in a real live environment - it works!

 

The 2nd part of the blog can be considered a more 'advanced topic' and is devoted to what happens if your management console of choice doesn't currently support CIRA...

One Management Console for example that is currently not supporting CIRA is Microsoft SCCM (even with SP2).

 

The options as I see them, are:

  1. Contact your software vendor and ask them whether they support Intel - Intel works with multiple software vendors on incorporating support for various Intel vPro features (CIRA amongst others) - they can hear it from us, but it is much better if they hear it from you.
  2. Your software vendor might have plans to introduce support for CIRA, however it is further down the line - so it is just a question of time.  
  3. Try and engineer something yourself to have CIRA work in the environment you have setup

 

At least for testing your environment for what CIRA would look like, you could leverage the WebUI tool. You would need to have an MPS installed and configured first of all. Thereafter, all that you need to do is configure the proxy settings in the web-browser you are using to the IP address/FQDN of where you have your MPS installed and also enter the default http proxy port of 8080 - that will be sufficient for getting your WebUI to work over a CIRA connection.


 

If you use Microsoft Internet Explorer you are limited only to the http proxy portion which will allow several of the AMT operations to work over a CIRA connection, but not SOL/IDER for example.

If you are using Mozilla Firefox, for example, you can also configure a SOCKS proxy, which can handle routing SOL/IDER traffic.

 

If we take the example of Microsoft SCCM, what you can do is to use the scripting framework that has been used successfully for something like: providing out of band 802.1x in Microsoft SCCM SP1 (it is natively supported now in SP2) - http://communities.intel.com/message/10877

You can configure the correct settings for the vPro client to be able to contact the MPS Proxy Server and establish a CIRA connection between the MPS Server and the vPro client, however you will still need your management console to integrate and be aware of this CIRA connection to be able to do something useful.

What you could do at this point is to configure a 'transparent proxy'. That would typically entail configuring the MPS IP address/FQDN as a proxy route on the router to which the server hosting the management software is connected, so that it is inserted in the headers of packets that go through that router. You can use something like Cisco WCCP (Web Cache Communication Protocol) to set this up. At this point, Microsoft SCCM will not be aware that the packets it is sending are actually being re-routed through the MPS (which is aware of the remote vPro client) to the vPro clients, and that is why this is called a transparent proxy.

 

A caveat/disclaimer I would add though is that, although this is technically feasible, you would need to put together the full working solution yourselves and support it yourselves.

 


What is it?

When vPro, and more specifically AMT, was initially designed and engineered, it was architected to work on an internal corporate network, which allowed for the server-to-client communications model. The problem was that many organisations have client PCs that are actually situated outside the corporate environment and were excluded from the reach of the vPro benefits available to systems residing within the corporate network. The reason for this is that client PCs that are not on the corporate environment would be sitting behind a home router and would actually possess a private local IP address that is not publicly addressable - i.e. it is not unique and the Management Console has no way of reaching that remote client. The solution to this situation is what is called CIRA - Client Initiated Remote Access.

 

The term Fast Call for Help is what we use to refer to the use case that is enabled by CIRA (which is a means to an end, but not a use case on its own). It specifically addresses a help desk type scenario where the PC is broken and is being fixed remotely by an administrator or technician.


How does it work?

It works on the principle that as with any usage of a PC behind a NAT'd router, once the client initiates a request (say for a web page) and the information returned comes back to the router, the router knows locally which PC to forward the information back to. The important distinction from the analogy used is that this connection is created Out of Band and does not rely on the operating system or some local software client agent being available or in a healthy state.

 

The connection that is initiated by the client arrives at the vPro Enabled Gateway, which needs to be 'publicly reachable' - so it would typically reside in a DMZ and be protected by an external firewall which might have some port forwarding.

 

The management console has a listener for incoming CIRA connections, and once such a connection arrives it can perform AMT commands on the remote vPro client.

 

The high level flow is as follows (with a graphical representation below):

  1. The user of the remote vPro client initiates the connection to a component that acts as a proxy Server and is called the vPro Enabled Gateway (aka MPS - manageability presence server).
  2. The connection can either be initiated manually by a user in an OS level utility or pre-OS level with a key combination.
  3. Alternatively, the connection can be scheduled to automatically be initiated according to a pre-determined time frequency
  4. Once the connection reaches the Gateway, a secure encrypted tunnel is established back to the vPro client
  5. At this point the Management Console which is sitting inside the corporate environment is notified of the incoming connection from the vPro client
  6. The administrator/technician who is using the Management Console can now initiate any AMT command to the remote vPro client.

[Figure: CIRA.bmp]
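The NAT principle and the six-step flow above can be modelled in a few lines. This is an added example, not part of the original post and not Intel or vendor code: a toy NAT router and gateway show why a console-initiated packet is dropped while a command sent back down the client-initiated tunnel is delivered. The class names, client ID, command name, addresses and the gateway port are constructed for illustration.

```python
class NatRouter:
    """Home router: forwards inbound packets only for flows a LAN host opened."""
    def __init__(self, public_ip):
        self.public_ip, self.flows, self.next_port = public_ip, {}, 40000

    def outbound(self, private_ep, remote_ep):
        """A LAN host connects out; remember where replies must be forwarded."""
        self.next_port += 1
        self.flows[(self.next_port, remote_ep)] = private_ep
        return (self.public_ip, self.next_port)

    def inbound(self, remote_ep, public_port):
        """Return the LAN endpoint for a known flow, or None (packet dropped)."""
        return self.flows.get((public_port, remote_ep))

class Gateway:
    """Stand-in for the vPro Enabled Gateway (MPS) sitting in the DMZ."""
    def __init__(self, endpoint):
        self.endpoint, self.tunnels = endpoint, {}

    def accept(self, client_id, nat_mapped_ep):
        """Steps 1 and 4: record the tunnel the client opened to the gateway."""
        self.tunnels[client_id] = nat_mapped_ep
        return f"notify console: {client_id} connected"   # step 5

    def relay(self, client_id, command, nat):
        """Step 6: send a console command back down the client's own tunnel."""
        if client_id not in self.tunnels:
            return "no tunnel"
        _, port = self.tunnels[client_id]
        target = nat.inbound(self.endpoint, port)
        return f"{command} delivered to {target[0]}" if target else "dropped by NAT"

def run_scenario():
    # Constructed addresses (documentation ranges) and a hypothetical MPS port.
    nat = NatRouter("203.0.113.7")
    client, console = ("192.168.1.20", 49152), ("10.0.0.5", 50000)
    mps = Gateway(("198.51.100.10", 5000))
    results = {}
    # The console tries the client directly: the router has no matching flow.
    results["direct"] = nat.inbound(console, 16993)
    results["before_cira"] = mps.relay("pc-042", "power-status", nat)
    mapped = nat.outbound(client, mps.endpoint)   # the client dials out
    results["notify"] = mps.accept("pc-042", mapped)
    results["after_cira"] = mps.relay("pc-042", "power-status", nat)
    return results
```

The real tunnel is encrypted and carries AMT traffic; the model only captures who may initiate and which path the command takes.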

What components are required for getting CIRA and Fast Call for Help to work?

  1. vPro systems
  2. Management software that has built in support for Fast Call for Help
  3. vPro Enabled Gateway

 

In addition, you should also be aware that there are configuration files that need to be edited for the vPro Enabled Gateway, that some configurable ports need to be open, and that AMT provisioning (with CIRA profiles) is a prerequisite.

Which vPro Hardware do I need to take advantage of Fast Call for Help?

Any vPro system that has AMT Firmware 4.0 and above supports Fast Call for Help. That means any 4.x, 5.x and now the up and coming 6th generation of vPro which is being released in the 1st quarter of 2010. The new capability which is being introduced in 2010 is that this CIRA connection can be initiated over a wireless network interface as well, whereas today it is limited to being initiated over a wired network connection.

Which manageability software is available today for implementing and utilising CIRA capabilities?

  1. Symantec Management Suite version 7 (formerly Altiris Management Console and aka CMS7) Beta II
  2. LANDesk Management Suite 8.8 SP3
  3. Setup and Configuration Service (SCS) 5.x and above (including the Intel DTK) also support CIRA

 

Which vPro Enabled Gateway products are available today for setting up a CIRA capable infrastructure?

  1. Checkpoint Secure Gateway (interoperable with the Symantec Management Console, but not with the LANDesk console)
  2. LANDesk Gateway, which is embedded inside the LANDesk Management Console (however, it does require running a specific installer for the MPS)

 

Why am I blogging about this now?

CIRA and Fast Call for Help were actually supported in Intel Firmware from version 4.0, which was released about 1.5 years ago. Unfortunately, all the components required to make Fast Call for Help work were either unavailable or had stability issues. However, today the components exist and are validated to work successfully (with a few known issues that are being addressed). Therefore, if this is of interest to you, then you are in a position to implement Fast Call for Help in your environment today. We would welcome anyone out there who is interested in trying to implement this.

 

Is this everything I need to know?

There are more technical details required for a successful implementation, however this should provide a good introduction and starting point. If you have any questions, please don't hesitate to contact me.


To download the presentation, visit http://www.intel.com/go/idfsessions.

 

Roadmap - Intel vPro Technology

 


 

KVM remote control

 

Visual remote access - adds another layer on top of things like CIRA.

 

Architecture overview - remote management console makes secure connection to machine - Yasser shows how chipset/graphics communications to the remote machine.

 


 

Out of Office Connectivity

 

Fast call for help and remote pc assist technology

 

Remote pc assist - for end users who don't have corporate IT - small businesses, home users

 

Wireless without running OS - works both in band or out of band

 


 

Remote Encryption Management

Supports software full disk encryption, TCG OPAL, and Seagate DriveTrust.

 



Hi everyone -

 

If you missed our webinar "Beyond the Firewall: Using Fast Call for Help to Manage PCs with Intel® vPro™ Technology," then you can now watch the recording. The PowerPoint slides are also available; they are attached to this blog posting.

 

Click to view the recording.


Beyond the Firewall: Using Fast Call for Help to Manage PCs with Intel vPro technology

Wednesday, September 16, 2009

8:00 AM - 9:30 AM PDT

 

This webinar introduces Intel vPro Technology's 'Fast Call For Help' (FCFH) capability, which allows you to manage your systems that are outside your firewall. Intel and Checkpoint will demonstrate how you can run Asset Discovery, Remote Power Management and Remote Diagnostic and Repair, even when the systems are outside your firewall.

 

Register here: https://www2.gotomeeting.com/register/314239651
