Just got back to my office from the BriForum (http://www.brianmadden.com/) show in Chicago. I was there working the Intel/Dell/Citrix booth as well as giving a classroom presentation. I wish I had more time to attend more of the classroom sessions but working the booth kept me rather busy. Here are my thoughts and observations from the show.

-No one size fits all.

-If it is not broke don’t fix it.

-The end user experience is important.

-IT shops will engage in desktop virtualization implementations for security, manageability and faster rollout of Apps, not so much just for cost savings.

-Interest in type 1 hypervisors is growing.

-VDI still being looked at first, before any other delivery model, but no widespread adoption yet.

-Desktop virtualization is far different than server virtualization.

 

During my presentation I had about 115 people in the room. I asked how many either had a POC in progress or were in production with VDI. 30-40% of the people raised their hand. Then I asked how many people had VDI in production with over 500 users. Approximately 6-8 people raised their hand. A lot of people are looking at VDI, but there are not many large implementations of VDI yet. At least, not among the people in my class that day. There was more discussion this year than last around other delivery models besides VDI. Organizations will likely have a mix of delivery models around desktop virtualization. In addition to VDI, OS/app streaming, hosted/virtualized apps, and local containers/VMs are all part of the various delivery models that are available today. No one size fits all. No one delivery model is ubiquitous yet, and may never be.

 

Another comment I heard was: if you are happy with the way you currently manage your desktops, don’t change it just for the sake of change, or change to some desktop virtualization model thinking that it will save you money. It will not. It seems as though the word has gotten out that one needs to look at all the back-end costs and software costs associated with implementing a desktop virtualization model, not just the end client costs. Some companies are moving to desktop virtualization models, but for reasons other than just cost savings. Those reasons are more centralized management, security, and faster application rollouts.

 

It was interesting to see a small trend towards having the end point perform some of the application processing when possible, rather than having the back-end servers perform all the CPU application cycles. Certainly all the type 1 hypervisor offerings perform all the application cycles locally, but so now does Red Hat’s offering with the SPICE protocol. The SPICE protocol looks to the endpoint first and the server second to perform the applications. I think we will see more of this type of balanced approach in the future between the endpoints and servers. With intelligent clients we will be able to let the clients perform the application CPU cycles when conditions permit, and when they do not, the servers will do all the work and just send out the screens.

 

It was brought out many times that desktop virtualization is not like server virtualization. There are many more things to consider, like graphics, USB ports, user personalization, and sleep/hibernate modes, that are not found on servers. So desktop virtualization, while not necessarily hard, can be very involved.

 

All in all, I thought it was a good, thought-provoking show. Brian Madden and his team did another excellent job. If you have never been to a BriForum show before, you owe it to yourself to go to next year’s show. See some videos of the show here: http://www.brianmadden.com/blogs/videos/archive/2011/07/22/brian-and-gabe-walk-the-floor-at-briforum-chicago-2011.aspx

 

Also some more info on desktop virtualization here. http://www.intel.com/assets/pdf/whitepaper/dv_understanding_desktop_virtualization.pdf

We have updated our management pack for Microsoft System Center Service Manager with some new features.  We have added:

  • Support for the Intel AMT Alarm Clock
  • Support for Fast Call for Help with our KVM Remote Control application

 

The Intel AMT Alarm Clock will let you set up a timer that will automatically wake up the PC, even if it is completely powered off.  This timer can be set either for one-time use, or with a reoccurring schedule.  Once the timer is set, it will work as long as the Intel vPro client has AC power.  It doesn’t even need to be attached to the corporate network.

 

The addition of Fast Call for Help support with KVM Remote Control allows you to point the KVM Remote Control application to your Managed Presence Server (MPS) to route traffic over a Fast Call for Help connection to a remote system.

 

Note: The management pack does not include an Intel vPro Enabled Gateway (aka MPS or Managed Presence Server).  For additional details on the back-end requirements to support Fast Call for Help please take a look at the following links:

 

http://communities.intel.com/community/openportit/vproexpert/blog/2009/11/10/cira-and-fast-call-for-help--what-is-it-where-can-i-find-it

 

You can download the new management pack here:

 

http://software.intel.com/en-us/articles/intel-core-vpro-processor-management-pack-for-system-center-service-manager-2010/

Have you ever wanted to be able to launch a KVM Remote Control session from within SCCM?  Have you ever wanted to make use of the Alarm Clock feature in AMT to wake up or turn on a computer at a specific time?  Now you can with the Intel® Core™ vPro™ processor add-on for System Center Configuration Manager 2007.

 

This add-on for SCCM 2007 brings the same KVM Remote Control capability that was made available last year in our management pack for SCSM 2010.

 

In addition, we have also added in the ability to set the AMT Alarm Clock from within SCCM 2007.  This capability lets you set up a schedule in AMT to power on a system from a powered off or sleep state at a specified time; even if the system is not connected to the network.

 

Once installed, there will be a new sub-menu available when you right-click on systems in the SCCM console that will allow you to launch a KVM Remote Control session, or set the Alarm Clock for the selected system.

 

 

You can download the add-on pack here:

http://downloadcenter.intel.com/Detail_Desc.aspx?agr=Y&DwnldID=21835




Britain's Cambridge University Eco Racing (CUER) is a team developing a solar-powered car to compete in the prestigious World Solar Challenge 2011. Founded in 2007, CUER is developing cutting-edge, energy-efficient, and race-winning vehicles to prove the viability of sustainable energy. The cars are powered only by the sun. To speed up the design process, ensure optimal performance, and gather data for future design refinements, CUER collaborated with Intel and made extensive use of Intel® X25-M SATA Solid-State Drives (Intel® X25-M SSDs).


“On average, we gained an overall 10 times performance increase in terms of computational fluid dynamics (CFD) analysis thanks to the Intel contribution, including the Intel® Solid-State Drives,” said  Oliver Smith, HPC and IT manager for CUER.


To learn more, download our new CUER business success story. As always, you can find this one, and many others, in the Intel.com Reference Room and IT Center.



One of the world’s leading consulting, technology, outsourcing, and professional services organizations, Capgemini operates in 40 countries. Capgemini Netherlands decided its customers would benefit from Intel® Active Management Technology (Intel® AMT), a component of the 2nd-generation Intel® Core™ i5 vPro™ processor for remote management of PC fleets. But many of its customers were hesitant to adopt the technology because of provisioning complexities such as the need for tight integration into the customer network.


To show customers the value of Intel AMT and persuade them to engage, Capgemini carried out a proof of concept on a host-based Intel AMT configuration to demonstrate there was no need for complex back-end systems. The proof of concept revealed that a host-based configuration is far easier than traditional provisioning, with the flexibility to easily move from client control mode to full admin control mode, which provides full Intel AMT functionality. Now Capgemini Netherlands expects the number of customers who request host-based configuration proofs of concept to climb from 10 to about 40 percent.


“We now believe that this flexible migration path, from client control mode to admin control mode, ensures that Intel AMT host-based configuration will become a valuable option for customers,” said Arnold Verhoeven, senior IT architect for Capgemini Netherlands.


To learn more, read our new Capgemini business success story. As always, you can find this one, and many others, in the Intel.com Reference Room and IT Center.

Beta CIRA support has been added to the 3.1 version of the Intel vPro PowerShell module. All of the PowerShell cmdlets transparently communicate to the CIRA connected client through an MPS. First the CIRA proxy and client list must be registered with the Intel vPro PowerShell module. Afterwards, just call your normal scripts.

I did not include native scripts to perform this functionality since I am planning that for the next release. Therefore we need some way to test that CIRA works and to explore the usage. To do this I wrote some test scripts and attached them to this blog. The next release of the Intel vPro module will include native CIRA support.

I have three scripts:

get-MPSStatus.ps1

set-MPS.ps1

manage-MPSClient.ps1

First, let's ensure that no proxy is set up. Type:

get-MPSStatus


Next, add the connection information for your MPS proxy. In my environment the proxy is mps.vprodemo.com. I will add both the HTTP and SOCKS proxy info.


Finally, add your connected CIRA clients using the manage-MPSClient script:

manage-MPSClient.ps1 -hostname vproClient1 -action ADD

manage-MPSClient.ps1 -hostname vproClient2 -action ADD

manage-MPSClient.ps1 -hostname vproClient3 -action ADD


Now call any Intel vPro PowerShell script.

Important notes -

The MPS information is on a per session basis,

  1. So each time a PowerShell console is opened, the MPS information must be set.
  2. The MPS information is only available to scripts called in that console.

Your feedback is welcome! I am planning on adding native CIRA support into the next Intel vPro Module release.

     There is no doubt that wireless networks are widely used by many companies, and, for some, it’s the only medium available (that is, there is no wired connection). Wireless-only work environments are becoming more frequent nowadays for many reasons: 1) it’s the cheapest connection technology when compared with traditional wired networks that require switch ports, cables, etc.; 2) office layout reconfiguration is much easier without the cables; and 3) wireless networks can be more secure than similar wired networks, at least for most enterprise implementations where the IEEE 802.1x protocol is the de facto standard for the wireless networks.

 

     There are several options to configure an 802.1x protected wireless network, however, the most common methods are called EAP-TLS (certificate-based) and EAP-PEAP (computer account based). Intel® vPro™ Technology based clients should be configured to work in an 802.1x environment in order to get out of band access to the corporate network and be remotely managed using Intel Active Management Technology (Intel AMT).

 

     Intel® vPro™ Technology clients in 802.1x wireless networks require Microsoft* Active Directory integration and a RADIUS server (for example, Microsoft* IAS) that will bridge the authentication from the client to Active Directory through an 802.1x capable switch.

 


Figure 1 – Intel® SCS 802.1x profile configuration

 

 

     The EAP-* protocols require a cryptographic session to be established in order to send the credentials, and use the certificate issued to the RADIUS server to create a TLS session between the client and the RADIUS server. The Intel® vPro™ Technology client receives the Trusted Root Certificates list during setup and configuration and records the certificate into Intel® ME flash memory. Figure 1 shows the Intel Setup and Configuration Service (Intel SCS) wizard used to select the “Trusted Root Certificate” during the setup and configuration stage.

 

     If EAP-TLS is selected, you must also pick the certificate authority that will be used to issue the 802.1x certificates and select the desired template. During the setup and configuration phase, the Intel Remote Configuration Service (Intel RCS) will act as a proxy, requesting the certificate in the name of the Intel® vPro™ Technology client.

 

     In addition to the how-to configuration steps listed above, there are two points that you should consider when planning your Intel® vPro™ Technology configuration that can differ from your regular desktop configuration:

 

    • Certificates
    • Network Speed

 

Certificates


     There are some limitations on certificate length as described in Table 1.

 


Table 1 – Intel® AMT PKI certificate length limitations

 

     The most common issue that I found in the field with certificates is when the root certificate authority uses certificates greater than 2048 bits (i.e. 4096 bits). When the key length is too long, instead of getting a failed provisioning status, the client is shown as “configured” but is unable to authenticate against the RADIUS server. If you look into the Intel SCS log, you will see the ERROR shown in Figure 2.

 

Figure 2 – Intel® SCS log showing the certificate update error

 

     Unfortunately, there is not an easy workaround for this problem. You can take two different approaches here:

 

  • Reissue the root CA with a smaller certificate length. In this case, the certificate authority will handle two CRLs, one for the previous root CA that will be revoked (for our example, the certificate with the 4096 bit length), and one for the new certificate. This is the recommended approach if you use PKI for SMIME or file encryption, because these usage models usually require CRL checking for longer periods.

 

  • Install a second root CA. This approach is intended to be used as part of a migration strategy: instead of administering two CRLs, you can reissue the client certificates using GPO and, after some period, you can just decommission the old CA. This method is not recommended if you use SMIME, file encryption, etc.
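
A pre-provisioning check for the key-length problem described above, as an added example that is not part of the original post or of Intel SCS. The function name `Test-AmtChainKeyLength` and the sample certificate are hypothetical, and the 2048-bit ceiling is taken from the field issue described in this post, so compare it against Table 1 for your certificate type.

```powershell
# Added example: report RSA key sizes for every certificate in a chain and
# flag any that exceed the limit, before the chain goes into an 802.1x profile.
# Requires PowerShell 7, or Windows PowerShell 5.1 on .NET Framework 4.7.2+.
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

function Test-AmtChainKeyLength {
    param(
        [Parameter(Mandatory)] [X509Certificate2] $Certificate,
        # Assumption: 2048 bits, per the root CA issue described in the post.
        [int] $MaxRsaBits = 2048
    )
    $chain = [X509Chain]::new()
    # Only key sizes matter here, so skip revocation lookups (works offline).
    $chain.ChainPolicy.RevocationMode = [X509RevocationMode]::NoCheck
    # Build() may return $false for an untrusted chain; the elements that
    # could be located are still listed in ChainElements.
    [void] $chain.Build($Certificate)

    foreach ($element in $chain.ChainElements) {
        $cert = $element.Certificate
        # Returns $null for non-RSA keys (for example ECC), which are reported
        # with an empty RsaBits column rather than silently passed.
        $rsa  = [RSACertificateExtensions]::GetRSAPublicKey($cert)
        $bits = if ($rsa) { $rsa.KeySize } else { $null }
        [pscustomobject]@{
            Subject = $cert.Subject
            IsRoot  = ($cert.Subject -eq $cert.Issuer)
            RsaBits = $bits
            TooLong = ($null -ne $bits -and $bits -gt $MaxRsaBits)
        }
    }
}

# Constructed sample input: a throwaway self-signed 4096-bit "root CA" that
# exists only in memory, standing in for the over-long root from the post.
$key  = [RSA]::Create(4096)
$req  = [CertificateRequest]::new('CN=Constructed Test Root CA', $key,
            [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
$root = $req.CreateSelfSigned([DateTimeOffset]::UtcNow,
            [DateTimeOffset]::UtcNow.AddDays(1))

# Every row with TooLong = True would provision as "configured" yet fail
# RADIUS authentication, according to the behaviour described above.
Test-AmtChainKeyLength -Certificate $root | Format-Table -AutoSize
```

To check a real chain, load the RADIUS server or client certificate with `[X509Certificate2]::new('<path to .cer>')` and pass it in place of the constructed sample.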

 

Network Speed


     Usually, for compatibility reasons, you can configure the wireless network to allow for speed negotiation, but there are also situations where you don’t want to allow speed negotiation. The main reason to limit speed negotiation is to reduce the wireless coverage range to limit it to a single room or auditorium. If, in this case, you configure the access point to accept only the G or N speed networks, you will have a problem with using Intel® vPro™ Technology, because the maximum out-of-band speed for the Intel ME is 40 Mbps (which is too slow for the G or N network speeds).

 

What’s Next

 

     In a future post, I’ll discuss how to manage Intel® vPro™ Technology in a public wireless environment, and behind a NAT using Fast Call for Help (aka Client Initiated Remote Access or CIRA).

 

Best Regards!

