Currently Being Moderated

***************

All Intel-provided code snippets in or attached to this blog are provided under the BSD License unless otherwise specified.

 

Any user submitted code or materials posted on this blog is supplied under license from the submitter, and should be used or downloaded in accordance with any license terms specified. Intel is not responsible for user submitted code nor warrants that it will work correctly.  If no license is provided, you should contact the submitter.

****************

 

     Since Intel vPro launched in 2006, there are lots of questions about how configure a vPro device that is using static IP. I’ll try demystifying and explain how vPro TCP/IP stack works and what you can and can’t do. I’ll also bring to your attention some best practices to make these procedures easier and less susceptible to manual error.

 

     First of all, we need to understand the relationship between Host and Intel Management Engine (aka Intel ME) TCP/IP stack: Before ME 4.0, the OEM had the ability to set a different MAC address to the ME and host. In such a case, they should also use different IPs and this mode was called "dedicated MAC". The consequences of this approach is that usually, in a regular infrastructure you should also use the different names in order to avoid mismatching in DNS and risk having the machine inaccessible while switching NIC ownership between the Host and ME.

 

     However, in "Shared MAC," available since ME 4.0 (where ME dedicated MAC was left “FF"), ME uses the host MAC, hence, in DHCP they must have the same name and in static IP they may still use the same IP address or different, but if using different IP address, must use also different names.

There are several situations where static IP is required such as ATMs, Kiosks, Digital Signage and several embedded devices or even legacy network infrastructure. For those, manual configuration into the MEBx is error susceptible. For some cases, including  PCs with ME 6.2 and beyond, exists Host Base Configuration (aka HBC) in order to accomplish this task without external infrastructure dependencies or requirements to pass a long IP parameter string based on the host operating system. However, HBC configures the machine in Client Control Mode, and it’s mandatory due security reasons. At least for most  embedded devices, such as ATMs, Kiosks and Digital Signage, where we don’t have a regular user that we can send the consent request, it’s a show stopper.

 

     A possible approach to overcome manual entry configuration is to use a USB key created by USBfile.exe that can be found in the Intel AMT SDK or ACUConfig.exe found in Intel Setup and Configuration Service 7.x (aka Intel SCS 7.x), but both tools require that IP parameters (i.e. IP address, network mask, default gateway and DNS servers) be passed by command line and is also error susceptible.

 

     A possible solution for these situations is to use a Visual Basic script that basically captures IP parameters from Windows and creates the USB key previously attached to the machine’s USB interface, and then automatically reboots to configure the ME with the same IP address of host. I developed this script that can be downloaded here (i.e. provisionUSB.vbs).

 

     If you would like to configure a vPro machine using Kerberos (i.e. with Active Directory integration) or issue a TLS certificate (usually required by highly secure environments), you will need to use the Remote Configuration Server (aka RCS) found in Intel SCS 7.x. In this situation, the principle of capturing IP parameters and the USB key is the same as the previous case, but now requires a PSK exchange with RCS that will be used for ME and RCS communication to conclude the configuration.  I just developed a script (called provision.vbs) based on SCS 7.1 (fail with SCS 7.0) that automates these tasks and is demonstrated in this video:

 

 

     At this point, there are some requirements and known issues with these scripts as listed:

 

  • All IP parameters must be present in Windows Host (i.e. IP address, Subnet mask, default gateway, and primary and secondary DNS);
  • ACUConfig.exe, ACU.dll and xerces-c_2_8.dll found in Intel SCS package should be placed in the same script directory;
  • Tested only on ME 7.0
  • You need to define in script which NIC adapter is the ME interface (onboard) to capture the correct IP address parameters, look for this line:

 

("SELECT * FROM Win32_NetworkAdapterConfiguration WHERE Description = 'Intel(R) 82579LM Gigabit Network Connection' and IPEnabled = TRUE")

 

     And replace the Description with description that showed in an ipconfig command line.

 

     For further details, just execute the script in command line instead of windows interface:

 

     C:\>cscript provisionUSB –or- C:\>cscript provision.vbs

 

     Please, let me know if you find any issue or suggestions that are not covered in this version.

 

Best Regards!

Comments

Filter Blog

By author:
By date:
By tag: