The release of the Notification Server 7.0 platform will provide a new design and infrastructure. Out of Band Management will also provide a new release with this platform. First I’ll provide a brief description of what Out of Band Management is used for. This article will also cover the differences between the 6.2 version of Out of Band and version 7.0. The changes include UI improvements, relabeling to be in line with current Intel terms, and the addition of limited Dash support.
Out of Band Management 7.0 allows an administrator or IT Professional to setup and configure several protocol technologies for use in the greater Notification Server infrastructure, or even any other solution that supports the protocols handled by Out of Band Management. The supported technologies are:
- Intel AMT (Active Management Technology) or vPro
- ASF (Alerts Standard Format) primarily from Broadcom
- DASH technology support (open architecture)
The greater focus is on Intel’s AMT technology. Using the provided configuration pieces with Out of Band, systems with the above technologies can be configured to respond to functions called from either the RTSM interface or via Task Server. Once configured, the Notification Server is a trusted entity to the local systems and all available functions are available.
More information can be found by browsing through the articles generated on Out of Band Management 6.x at http://www.symantec.com/community/intel.
It’s important to understand the changes in terminology and labeling so the transition from 6.2 to 7.0 Out of Band Management goes smoothly. This section will also help explain the naming scheme for Out of Band Management. The following list provides the term, and the previous label (if different), and a brief description:
- Configuration, AKA Setup and Configuration – Previous term: Provisioning – Intel has standardized on using Configuration as the term for activating a vPro system. This more aligns with what is occurring and avoids confusion with basic industry understanding of what provisioning means (putting an OS on the system).
NOTE: Since this word is used throughout documentation for 6.x it is important to understand the change!
- TLS – Transport Layer Security can be considered the next generation of SSL (Secure Sockets Layer). It’s used in 2 sections of Configuration: Remote Configuration authentication, and TLS within the Configuration Profile.
- Remote Configuration – This specifically means the process for automatic Configuration via the handshake with a TLS certificate, usually purchased from Verisign, GoDaddy, Comodo.
Out of Band Portal
Out of Band Management now has a Portal page that provides access to most function from a user-friendly UI. It’s accessed in the Symantec Management Console by going to Home > Remote Management > and click on Out of Band Management. The following screenshot shows a view of the portal:
The upper left-hand pane shows a list of setting groups that will enable a user to go through those steps necessary to enable or complete Out of Band setup and configurations. Please note the following items and what they can be used for:
- Configuration Service Settings – This provides all the nodes that are used in the Setup and Configuration process for AMT.
- Basic Configuration (without TLS) – This takes you through the process of setting up Configuration where TLS will not be used in the Configuration Profile (not to be confused with Remote Configuration TLS). See this screenshot for the way the steps are setup:
- Enable Remote Configuration – This walks you through setting up the Notification Server to accept Configuration requests using TLS certificates. Note that 2.6, 3.0+ AMT systems are automatically configured to send out requests using this method.
- Enable Security (TLS) – This walks you through setting up the Notification Server to use TLS when managing AMT systems.
- Intel AMT Tasks – This is a quick area that reveals the Task Server tasks that directly utilize AMT.
- Configure Site Server – This is a link that opens the Site Server Configuration page as part of the Notification Server Platform. This is available here because OOB has a Site Service that can be deployed to Site Servers.
As a note, Site Servers allow distribution of Out of Band functions across the environment, and helps alleviate any problems with large rollouts involving a large amount of Configuration. This brings us closer to having true hierarchy support with Out of Band Management.
Those who are familiar with Out of Band Management 6.2 can use this section to find corresponding functions, configuration pages, and utilities when upgrading to Out of Band 7.0. If you are unfamiliar with this version skip to the next section.
Out of Band Management looks much the same as it did in 6.2, with some notable exceptions. The following items cover the differences between the two. The method used to reach the console area for Out of Band Management is as follows: Browse down through Settings > All Settings > in the left-hand tree browse down through Remote Management > Out of Band Management. The three subfolders are by the same name as they were in 6.2, lacking the fourth folder: Delayed Provisioning.
- *Provisioning > Configuration – I called this out previously in this article but with my experience the double-exposure is necessary. In reference to managing vPro AMT systems, consider the previously used term Provisioning to now be Configuring, or Provision to now be Configuration. If you’re like me and have the word provisioning ingrained in your mind, it will take some getting used to.
- Auxiliary Profiles – Three new nodes have been added to this folder. They are described below:
- Management Presence Server – (MPS) This is the secure gateway CIRA technology will use to connect securely with the network where the NS resides for remote management from anywhere on the Internet.
- Remote Access Policies – In relation to the above MPS, this policy dictates how CIRA connections are handled by the Notification Server.
- Trusted Root Certificates – Also in relation to MPS, these are required to establish so that trust can be formed from the calling AMT system, the MPS, and the Notification Server.
- Configuration Profiles – Formerly known as Provision Profiles. The following items have been added as tabs within the profile configuration. Descriptions of the items are supplied as well:
- Domains – Allows the ability to configure AMT to operate in more than one Domain.
- Remote Access – This ties directly to the Remote Access Policies found under the Auxiliary Profiles node. Edits here will take effect in both places.
- The remaining nodes under the Configuration Service Settings folder are the same between versions 6.2 and 7.0.
- Delayed Setup and Configuration – Formerly known as Delayed Provisioning, this has been renamed to fit the proper naming convention. It also no longer has its own folder, but can be found under the Intel® AMT Systems folder above the Intel AMT Systems node.
- The following screenshot shows the layout of the console:
The component that Out of Band Management plugs into has not changed between versions. Intel SCS (Setup and Configuration Services) is still the backbone of Out of Band, and handles all the transactions between the server and the remote Intel AMT clients during the Configuration process. Please note that management functions of AMT are NOT handled by Intel SCS. SCS stands for only the Configuration process, including maintenance and reconfiguration tasks (for example for profile updates) as part of maintaining the configured state.
Out of Band Management 6.2 used Intel SCS version 3.0 (or 3.2.1 per the Knowledgebase article found at this location: https://kb.altiris.com/article.asp?article=40076&p=1). Intel SCS version 5.0 ships with Out of Band Management. While the UI does not reveal all the additional capabilities, SCS 5.0 comes with a tool called Activator. This utility can handle a number of scenarios that were sticky points in the previous versions of Out of Band and Intel SCS. The abilities include the following:
- FQDN Name Change – The Activator, when run on the local AMT system, can tell AMT to send updated information to Intel SCS on its FQDN. This is especially important if the FQDN has changed in Windows, thus changing the identity of the machine.
- The problems associated with this are the failure of AMT systems to authenticate using TLS due to FQDN sensitivity if enabled, and also the inability of Intel SCS to contact back a system whose FQDN has changed.
- Resending of Hello Packets – While the 3.0 version of Out of Band had the ability to send Hello packets using the Delayed Provisioning (AKA Delayed Configuration) task, it did not have the ability to send PSK (pre shared keys) packets if the 24 hour cycle of the hello packets sequence expires. This functionality was also added to verison 3.2.1 of Intel SCS.
- The problems associated with this are when systems are not configured within that 24-hour cycle they need to be acted upon to get the needed information to the server for configuration.
The above two functions can be utilized by sending Activator down using a Delivery Software job in the Software Management Solution.
Hopefully this introduction will help those familiar with Intel vPro, and especially familiar with Out of Band Management in the Notification Server 6.0 infrastructure, to understand the changes and functions in version 7.0 of Out of Band Management. In depth articles will be generated in the future to cover some of the new features such as the MPS and CIRA functionality.