What is it?
When vPro, and more specifically AMT, was initially designed and engineered, it was architected to work on an internal corporate network, which allowed for the server-to-client communications model. The problem was that many organisations have client PCs that are actually situated outside the corporate environment, and these were excluded from the reach of the vPro benefits available to systems residing within the corporate network. The reason for this is that client PCs that are not on the corporate environment would be sitting behind a home router and would actually possess a private local IP address that is not publicly addressable - i.e. it is not unique and the Management Console has no way of reaching that remote client. The solution to this situation is what is called CIRA - Client Initiated Remote Access.
Fast Call for Help is the term we use for the use case that is enabled by CIRA (which is a means to an end, but not a use case on its own). It specifically addresses a help desk type scenario where the PC is broken and is being fixed remotely by an administrator or technician.
How does it work?
It works on the principle that as with any usage of a PC behind a NAT'd router, once the client initiates a request (say for a web page) and the information returned comes back to the router, the router knows locally which PC to forward the information back to. The important distinction from the analogy used is that this connection is created Out of Band and does not rely on the operating system or some local software client agent being available or in a healthy state.
The connection that is initiated by the client arrives at the vPro Enabled Gateway, which needs to be 'publicly reachable' - so it would typically reside in a DMZ and be protected by an external firewall which might have some port forwarding.
The management console has a listener for incoming CIRA connections, and once such a connection arrives it can perform AMT commands on the remote vPro client.
The high level flow is as follows (with a graphical representation below):
- The user of the remote vPro client initiates the connection to a component that acts as a proxy Server and is called the vPro Enabled Gateway (aka MPS - manageability presence server).
- The connection can either be initiated manually by a user in an OS level utility or pre-OS level with a key combination
- Alternatively, the connection can be scheduled to automatically be initiated according to a pre-determined time frequency
- Once the connection reaches the Gateway, a secure encrypted tunnel is established back to the vPro client
- At this point the Management Console which is sitting inside the corporate environment is notified of the incoming connection from the vPro client
- The administrator/technician who is using the Management Console can now initiate any AMT command to the remote vPro client
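The flow above can be modelled in a few lines to show why the console cannot reach the client until the client dials out, and why only the gateway has to be publicly reachable. This is an added example, not code from the original post or from Intel; it models the addressing only, not the AMT protocol. The class names, addresses and port are constructed for illustration, and the router is assumed to forward inbound traffic only from the remote endpoint the client contacted.

```python
from dataclasses import dataclass, field

GW_IP, GW_PORT = "198.51.100.5", 8443   # constructed; the real gateway port is configurable
CLIENT = ("192.168.1.23", 50001)        # constructed private address behind the home router


@dataclass
class NatRouter:
    """Home router model: inbound traffic passes only on flows a LAN host opened."""
    next_port: int = 40000
    flows: dict = field(default_factory=dict)  # (pub_port, remote_ip, remote_port) -> LAN endpoint

    def outbound(self, lan_endpoint, remote_ip, remote_port):
        """A LAN host connects out; the router records the mapping it will reverse."""
        pub_port, self.next_port = self.next_port, self.next_port + 1
        self.flows[(pub_port, remote_ip, remote_port)] = lan_endpoint
        return pub_port

    def inbound(self, pub_port, remote_ip, remote_port):
        """Return the LAN endpoint an inbound packet is forwarded to, or None if dropped."""
        return self.flows.get((pub_port, remote_ip, remote_port))


@dataclass
class Gateway:
    """vPro Enabled Gateway (MPS) model: holds client-initiated tunnels, notifies the console."""
    tunnels: dict = field(default_factory=dict)        # client_id -> (router, pub_port)
    notifications: list = field(default_factory=list)  # what the management console is told

    def accept(self, client_id, router, pub_port):
        self.tunnels[client_id] = (router, pub_port)
        self.notifications.append(client_id)

    def relay(self, client_id):
        """Console request for a client: deliverable only over an existing tunnel."""
        if client_id not in self.tunnels:
            return None
        router, pub_port = self.tunnels[client_id]
        return router.inbound(pub_port, GW_IP, GW_PORT)


def run_flow():
    router, gw = NatRouter(), Gateway()
    before = gw.relay("client-01")                        # no tunnel yet: console cannot reach in
    unsolicited = router.inbound(40000, GW_IP, GW_PORT)   # router has no mapping either
    pub_port = router.outbound(CLIENT, GW_IP, GW_PORT)    # client initiates (CIRA)
    gw.accept("client-01", router, pub_port)
    after = gw.relay("client-01")                         # now forwarded to the client
    stranger = router.inbound(pub_port, "192.0.2.99", GW_PORT)  # other host: dropped
    return before, unsolicited, after, stranger, gw.notifications
```
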
What components are required for getting CIRA and Fast Call for Help to work?
- vPro systems
- Management software that has built in support for Fast Call for Help
- vPro Enabled Gateway
In addition, you should also be aware that there are configuration files that need to be edited for the vPro Enabled Gateway, that some configurable ports need to be open, and that AMT provisioning (with CIRA profiles) is a prerequisite.
Which vPro Hardware do I need to take advantage of Fast Call for Help?
Any vPro system that has AMT Firmware 4.0 and above supports Fast Call for Help. That means any 4.x, 5.x and now the up and coming 6th generation of vPro which is being released in the 1st quarter of 2010. The new capability which is being introduced in 2010 is that this CIRA connection can be initiated over a wireless network interface as well, whereas today it is limited to being initiated over a wired network connection.
Which manageability software is available today for implementing and utilising CIRA capabilities?
- Symantec Management Suite version 7 (formerly Altiris Management Console and aka CMS7) Beta II
- LANDesk Management Suite 8.8 SP3
- Setup and Configuration Service (SCS) 5.x and above (including the Intel DTK) also support CIRA
Which vPro Enabled Gateway products are available today for setting up a CIRA capable infrastructure?
- Checkpoint Secure Gateway (interoperable with the Symantec Management Console, but not with the LANDesk console)
- LANDesk Gateway, which is embedded inside the LANDesk Management Console (however, it does require running a specific installer for the MPS)
Why am I blogging about this now?
CIRA and Fast Call for Help were actually supported in Intel Firmware from version 4.0, which was released about 1.5 years ago. Unfortunately, all the components required to make Fast Call for Help work were either unavailable or had stability issues. However, today the components exist and are validated to work successfully (with a few known issues that are being addressed). Therefore, if this is of interest to you, then you are in a position to implement Fast Call for Help in your environment today. We would welcome anyone out there who is interested in trying to implement this.
Is this everything I need to know?
There are more technical details required for a successful implementation, however this should provide a good introduction and starting point. If you have any questions, please don't hesitate to contact me.