Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander

Possible to VNC using Intel vPro with NIC disabled in Windows?

AFarz
Beginner

I have never had a vPro machine, but I want to know if the following scenario would be possible before I purchase a few vPro machines.

The computers will be used by clients and I do not want them to access the network which is connected to the main network interface; as a result, the main NIC will be disabled in Windows. All Windows users will only have access to the WiFi network.

If the main NIC is disabled for Windows, can I still use it to connect to VNC using vPro/KVM? Just to clarify, I do not want to connect using the wireless NIC, but the NIC that is actually disabled in Windows.

1 Solution
Dariusz_W_Intel
Employee

YES, it will work this way.

This is how Intel vPro is designed - it works at the HW level (Out of Band).

You can also use System Defense - HW firewall filters on the wired interface - to further block any access from/to the OS over the wired AMT LAN interface in case end users are allowed to re-enable the wired LAN in the OS.

(Note - System Defense requires Intel AMT to be configured in Admin Control Mode!)

Please note that you may need to sort out DNS settings, as your OS LAN interface will not register its IP in DNS. The Intel AMT LAN interface will get its dynamic IP from DHCP and may register it with its configured FQDN in DNS, but if AMT shares the same FQDN with the OS, the OS WiFi interface may overwrite this pointer entry with the WiFi IP.

You may use the hosts file on the management console (where the VNC viewer runs) to override it.

Note2 - To configure Intel AMT into Admin Control Mode you will have to have the Intel AMT wired LAN enabled in the OS for the time and purpose of Intel AMT configuration, or use USB Local Configuration.

Note3 - The free Real* VNC Viewer supports only the RFB port (TCP 5900), which you have to enable in the AMT configuration; this port by design is not encrypted and is protected by a strong password of exactly 8 characters.

For production deployment (and better security) it is advised to use the AMT Redirection port (TCP 16994/16995), which may be encrypted and uses AMT authentication (Digest and/or Kerberos).

I did a quick check for you:

  1. Configured an Intel AMT 10 based platform (Intel NUC) using Host Based Configuration (into Client Control Mode)
  2. Disabled the LAN interface in Windows OS and configured the WiFi interface + got it connected to the Internet.
  3. Connected to Intel AMT using Real* VNC Plus (60 day trial license) KVM Viewer and...
  4. Captured PC screen - see attached:

Is it what you want to achieve?

rgds

Dariusz Wittek

Intel EMEA Biz Client Solution Architect
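
A check for the DNS and KVM port points raised in the answer above, run from the management console. It is an added example, not part of the original post or of any Intel tool; the function names are hypothetical and the FQDN and IP addresses are constructed sample values.

```python
import socket

# KVM-related ports named in the answer above.
KVM_PORTS = {
    5900: "RFB: not encrypted, 8-character password",
    16994: "AMT redirection without TLS",
    16995: "AMT redirection over TLS",
}

def resolve(fqdn):
    """Return the IPv4 addresses the FQDN currently resolves to."""
    try:
        infos = socket.getaddrinfo(fqdn, None, socket.AF_INET)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}

def dns_status(fqdn, amt_ip, resolved=None):
    """Compare DNS with the known AMT wired IP; return (state, hosts_line)."""
    addrs = resolve(fqdn) if resolved is None else set(resolved)
    if addrs == {amt_ip}:
        return "ok", None
    state = "unresolved" if not addrs else "mismatch"
    # Line to add to the hosts file on the management console.
    return state, f"{amt_ip}\t{fqdn}"

def open_ports(ip, ports=KVM_PORTS, timeout=1.0):
    """Return the listed ports that accept a TCP connection on ip."""
    found = []
    for port in sorted(ports):
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((ip, port)) == 0:
                found.append(port)
    return found

def kvm_findings(ports):
    """Describe each open KVM port; only the TLS redirection port passes."""
    notes = []
    for port in sorted(ports):
        flag = "OK" if port == 16995 else "REVIEW"
        notes.append(f"{flag} tcp/{port} {KVM_PORTS.get(port, 'unknown')}")
    return notes

if __name__ == "__main__":
    # Constructed sample: DNS holds the OS WiFi address instead of the AMT one.
    print(dns_status("pc01.example.test", "192.0.2.10", {"198.51.100.7"}))
    print(kvm_findings([5900, 16995]))
```

Pass the AMT wired address you recorded at provisioning time as `amt_ip`; a `mismatch` result means the viewer would be sent to the OS WiFi address rather than to AMT.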
