vPro Ports for VPN

idata · ‎01-17-2011

Greetings,

I'm trying to find all of the ports we need to set on VPN to allow WEBUI access to a users computer.

so far, this is what we have set and configured.

80 Standard HTTP Port (Web UI)

443 Standard HTTPS Port (Web UI in SSL mode)

16992 SOAP commands in SMB mode *

16993 SOAP commands in TLS/Enterprise mode **

16994 IDE-Redirection in SMB mode *

16995 IDE-Redirection in TLS/Enterprise mode **

Problem: Able to see the login screen, however, unable to authenticate. I added the reg fix and it works if we open all ports. but once we restrict to the ports listed above, the login screen will not authenticate.

James

idata · ‎01-17-2011

The default port is 5900. This Use Case Reference Design might be helpful: http://communities.intel.com/docs/DOC-4795 http://communities.intel.com/docs/DOC-4795 You can also have encrypted traffic by configuring the KVM listener to use ports 16994/5. Here is part of the Q&A from the Use Case Reference Design guide. Question:Can KVM Remote Control listen on a port other than 5900? Answer: You cannot choose which port KVM Remote Control listens on. However, KVM Remote Control has another mode in which it listens through a tunnel on port 16994/5. This is called the Redirection Listener.

idata · ‎01-17-2011

Thanks for a reply Steve, but I'm not trying KVM. All I want is for my end users to access the WebUI on each of the internal desktops. This way they can turn off, on or reboot their systems.

idata · ‎01-20-2011

We found the answer.

Open Intel vPro technology related network ports on routers and firewalls:
- 80 & 443 – Web Port
- 88 & 464 – Kerberos Port
- 389 (UDP) – LDAP Port
- 445 – Microsoft DS Port
- 2002 – CIRA Port
- 9971 – Provisioning Port
- 16992 through 16995 - OOB Management Ports

Jacob_G_Intel · ‎01-18-2011

Based on your question, I assume you are using a Kerberos credential to log in? If so, my guess is that the firewall is blocking communication between AMT and the active directory server. Unfortunatly, I'm not an expert on how authentication works with Active Directory so I may be wrong, but I think you just need to open the port used (which I don't know ) for that communication. Hope this at least points you in the right direction. If you figure it out, please let me know. In the mean time, I know a few folks who might be more helpful. I'll ask around and post again when I have more info.

BTW - If you really want to "get jiggy" you could use wireshark to sniff the traffic on a working session to find out what ports are used. Then you'll know, exactly, what you can and can't block. The trick is to hook your AMT system to a hub and use a 2nd system, also attached to the hub, to run the wireshark trace. If you can, leave the AMT system off so it's OS is not generating any traffic.

Jacob_G_Intel · ‎01-18-2011

I have another answer before my first one was approved . Anyhow, no one has said "unblock port X". However, folks agree that the Active Directory Kerberos ports need to be unblocked and gave some educated guesses.

http://geekswithblogs.net/TSCustomiser/archive/2007/05/09/112357.aspx http://geekswithblogs.net/TSCustomiser/archive/2007/05/09/112357.aspx. Based on that link, try unblocking 88 + 464 for TCP & UDP. BTW - Based on some info I got from Intel's IT department, it may be that you only need 88, but I am not sure and can not test. So, please give it a shot and let me know what you find.