7 Replies Latest reply on Sep 12, 2012 1:15 AM by

    DQ67SW Need to enable IP-KVM vPro


      Hi guys


      I am new here and to vPro from Intel. I just purchased and built a Sandy bridge i5 2400 plus DQ67SW system and I need to be able to setup KVM/remote management. Would someone please guide me through and share the tools/software I need to install this?


      On the BIOS (F2) I see Intel ME menu but only change password exists and it will not allow me to change it, I don't know what the default password is. I tried admin.


      I need to remotely mount an .iso from my Windows 7 PC so that I can install the OS. Help is appreciated. I don't know how to use this new intel technology, is someone can break down what I need to do then I can dig in further, but for now I need to get the system online asap.



        • 1. Re: DQ67SW Need to enable IP-KVM vPro
          Radu Bogdan

          This is what you need to know 



          Good luck !


          For a complete list of white papers and detailed instructions go here : http://communities.intel.com/community/openportit/vproexpert?view=documents



          1 of 1 people found this helpful
          • 2. Re: DQ67SW Need to enable IP-KVM vPro

            You are on the right track. Once you change the password, save/exit, and re-enter BIOS there will be more options. The default password is admin. When you assign a new one, it has to be at least 8 characters, and have at least 1 upper and 1 lower case letter, 1 number, and 1 special character; e.g. P@ssw0rd.


            If you're unable to set the password, the way to clear back to default is to unplug it and then either remove the CMOS battery or set the BIOS clear jumper. Note: ALLL BIOS SETTINGS will be placed at factory default, so be ready to reconfigure EVERYTHING.


            Once you have the other options, you'll turn on local configuration, give the system a name, and set anything else you're interested in. Let me know if you have Qs here.


            Finally you will configure and then use KVM. Out-of-Box Configuration for KVM Remote Control. It will show you how to configure, and then how to use a standard VNC viewer. Note: it has a section for the BIOS config part, but it looks different as the Intel Motherboard's use a costum UI. As long as you were successfull above, just skip over that part.


            Another, easier method would be to try RealVNC Viewer Plus. It does the config for you and adds other vPro feature like remote power on/off and IDE Redirection. The disadvantage is that it's not free. But, it has a 90 day trial so it's great to get started with.


            There's actually a few tools, but I find the two above the easiest ways to get started. My advice is to understand how everything works, then shop around for a tool that fits your needs and budget .


            Please let us know if you have questions and share your results.


            BTW - a good test to be sure your got AMT running properly is to connect to it's webUI. For a non-TLS configuration (which is what you're doing when you set everything in BIOS) you'd connect to http://<yourIP>:16992/ and login as admin with the password you set in BIOS.

            • 3. Re: DQ67SW Need to enable IP-KVM vPro

              Thank you guys really helpful.


              VNC Viewer Plus works, but when using the Remote .ISO mounted from my Windows 7 machine to the host the connection will timeout after a few minutes if there is no interaction with the AMT screen. This is a pain in the ****, unlike my Lantronix Spider KVM with USB virtual media who drops the media after 1 hour inactivity.


              I emailed VNC about it and they refered me to Intel support, I changed the BIOS AMT Timeout settings to its maximum 65XXX minutes. Still having issues.


              Is there a better management tool than VNC -- should I dare to ask, free?


              Also this technology sounds promising, I usually build Supermicro servers with built-in IPMI - but since Intel AMT Is built-in there is the possibility to save costs by using it... the only problem is I do not know how to secure my AMT network (it does not depend on the operating system or power status of the machine, so I don't know how to prevent other people or networks from sending magic packets and discovering the machines).


              One last point, is there a centralized management center for all vPro AMT machines? I noticed in the BIOS there is Encryption and all that, but in my simple setup Encryption is not enabled. I would like to enable encryption and setup a fake server if possible... any suggestions?



              • 4. Re: DQ67SW Need to enable IP-KVM vPro

                [quote]I emailed VNC about it and they refered me to Intel support, I changed  the BIOS AMT Timeout settings to its maximum 65XXX minutes. Still having  issues.[/quote]

                What a crap. Would have expected AMT 7.0 not to have those issues.


                You might want to try these:

                http://www.radmin.com/products/radmin/intel_amt_features.php the radmin viewer is free and supports amt

                http://software.intel.com/en-us/articles/download-the-latest-version-of-manageability-developer-tool-kit/ includes amt commander / tools for amt. however as i've read it's more supporsed to be a sdk demo, anyway, just try it ;-)


                I have one question for you: Your board comes with vnc viewer pro - I guess it's just a demo or is it the full version that's included with the board? (I yet don't have an Intel system with AMT, just curious)

                • 5. Re: DQ67SW Need to enable IP-KVM vPro

                  The session timeout can be set in the advanced options on VNC Viewer Plus. Click Options. Click Expert Tab (if you don't see it click Advanced... button first). Now, set AmtSessionTimeout. You can set -1 (use AMT default), 0 (never disconnect), or 1 - 255 (number of minutes of inactivity before disconnecting). You can also set this with other tools such as the Manageability Developer's Tool Kit.


                  There are many free and "do-it-yourself" options. Of course, it all depends on what you want to do. Two good resources are the Use Case Reference Designs for Intel vPro Technologyand the Tools and Utilities for Intel® vPro™ Technology.


                  For the KVM Remote Control Feature, any VNC Viewer based on RFB 3.2, 3.7, or 4.0 should work.Out-of-Box Configuration for KVM Remote Controlwill show you how to use RealVNC's Free viewer.


                  For other basic features like turning the system on you can use the WebUI.


                  There are a bunch of free (and sometimes open source) tools with various features: Remote ISO Launcher (RIL)(IDE-r, Reboot, SOL + boot disc scriptability), Manageability Developer's Tool Kit (nearly every AMT feature), RAdmin Viewer (IDE-r, SOL, and Power on/off/reboot), Spiceworks via plugins (sheduled on/off for saving power, SOL, IDEr, KVM and more?), Intel System Defense Utility (ships with Intel Boards), MeshCentral, and Intel Setup and Config Service (for setting up and/or configuration AMT). And, I'm sure there's more that I'm not aware of. There's also loads of "paid for" options. Let me know if you want that list and I'll try to dig it up.


                  And, of course you can write your own scripts using Using AMT Remotley from a Command Line with WinRM, the vPro PowerShell Module, or write application code using the AMT SDK, the High Level API (C#) or the Java Library, and get help from other developers on this forum.


                  OK, onto security. It's (nearly) impossible to make a network resource completly undiscoverable. Otherwise it'd be inaccessbile and therefore useless as a network resource...or am I missing something? However, you can greatly limit the attack surface. I'll try to keep this breif. First, AMT protects itself by requiring user's to authenticate via Digest or Kerberos. This way, only trusted people can use it.


                  Optionally you can enable TLS. This can be used to further authenticate users and to authenticate AMT to the user. It also adds encryption to AMT communications. One way to enable TLS using SCS (link above). You'll also need a CA. TLS can not be enabled purely via BIOS.


                  To lower the attack surface of AMT, you can tell it not to respond to pings and to turn off the WebUI. You can also disable the Redirection and RFB listening services (these are disabled by default). When you want to use these services you'd send a WSMan command to turn them on, then use them, and then turn them back off. Note: many (but not all) management consoles handle the task of turning services on and off automatically. It should be noted that once you turn AMT on, it will always listen for http (WSMan/SOAP) connections on port 16992 (non-TLS) or 16993 (TLS). The only way to stop this is to turn AMT off. As I noted above, if it didn't listen on at least 1 port, you could never connect and use it. Qs?


                  To you're last question, I'm not sure what you mean by a "fake server". Many management consoles (like spiceworks, LANDesk, MS Config Manager, etc) use a centralized database scheme. Most of them are not free. However, you can use the TLS encryption without a centralized database. Also, if you have active directory, you could link all your AMT user accounts to AD users/groups. It's all a matter of what you're trying to accomplish.


                  Here's what I do: I manage a few systems at my home and at family & friends houses. Basically, I use KVM and IDEr to fix problems and use power on to access data from systems that are off. I don't bother with TLS. I randomize the admin password and use KeePassPortable as a database to track passwords. I use DHCP reservations, dyndns, and port forwarding to be able to find and connect to systems from across the internet. I use RealVNC Free viewer, WebUI, and ISO Launcher for AMT tasks.

                  • 6. respond this post
                    Your reply was rejected by a moderator. Please edit your reply and resubmit it for approval.

                    A lot of specialists say that business loans aid a lot of people to live the way they want, because they are able to feel free to buy necessary goods. Furthermore, different banks offer bank loan for young and old people.

                    • 7. Re: DQ67SW Need to enable IP-KVM vPro

                      you have to set a new password, which should at least 8 symbols including upper and low case characters, numbers and symbols like dash for example.

                      Once you set a new password, I will get a new menu, which lead you further.


                      Good luck!

                      • 8. Re: DQ67SW Need to enable IP-KVM vPro

                        All, I need to deploy my ISO image on to Intel server S2600GZ from a remote linux box(RHEL), how can I, since Dell supports VMCLI scripts to do the same, there are any kind of scripts available, Please help me it's Urgent.