For HW KVM, you should create a rule to forward also Port 5900, 16992 is not enough for KVM.
I forwarded port 5900 in the router as you suggested and I am still unable to connect to the vpro computer from the remote computer. Any other suggestions would be appriciated.
I forgot to mention, 5900 for hardware KVM to Network Interface if you are using plain VNC protocol rather than VNC encapsulated within a re-direction protocol. I have this configuration in my lab and it should work.
Actually, you also need to forward 16994 for the KVM to successfully go through your router.
VPro does use ports 16992 - 16995. Since most of the stuff only uses 16992 and 16993, most people, including me , often forget to forward 16994/16995 as well.
I had the same problem and it went away as soon as I forwarde 16994 as well.
Actually, you need to forward 16994 as well. vPro uses ports 16992-16995. Though most stuff works by just forwarding 16992, for KVM to work behind a firewall, you need to actually forward 16994 as well (or 16995 if you are using TLS).
I just had the same problem and forwarding 16994 solved it right away.
So, do I need to forward port 5900 as well as ports 16992-16995 to allow a connection from outside the LAN?
(Not that I have managed to connect from inside the LAN yet..! Is it possible to use the hardware KVM with host-based AMT configuration, or do I need to configure with a USB key+reboot? I'm using Server 2012 with NIC teaming and have LACP enabled on the switch - is this configuration liekly to conflict with AMT/vPro in any way?)
Thanks for any tips - this is proving much harder than I thought it would be...
After lots of experimentation, I have found a few things that might help others in the future. It's all documented in various places, but these are a few stumbling points I came across trying to get this working...
1) I had difficulty using host-based setup, as the tool doesn't allow you to configure a gateway address directly for the AMT IP address. Either choose all the options and then manually edit the networksettings.xml file before applying the configuration, or (much easier if it's possible) use the USB key method, which also allows you to turn user consent off, while host-based config doesn't. This might also have been more difficult than necessary owing to the next point....
2) Unless you know how to make it work (I don't), don't try and team the AMT NIC with any others. I had a switch setup for LACP and the 2 NICs on my DQ77MK teamed under Windows Server 2012 and it really messed up any AMT connections, presumably because the switch only sent half the packets to the right NIC. If anyone knows how to make this work, I'd be glad to hear from them!
3) You only need ports 16992-16995 open on your firewall.
4) If you change the AMT admin username, for some reason Real VNC Viewer Plus will not connect and gives "Internal Error (190)". I had changed the admin username to try and increase security a bit, but this prevented a connection at all. This one probably ought to be fixed, either by Intel or Real VNC.
5) After all that, I couldn't connect from outside my LAN. This turned out to be an ARP firewall issue on my Draytek Router. Resolved by telnetting in and setting it to enable 'illegal Destination ARP addresses': ip arp enable 3 on my particular model 2830n+. Once I'd done that, it all sprang into life.
I couldn't find an FAQ/troubleshooting guide for KVM connection to vPRO. Perhaps someone could start one off and add some of these points to it?
In order to connect from the wide area network (WAN), you have to turn on cloud desktop settings in the bios.
There you can set an access point IP and set it to DHCP or STATIC client IP settings. You also have to specify a port there as well and forward it in your router. Then you can connect from the WAN using vnc plus just fine.