3 Replies Latest reply on May 3, 2012 4:14 PM by gfuestonx

    How to manage vpro clients using MTLS/TLS kerberos based communication

    ferozekhan267oa

      Hi vpro Experts,

       

      I have 100+ vpro clients with a mix of AMT 6 and AMT 7 machines. All of them have already been provisioned using the basic SMB / Manual configuration method and are now part of the corporate domain.

      I now wish to capitalize on the AMT features like KVM, IDER, SOL, FCFH by securely and remotely managing these provisioned vpro systems using MTLS / TLS Kerberos based communication with VNC as my management console. My current setup is Windows Server 2008 with roles of ADS, DNS, DHCP, IIS, ADCS along with SCS 8.0 and VNC Plus. I am able to perform most of the AMT features without TLS using the digest MeBX account; however, for security reasons my objective is to integrate Kerberos based authentication and MTLS/TLS communication between the Management console (VNC) and the vpro clients.

       

      Could you help me with a high-level breakup on how to achieve the same?

       

      In order to achieve the above objectives please clarify on the following as well:

       

      >Do I need to create / purchase any SSL certificates for this purpose?

      >If yes, what certificate do I need for implementing MTLS communication for remotely managing the vpro clients for performing jobs like KVM, IDER, SOL, FCFH?

      >How can I create an SSL certificate from our internal root CA using the ADCS running on one of the domain controllers for MTLS/TLS communication?

      >Am I correct to say that the certificate hashes that are already embedded into the MeBX (like GoDaddy, VeriSign, Comodo etc.) are only used for initial provisioning? Which further means that these external SSL certificates are of no use to me since all my vpro clients are already SMB / Manually provisioned as stated above?

       

      Regards

      Mohammed