5 Replies Latest reply on Apr 6, 2009 11:33 AM by Hui

    AMT in-band provisioning on a Branch Office Subnet without DHCP option 15

    Hui

      Hi

       

      I need to provision a couple of machines that are located in branch offices, each with around 5 to 10 computers. These branch offices are connected through a VPN tunnel using ISA Server 2006 and Draytek Vigor routers.

      Each router supplies its office with DHCP services. The DNS servers supplied to the clients are those of the Active Directory located in the headquarters, so option 06 should be delivered correctly.

      But option 15 (the DNS suffix) cannot be supplied to the machines via DHCP. Is there any possibility to provision the machines anyway? Preferably without physically touching them.

      I am using in-band provisioning with Microsoft SCCM 2007 SP1, and provisioning at the headquarters works fine by now.

       

      Thanks,

      Ingo

        • 1. Re: AMT in-band provisioning on a Branch Office Subnet without DHCP option 15
          Trevor.Sullivan

          Hello,

           

          Yes, it's possible, but no, you can't do it without physically touching each machine.

           

          1. Log into MEBx locally

          2. Change password

          3. Manually set domain suffix

          4. Provision device

           

          The FQDN configured in the MEBx overrides DHCP Option 15 for the AMT firmware.

           

          Trevor Sullivan

          Systems Engineer

          OfficeMax Corporation

          • 2. Re: AMT in-band provisioning on a Branch Office Subnet without DHCP option 15
            Hui

            Hi

             

            But configuring the FQDN on the device should be possible by using a USB key, right?

            Is there any documentation available on how to create/prepare such a USB key?

             

            Thanks,

            Ingo

            • 3. Re: AMT in-band provisioning on a Branch Office Subnet without DHCP option 15
              Trevor.Sullivan

              I am not personally aware of any such documentation, but you might want to check out the utilities included with the Intel AMT DTK.

               

              http://www.intel.com/software/amt-dtk/

               

              Trevor Sullivan

              Systems Engineer

              OfficeMax Corporation

              • 4. Re: AMT in-band provisioning on a Branch Office Subnet without DHCP option 15
                wryork

                Ingo,

                Option 15 is used in the provisioning process to validate the provisioning certificate (e.g. VeriSign). AMT will look at the FQDN from option 15 and compare it to the provisioning certificate during the provisioning process. These values must either match or leverage a few of the options available in different versions of AMT and certificate types (e.g. wildcards, UCC, etc.). Here is a good whitepaper post for more understanding on this point: http://communities.intel.com/docs/DOC-2432

                Can these systems be given any type of option 15 value? It does not have to match exactly that of your SCCM environment as long as the top-level roots are the same. This will make more sense once you review the whitepaper. If option 15 is completely missing from the equation for these remote systems, a physical touch will be necessary, as Trevor describes. You are correct that you can use a utility (from the Manageability Tool Kit) to generate this value for you and import it into AMT. The utility is called USBFile (unless it was renamed in the tool kit). You can use this utility to generate a setup.bin file and copy it to a FAT16-formatted thumb drive (the smaller the drive, the better). You can use the -dns switch to add the necessary values to match your provisioning certificate. Then simply insert it into the vPro system and it will pull the settings into the MEBx, as defined during the creation of the setup.bin file.

                 

                 

                OUTPUT from Utility and associated switches

                 


                *** Intel(R) AMT USB file writer and viewer sample v2.0***

                syntax:
                USBfile -create <usb output file name> <current MEBx password>
                           <new MEBx password> [-v 1|2] [-amt]
                           [-dns <DNS suffix>] [-fqdn <prov server fqdn>]
                           [-ztc 0|1]
                           [-gen <num of records>]
                           [-xml <xml file name>]
                           [-pid <pid> -pps <pps>]
                           [-hash <cert file name> <friendly name>]
                           [-redir <n>]
                USBfile -view <usb file name>

                -v 1|2: the setup file version, 2 by default
                -amt: this will set the manageability selection value to AMT
                -dns <DNS suffix>: sets the PKI dns suffux name (up to length 255)
                -fqdn <prov server fqdn>: string up to length 255
                -ztc 0|1: enable/disable PKI Configuration
                -xml <xml file name>: if -gen is chosen the PSK records that
                  are created will be dumped to the given file
                -gen <num of records>: create the requested number of consumable records.
                  By default, a single non-consumable record is created.
                  If this option is chosen, a PSK pair will be randomly
                  generated for each record.
                -pid <pid> -pps <pps>: a psk pair - this is ignored if -gen was chosen
                -hash <certificate file name> <friendly name>: to compute and add the
                  hash of the given root certificate file. The file provided
                  must contain the root certificate data only. Up to three
                  certficate hashes may be specified.
                -redir <n>:
                  This is an integer that is calculated as follows:
                   bit 0 : 1 (Enable) or 0 (Disable) -  SOL feature
                   bit 1 : 1 (Enable) or 0 (Disable) -  IDER feature
                   bit 2 : 1 (Enable) or 0 (Disable) -  Username/password
                           authentication type of the SOL/IDER in the ME FW
                Examples:
                USBfile -create setup.bin admin Admin22@  -v 1 -gen 10 -xml setup.xml
                USBfile -create setup.bin admin Admin22@ -pid AAAA-AAAN
                             -pps AAAF-AAAF-AAAF-AAAF-AAAF-AAAF-AAAF-AAAF
                USBfile -view setup.bin

                Notes:
                1. The BIOS requires a binary file with the name "setup.bin"
                2. If version 1 is chosen, the only valid options are -xml as well as
                   either -gen (to generate multiple PSK records) or -pid and -pps (to
                   create a single PSK record). All other optional flags will be ignored.


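The suffix comparison wryork describes above (the DHCP option 15 value must match the domain of the provisioning certificate, or at least share its root, with wildcard and UCC multi-name certificates allowed) is easy to get wrong when planning which branch subnets can be provisioned without a site visit. The following Python model is an added example, not code from this thread, from Intel, or from the AMT DTK; the matching rule it implements (suffix equals the certificate's domain part, or is a child of it, never a look-alike such as `evilcorp.example.com` against `corp.example.com`) is an assumption made for illustration, since the exact rule differs between AMT firmware versions and is not spelled out in the thread. All host names and certificate names are constructed.

```python
"""Model of the DHCP option 15 vs. provisioning-certificate domain check.

Added illustration only: the comparison rule below is an assumption, not
Intel's firmware logic.  Every name used here is constructed sample data.
"""
from __future__ import annotations


def _labels(name: str) -> list:
    """Normalise a DNS name: lower-case, drop a trailing dot, split on '.'."""
    return [label for label in name.strip().lower().rstrip(".").split(".") if label]


def cert_domain(cert_name: str) -> str:
    """Return the domain part of a certificate DNS name.

    'provision.corp.example.com' -> 'corp.example.com'  (host label dropped)
    '*.corp.example.com'         -> 'corp.example.com'  (wildcard covers hosts)
    """
    labels = _labels(cert_name)
    if len(labels) < 2:
        raise ValueError(f"certificate name has no domain part: {cert_name!r}")
    return ".".join(labels[1:])


def suffix_matches(option15: str, cert_name: str) -> bool:
    """True if the DHCP option 15 suffix is the certificate's domain or a child
    of it (assumed rule: 'branch1.corp.example.com' matches a certificate for
    'provision.corp.example.com'; a parent such as 'example.com' does not)."""
    suffix = _labels(option15)
    domain = _labels(cert_domain(cert_name))
    if not suffix or not domain:
        return False
    # Compare on label boundaries so 'evilcorp.example.com' cannot match
    # 'corp.example.com' the way a plain endswith() on strings would allow.
    if suffix == domain:
        return True
    return len(suffix) > len(domain) and suffix[-len(domain):] == domain


def check_site(option15, cert_names) -> tuple:
    """Evaluate one site's option 15 value against every DNS name on the
    provisioning certificate (a UCC certificate carries several).

    Returns (ok, matched_certificate_name_or_None).  A site with no option 15
    at all, which is Ingo's situation, can never pass this check and needs the
    suffix set locally (MEBx or setup.bin) instead."""
    if option15 is None or not _labels(option15):
        return False, None
    for name in cert_names:
        if suffix_matches(option15, name):
            return True, name
    return False, None


# Constructed sample data: one UCC-style certificate with two names, and the
# option 15 value each site's DHCP server hands out (None = not supplied).
PROVISIONING_CERT_NAMES = ["provision.corp.example.com", "*.example.net"]
SITES = {
    "headquarters":   "corp.example.com",
    "branch-1":       "branch1.corp.example.com",
    "branch-2":       None,                      # router cannot send option 15
    "lab":            "lab.example.net",
    "lookalike":      "evilcorp.example.com",
}


def site_report(sites=SITES, cert_names=PROVISIONING_CERT_NAMES) -> dict:
    """Map each site to (ok, matched name) so the result can be inspected."""
    return {site: check_site(suffix, cert_names) for site, suffix in sites.items()}


if __name__ == "__main__":
    for site, (ok, matched) in site_report().items():
        status = f"OK (matches {matched})" if ok else "needs local suffix setup"
        print(f"{site:14s} {status}")
```

Running the block prints one line per site; only the entries whose suffix sits under one of the certificate's domains come out as OK, and the site with no option 15 is flagged for a local setup.bin or MEBx configuration, which is the conclusion the thread reaches.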

                • 5. Re: AMT in-band provisioning on a Branch Office Subnet without DHCP option 15
                  Hui

                  Hi William

                   

                  Thanks for your input about the USB key tool.

                  Unfortunately the branch offices use a router where I cannot set any DHCP options besides the DNS servers. All I can do about the DNS suffix is to set a group policy option in Active Directory that sets the DNS suffix for the computer, but this doesn't seem to work for AMT, as I have already tried it.

                  I might have some other DNS issues there as well, because the PTR records are not correctly created for machines located in branch offices (the A records work and update fine, though).

                   

                  Ingo