3 Replies Latest reply on Mar 2, 2015 4:23 PM by brunodom

    Beginner questions about Intel AMT (kvm/VNC and web-interface)

    Jonas Camillus Jeppesen

      Hi all

       

      I have an PC based on an DQ87PG motherboard (Intel AMT 9.x) and  i5-4570 CPU and I would like to use the out-of-band VNC/KVM features, and the web control panel to restart and power on/off. I have already succeeded in using both by trail-and-error clicking through the Manageability Developer Tool Kit (MDTK), but I lack some basic understanding which I hope to gain by asking some questions:

       

      # KVM and VNC?

      KVM is keyboard-video-mouse, and VNC is Virtual Network Computing. How are the two linked? VNC already includes all the KVM concepts it seems. Using VNC you can view displays, and keyboard+mouse inputs are transmitted as well. So why not just call it "out-of-band-VNC", or Intel AMT VNC, why have KVM there at all?

       

      # Alternatives to RealVNC?

      Can the out-of-band KVM/VNC features be used with other VNC clients without limitations? I see guides around on the internet for using TightVNC, but they always include setting an "Allow / use port 5900"-setting. Is RealVNC special in any regards - is their product specially made for Intel AMT, or is Intel AMT specially made for RealVNC?

       

      # TLS

      Does configuring TLS help protect the "AMT / KVM setup" from unauthorized use? My scenario is that the machine is placed a remote location on an untrusted network. People might try to access the AMT features. As far as I understand there is always the 8 char password (upper/lower case letters, numbers and special chars) protecting all features (KVM/VNC, using MDTK Director/Commander Tool to reconfigure, maybe even entering the ME part of the BIOS). What additional security does TLS provide here? Using the Manageability Director Tool I can create some certificates, set a security profile with "Intel AMT security" set to "TLS security" instead of "Password security only", and then specify some of the home-made certificates. It provides network encryption, of course, but what does that mean practically? Will it make it harder to abuse the AMT features for an attacker, or will it just keep an attacker from seeing my computer screen?

       

      # Setup of AMT

      Is using the Manageability Developer Tool Kit (MDTK) the way to go when configuring a single machine once in a while (before placing it at some remote location where you would like the option to recover from a crashed OS without driving there)? There is something else, called Intel SCS (Setup and Configuration Software). Will that do all the same things, and is it easier to use?

       

      Thank you for your input!
      JonasCJ

        • 1. Re: Beginner questions about Intel AMT (kvm/VNC and web-interface)
          brunodom

          Hi Jonas,

           

          1. In order to have access to KVM from a remote console, we use VNC protocol, If you would like to remote control an Intel vPro provisioned machine, you can use VNC Viewer Plus that is able to manage the nuances of Intel AMT.

           

          2. In theory, any VNC client can work with AMT, the biggest problem is that to initiate and establish connect that AMT is different from other VNC servers.

           

          3. If your security threat is "unauthorized access", TLS will not significantly increase in this scenario. In order to protect from unauthorized access you may adopt kerberos (with AD integration) that is much stronger than Digest Authentication and also you can adopt Mutual Authentication using TLS.

           

          4. Intel SCS is the on-stop-shop for vPro provisioning, you have tools inside this package that will allow you provision since a single to thousands of machines, e.g. you have ACU Wizard that allow you goes through a wizard to configure a single machine up to a Remote Configuration Server that is installed as service, with DB connection that can make your life easier for thousands machines. BTW: you may also be interested on MeshCentral

           

          Best Regards!

          • 2. Re: Beginner questions about Intel AMT (kvm/VNC and web-interface)
            Jonas Camillus Jeppesen

            First of I have to ask this: Why does new topics (and replies!) need to be approved by a moderator? Is it only for new users, or ? It completely kills the forum feel of this "forum".

             

            Secondly, thank you for replying brunodom.

             

            4. By "Intel SCS" you mean these tools: IntelSCS_10.0.11.35.zip from Intel® Download Center ? Could you give a hint to what I might look for/at if I want to configure a remote system via network, using Intel SCS? The ACUWizard.exe seems to be meant for configuring the local pc.

             

            3. Any hints on where I setup mutual authentication? Is it also using IntelSCS, or is it using the Commander Tool and Director Tool?

             

             

            2. Can I hope to get full VNC functionality using TightVNC (on Linux)?

             

            Thank you again!

            • 3. Re: Beginner questions about Intel AMT (kvm/VNC and web-interface)
              brunodom

              Jonas,

               

              Answering your questions by #.

               

              4. Yes, it is. If you would like to provision/configure machine remotely, there are basically two strategies, both using RCS + ACUConfig.exe utility: Remote Configuration that relies on 3rd party certificate or Host Based Configuration.

               

              3. You can setup mutual authentication in Intel RCS profile and use this profile for provisioning;

               

              2. Full it's a strong word here ... I see several limitation, such as request consent to a user that is no available on a regular VNC client, authentication mechanism that is used by vPro, etc. I strongly recommend you use VNC Viewer Plus - based on my experience with several customers, it looks to be frustration free approach.

               

              My two cents!

              -Bruno Domingues