Symantec ALTIRIS OUT OF BAND MANAGEMENT COMPONENT 7.0 SP3 - V1.0 Implementation Manual Download Page 107 | Manualshive

Page: 107 / 192

background image

To convert the certificate to PEM format

1

From the Notification Server computer, download and install the openssl.exe
utility.

For example, you can download the utility from the following Web site:

http://www.slproweb.com/products/Win32OpenSSL.html

For more information on OpenSSL, visit

http://www.openssl.org/

2

Click Start > Run.

3

In the Open box, type

cmd

, and then click OK.

4

Navigate to the location of the Openssl utility.

For example,

C:\OpenSSL\bin

5

Run the following command:

openssl pkcs12 -in <infile.pfx> -out

<outfile.pem>

where

<infile.pfx>

is the path to the mutual authentication

certificate that you just exported, and

<outfile.pem>

is a name of the new

converted certificate.

Remember the PEM pass phrase for later use.

To configure a connection profile

1

In the Symantec Management Console, on the Settings menu, click All
Settings.

2

In the left pane, click Monitoring and Alerting > Protocol Management >
Connection Profiles > Manage Connection Profiles.

3

Click the connection profile that you want to use to connect to Intel AMT
computers with Real-Time System Manager, and then click the Edit symbol.

4

In the Define Group Settings dialog box, expand the AMT section.

5

Check Secure mode.

6

In the Trusted CA certificate location box, click Browse and browse to the
CA certificate that you exported for TLS.

See

“Exporting the CA Root Certificate for the Altiris Real-Time System

Manager software”

on page 97.

7

In the Notification Server certificate location box, click Browse and browse
to the mutual authentication certificate file that you just converted (.pem
file).

8

Under the Notification Server certificate location box, click the Add symbol.

9

In the Add Credential dialog box, in the Credential type drop-down, click
AMT NS Cert. File Credential.

107

Configuring TLS

Configuring TLS with mutual authentication

«
...
105
106
107
108
109
...
»

Summary of Contents for ALTIRIS OUT OF BAND MANAGEMENT COMPONENT 7.0 SP3 - V1.0

Page 1: ...Altiris Out of Band Management Component from Symantec Implementation Guide Version 7 0 SP3 MR1 ...

Page 2: ...RIMPLIEDCONDITIONS REPRESENTATIONS AND WARRANTIES INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY FITNESS FOR A PARTICULAR PURPOSE OR NON INFRINGEMENT ARE DISCLAIMED EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BELEGALLYINVALID SYMANTECCORPORATIONSHALLNOTBELIABLEFORINCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING PERFORMANCE OR USE OF THIS DOCUMENTATION THE INFORMA...

Page 3: ... minute information Upgrade assurance that delivers software upgrades Global support purchased on a regional business hours or 24 hours a day 7 days a week basis Premium service offerings that include Account Management Services For information about Symantec s support offerings you can visit our Web site at the following URL www symantec com business support All support services will be delivered...

Page 4: ...iness support Customer service Customer service information is available at the following URL www symantec com business support Customer Service is available to assist with non technical questions such as the following types of issues Questions regarding product licensing or serialization Product registration updates such as address or name changes General product information features language ava...

Page 5: ...existing support agreement please contact the support agreement administration team for your region as follows customercare_apac symantec com Asia Pacific and Japan semea symantec com Europe Middle East and Africa supportsolutions symantec com North America and Latin America ...

Page 6: ......

Page 7: ...ntel AMT versions and features 17 About Intel AMT configuration modes 18 About Intel AMT security 20 About Intel AMT related credentials 22 About Intel AMT wireless support 24 About ASF 24 About DASH 25 Comparison of Intel AMT ASF and DASH 25 What you can do with Out of Band Management Component 26 About Intel AMT tasks 26 About ASF tasks 27 About DASH tasks 27 Where to get more information 27 Cha...

Page 8: ...er software and hardware requirements 44 Installing the Out of Band Management Component product 45 Upgrading the Out of Band Management Component product 45 Uninstalling Out of Band Management Component 45 Uninstalling the Out of Band Task Agent 46 Uninstalling Out of Band Management Component from Notification Server 47 Chapter 4 Preparing target computers for management 49 Preparing target comp...

Page 9: ...esending Hello messages with the Delayed Configuration policy 89 Resending Hello messages with the Send Intel AMT Hello Message task 90 Configuring Intel AMT computers in small business mode 91 Chapter 7 Configuring TLS 95 About TLS 95 About configuring and enabling TLS 95 Configuring TLS 96 Exporting the CA Root Certificate for the Altiris Real Time System Manager software 97 Configuring the conn...

Page 10: ...ration Properties dialog box 126 Add Certificate Generation Properties dialog box 126 Select Certificate Template dialog box 127 Auxiliary profiles Management Presence Servers page 127 ManagementPresenceServers AddManagementPresenceServer dialog box 127 Auxiliary profiles Remote Access Policies page 128 Remote Access Policies Create Remote Policy dialog box 129 Auxiliary Profiles Wireless Profiles...

Page 11: ... task 160 OOB Site Service page 161 Certificate Enrollment task 164 Firewall Configuration task 164 FQDN Synchronization task 165 Install Intel Setup and Configuration Server task 165 Install OOB Site Service agent task 165 Install Out of Band Management Site Service Agent and Intel Setup and Configuration Server job 165 Intel Setup and Configuration Server Upgrade job 166 Intel Setup and Configur...

Page 12: ...g filters 178 How Resource Synchronization policy works 181 Remote Configuration certificate requirements 182 Remote Configuration certificate differences between releases 182 Intel AMT Release 2 2 183 Intel AMT Release 3 0 183 Intel AMT Release 2 6 183 Glossary 185 Index 189 Contents 12 ...

Page 13: ...ponent software formerly known as Altiris Out of Band Management Solution lets you discover computers with ASF DASH and Intel AMT in your environment and configure the computers for out of band management Out of band management is the ability to manage client computers regardless of the state of their power operating system or management agents You can remotely change the power state of the comput...

Page 14: ... computer is plugged in but is not actively running off standby hibernating The operating system is not loaded software or boot failure The software based management agent is not available Out of band management is the ability to manage computers in these states Computers with Intel AMT ASF DASH or IPMI capabilities can be managed out of band About supported out of band management technologies Out...

Page 15: ... information that is stored in the NVRAM of the Intel AMT device Boot a computer from a remote disk or an image on a server and run the operating system repair or reinstall Start a remote control session from the Symantec Management Console and access BIOS to view and change settings Intel AMT only What s new in Out of Band Management Component In the 7 0 SP3 release of Out of Band Management Comp...

Page 16: ...ou can perform administration tasks from wherever you are The console lets you set security that is specific to each console user You specify which areas of the console a user has access to and the rights that a user has to perform specific actions For example one user can run reports while another user can only view reports that have already been run You can start the console remotely by typing t...

Page 17: ...n Service Intel SCS provides you with the tools to set up and configure Intel AMT devices Intel SCS is automatically installed on the OOB site server computer by default the Notification Server computer See About OOB site servers on page 118 Intel SCS installation creates a new database on the SQL server This database stores configuration parameters and administrative connection credentials for ea...

Page 18: ...modes Small business mode See About Intel AMT small business mode on page 18 Enterprise mode See About Intel AMT enterprise mode on page 19 See Comparison of Intel AMT small business and enterprise mode on page 19 About Intel AMT small business mode Intel AMT small business configuration mode is easy to set up and is recommended when you have a few Intel AMT computers You can also use this mode if...

Page 19: ...infrastructure services it can provide automated one touch or remote configuration for Intel AMT devices This mode also supports the configuration of wireless features on the Intel AMT device and integration with Microsoft Active Directory This mode supports multiple security options an Intel AMT access control list and the option to encrypt communications through the use of Transport Layer Securi...

Page 20: ...ted Remote setup and configuration TLS encryption through use of Microsoft certification authority Not supported Encrypted communications Supported Not supported Microsoft Active Directory integration Supported Not supported Wireless management support Supported Not supported Network subnet support Supported Not supported Access control list for accessing Intel AMT Centrally managed passwords thro...

Page 21: ...have a user name and password for user identification When Microsoft Active Directory is used user identities are imported from Active Directory otherwise user identities are added manually Access Control List Enterprise mode only A pair of keys that are used to ensure a secure connection when the configuration server configures an Intel AMT device After a device is configured these keys are no lo...

Page 22: ...ve credentials control remote access to the Intel AMT settings for example when you run an out of band task from the Symantec Management Console or access the Intel AMT Web UI When you access the MEBx for the first time you must supply the default administrator credentials and then you are prompted to change the password This change modifies not only the MEBx admin account password but also the In...

Page 23: ...agement tasks Intel AMT Used to access Intel SCS that is running on the OOB site server computer by default the Notification Server computer At the time of Out of Band Management Component installation all users in the Symantec Administrators group are added to the list of the Intel SCS users See Users page on page 148 Intel SCS Users A list of users that can remotely access Intel AMT settings and...

Page 24: ...t Wi Fi Protected Access WPA Robust Secure Network RSN key management schemes are supported Encryption algorithm Temporal Key Integrity Protocol TKIP and Counter Mode CBC Mac Protocol CCMP are supported Authentication A pass phrase or 802 1x profile can be used to ensure that only authorized users can establish a connection with the Intel AMT device About ASF ASF Alert Standard Format is an indust...

Page 25: ...ndmanagement onpage111 See About DASH tasks on page 27 Comparison of Intel AMT ASF and DASH Out of Band Management Component supports Intel AMT ASF and DASH out of band management technologies See About Intel AMT on page 16 See About ASF on page 24 See About DASH on page 25 Table 1 5 Intel AMT ASF and DASH comparison DASH ASF Intel AMT Feature Supports the networks that include subnets Does not su...

Page 26: ...AMT tasks on page 26 See About ASF tasks on page 27 See About DASH tasks on page 27 About Intel AMT tasks Out of Band Management Component lets you perform the following Intel AMT tasks Discover Intel AMT capable computers Set up and configure computers with Intel AMT so that they can be managed out of band by other Altiris solutions Define service configuration parameters for Intel SCS Create the...

Page 27: ...te power control settings on client computers with ASF Configure the ASF alerts that can help you be more proactive in responding to memory faults temperature issues hard drive warnings chassis intrusion and so forth These alerts help you fix issues before they become destructive See ConfiguringASF DASHcomputersforout of bandmanagement onpage111 About DASH tasks Out of Band Management Component le...

Page 28: ...ou open your product s support page look for the Documentation link on the right side of the page Information about how to use this product including detailed technical information and instructions for performing common tasks This information is available in PDF format User Guide The Documentation Library which is available in the Symantec Management Console on the Help menu Context sensitive help...

Page 29: ...out Altiris products Knowledge base http www symantec com connect endpoint management virtualization An online magazine that contains best practices tips tricks forums and articles for users of this product Symantec Connect formerly Altiris Juice 29 Introducing Out of Band Management Component Where to get more information ...

Page 30: ...Introducing Out of Band Management Component Where to get more information 30 ...

Page 31: ...icrosoft Active Directory About installing Microsoft IIS Installing and configuring CA About installing NET Framework on an OOB site server About planning OOB site servers hierarchy Configuring a firewall to allow Intel SCS and SQL server connections About ports used by Intel AMT About installing Out of Band Management Component in a lab environment About managing Intel AMT computers without the A...

Page 32: ...igure ASF and DASH capable computers for out of band management Manually set up and configure Intel AMT capable computers for out of band management without the use of Intel AMT security features However if you plan to use more Intel AMT features for example TLS Remote Configuration Kerberos users 802 1x profiles more conditions must be met You can prepare the environment before or after you insta...

Page 33: ...AMT computers send their Hello packets to this host name If the OOB site server computer already has a name other than ProvisionServer add a CNAME canonical name record to the DNS To do this with a Microsoft DNS server open the MMC DNS branch open the Forward Lookup Zones branch right click the entry for the Notification Server computer and click New Alias Then type ProvisionServer as the alias na...

Page 34: ...k and then configure Out of Band Management Component settings For instructions see Out of Band Management Component Release Notes Microsoft SQL Server must be configured in mixed authentication mode Windows Authentication and SQL Server Authentication OutofBandManagementComponentusestwoSQLdatabases NotificationServer s database Symantec_CMDB and Intel SCS Symantec_CMDB_IntelAMT If you want to ins...

Page 35: ...Access Control List Kerberos users are users in the form of DOMAIN username Integration with AD is also required when you want to use 802 1x authentication The Intel AMT data that is stored in AD is used in certificate requests for that Intel AMT computer When AD integration is enabled during setup and configuration of an Intel AMT device Intel SCS creates a directory entry that is based on the In...

Page 36: ...ority Installing and configuring CA To use certain Intel AMT features you must install and configure the certification authority CA Table 2 3 Intel AMT features and the CA they require CA to install Intel AMT feature If you do not have Active Directory install a Stand alone CA If you have Active Directory you can install either a Stand alone or an Enterprise CA TLS Install an Enterprise CA TLS wit...

Page 37: ...ndows Components Wizard page check Certificate Services A warning is displayed indicating that the computer name or the domain membership of the computer cannot be changed while it acts as a certificate server Click Yes 3 Click Details Make sure that both Certificate Services CA and Certificate Services Web Enrollment Support are checked and then click OK 4 Click Next 5 On the CA Type page select ...

Page 38: ...the computer that you want to use as OOB site server See About OOB site servers on page 118 You can download and install the NET Framework 2 0 from the Microsoft Web site http www microsoft com downloads details aspx FamilyID 0856eacb 4362 4b0d 8edd aab15c5e04f5 In the case of a default OOB site server installation on the Notification Server computer you don t have to install NET Framework 2 0 add...

Page 39: ...ctions You must configure a firewall on the OOB site server computer by default the Notification Server computer to allow incoming traffic to Intel SCS On the computer with Microsoft SQL Server installed you must configure the firewall to allow incoming traffic to the SQL server Configuring firewall software on the client Intel AMT computers is not necessary because Intel AMT management is perform...

Page 40: ...rewall exceptions list About ports used by Intel AMT By default Intel SCS a component of the OOB site server listens on port 9971 Intel AMT devices send their Hello packets to this port Intel SCS and Altiris solutions that support out of band management communicate with Intel AMT devices using the following ports In non secure mode Intel AMT devices listen on port 16992 In TLS mode Intel AMT devic...

Page 41: ... Intel AMT computers that do not have the Altiris Agent installed If you choose not to install the Altiris Agent on the computers with Intel AMT you cannot perform the following actions Discover unconfigured Intel AMT capable computers in your environment Use other Altiris solutions to run in band management tasks for example software inventory software installation and so on on these computers Ru...

Page 42: ...ynchronizing Intel SCS and Notification Server resources on page 88 After this policy has run the computer resources appear in the Configured Intel AMT Computers filter This policy creates resources only for the Intel AMT computers that you set up and configured with Out of Band Management Component The computers that do not have the Altiris Agent installed do not appear in the standard Symantec M...

Page 43: ...f Band Management Component requirements on page 43 Client computer software and hardware requirements See About client computer software and hardware requirements on page 44 About Out of Band Management Component requirements Out of Band Management Component requires the following Symantec Management Platform 7 0 SP4 When you install Out of Band Management Component through Symantec Installation ...

Page 44: ...and Management Component must meet certain hardware and software requirements The client computers must support one of the out of band management technologies Table 3 1 Client computer software requirements Description Requirement 60 MB free hard disk space 64 MB RAM 128 MB recommended Hardware Windows 2003 Server SP2 or later Windows XP SP2 or later Operating system Table 3 2 Client computer out ...

Page 45: ... on page 27 After you upgrade the product you must upgrade the Out of Band Task Agents that are installed on the target computers To upgrade the Out of Band Task Agent 1 In the Symantec Management Console on the Actions menu click Agents Plug ins Rollout Agents Plug ins 2 In the left pane click Remote Management Out of Band Management Out of Band Task Agent Upgrade 3 Turn on the policy To turn on ...

Page 46: ...allation process can take some time to start depending on the intervals that are set between the updates of the Altiris Agent See Configuring the Altiris Agent settings for evaluation use on page 52 Do not uninstall the Out of Band Management Component software from Notification Server until the task has run on all computers When Out of Band Management Component is uninstalled there is no automate...

Page 47: ...tion Manager to uninstall Out of Band Management Component For more information on uninstalling products see the Symantec Installation Manager documentation See Where to get more information on page 27 47 Installing Out of Band Management Component Uninstalling Out of Band Management Component ...

Page 48: ...Installing Out of Band Management Component Uninstalling Out of Band Management Component 48 ...

Page 49: ... use Out of Band Management Component you must prepare the computers that you want to manage Table 4 1 Process for preparing target computers for management Description Action Step Discovery helps you find the host names of the computers on which you can install the Altiris Agent See Discovering computers on page 51 Discover manageable computers in your environment Step 1 4 Chapter ...

Page 50: ...nt Component make the Altiris Agent request configuration from Notification Server more frequently See Configuring the Altiris Agent settings for evaluation use on page 52 Optional Configure the Altiris Agent settings for evaluation use Step 3 The Out of Band Discovery policy lets you find the computers that are capable of out of band management See Discovering out of band capable computers on pag...

Page 51: ...een Notification Server and the computers in your network Computers with the Altiris Agent installed on them are called managed computers Notification Server then interacts with the Altiris Agent to monitor and manage each computer from the Symantec Management Console You must install the Altiris Agent on the computers that you want to manage with Out of Band Management Component For more informat...

Page 52: ...rs excluding Site Servers 3 On the General tab in the Download new configuration every box change the value to 5 minutes This forces the agent to check more frequently for changes so you can see the results of the changes you make more quickly 4 In the Upload basic inventory every box change the value to 15 minutes This forces inventory data to be sent more frequently 5 Click Save changes Discover...

Page 53: ...iew the list of the out of band capable computers 1 In the Symantec Management Console on the Manage menu click Filters 2 In the left pane click Out of Band Management 3 Click one of the following filters ASF DASH Capable Computers Intel AMT Capable Computers Installing the Out of Band Task Agent The Out of Band Task Agent runs on client computers and lets you perform ASF and DASH in band configur...

Page 54: ...and capable If you want to run the policy on a different set of computers under Applied to change the resource targets 4 Turn on the policy To turn on the policy at the upper right of the page click the colored circle and then click On 5 Click Save changes Preparing target computers for management Preparing target computers for management 54 ...

Page 55: ...equirements on page 32 You must integrate Intel SCS with Active Directory if you want to use the following Intel AMT features Kerberos authentication using AMT objects User lists 802 1X Profiles To integrate Intel SCS with Active Directory 1 Ensure the OOB site server computer by default the Notification Server computer is registered in a domain 2 Create a new organizational unit in the Active Dir...

Page 56: ...figured Intel AMT devices are registered 3 In the Symantec Management Console on the Settings menu click All Settings 4 In the left pane click Remote Management Out of Band Management Configuration Service Settings General 5 Check Active Directory Integration 6 In the Default AD OU drop down list click the name of the organizational unit that you created In this example click IntelAMT 7 Click Save...

Page 57: ...AMT computers in small business mode About configuring Intel AMT computers for out of band management Before you can manage Intel AMT computers out of band you must configure the Intel AMT devices Configuration of Intel AMT computers in enterprise mode consists of the following stages You initialize Intel AMT computers by installing PID PPS pairs into the Intel AMT firmware either manually or auto...

Page 58: ...computers for out of band management on page 61 About Intel AMT initialization Initialization previously known as pre provisioning is the process of populating the client Intel AMT computers with the Provisioning ID and the Provisioning Pre Shared Key PID PPS pairs These pairs are needed for secure communications during the setup and configuration process Depending on your infrastructure and the I...

Page 59: ...he Intel AMT device you must resend Hello messages when the configuration server becomes available See About resending Hello messages on page 89 If you want to initialize set up and configure Intel AMT capable notebook computers make sure you connect the computers to the wired network See Prerequisites for Intel AMT configuration on page 61 See Configuring Intel AMT computers for out of band manag...

Page 60: ... IP address of the configuration server into the Intel AMT computer s MEBx 3 The Intel AMT device sends a TCP IP Hello message to the configuration server If for some reason the configuration server is unavailable for more than six hours the device stops sending messages See About resending Hello messages on page 89 4 Based on the UUID that is located in the Hello message Out of Band ManagementCom...

Page 61: ...Intel AMT setup and configuration the following conditions must be met An OOB site server is installed in your environment and the AMTConfig service is running See About OOB site servers on page 118 The OOB site server computer is registered in the DNS as ProvisionServer See About configuring DNS on page 33 You configured the firewall to allow incoming traffic to Intel SCS See Configuring a firewa...

Page 62: ...zing Intel AMT computers using the Remote Configuration feature on page 65 See Initializing Intel AMT computers manually on page 76 Initialize the Intel AMT computers Step 3 After you set up and configure the Intel AMT computers they are ready for out of band management See Setting up and configuring initialized Intel AMT computers on page 82 Set up and configure the Intel AMT computers Step 4 Cre...

Page 63: ...and TLS features Trusted Root Certificates Wireless profiles let you specify wireless settings and are applied to configuration profiles For each configuration profile there can be multiple wireless profiles applied to it to specify settings for multiple wireless access points See Configuring Intel AMT wireless settings on page 64 Wireless Profiles Out of Band Management Component installs with a ...

Page 64: ...s 2 In the left pane click Remote Management Out of Band Management Configuration Service Settings Auxiliary Profiles Wireless Profiles 3 On the Wireless Profiles page click the Add symbol 4 In the Add Wireless Profile dialog box configure the wanted settings and click OK See Auxiliary Profiles Wireless Profiles page on page 130 Configuring the automatic Intel AMT configuration profile assignment ...

Page 65: ... one profile for example if you want to assign different profiles to computers from different domains 4 If you want to assign an FQDN to an Intel AMT computer that does not have the Altiris Agent installed and whose FQDN is not known to Notification Server check UseDNSIPresolutiontofindFQDNwhenassigningprofiles 5 Turn on the policy and click Save changes Initializing Intel AMT computers using the ...

Page 66: ...earn how Remote Configuration works Step 1 You must prepare your environment to support Remote Configuration See Prerequisites for using the Remote Configuration feature on page 69 Make sure you meet the requirements for this feature Step 2 You must generate and install certificates See Configuring your OOB site server computer by default the Notification Server computer for Remote Configuration o...

Page 67: ...e you purchase a commercial certificate from a certificate provider The hash that you must add to the Intel AMT firmware is displayed at the Thumbprint field of the trusted root CA certificate These hashes can be added to the Intel AMT firmware by an OEM on your request or you can flash the firmware yourself You can also enter the hash into the MEBx manually through the SetupandConfiguration TLS P...

Page 68: ...hority that matches one of the root certificate hashes 6 The Intel AMT device verifies that the suffix matches the DNS suffix in the Intel SCS certificate 7 Intel SCS and the Intel AMT device perform a complete mutual authentication session key exchange The Intel AMT device uses a self signed certificate and sends its public key Intel SCS creates a TLS session master key encrypts it with the Intel...

Page 69: ... The OOB site server computer is in either the same domain as the device or a domain with the same suffix See About configuring DNS on page 33 See Initializing Intel AMT computers using the Remote Configuration feature on page 65 Configuring your OOB site server computer by default the Notification Server computer for Remote Configuration To configure your OOB site server by default the Notificati...

Page 70: ...ernal certificate vendor on page 74 Acquire the certificate Step 4 See Initializing Intel AMT computers using the Remote Configuration feature on page 65 Preparing a certificate template for Remote Configuration You must create a new certificate template that you will use to request a certificate See Configuring your OOB site server computer by default the Notification Server computer for Remote C...

Page 71: ...nagement Platform Help 16 On the Extensions tab click Application Policies and then click Edit 17 In the EditApplicationPoliciesExtension dialog box click Add click Server Authentication and then click OK 18 In the Edit Application Policies Extension dialog box click Server Authentication and then click Edit Verify the Object identifier is 1 3 6 1 5 5 7 3 1 and then click Cancel 19 Click Add once ...

Page 72: ...ertificate providers whose root certification authority hash is already in the firmware of the Intel AMT device You must do this for each OOB site server in your environment See About OOB site servers on page 118 See Configuring your OOB site server computer by default the Notification Server computer for Remote Configuration on page 69 To prepare a certificate request 1 Log on to the OOB site ser...

Page 73: ...risign fails to issue the certificate if the state name is abbreviated 10 Under Key Options in the Key Size box type 1024 11 Check Mark keys as exportable 12 Under Additional Options click PKCS10 13 If you are preparing a certificate request for a commercial certificate provider Check Save request to a file Type the full path name of the request file to create in the Fullpathname box For example c...

Page 74: ...to the MEBx of an Intel AMT computer 2 Go to the certificate vendor s Web site submit the certificate request CSR that you prepared and purchase an SSL certificate See Preparing a certificate request for Remote Configuration on page 72 For example the following link to Verisign site http www verisign com ssl intel vpro technology index html describes how to purchase an appropriate certificate The ...

Page 75: ...antec Management Console on the Settings menu click All Settings 2 In the left pane click Remote Management Out of Band Management Configuration Service Settings General 3 In the right pane check Allow Remote Configuration 4 Click Save changes 5 Proceed to the next step See Starting the Intel AMT Remote Configuration on page 75 Starting the Intel AMT Remote Configuration Plug in the network cable ...

Page 76: ... AMT versions Manual initialization of Intel AMT computers is performed at the computer location and in most cases requires an administrator to physically touch the computers If you have a large number of Intel AMT 3 0 or later computers we recommend that you initialize the computers using the Remote Configuration feature See Initializing Intel AMT computers using the Remote Configuration feature ...

Page 77: ... security keys supplied by an OEM 1 In the Symantec Management Console on the Settings menu click All Settings 2 In the left pane click Remote Management Out of Band Management Configuration Service Settings Security Keys 3 On the Security Keys page click the Import security keys symbol 4 Browse to the security keys file and then click Import Initializing computers manually using a USB key If the ...

Page 78: ... file must be the only file that is stored on the USB key See Initializing Intel AMT computers manually on page 76 To initialize Intel AMT manually using the USB key 1 In the Symantec Management Console on the Settings menu click All Settings 2 In the left pane click Remote Management Out of Band Management Configuration Service Settings Security Keys 3 Optional To use previously generated keys th...

Page 79: ...AMT related credentials on page 22 Note You must type a strong password See About passwords used with Intel AMT on page 177 NewIntelManagementEngine password 7 Click Generate A file with the keys is created in the format expected by the platform BIOS 8 Click the Download USB key file link and then save the file to the USB key 9 Click Close The exported keys are also added to the Intel SCS database...

Page 80: ...r MEBx and changed the factory default MEBx password and thus cannot use the USB initialization method You have not configured the DNS to resolve the ProvisionServer host name to the OOB site server computer by default the Notification Server computer See About configuring DNS on page 33 You can still use the USB key method but you must enter the MEBx after initialization and manually type the IP ...

Page 81: ...EBx password See About Intel AMT related credentials on page 22 New Intel Management Engine password 5 Optional Click the keys you want to use 6 Click the Print security keys symbol A new window opens with the selected keys and passwords listed in a printer friendly format 7 Print the contents of the window and then close the window 8 Click the keys that you printed and then click the Mark selecte...

Page 82: ...oves any settings that can fail the setup and configuration process We recommend you doing so even if this is the first time you accessed the MEBx 13 Set the Provision Mode to Enterprise if it is not already set 14 Modify the Provisioning Server settings Type the IP of the configuration server and SCS port the port that Intel SCS is listening to for Hello messages By default the port is 9971 To vi...

Page 83: ...r out of band management on page 61 Table 6 4 Process for setting up and configuring Intel AMT computers Description Action Step Out of Band Management Component displays Intel SCS management pages in the Symantec Management Console See Understanding the Intel SCS interface on page 84 Understand the Intel SCS interface in the Symantec Management Console Step 1 Configuration profile defines Intel A...

Page 84: ...es to the SCS These devices can be configured or unconfigured You can update the configuration of one or all of the already configured devices among other operations Intel AMT Systems A list of profile assignments that are created by the administrator or that are created automatically by the Resource Synchronization policy See Configuring the automatic Intel AMT configuration profile assignment on...

Page 85: ... on page 85 Manually to a single computer See Assigning a profile to a single computer manually on page 86 Manually to multiple computers See Assigning a profile to multiple computers manually on page 86 See Setting up and configuring initialized Intel AMT computers on page 82 About assigning a profile to multiple computers automatically You can configure Out of Band Management Component to assign...

Page 86: ... 2 In the grid click a computer 3 Click the Assign profile symbol 4 In the Edit mapping dialog box type the FQDN of the computer This FQDN will be assigned to the Intel AMT device during setup and configuration 5 If you enabled Active Directory integration select the organizational unit where you want to register AMT objects Example IntelAMT See Integrating Intel SCS with Active Directory on page ...

Page 87: ...nfigure the configuration profile mappings You can assign different profiles to computers from different domains 7 Click OK About monitoring the setup and configuration process After you assign a profile to the Intel AMT device the setup and configuration process starts You can watch the Intel AMT device status on the Intel AMT Systems page See Understanding the Intel SCS interface on page 84 The ...

Page 88: ...want to manage After the task runs the computers that are set up and configured with Out of Band Management Component appear in the Configured Intel AMT Computers filter See Setting up and configuring initialized Intel AMT computers on page 82 To run the Resource Synchronization policy 1 In the Symantec Management Console on the Settings menu click All Settings 2 In the left pane click Remote Mana...

Page 89: ...ation policy lets you re open the Intel AMT interface for the computers that are in the delayed configuration state for another 6 hours Computers that entered the delayed configuration state appear in the All Intel AMT Computers in Delayed Configuration State filter Resending Hello messages with the Delayed Configuration policy is an in band functionality and requires the Windows operating system ...

Page 90: ... system to be running and the Altiris Agent to be installed on the Intel AMT computer See About resending Hello messages on page 89 To run the Send Intel AMT Hello Message task 1 Install the Altiris Agent on the Intel AMT computers if it is not already installed See Installing the Altiris Agent on page 51 2 Install the Out of Band Task Agent on the client computer if it is not already installed Se...

Page 91: ...ough the Intel Management Engine BIOS extension MEBx on the Intel AMT computer Out of Band Management Component is not involved in this process See About Intel AMT configuration modes on page 18 After you configure the Intel AMT computer in small business mode it is ready for out of band management with Altiris solutions To run out of band management tasks on this computer from the Symantec Manage...

Page 92: ...estart the computer for the additional Intel AMT configuration options to appear in the MEBx 4 If you have Intel AMT already enabled before making any changes you must select Un Provision FullUnprovision in the MEBx to fully unconfigure the Intel AMT device 5 Set the ProvisionModel to SmallBusiness listed as Small MediumBusiness with some computers 6 Configure the network settings of the Intel AMT...

Page 93: ...tings 2 In the left pane click Monitoring and Alerting Protocol Management Connection Profiles Manage Connection Profiles 3 In the right pane click the connection profile that you want to use to connect to Intel AMT computers with Altiris solutions and then click the Edit symbol 4 In the Define Group Settings dialog box expand the AMT section 5 Turn on the AMT protocol if it is not turned on yet T...

Page 94: ...st configured In this example click My AMT 12 Click OK For more information view topics about using connection profiles and credential manager in the Symantec Management Platform Help Configuring Intel AMT computers for out of band management Configuring Intel AMT computers in small business mode 94 ...

Page 95: ...fication Server See About configuring and enabling TLS on page 95 About configuring and enabling TLS Optional Out of Band Management Component and the Intel AMT devices that are set up and configured in enterprise mode support Transport Layer Security TLS encryption for secure communications between each other You can configure TLS in the following two modes When Altiris solutions connect to the I...

Page 96: ... on page 32 Meet the requirements for TLS Step 1 CA issues certificates to Intel AMT devices See Installing and configuring CA on page 36 Install Microsoft certification authority CA if it is not already installed Step 2 You need this certificate if you want to use the SOL IDE R functionality of Intel AMT See Exporting the CA Root Certificate for the Altiris Real Time System Manager software on pa...

Page 97: ..._server_name certsrv See Configuring TLS on page 96 To export the CA root certificate 1 On the CA computer click Start Run 2 In the Open box type mmc and then click OK 3 In the Microsoft Management Console click File Add Remove Snap in 4 Click Add 5 Click Certificates and then click Add 6 Click Computer account and then click Next 7 Click Local computer click Finish and then click Close 8 Click OK...

Page 98: ...files Manage Connection Profiles 3 Click the connection profile that you use to connect to Intel AMT computers with Real Time System Manager and then click the Edit symbol 4 In the Define Group Settings dialog box expand the AMT section 5 Check Secure mode 6 If you want to use the SOL IDE R functionality in the TrustedCAcertificate location box click Browse and browse to the CA certificate that yo...

Page 99: ...es dialog box click the Add symbol to add a new certification authority CA to the list Specify the CA settings in the Add Certificate Generation Properties dialog box The default template for TLS is WebServer Click OK On the Select Certificate Generation Properties page click the CA that you just added and then click OK 7 Click OK to close the profile To reconfigure Intel AMT computers 1 In the Sy...

Page 100: ...the requirements for TLS with mutual authentication Step 1 You must issue and install an Intel AMT client certificate that will be used to authenticate to the client Intel AMT computers See Creating and installing a client certificate using an Enterprise CA on page 100 Install a client certificate Step 2 You must modify the Intel AMT configuration profile and reconfigure Intel AMT computers See Co...

Page 101: ...solutions that manage Intel AMT computers require that the mutual authentication certificate is also installed in the local computer certificate store See Installing the new mutual authentication certificate into the local computercertificatestore onpage105 Install the new certificate into the local computer certificate store Step 4 This step is required only if you want to use the SOL IDE R funct...

Page 102: ...og box under CSPs check Microsoft Strong Cryptographic Provider and then click OK 14 On the Subject Name tab click Supply in the request 15 On the Security tab grant the Read Write and Enroll permissions to both the DomainAdmins group and the Notification Server s Application Identity account 16 On the Extensions tab click Application Policies and then click Edit 17 In the Edit Application Policie...

Page 103: ...icate for mutual authentication Now you must request a new certificate from your local online CA based on the template that you created Note In case of a default Out of Band Management Component installation perform this procedure on the Notification Server computer If you installed the Out of Band site server on a computer other than Notification Server you must perform this procedure on the Noti...

Page 104: ...4 Click advanced certificate request 5 Click Create and submit a request to this CA 6 In the CertificateTemplate drop down list click the template that you created AMT Mutual 7 In the Name box type the FQDN for example computername mydomain com of the Notification Server computer or the Out of Band site server depending on to which computer you are logged on Warning Do not type the CNAME alias suc...

Page 105: ...computer and then click Finish 8 Click Certificates and then click Add 9 Click My user account and then click Finish 10 Click Close 11 Click OK 12 In the management console tree click Console Root Certificates Current User Personal Certificates 13 Copy the mutual authentication certificate that you created the certificate that is using the AMT Mutual template and paste it into the Console Root Cer...

Page 106: ... convert the certificate to PEM format on page 107 Convert the certificate to PEM format Step 2 See To configure a connection profile on page 107 Configure connection profiles to use the certificate Step 3 To export the certificate 1 On the Notification Server computer click Start Run 2 In the Open box type mmc and then click OK 3 In the Microsoft Management Console click File Add Remote Snap in 4...

Page 107: ...Settings menu click All Settings 2 In the left pane click Monitoring and Alerting Protocol Management Connection Profiles Manage Connection Profiles 3 Click the connection profile that you want to use to connect to Intel AMT computers with Real Time System Manager and then click the Edit symbol 4 In the Define Group Settings dialog box expand the AMT section 5 Check Secure mode 6 In the Trusted CA...

Page 108: ...tion in the configuration profile and then reconfigure the Intel AMT computers that use this profile After reconfiguration the Intel AMT computers are ready to be managed out of band with Altiris products See Altiris products that can manage computers out of band on page 15 See Configuring TLS with mutual authentication on page 100 To enable TLS mutual authentication in the configuration profile 1...

Page 109: ...olbar click the Add symbol and add your root CA certificate to the Trusted Certificates list If needed in the Select Trusted Root Certificate dialog box use the buttons on the toolbar to add or import the CA certificate To reconfigure Intel AMT computers with the new profile 1 In the Symantec Management Console on the Settings menu click All Settings 2 In the left pane click Remote Management Out ...

Page 110: ...Configuring TLS Configuring TLS with mutual authentication 110 ...

Page 111: ... of Band Task Agent that you install on the target computers lets you configure ASF or DASH capable computers for out of band management Configuration of ASF or DASH is an in band functionality See About out of band management on page 14 Note If the client computer supports both ASF and Intel AMT we recommend configuring the computer to use Intel AMT See About configuring Intel AMT computers for o...

Page 112: ...t computers if it is not already installed Step 3 For easier configuration and evaluation of Out of Band Management Component make the Altiris Agent request configuration from Notification Server more frequently See Configuring the Altiris Agent settings for evaluation use on page 52 Optional Modify the Altiris Agent settings for evaluation use Step 4 The Out of Band Discovery policy lets you find...

Page 113: ... ASF capable computers for out of band management you must have the ASF management software installed on these computers If the ASF management software is not installed on the Broadcom ASF capable computers you must install the software manually You can obtain the Broadcom ASF Management Application from an installation CD that comes with the computer or from the Broadcom Web site http www broadco...

Page 114: ...un the task one time or on a schedule For more information view topics about running and scheduling tasks in the Symantec Management Platform Help To view the ASF DASH inventory for a client 1 Open the Resource Manager for the computer To open the Resource Manager double click or right click and then click Resource Manager on a specific resource that is found in a filter or in any grid that displa...

Page 115: ...e Manage menu click Jobs and Tasks 2 In the left pane click Samples Remote Management ASF DASH Tasks Update ASF Configuration Settings or Samples Remote Management ASF DASH Tasks Update DASH Configuration Settings 3 Configure settings If you check Modify settings the settings that are shown in the group are modified when the task runs If you uncheck Modify settings the settings on the target compu...

Page 116: ...See Altiris products that can manage computers out of band on page 15 Configuring ASF DASH computers for out of band management What to do next 116 ...

Page 117: ...tact for the Symantec Management Agents thus reducing the load on Notification Server The official name for a middleware component is site service Any computer that hosts a site service is known as a site server A site server can have one or more site services installed on it For example if you install the package server site service the package service onto a computer that computer becomes a site...

Page 118: ...er You can later deploy more OOB site servers to other subnets or geographic locations For example if Intel AMT computers in a subnet cannot reach the main OOB site server you can install another OOB site server into that subnet Also if you want to reduce the Notification Server computer s workload you can move the OOB service from the Notification Server computer to another site server on the net...

Page 119: ...with Microsoft Windows 2003 Server SP2 operating system can become OOB site servers See Viewing potential OOB site server computers on page 119 Choose a computer for OOB site server installation Step 1 Configure which SQL server you want to use and if you want to run a prerequisites check when installing the OOB site server See Configuring the OOB site server installation settings on page 120 Conf...

Page 120: ...OOB site server installation settings 1 In the Symantec Management Console on the Settings menu click Notification Server Site Server Settings 2 In the left pane click Site Management Settings OOB Service OOB Service Configuration 3 In the right pane configure the settings For help press F1 or click Help Context See OOB Site Service page on page 161 4 Click Save changes Rolling out the OOB site se...

Page 121: ...ecessary You can also run additional tasks that are shown on the page The tasks can help you troubleshoot the OOB site server installation See Troubleshooting OOB site server installation on page 175 Uninstalling an OOB site server You can uninstall an OOB site server If you uninstall the OOB site server that is set as default you must configure Out of Band Management Component to use another OOB ...

Page 122: ...n on page 175 Configuring the default OOB site server location By default Out of Band Management Component is configured to use the Intel SCS that is installed on the Notification Server computer as part of the default OOB site server installation If you move the OOB site server and Intel SCS to another computer you must configure Out of Band Management Component To set the default OOB site server...

Page 123: ...nce Servers page Auxiliary profiles Remote Access Policies page Auxiliary Profiles Wireless Profiles page Trusted Root Certificates page Configuration Profiles page DNS configuration page General page Maintenance page Security keys page Service location page Users page Delayed Setup and Configuration page Intel AMT systems page Profile assignments page 10 Chapter ...

Page 124: ...grade Job internal task OOB Site Server Inventory task Send Intel AMT Hello Message task Auxiliary profiles 802 1x Profiles page IEEE 802 1x defines an extendable set of layer 2 protocols that are used to authenticate LAN communications The profiles that are defined here can apply to any Intel AMT Profile and to either wired connections or wireless connections This capability only applies to Intel...

Page 125: ...se include the Server certificate that is required for TLS and any client certificates that are required for 802 1x profiles or for NAC posture signing In a normal installation a single client certificate would be purchased for all applications in the facility If a profile requires more than three certificates setup of an Intel AMT device based on this profile fails Client certificate Check to ena...

Page 126: ... properties Table 10 2 Options on the Add Certificate Generation Properties dialog box Description Option Type the FQDN of the computer that handles stores and issues digital certificates You can click and select one from the list of Certificate Authorities CA known to Notification Server Microsoft certification authority CA is used to generate individual certificates for Intel AMT devices CA Host...

Page 127: ...ou want Intel SCS to use when generating certificates for the functionality that you want to configure Auxiliary profiles Management Presence Servers page Intel AMT 4 0 and later support CIRA client initiated remote access CIRA allows an Intel AMT computer that is located outside an enterprise to connect to management consoles inside the enterprise The connection is accomplished through a Manageme...

Page 128: ...o use to request a certificate that the MPS can authenticate Then select the template that is defined for creating the appropriate client certificate This should be a template where the subject name is supplied in the request and the usage is Client Authentication For information on creating a template for 802 1x client certificates see the Intel Active Management Technology Setup and Configuratio...

Page 129: ...ote Policy dialog box Description Option Type a descriptive name for the policy Name Type an interval in seconds When there is no activity in an established tunnel for this period of time the Intel AMT device closes the tunnel Entering zero 0 means that the tunnel does not time out The tunnel stays open until the user closes it or when a different policy with higher priority needs to be processed ...

Page 130: ...11i See Configuring Intel AMT wireless settings on page 64 Wireless Profiles Add Wireless Profile dialog box This dialog box lets you configure the wireless settings that the Intel AMT devices should use in sleep S3 S4 or S5 state when the operating system cannot be used to configure wireless protocols Table 10 5 Options on the Wireless profiles Add Wireless Profile dialog box Description Option T...

Page 131: ...ck OK See Installing and configuring CA on page 36 Configuration Profiles page Configuration profiles contain the Intel AMT device configuration parameters Profiles determine which features are enabled in the device what authentication mechanism is used and which users have access to device features One or many profiles can be defined For example use a different profile for different sites Each pr...

Page 132: ...abase Unless you configure more administrative users on the ACL tab you can manage the computers from Notification Server only In this case Notification Server pulls the administrative credentials from the Intel SCS database every time you run an out of band task See Setup and configuration profile ACL tab on page 137 Note To use the credentials that are stored in Intel SCS create a connection pro...

Page 133: ...ftware from remote locations These actions are independent of and transparent to the host Check to allow this feature IDE redirection Select an optional 802 1x profile that you want the Intel AMT device to use when authenticating on a wired LAN This profile is active when the device is in S3 S4 or S5 power states This option applies only to Intel AMT releases 2 5 3 0 4 0 and 5 0 See Auxiliary prof...

Page 134: ...mote control of an Intel AMT system using a remote keyboard and mouse and viewing the managed system s screen output at a remote monitor Enable KVM Check if you want to define that the user of the Intel AMT system must consent to KVM connections A pop up window appears on the Intel AMT system when a KVM connection request is processed The window contains a code number that the user must provide by...

Page 135: ...ck Encrypted to allow setup and configuration only on the platforms that support encryption Click Plain Text to allow setup and configuration only on the platforms that do not support encryption Click Both to allow setup and configuration on both types of platforms encrypted and plain text Encryption Mode Select the certification authority CA that you want to use to generate server certificates fo...

Page 136: ...ked certificates This is an optional feature of TLS Mutual Authentication Click the Manage CRL symbol to define a CRL CRL The Fully Qualified Domain Name FQDN suffixes for mutual authentication The Intel AMT device validates that any client certificates that Intel SCS or Altiris solutions use have one of the listed suffixes in the certificate subject Type the FQDN suffix of the Notification Server...

Page 137: ...a file Setup and configuration profile ACL tab The Intel AMT access control list ACL manages who has access to which capabilities within Intel AMT An ACL entry has a user ID and a list of realms to which a user has access This access is required to use the functionality that is associated with a realm You can use two kinds of ACL entries Kerberos and Digest The main difference between them is that...

Page 138: ...on Access Permission Select the specific functional capabilities such as Redirection or PT Administration that will be available to this ACL entry Some of the realms cannot be used with a specific access permission An error is displayed if you select a realm that is not allowed Realms Add ACL Entry Select User dialog box Select the Active Directory user that you want to use for the functionality t...

Page 139: ...130 Create new wireless profile Add a wireless profile Add Adjust the relative priority of the profile The profile at the top of the list has the highest priority and is tried first by configured wireless Intel AMT devices Up Down When checked Intel AMT devices accept management traffic over a Virtual Private Network connection when Intel AMT detects that the platform is operating outside the ente...

Page 140: ... example the AMT is ON parameter is set to Host is ON S0 or in Standby S3 When the platform transitions to S3 the Intel AMT device remains awake until there is no activity for the number of minutes set in the Idle Timeout At that point the device reduces power Any network access to the Intel AMT device causes it to wake up and restart the timeout timer If you want to use this parameter set it to t...

Page 141: ...ydomain com Intel AMT computers in subdomain mydomain com can also be configured Allow sub domain Setup and configuration profile Remote Access tab Intel AMT 4 0 and later support client initiated remote access This feature allows a platform containing Intel AMT located outside an enterprise to connect to management consoles inside the enterprise The connection is accomplished through a Management...

Page 142: ...alizing computers manually through MEBx on page 80 Table 10 14 Options on the DNS configuration page Description Option Click to see if DNS is configured correctly Verify that the IP of the ProvisionServer matches the IP of Intel SCS Test General page This page lets you modify general settings of the Intel AMT Setup and Configuration Service Intel SCS This page modifies the settings of the Intel S...

Page 143: ...el AMT releases 2 2 2 6 3 0 4 0 5 0 and later support Remote Configuration Check this option to enable Intel SCS to accept Remote Configuration requests from Intel AMT devices See Initializing Intel AMT computers using the Remote Configuration feature on page 65 AllowRemoteConfiguration Displays the FQDN of the OOB site server computer with which Out of Band Management Component is configured to w...

Page 144: ...termines the maximum number of SCS operations that can be performed concurrently by each SCS service The operations are configuring or unconfiguring an Intel AMT platform synchronizing clocks and so on This value can be adjusted to optimize the service s performance depending on the number of CPUs and the memory size Default 6 threads Worker threads The system wide actions log can be recorded at s...

Page 145: ...ged periodically to either a randomly generated password or to a fixed password Which option to use is defined in the configuration profile on the General tab See Setup and configuration profile General tab on page 131 Normally this maintenance function is used only with the random password option Default 1 month Change Intel AMT Administrator password This option synchronizes the clock in each In...

Page 146: ...ers manually through MEBx on page 80 If you use the Remote Configuration feature of Intel AMT 3 0 the keys are generated and installed automatically See Initializing Intel AMT computers using the Remote Configuration feature on page 65 Table 10 17 Options on the Security keys page Description Option Click to add a new security key The PID is the eight character identification string that is sent i...

Page 147: ...curity keys that you have used to initialize an Intel AMT device manually All marked security keys disappear from the SecurityKeys page so the keys cannot be reused However the keys and passwords stay in the Intel SCS database and are used for initialization of Intel AMT devices Marking the keys is necessary if you use the MEBx initialization method See Initializing computers manually through MEBx...

Page 148: ...otification Server computer Default URL Displays the URL of the Intel SCS installed on the OOB site server To fill in this field automatically in the Site Servers section select a site server and click the Set as default location of Intel SCS symbol Alternative URL Lists the OOB site servers that are known to Out of Band Management Component Site Servers Displays the computers that have Intel SCS ...

Page 149: ...age can view the standard log and the security audit log can access the complete configuration parameters branch LogViewer This role allows a user to view the standard log and the security audit log Add Click to edit the user Edit Click to delete the user Warning Never remove the user that is used by the SCS service when it is started Removing this user causes the service to fail Delete Delayed Se...

Page 150: ... AMT in the client computer s BIOS Note The computers that have ASF or None selected in the MEBx do not appear in the default All Intel AMT Computers in Delayed Configuration State filter If you want to switch such computers to Intel AMT assign this policy to a custom filter For example assign it to All Intel AMT Capable Computers Switch to AMT If you want the Delayed Setup and Configuration proce...

Page 151: ...ration page on page 149 Authorize systems This operation updates the list of Intel AMT users according to the ACL entries in the profile that is associated with each device and their access privileges See Setup and configuration profile ACL tab on page 137 Update ACL This operation resets the random number generator key for selected devices Renew RNG key This operation updates the power policy for...

Page 152: ...age 86 Assign profile This operation lets you assign profiles to multiple Intel AMT computers Check Overrideexistingprofileassignments to assign the profile that is defined on this page to the Intel AMT computers that already have a configuration profile assigned This option changes the profile assignment but does not re configure the Intel AMT device with the new configuration profile If you want...

Page 153: ...pping The exported CSV file can later be imported into the Profile Assignments page Export the list of the systems Lists the Intel SCS log entries that are filtered by the system s UUID Open log for this system Displays configuration information for the selected system Show detailed system information Deletes the selected devices and the associated log entries from the Intel SCS database For examp...

Page 154: ...Imports profile assignments Import system mappings Deletes assignments Delete Resource Synchronization page This page lets you configure automatic configuration profile assignment to the new Intel AMT devices that request configuration from Intel SCS You can also change profile assignment for existing configured devices This page also lets you configure the schedule on which the configuration prof...

Page 155: ...ration profiles on page 62 Add Check if you want to assign an FQDN to an Intel AMT computer that does not have the Altiris Agent installed and whose FQDN is not known to Notification Server Use DNS IP resolution to find FQDN when assigning profiles Check to delete duplicate resources when synchronizing the Intel SCS and Notification Server resources Remove duplicate Intel AMT resources from Notifi...

Page 156: ...ices from the domain you specified here Profile Get ASF DASH Configuration Inventory task This task lets you get the ASF or DASH settings inventory from client computers The ASF DASH inventory is collected and sent to Notification Server in the standard Notification Server Inventory format Note The Out of Band Task Agent must be installed on the client computers before you run the task The client ...

Page 157: ...ansmit periodic system heartbeat or entity presence messages to the management console Heartbeats indicate that the managed client computer is still operating Transmit system heartbeat messages Check to modify the settings in this group when the task runs Modify security settings The scope of these keys is a local policy issue that is determined by the equipment owner at the time of installation T...

Page 158: ...ationonlinkreconnect Check this option if you want to delay sending events to the management console after the link is restored for example if the network traffic is high Type the number of seconds to wait Default 10 seconds Delay sending Platform Event Traps on link reconnect Check to modify the settings in this group when the task runs Modify remote control settings Check to enable a low latency...

Page 159: ...al in seconds between retransmission of a PET message Default 20 seconds PET retransmission interval Check to modify the settings in this group when the task runs Modify system management bus settings Type the interval at which the network adapter monitors legacy SMBus devices such as the chassis intrusion sensor Default 15 seconds Legacy poll interval Type the time delay before the first legacy S...

Page 160: ...er up ASF Power cycle Check if you want the configuration inventory to be sent to Notification Server after this task runs on the client computer Refresh inventory on settings change Update DASH Configuration Settings task This task lets you enable DASH and configure DASH settings remotely on client computers Note The Out of Band Task Agent must be installed on the client computers before you run ...

Page 161: ...ce Browse to the key in the expected format Replace security key Check to replace the certificate on the DASH device Browse to the certificate in the expected format Replace certificate Check to modify the settings in this group when the task runs Modify Administrator account password Type and confirm the new password for Administrator account Password Check if you want the configuration inventory...

Page 162: ...d SQL Access Check if you want the Intel SCS installation to re use the existing database with the Intel AMT data in it By default it is checked Uncheck only if you want to clear the database on Intel SCS install Warning All OOB site servers in your environment use the same database Clearing this check box when installing an OOB site server removes all data about Intel AMT computers in your enviro...

Page 163: ...Specific Installation Settings Each instance of Intel SCS listens for Hello messages from Intel AMT devices on a defined TCP port Type the TCP port that you want Intel SCS to use The default port is 9971 The settings under General Intel SCS Settings take effect at the time of the OOB site server installation After you installed an OOB site server use the General page to configure the settings See ...

Page 164: ...ded at several levels The more detail recorded the more system resources and bandwidth must be allocated Log Level Certificate Enrollment task This task lets you enroll the TLS Mutual Authentication certificates Browse to the certification authority that you are using and then browse to the template AMTMutual that you prepared for TLS Mutual Authentication Run this task on the Notification Server ...

Page 165: ...o re run the installation that has failed For more information on running tasks see the Symantec Management Platform Help Install OOB Site Service agent task This task is an internal task that is used by the OOS site server installation jobs This task installs the OOB site server agent to the OOB site server computer You can also run this task manually for example if you want to re run the install...

Page 166: ...task checks the target computer for the OOB site server prerequisites See Installing an OOB site server on page 119 You can also run this task manually You can view collected inventory in the target computer sResourceManager intheView Inventory OutofBandManagement OO Site Server State data class Send Intel AMT Hello Message task This task lets you resume sending setup and configuration requests fr...

Page 167: ...SCS logs Out of Band Management Component installs Intel SCS Intel SCS handles the interaction with Intel AMT devices and creates logs to record these interactions The logs are located in the Intel SCS database Default Symantec_CMDB_IntelAMT If you have problems configuring connecting to managing or otherwise interacting with the Intel AMT devices you can check the logs through the Symantec Manage...

Page 168: ... Remote Management Out of Band Management Configuration Service Settings General 3 Under Log Options in the Log level drop down list click the log level that you want For example click Detailed verbose to see the most detailed information in the logs Troubleshooting Out of Band Management Component Viewing Intel SCS logs 168 ...

Page 169: ...mponent performed for example the results of a resource synchronization Application Log These records provide the information that is related to Notification Server interactions with Intel AMT These show information and errors from the Intel SCS service AMTConfig including interaction with the Intel SCS database These logs show the status on tasks such as RNG keys configuration steps Hello packet ...

Page 170: ...tion sequence Intel SCS rejects additional requests if the system is already listed as Configured Error 102 Intel AMT device is already configured This error can be caused in the following situations Trying to delay a request that is already set to be delayed Trying to push a request that is already in the queue Trying to push a request to the poller that is already in the poller This error is a s...

Page 171: ... state A manual process of partial unconfiguration may be required Removing the assigned profile at the console should occur also Error 137 Another process currently working on AMT Intel SCS has the ability to integrate with Microsoft Active Directory for Kerberos based authentication Check to ensure that schema extensions have been applied and proper authentication to the Kerberos server for exam...

Page 172: ...n to occur the UUID and the FQDN of the target Intel AMT system are mapped together The configuration script may attempt to use WMI reverse DNS previously stored asset data or client agents to obtain this data This error occurs when the configuration script cannot obtain this data To resolve this issue you can manually assign a configuration profile and type the FQDN of the Intel AMT device Error ...

Page 173: ...t contain the Remote Configuration certificate The Thumbprint field of the certification authority certificate that issued this Remote Configuration certificate must match one of the hashes that are programmed into the Intel AMT device Configure Out of Band Management Component to use the Remote Configuration feature or use the manual initialization method See Initializing Intel AMT computers usin...

Page 174: ... reasons of Intel SCS pages not being displayed are as follows The OOB site server is not installed See About OOB site servers on page 118 See Troubleshooting OOB site server installation on page 175 The OOB site server is installed but Out of Band Management Component is not configured to use the correct site server See Configuring the default OOB site server location on page 122 The AMTSCS Web s...

Page 175: ...quency of filter updates and the target computer s configuration update schedule Configure the All Site Servers targeted Altiris Agent settings policy to speed up the process See Configuring the Altiris Agent settings for evaluation use on page 52 You can also make target computers update configuration immediately using one of the following methods From the Symantec Management Console run the Upda...

Page 176: ...Troubleshooting Out of Band Management Component Troubleshooting OOB site server installation 176 ...

Page 177: ...g passwords are accepted by Intel AMT devices The strong password must meet the following criteria Be at least eight characters long Characters allowed are 7 bit ASCII characters in the values of 32 126 inclusive The characters and are not allowed Have at least one digit Example 0 1 2 9 Have at least one 7 bit ASCII non alphanumeric character Example Contain both upper and lower case Latin charact...

Page 178: ...ration state This filter is populated by the Out of Band Task Agent that is installed on the client computer The agent sends this information to the Notification Sever using the Altiris Agent s basic inventory interval See About resending Hello messages on page 89 See Installing the Out of Band Task Agent on page 53 Intel AMT Computers in Delayed Configuration State This filter is populated when t...

Page 179: ...wn to Intel SCS but are not configured for any reason For example a setup and configuration profile has not been assigned or Out of Band Management Component cannot assign an FQDN to this Intel AMT device Non configured Intel AMT Computers This filter shows Intel AMT capable computers with Intel AMT functionality enabled in BIOS This filter is populated using the Out of Band Discovery Task through...

Page 180: ...t executes and checks the target computer for ASF functionality This task detects ASF capabilities of the target computers even if ASF is not configured or not enabled in BIOS See Discovering out of band capable computers on page 52 Broadcom ASF capable computers This filter is populated using the Out of Band Discovery Task through the Altiris Agent This task copies down an exe that executes and c...

Page 181: ...he following four items Cleans up duplicate resources if the appropriate check box is checked on the Resource Synchronization page When the Altiris Agent installed on an Intel AMT enabled computer sends basic inventory Notification Server may create a new resource in addition to the existing resource representing the Intel AMT device attached to the same computer When the Resource Synchronization ...

Page 182: ...rprise com or the domain suffix of the platform for example west yourenterprise com or yourenterprise com The keys should be exportable to support IT key backup policies The request type should be PKCS10 See Initializing Intel AMT computers using the Remote Configuration feature on page 65 Remote Configuration certificate differences between releases Intel AMT validates the SCS certificate by comp...

Page 183: ...atch all fields of the FQDN or it must be a wildcard entry with a match in all but the first field of the FQDN For example if the FQDN is east corp yourenterprise com the CN in the certificate must also be east corp yourenterprise com or corp yourenterprise com If a DSN suffix is entered then all fields in the suffix must be included in the CN For example if the entered suffix is corp yourenterpri...

Page 184: ...the domain suffix that is received from DHCP When one of the names matches Intel AMT accepts the certificate A certificate with multiple DNS names would be useful when the root domain is not com or net When one of these methods is used a single Intel SCS can support Intel AMT devices with Release 2 6 in multiple domains with a single remote configuration certificate Reference topics Remote Configu...

Page 185: ...hnicians can identify computers with disabled or uninstalled software agents and take appropriate actions Altiris Agent The software that is installed on the computers that you want to manage It facilitates interactions between Notification Server and a managed computer The agent receives requests for information from Notification Server sends data to Notification Server and downloads files The Al...

Page 186: ... requires the target computer s operating system to be initialized and to function properly Intel AMT Intel Active Management Technology A solution that is based in hardware and firmware and is connected to the system s auxiliary power plane Despite the power state or the operating system state of the client computer Intel AMT provides IT administrators with access to alerts hardware inventory pow...

Page 187: ...Permissions are granted to users through their security role PET Platform Event Trap An event that is originated directly from platform firmware BIOS or platform hardware ASIC chipset or microcontroller independently of the state of the operating system or system management hardware PET events provide advance warning of possible system failures policy A set of rules that control the execution of a...

Page 188: ...d user interface for managing the Symantec Management Platform and any other installed solutions Symantec Management Platform The platform that provides a set of services for IT related solutions These services include security scheduling client communications and management task execution file deployment reporting centralized management and CMDB services task An action that is performed on a comp...

Page 189: ... management 14 populating with PID PPS pairs 58 server prerequisites 43 viewing out of band capable 53 computers discovering 51 preparing for management 49 configuration mode Intel AMT enterprise mode 19 Intel AMT small business mode 18 configuration profile assigning 85 creating 62 mapping to Intel AMT computers 64 configuring Altiris Agent 52 computers for out of band management 61 Intel AMT ent...

Page 190: ...configuration works 57 ports used by 40 security 20 small business mode 18 tasks 27 version features 17 Intel AMT computer initializing manually 76 remotely 65 managing without Altiris Agent 41 populating with PID PPS pairs 58 setting up and configuring 82 Intel SCS about 17 viewing logs 167 L lab environment installing in 41 logs 167 M manageable resources creating 88 Management Presence Servers ...

Page 191: ...32 Intel AMT configuration 61 minimum 43 server computer 43 product comparison 25 provision profile See configuration profile provisioning See setup and configuration R Release Notes 27 Remote Configuration 65 certificate providers 67 purchasing 74 requirements 182 certificate request preparing 72 certificate template issuing 72 preparing 70 enabling support 75 requirements 69 starting 75 version ...

Page 192: ...Intel AMT computers 108 copying certificate 105 creating template 101 exporting certificate 106 installing certificate 103 troubleshooting 167 U uninstalling Out of Band Management Component 45 Out of Band Task Agent 46 with Symantec Installation Manager 47 upgrading Out of Band Management Component 45 USB key initialization 77 W wireless profile about 24 configuring Intel AMT settings 64 creating...

Reviews:

No comments

Related manuals for ALTIRIS OUT OF BAND MANAGEMENT COMPONENT 7.0 SP3 - V1.0

Brand: NEC Pages: 4

Brand: NEC Pages: 81

Wide Format 6030

Brand: Xerox Pages: 8

Brand: Barco Pages: 22

NETWORK AND SECURITY MANAGER 2010.4 - REV1

Brand: Juniper Pages: 244

Ripstation v4.4.11.0

Brand: MF DIGITAL Pages: 43

Persona Persona M30e

Brand: Fargo Pages: 31

Brand: Nokia Pages: 84

Brand: Philips Pages: 2

Brand: Philips Pages: 2

Cineos 42PF9831D

Brand: Philips Pages: 3

Brand: Philips Pages: 2

37-LCD 37PF9431D

Brand: Philips Pages: 3

37-LCD 37PF9431D

Brand: Philips Pages: 3

Brand: Philips Pages: 16

37-LCD 37PF9431D

Brand: Philips Pages: 201

Brand: Paradyne Pages: 24

Brand: Nexo Pages: 24

Brands by name

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Popular brands

Load more brands