Wireless support for network management using Intel® Active Management Technology (Intel® AMT) offers numerous advantages for businesses of all sizes. This paper introduces some key considerations for IT organizations at Small and Medium Businesses (SMBs) that are investigating the potential for wireless Intel AMT support.
Intel® Active Management Technology (Intel® AMT), a component of Intel® vPro and Intel® Centrino® Pro processor technology, enables IT organizations to extend the manageability of their client computers by performing remote management operations on them, even if they are in a powered-down state or the operating system has ceased functioning. It achieves this functionality by means of an out-of-band communication channel based on firmware-resident components that share the physical interfaces with conventional network connectivity but remain logically separate from them.
Intel AMT enables organizations of all sizes to achieve greater efficiency in their desktop support operations, allowing a larger proportion of trouble calls to be resolved without dispatching a technician to physically visit the machine. It also simplifies hardware and software audits and inventories, since client machines can be powered on and off remotely as needed to complete the operation. Finally, it allows enhanced security, both by allowing the proactive isolation of malware-infected machines and by enabling the deployment of security patches and agents in isolated partitions where users cannot inadvertently or intentionally alter or remove them.
With the new availability of Intel vPro processor technology in laptops based on Intel Centrino Pro processor technology, these manageability and security enhancements have been added to wireless mobile computing for business (although the wireless interface has some limitations, as discussed below). The new mobile platform incorporates the following core components:
- Intel® Core™2 Duo processor with Intel® Virtualization Technology, up to 4MB L2 cache, and up to 800MHz front-side bus
- Mobile Intel® GM/PM965 Express Chipset with enhanced I/O Controller Hub (ICH8M) and support for Intel AMT 2.5
- Intel® Wireless WiFi Link with choice of Next-Gen Wireless-N [Intel® Wireless WiFi Link 4965 AGN] or Intel Wireless WiFi Link 4965 AG or Intel® PRO/Wireless WiFi Link 3945 ABG supporting Intel AMT
- Intel® 82566MM Gigabit Ethernet Connection supporting Intel AMT
This paper introduces key considerations for IT organizations in Small/Medium Businesses (SMBs) planning wireless support for Intel AMT. It discusses the security requirements and configuration issues associated with the technology, and it directs the reader to resources for more in-depth investigation of these topics. This discussion assumes a general familiarity with the capabilities and functionality of Intel AMT, as well as general Intel AMT deployment considerations and techniques; for further information, please see the Intel® Manageability Community. For a corresponding discussion that targets enterprise-scale environments, see "Enterprise Considerations for Deploying Wireless Intel® AMT Support."
Preliminary Considerations: Capabilities and Limitations
Intel AMT devices have two modes of operation: Enterprise Mode and Small/Medium Business (SMB) Mode. In Enterprise Mode, setup and configuration requires the use of Transport Layer Security (TLS) communication protocols for secure communication, and the process is quite automated. By contrast, SMB Mode does not require the added complexity of TLS (and in fact, does not support it), but the process is somewhat more manual, requiring hands-on operations on each machine. The initial setting of Enterprise or SMB Mode is made at the point of manufacture, and the default setting is typically Enterprise Mode, so the value must be changed to SMB Mode during the setup and configuration process.
Wireless profiles must be configured in the Intel AMT device separately from the wireless profiles that are configured in the wireless client within the host OS, even though the profiles may be exactly the same. The Intel AMT device does not have the capability to synchronize profiles with those configured in the host OS. This configuration must be accomplished through the wired interface for security reasons, since client machines right out of the box have no security configured on the wireless Intel AMT interface.
System administrators can access the Intel AMT device either by means of the Intel AMT BIOS Extensions or using a built-in web interface, but initial setup and configuration must be done using the BIOS extensions. In this context, setup and configuration is the process that populates a system with the network credentials and parameters that enable it to be administered remotely using Intel AMT. Once initial setup and configuration is complete, device settings and profiles can be changed and maintained using the web interface.
Depending on system state and what management functions are being undertaken, control of the wireless network interface controller (NIC) is passed back and forth between the Intel AMT network interface and the host network interface. For details, see "Technical Considerations for Intel® AMT in a Wireless Environment." Because of the logical separation of the two interfaces (even though they share physical hardware), they have separate IP addresses, and only one of them is active at a time. Further, since the wireless NIC is powered off in low- and no-power platform states (e.g., standby, sleep, hibernate, and off), wireless management functionality is not available in these states.
While Intel AMT supports both DHCP and static IP in the wired context, the wireless management interface requires DHCP and does not support static IP addresses. In addition, the wireless management interface is always initially disabled, even if valid wireless profiles are configured and Intel AMT is enabled. By contrast, wired Intel AMT interfaces can be enabled by default at the point of manufacture. Wired and wireless management interfaces cannot be on the same subnet concurrently. IT organizations at SMBs should carefully consider these issues, to develop a clear understanding of how wireless support for Intel AMT fits into the larger network and management frameworks.
Planning Wireless Intel AMT Deployment for SMBs
In the SMB environment, the use of Intel AMT does not require the use of third-party management software. The basic requirement for initial setup and configuration is BIOS support for Intel AMT in the form of the BIOS Extensions Intel AMT configuration screen. Once the Intel AMT device is set up and configured, it can be managed by means of a web browser. The following browsers have been validated and can be used remotely to connect to any configured Intel AMT system (other browsers can be used, but they may not be supported by some Intel AMT-enabled systems):
- Microsoft Internet Explorer 6.0 SP1*
- Netscape 7.2* for Windows* or Linux*
- Mozilla Firefox 1.0* for Windows or Linux
- Mozilla 1.7* for Windows or Linux
A primary matter for consideration in deployment planning should be how existing wireless network infrastructure fits in with support for wireless access to Intel AMT. Security is a key consideration for network administrators planning support for wireless Intel AMT capabilities, both for its own sake and to ensure that their network security infrastructure is compatible with the requirements of Intel AMT. Networks that do not employ encryption or that employ Wired Equivalent Privacy (WEP) are not supported by Intel AMT. Administrators in such environments can typically implement Wi-Fi Protected Access (WPA) security for their existing wireless networks with little or no investment in additional network hardware.
As part of the needs analysis associated with such upgrades, however, IT organizations should thoroughly validate all combinations of client hardware and wireless access points to ensure that performance levels are acceptable using WPA on legacy hardware. In some cases, it may be necessary to maintain a legacy wireless network as a transition measure until older client machines that do not provide adequate performance using WPA are retired. For those organizations that implement more advanced wireless security, Intel AMT supports Robust Security Network (RSN) and optionally, 802.1x authentication. Contact your equipment supplier for additional details about support for specific security protocols.
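The constraints described in this section and the previous one can be checked against a deployment plan before any laptop is unpacked. The following is an added example, not Intel code or part of the original paper: the plan dictionary layout, the field names and the sample networks are all hypothetical, and it does not talk to an Intel AMT device.

```python
import ipaddress

# Constraints taken from this paper (wireless Intel AMT, SMB Mode).
SUPPORTED_WLAN_SECURITY = {"WPA", "RSN"}  # unencrypted and WEP networks are not supported
NO_WIRELESS_MGMT_STATES = {"standby", "sleep", "hibernate", "off"}  # wireless NIC is powered off

def check_plan(plan):
    """Return findings for one laptop's planned settings (hypothetical dict layout)."""
    findings = []
    wired, wlan = plan["wired"], plan["wireless"]
    if plan["mode"] != "SMB":
        findings.append("mode: factory default is typically Enterprise; set SMB Mode during setup")
    if wlan["ip_mode"] != "dhcp":
        findings.append("wireless.ip_mode: wireless management interface requires DHCP")
    for profile in wlan["profiles"]:
        if profile["security"].upper() not in SUPPORTED_WLAN_SECURITY:
            findings.append(f"profile {profile['ssid']}: {profile['security']} is not supported")
    # Wired and wireless management interfaces cannot share a subnet concurrently.
    wired_net = ipaddress.ip_network(wired["subnet"])
    wlan_net = ipaddress.ip_network(wlan["subnet"])
    if wired_net.overlaps(wlan_net):
        findings.append(f"subnets: wired {wired_net} overlaps wireless {wlan_net}")
    # Remote tasks planned over wireless cannot run in low- and no-power states.
    for task in plan.get("tasks", []):
        if task["interface"] == "wireless" and task["power_state"] in NO_WIRELESS_MGMT_STATES:
            findings.append(f"task {task['name']}: no wireless management while {task['power_state']}")
    return findings

# Constructed sample plans (documentation address ranges, not real hosts or networks).
BAD_PLAN = {
    "mode": "Enterprise",
    "wired": {"ip_mode": "static", "subnet": "192.0.2.0/24"},
    "wireless": {"ip_mode": "static", "subnet": "192.0.2.128/25",
                 "profiles": [{"ssid": "office-legacy", "security": "WEP"},
                              {"ssid": "office", "security": "WPA"}]},
    "tasks": [{"name": "nightly-inventory", "interface": "wireless", "power_state": "off"}],
}
GOOD_PLAN = {
    "mode": "SMB",
    "wired": {"ip_mode": "static", "subnet": "192.0.2.0/25"},
    "wireless": {"ip_mode": "dhcp", "subnet": "198.51.100.0/24",
                 "profiles": [{"ssid": "office", "security": "RSN"}]},
    "tasks": [{"name": "nightly-inventory", "interface": "wired", "power_state": "off"}],
}

if __name__ == "__main__":
    for name, plan in (("bad", BAD_PLAN), ("good", GOOD_PLAN)):
        print(name, check_plan(plan) or "no findings")
```
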
Once the necessary infrastructural accommodations are made, the actual deployment of laptop computers with wireless Intel AMT support is not dramatically different from the corresponding process with wired-only Intel AMT support. At a high level, it involves the following:
- Unpack the machine and boot it to BIOS
- Enable Intel AMT in SMB mode
- Deploy the machine at a user's desk
- Access the Intel AMT device remotely with the browser-based interface and configure network settings, wireless profiles, etc.
For more comprehensive information about provisioning Intel AMT devices in SMB Mode, see the Intel® Active Management Technology Small Business Configuration User Guide.
While deployment of wireless Intel AMT access is not a major undertaking in the SMB environment, system administrators should understand the general considerations associated with the deployment of Intel AMT first. It is also necessary to have WPA or RSN wireless network security in place in order to support access to the wireless Intel AMT interface.
As an adjunct to wired access to the Intel AMT device, wireless access extends manageability of laptops based on Intel Centrino Pro processor technology. SMBs that deploy that access add valuable management functionality to their networks.
The following materials provide a point of departure for further research on this topic:
- Intel Manageability Community is a core developer resource for manageability technologies from Intel. It provides tools, documentation, use cases, blogs, and user forums.
- Intel AMT Technology & Research provides in-depth information about the hardware and software features and capabilities that underlie Intel AMT.
- Intel AMT Technology Brief provides a concise overview of the technology from a business perspective, with a focus on features and benefits to IT organizations and software vendors.