The Client Initiated Remote Access (CIRA) feature of Intel® Active Management Technology (Intel® AMT) allows Intel® vPro™ technology platforms to initiate a secured connection to a gateway server residing in the enterprise De-Militarized Zone (DMZ). Using CIRA, Intel vPro technology-based clients can be managed remotely by the IT Administrator when the system is located outside the corporate network (intranet).
Conventional Connectivity Limitations
Traditionally, it is assumed that management consoles establish a direct connection within the corporate network (intranet) to manage platforms with Intel vPro technology.
In this conventional scenario, when the end user system is outside the corporate network, any out-of-band IT support would require the system to be brought into the corporate network. Intel vPro technology management features can only be used after the system is connected to the intranet.
Many service providers today deliver remote services to PCs in small business environments, and some offer remote management based on Intel Active Management Technology. This connectivity works only if the Small or Medium Business (SMB) site has an appliance, such as the Intel entry storage platform SS4200-EHW, that acts as a proxy and runs the onsite-manager software components connecting the Intel vPro platform with the remote management console. Alternatively, a Virtual Private Network (VPN) must be established between the Customer Premises Equipment (CPE) and the Network Operations Center (NOC). Systems outside either of these connectivity environments cannot take advantage of the Intel vPro technology management capabilities.
Using Intel® AMT and CIRA to Overcome Limitations
The CIRA solution comprises three components: Intel vPro technology-based PCs with Intel AMT configured for remote connectivity, a Management Presence Server (MPS), and a Management Console (MC). In the conventional network infrastructure, the connection is initiated by the Management Console and Intel AMT acts as a TCP server responding to the MC's connection attempts. When Intel AMT is outside the intranet this model cannot be used, for security reasons.
To address this situation, Intel AMT, configured for remote connectivity, initiates a secure TLS connection to an intermediate server, the MPS, located in the enterprise DMZ. The MPS mediates the connection between Intel AMT outside the intranet and the management console inside the corporate network. Communication between the management console and Intel AMT is protected by the TLS tunnel so established.
Once a secured TLS tunnel is established between Intel AMT and the MPS, multiple management consoles can communicate with the same device, and all of their traffic is piped through the same secured tunnel, as shown in the figure below. The MPS is responsible for connecting and disconnecting sessions as management consoles initiate and complete their actions. Intel AMT can also drop the secure connection after a defined period of inactivity.
Key Functionality Enabled by Intel AMT that Underlies this Use Case
The following table summarizes the connectivity options and functionality used in this use case that are provided or enabled by Intel AMT:

| Connection type | Description |
|---|---|
| User-Initiated Connection | Remote access connection initiated through the BIOS when the system is not able to boot. It can also be initiated through the OS when the user needs help from the corporate IT department. |
| Periodic Connection | Remote access connection at a defined time period, allowing the corporate IT department to perform routine maintenance, patch deployment, inventory, etc. during off hours. |
| Alert-Based Connection | Remote access connection when a platform alert occurs. Alerts can be agent presence events, Intel® System Defense filter trips, etc. |
The Advantage of Intel AMT
Intel AMT enables multiple connectivity options, independent of the OS state, when the platform is located outside the corporate network, making the platform available for manageability operations. It achieves this by providing the connection through the BIOS when the operating system, agent, and/or VPN software are disrupted or unavailable.
Business Value of the Intel AMT Solution
This use case enables IT organizations to remotely manage clients with Intel vPro technology that are configured for CIRA:
- Non-responsive systems: For systems located outside the corporate environment that are not able to boot, a user-initiated CIRA connection allows the IT department to diagnose and repair the system remotely.
- Scheduled system maintenance: A periodic CIRA connection allows the IT department to perform operations related to scheduled maintenance, patch deployment, inventory, etc.
- Platform alerts: When a predefined platform event occurs, such as an agent presence alert or a System Defense filter trip event, an alert-based CIRA connection allows the IT department to resolve the alert situation.
Client Initiated Remote Access Usage Case Implementation
The components required to implement the CIRA use case are as follows:
- Management Console (MC) application: an application running on a system elsewhere on the corporate network that manages Intel vPro technology-based clients.
- Management Presence Server (MPS): resides in the corporate DMZ and is responsible for mediating the communication between the MC and PCs with Intel vPro technology.
- Intel vPro technology client configured for CIRA.
The MC application is used to configure and manage the events generated by Intel AMT. The MC configures Intel AMT, allowing the firmware to establish connections as needed.
In the following example, a system located outside the corporate network is unable to boot and needs help from the corporate IT department to become functional again. The user-initiated CIRA connection proceeds as follows:
- The Management Console (MC) configures Intel AMT with the information needed to establish a secured TLS connection with the MPS.
- The MC configures the user-initiated remote access policy in the platform and enables CIRA in the BIOS. Environment detection is also enabled.
- When the platform is outside the corporate network, environment detection is triggered.
- If the system is not able to boot, a user-initiated CIRA connection triggered through the BIOS establishes a secure connection to the MPS.
- The MPS authenticates the connection request and notifies the MC about the connection and the reason for it.
- The MC, using the MPS as a proxy, connects to Intel AMT and remotely performs the diagnosis and repair.
- The MPS terminates the secured connection after the repair is finished.
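The decision logic behind the steps above (environment detection deciding whether the platform is outside the intranet, a policy per trigger type, the user-initiated interfaces that must be enabled, and the inactivity timeout mentioned in the overview), as an added Python model written for this article. It is not Intel AMT firmware or SDK code: the class and function names, the DNS-suffix comparison used for environment detection, and the sample configuration are this example's own assumptions.

```python
"""Simplified model of the decision a CIRA-configured client makes before
opening a tunnel. Added illustration, not Intel AMT firmware or SDK code.
It assumes that environment detection compares the DNS suffix the platform
is currently using with the configured local domains, that each trigger
type has its own remote access policy, and that an idle tunnel is dropped
after an inactivity period."""
from dataclasses import dataclass
from enum import Enum, auto
from typing import Dict, Optional, Set, Tuple


class Trigger(Enum):
    USER_INITIATED = auto()
    PERIODIC = auto()
    ALERT = auto()


class Interface(Enum):
    BIOS = auto()
    OS = auto()


@dataclass(frozen=True)
class CiraConfig:
    local_domains: Tuple[str, ...]      # what SetEnvironmentDetection() would define
    policies: Dict[Trigger, str]        # trigger -> MPS host (one AddRemoteAccessPolicy() each)
    user_interfaces: Set[Interface]     # enabled via EnableUserInitiatedInterface()


@dataclass(frozen=True)
class Event:
    trigger: Trigger
    interface: Optional[Interface] = None   # only meaningful for USER_INITIATED


def is_inside_intranet(dns_suffix: Optional[str], cfg: CiraConfig) -> bool:
    """Environment detection (model assumption): the platform counts as inside
    the intranet when its current DNS suffix is, or is a subdomain of, one of
    the configured local domains. No DNS suffix at all counts as outside."""
    if not dns_suffix:
        return False
    suffix = dns_suffix.lower().rstrip(".")
    for domain in cfg.local_domains:
        domain = domain.lower().rstrip(".")
        if suffix == domain or suffix.endswith("." + domain):
            return True
    return False


def select_mps(event: Event, dns_suffix: Optional[str], cfg: CiraConfig) -> Optional[str]:
    """Return the MPS host to dial out to for this event, or None when no
    CIRA tunnel should be opened."""
    if is_inside_intranet(dns_suffix, cfg):
        return None      # on the intranet the console connects directly; no CIRA
    if event.trigger is Trigger.USER_INITIATED and event.interface not in cfg.user_interfaces:
        return None      # that interface (BIOS/OS) was never enabled
    return cfg.policies.get(event.trigger)   # None if no policy exists for this trigger


class Tunnel:
    """Open TLS tunnel to the MPS, dropped by the client after idle_timeout_s
    seconds without traffic. The clock is passed in so the logic is testable."""

    def __init__(self, mps: str, idle_timeout_s: int, now: float) -> None:
        self.mps = mps
        self.idle_timeout_s = idle_timeout_s
        self.last_activity = now

    def touch(self, now: float) -> None:
        """Record traffic from a management console session."""
        self.last_activity = now

    def expired(self, now: float) -> bool:
        return now - self.last_activity >= self.idle_timeout_s


# Constructed sample configuration: one MPS in the DMZ, user-initiated
# connections allowed only from the BIOS, and no alert-based policy.
SAMPLE_CFG = CiraConfig(
    local_domains=("corp.example",),
    policies={Trigger.USER_INITIATED: "mps.dmz.example",
              Trigger.PERIODIC: "mps.dmz.example"},
    user_interfaces={Interface.BIOS},
)

if __name__ == "__main__":
    cases = [("corp.example", Event(Trigger.USER_INITIATED, Interface.BIOS)),
             ("home.isp.example", Event(Trigger.USER_INITIATED, Interface.BIOS)),
             ("home.isp.example", Event(Trigger.USER_INITIATED, Interface.OS)),
             (None, Event(Trigger.ALERT))]
    for suffix, ev in cases:
        print(suffix, ev.trigger.name, "->", select_mps(ev, suffix, SAMPLE_CFG))
```

The subdomain check matters: a platform on `lab.corp.example` is still inside, while `notcorp.example` is not, which is why the comparison requires a leading dot rather than a bare suffix match.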
The following table gives high-level instructions for enabling, disabling, and managing CIRA settings in Intel AMT.

| Task | Steps |
|---|---|
| Add Certificates | 1. Call AddTrustedRootCertificate() to add to Intel AMT the trusted root certificate that will be used to authenticate the MPS. 2. Call CertStoreAddCertificate() and CertStoreAddKey() to add a client certificate and its key to the Intel AMT platform, to be used for TLS authentication. |
| Add MPS Server | 1. Call AddMpServer() to add the information about the MPS to be connected to for CIRA connections. The client certificate handle for TLS connections must be passed in this API. |
| Add Remote Access Policy | 1. Call AddRemoteAccessPolicy() to add a policy for a user-initiated, periodic, or alert-based CIRA connection. 2. Call the API once for each type of trigger. |
| Enable User Initiated Interface | 1. Call EnableUserInitiatedInterface() to enable or disable user-initiated CIRA connections through the BIOS or the OS. 2. Call the API once for each type of interface (BIOS, OS). |
| Enable Environment Detection | 1. Call SetEnvironmentDetection() to define the local domains and enable environment detection. |

- See the "Intel® AMT Network Interface Guide.pdf" document in the Intel AMT SDK for further details.
- When the Intel® AMT system is configured in Small Medium Business (SMB) mode, the client certificate used for the TLS connection is replaced by username/password credentials. These credentials are passed in the AddMpServer API.
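A consistency check over the values a console would pass in the steps of the table above, as an added Python example written for this article. It does not invoke the Intel AMT SDK: the calls the table names (AddTrustedRootCertificate, CertStoreAddCertificate/CertStoreAddKey, AddMpServer, AddRemoteAccessPolicy, EnableUserInitiatedInterface, SetEnvironmentDetection) are represented by fields in a plain data structure, and the field names, the `enterprise`/`smb` mode labels, the tracking of private keys by certificate handle, and the sample values (hosts, port, handle names) are this example's own assumptions. The checks catch the mistakes that leave a client unable to reach the MPS, or able to reach it without authenticating it (no trusted root), or that contradict the table's one-call-per-trigger rule and the SMB-mode credential note.

```python
"""Consistency check for a CIRA configuration. Added example, not Intel AMT
SDK code: SDK calls are not made; the values a console would pass to them
are recorded in a data structure and checked."""
from dataclasses import dataclass
from typing import List, Optional, Set

VALID_TRIGGERS = {"user-initiated", "periodic", "alert"}
VALID_INTERFACES = {"BIOS", "OS"}


@dataclass
class MpServer:                          # what AddMpServer() would be given
    address: str
    port: int
    cert_handle: Optional[str] = None    # client certificate handle (enterprise mode)
    username: Optional[str] = None       # credentials replace the certificate (SMB mode)
    password: Optional[str] = None


@dataclass
class CiraConfig:
    mode: str                    # "enterprise" or "smb" (labels are this example's own)
    trusted_roots: List[str]     # handles from AddTrustedRootCertificate()
    client_certs: Set[str]       # handles from CertStoreAddCertificate()
    client_keys: Set[str]        # cert handles whose key CertStoreAddKey() stored (model assumption)
    mp_servers: List[MpServer]
    policies: List[str]          # one trigger name per AddRemoteAccessPolicy() call
    user_interfaces: Set[str]    # enabled via EnableUserInitiatedInterface()
    local_domains: List[str]     # from SetEnvironmentDetection()


def check_config(cfg: CiraConfig) -> List[str]:
    """Return a list of findings; an empty list means the configuration is consistent."""
    findings: List[str] = []

    # Without a trusted root the client has no way to authenticate the MPS it dials out to.
    if not cfg.trusted_roots:
        findings.append("no trusted root certificate: the MPS cannot be authenticated")

    if not cfg.mp_servers:
        findings.append("no MPS configured")
    for mps in cfg.mp_servers:
        if cfg.mode == "enterprise":
            if not mps.cert_handle:
                findings.append(f"{mps.address}: enterprise mode needs a client certificate handle")
            elif mps.cert_handle not in cfg.client_certs:
                findings.append(f"{mps.address}: certificate handle {mps.cert_handle!r} not in the certificate store")
            elif mps.cert_handle not in cfg.client_keys:
                findings.append(f"{mps.address}: no private key stored for certificate {mps.cert_handle!r}")
        elif cfg.mode == "smb":
            if not (mps.username and mps.password):
                findings.append(f"{mps.address}: SMB mode needs username/password credentials")
        else:
            findings.append(f"unknown provisioning mode {cfg.mode!r}")
        if not 0 < mps.port < 65536:
            findings.append(f"{mps.address}: invalid port {mps.port}")

    # One policy per trigger type: duplicates and unknown triggers are mistakes.
    seen: Set[str] = set()
    for trig in cfg.policies:
        if trig not in VALID_TRIGGERS:
            findings.append(f"unknown trigger {trig!r}")
        elif trig in seen:
            findings.append(f"duplicate policy for trigger {trig!r}")
        seen.add(trig)
    if not cfg.policies:
        findings.append("no remote access policy: nothing will ever trigger a connection")

    # User-initiated connections need both a policy and at least one enabled interface.
    bad_ifaces = cfg.user_interfaces - VALID_INTERFACES
    if bad_ifaces:
        findings.append(f"unknown user-initiated interface(s): {sorted(bad_ifaces)}")
    if "user-initiated" in seen and not cfg.user_interfaces:
        findings.append("user-initiated policy present but no BIOS/OS interface enabled")
    if cfg.user_interfaces and "user-initiated" not in seen:
        findings.append("user-initiated interface enabled but no user-initiated policy")

    if not cfg.local_domains:
        findings.append("no local domains: environment detection cannot tell inside from outside")
    return findings


# Constructed sample: a consistent enterprise-mode configuration (port and handles invented).
GOOD_CFG = CiraConfig(
    mode="enterprise",
    trusted_roots=["root-handle-1"],
    client_certs={"client-cert-1"},
    client_keys={"client-cert-1"},
    mp_servers=[MpServer("mps.dmz.example", 4433, cert_handle="client-cert-1")],
    policies=["user-initiated", "periodic", "alert"],
    user_interfaces={"BIOS", "OS"},
    local_domains=["corp.example"],
)

# Constructed sample: an SMB-mode configuration with several mistakes.
BAD_CFG = CiraConfig(
    mode="smb",
    trusted_roots=[],
    client_certs=set(),
    client_keys=set(),
    mp_servers=[MpServer("mps.dmz.example", 4433, username="cira", password=None)],
    policies=["periodic", "periodic"],
    user_interfaces={"BIOS"},
    local_domains=[],
)

if __name__ == "__main__":
    print("good:", check_config(GOOD_CFG))
    for finding in check_config(BAD_CFG):
        print("bad:", finding)
```

Running the check on `BAD_CFG` reports five findings: the missing trusted root, the missing SMB password, the duplicate periodic policy, a BIOS interface enabled without a user-initiated policy, and the empty local-domain list.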
The following assumptions underlie the analysis in this use case:
- The Intel® AMT system is provisioned with all the needed certificates and profiles while on the intranet.
- The Intel® AMT system is located outside the intranet when it initiates CIRA connections.
- The Intel® AMT system is provisioned in enterprise mode when TLS mutual authentication is used for the secured CIRA connection.
- The corporate IT department hosts the MPS in the DMZ network, and the Management Console is modified to use the MPS as a proxy when communicating over CIRA connections.
About the Author
Ajith Illendula is an embedded software engineer currently working in the Enterprise Manageability Enabling group in SSG. Ajith is an application engineer supporting the Endpoint Access Control (EAC) and Client Initiated Remote Access (CIRA) features in Intel® AMT and the Manageability forum on the Intel Developer Zone. Ajith graduated from the University of New Mexico in 2000 with a Master's degree in Computer Engineering. Ajith joined Intel in 2000 as a software engineer and worked on developing enabling software for various embedded platforms, ranging from network processors to flash file systems. Ajith's areas of interest include embedded software development, multi-threaded applications, and parallel programming.