Remote Alerts Call for Help Overview


Intel® Active Management Technology Use Case #12:
Fast Call for Help

Fast Call for Help aka Client Initiated Remote Access (CIRA) feature of Intel® Active Management Technology (Intel® AMT) allows Intel® vPro™ technology platforms to initiate a secured connection to a gateway server residing in the enterprise De-Militarized Zone (DMZ). Using call for help feature, Intel vPro technology-based clients can be managed remotely by the IT Administrator when the system is located outside the corporate network (intranet).


Conventional Connectivity Limitations

Traditionally, it is assumed that management consoles establish a direct connection within the corporate network (intranet) to manage platforms with Intel vPro technology.

In this conventional scenario, when the end user system is outside the corporate network, any out-of-band IT support would require the system to be brought into the corporate network. Intel vPro technology management features can only be used after the system is connected to the intranet.

Many service providers exist today that deliver remote services to PCs in small business environments, with some offering remote management based on Intel Active Management Technology. This connectivity works if within Small Medium Business (SMB) there is an appliance like Intel entry storage platform SS4200-EHW that acts as the proxy running onsite manager components of software connecting the Intel vPro platform with the remote management console.  Alternatively, a Virtual Private Network (VPN) should be established between Customer Premises Equipment (CPE) and Network Operations Center (NOC). Systems outside of this connectivity environment cannot take advantage of the Intel vPro technology management capabilities.


Using Intel® AMT and Fast Call for Help to Overcome Limitations

The solution using fast call for help comprises of three components – Intel vPro technology-based PCs with Intel AMT configured for remote access connectivity, vPro Enabled Gateway aka Manageability Presence Server (MPS) and Management Console (MC). In the conventional network infrastructure, the connection is initiated by the Management console and Intel AMT acts as a TCP Server responding to MC’s connection attempts. When Intel AMT is outside the intranet this model doesn’t exist due to security concerns.

To address this situation, Intel AMT is configured for remote connectivity, initiates a secure TLS connection to an intermediate server vPro Enabled Gateway located in the enterprise DMZ environment. vPro Enabled Gateway mediates the connection between Intel AMT device located outside the intranet and the management console located inside the corporate network. Communication between the management console and Intel AMT is protected using the secure TLS connection.

Once a secured TLS tunnel is established between Intel AMT and vPro Enabled Gateway, multiple management consoles can communicate with the same device and all of the traffic is piped through the same secured tunnel as shown in the figure below. vPro Enabled Gateway is responsible for c onnecting/disconnecting sessions as management consoles initiate and complete their actions. Intel AMT can also drop the secure connection after a defined period of inactivity.


Key Functionality Enabled by Intel AMT that Underlies this Use Case

The following table summarizes the connectivity options and functionality utilized in this use case that are provided by Intel AMT or enabled by Intel AMT:

Feature

Functionality

Fast Call for Help

Remote access connection initiated through BIOS when the system is not able to boot. This connection can also be initiated through OS when in need of help from the corporate IT department.

Remote Scheduled Maintenance

Remote access connection at defined time period to allow for routine maintenance, patch deployment, inventory etc during off hours by corporate IT department.

Remote Alerts

Remote access connection when platform alerts occurs. Alerts could be agent presence events, Intel® System Defense filter trips etc.


The Advantage of Intel AMT [4]

Intel AMT enables multiple connectivity options independent of the OS state when the platform is located outside the corporate network making it available for manageability operations. It achieves this goal by providing the connection through BIOS when the operating system, agent and/or VPN software are disrupted or unavailable.


Business Value of the Intel AMT Solution

This use case enables IT organizations to remotely manage clients with Intel vPro technology configured for fast call for help :

  • Non-responsive systems: For systems located outside the corporate environment and not able to boot, fast call for help connection allows for remote diagnosis and repair of the systems by IT department.
  • Scheduled system maintenance: Scheduled maintenance call for help connection allows the IT department to perform operations related to scheduled maintenance, patch deployment, inventory etc. 
  • Platform alerts: In the event of a predefined platform event occurrence, such as agent presence alerts or system defense filter trip events, remote alert call for help connection allows IT departments to resolve the alert situation.

Fast Call for Help Usage Case Implementation

The components required to configure fast call for help u se case are as follows:

Management Console (MC) application: This is an application running on a system elsewhere on the corporate network managing Intel vPro technology-based clients.

vPro Enabled Gateway (MPS): Resides in the corporate DMZ and is responsible for mediating the communication between MC and PCs with Intel vPro technology.

Intel vPro technology client configured for fast call for help.

The MC application is used to configure and manage the events generated by Intel AMT. MC will configure Intel AMT allowing the firmware to establish connections as needed.

In the following example, a system has been residing outside the corporate network and platform events are occurring. The system needs to notify corporate IT department about the platform events. The following is the Remote Alerts Call for Help Overview:

  • Management Console (MC) configures Intel AMT with the information to establish secured TLS connection with vPro Enabled Gateway.
  • MC configures the alert based remote access policy in the platform and enables environment detection.
  • When the platform is outside the corporate network, environment detection is triggered.
  • In the event when the system is generating platform events, remote alert call for help trigger establishes a secure connection to vPro Enabled Gateway.
  • vPro Enabled Gateway authenticates the connection request and notifies MC about the connection and the reason for it. MC will be notified of the Platform Event Trap (PET) alerts.
  • MC using vPro Enabled Gateway as proxy, connects to Intel AMT and remotely performs the actions to recover from the platform events. For example, for agent presence alerts, the monitored agent is restarted.
  • MC terminates the secured connection after the alert is handled.

 The following table provides some high-level instructions on how to enable/disable/manage remote access settings in Intel AMT.

Action

CIRA API/Steps

Add Certificates

  1. Call AddTrustedRootCertificate() to add a trusted root certificate in Intel AMT which will be used to authenticate vPro Enabled Gateway.
  2. Call CertStoreAddCertificate() and CertStoreAddKey() to add a client certificate along with its key in Intel AMT platform to be used for TLS authentication.

Add MPS Server

  1. Call AddMpServer () to add information about vPro Enabled Gateway server to be connected for CIRA connection. Client certificate handle for TLS connections need to be passed in this A PI.

Add Remote Access Policy

  1. Call AddRemoteAccessPolicy() to add a policy for remote alert call for help connection

Enable Environment Detection

  1. Call SetEnvironmentDetection() to define the local domains and enable environment detection

Note:

  • See the “Intel® AMT Network Interface Guide.pdf” documents located in the Intel AMT SDK for further details.
  • When Intel® AMT system is configured in Small Medium Business(SMB) mode, the client certificate used for TLS connection is replaced by username/password credentials. These credentials are used in the AddMPServer API.

About the Author

Ajith Illendula is an embedded software engineer and currently working in the Enterprise Manageability Enabling group in SSG. Ajith is an application engineer supporting the Endpoint Access Control (EAC) and Fast Call for Help features in Intel® AMT and Manageability forum on the Intel Developer Zone. Ajith graduated from the University of New Mexico in 2000 with a Master's degree in Computer Engineering. Ajith joined Intel in 2000 as a software engineer and worked on developing enabling software for various embedded platforms ranging from network processors to flash file systems. Ajith's areas of interests include embedded software development, multi-threaded applications, parallel programming. 


[4] The following assumptions underlie the analysis in this use case:

  1. The Intel® AMT system is provisioned with all the needed certificates and profiles in the intranet
  2. The Intel® AMT system is located outside the intranet to initiate call for help connections
  3. The Intel® AMT system is provisioned in enterprise mode when using TLS mutual authentication for the secured call for help connection.
  4. Corporate IT department is hosting vPro Enabled Gateway in DMZ network and Management console is modified to use vPro Enabled Gateway as proxy when communicating over call for help connections.

For more complete information about compiler optimizations, see our Optimization Notice.