Connecting to AMT over the internet

Connecting to AMT over the internet

I am having a problem when trying to connect to machines over the internet. I can use the Standard Manageability web page but when I try to connect with my program it doesn't work. I am able to create a new WSManClient but when I actually try to get information from the machine I get the same error as I would if the IP is wrong.

The same program works fine when I try to connect to a machine on the local network. I can also connect to the machines with Commander over the internet. Any ideas on what could be happening?

20 posts / 0 new
Last post
For more complete information about compiler optimizations, see our Optimization Notice.

Is there a firewall between the two systems? Are you able to ping between the two OSs? Is one of the systems behind a router that's running NAT?

Quoting - rogerb

Is there a firewall between the two systems? Are you able to ping between the two OSs? Is one of the systems behind a router that's running NAT?

Ok, so I looked into it a bit more and realized I was making some assumtions. I thought because the other computer was really really far away it must be over the internet. I was wrong. All of the computers are on the same network. So there aren't any firewalls or NAT between them. I can ping the far computer, takes about 200 ms.

While looking through WS Management code it doesn't look like the WSManClient waits for a response. Could it be something like it tries for a bit then quits after taking too long? Or it moves on before the client created?

You said that you could get Commander to talk to the remote system? What I've found to be the most helpful in these cases is to run WireShark on the management system, and look at the network traffic between the two systems. You should see them negotiate a connection, and then you should see your API request go to the AMT system over the connection, and then you should see the response come back. If TLS is turned off, then you should see all of this network traffic in the clear so that you can look at it.

Regards,
Roger

Yeah, Commander worked fine. That's why I think it may be a timing issue. I was thinking that maybe Commander had a way of checking to make sure the connection was made before querying the machine. I also tested the IT Helper that Stephen Hibbert created over the summer and put on here (blogs). That produced the same errors as my code.

Thanks for the advice. I'll try WireShark and hopefully it'll help me figure this out.

Quoting - odla0024

Yeah, Commander worked fine. That's why I think it may be a timing issue. I was thinking that maybe Commander had a way of checking to make sure the connection was made before querying the machine. I also tested the IT Helper that Stephen Hibbert created over the summer and put on here (blogs). That produced the same errors as my code.

Thanks for the advice. I'll try WireShark and hopefully it'll help me figure this out.

It's interesting that Stephen's IT helper showed the same behavior. Could you tell me what AMT version your system has? I hadn't heard of the IT Helper having an issue before, so I'd like to capture that.

Quoting - Andrew Schiestl (Intel)

It's interesting that Stephen's IT helper showed the same behavior. Could you tell me what AMT version your system has? I hadn't heard of the IT Helper having an issue before, so I'd like to capture that.

The machines that I cannot connect to that are at the remote location have versions 5.0.1 and 5.0.2. The machine that I can connect to that is near me has version 5.1.0.

So I'm starting to feel more and more like an idiot :)

I'm pretty new to this and haven't had much networking experience. So this is the current situation I am in.

I am trying to connect from a 172.x.x.x machine to a 10.x.x.x machine (Which I believe means there is a NAT).

When I tested it with Wireshark I could see the connection being made to 172.x.x.x machines but there seemed to be nothing being sent to the 10.x.x.x machine.

Thanks for being patient while I try to figure this stuff out.

Quoting - odla0024
So I'm starting to feel more and more like an idiot :)

I'm pretty new to this and haven't had much networking experience. So this is the current situation I am in.

I am trying to connect from a 172.x.x.x machine to a 10.x.x.x machine (Which I believe means there is a NAT).

When I tested it with Wireshark I could see the connection being made to 172.x.x.x machines but there seemed to be nothing being sent to the 10.x.x.x machine.

Thanks for being patient while I try to figure this stuff out.

That really sounds like a network issue, it sounds like traffic can't be routed to the 10.X.X.X network. The 10.x.x.x is intended as a private network (along with the 192.168.x.x and 172.16.x.x through 172.31.x.x). If you're not as familiar with networking, you might want to start with AMT systems on the same subnet (at least initially).

Without knowing more about your network infrastructure, it's difficult to say why you are unable to reach the 10.x.x.x machine. It might just be that you're possibly trying to route from one private network to another. If you're just getting started with networking, I'd look into the ping and traceroute (tracert ona Windows OS)commands for debugging issues. Sometimes IT shops block those tools since they can be considered a security risk, but both are useful for debugging network issues that can prevent communications with a vPro system.

Andy

Thanks for your advice. I've tried both ping and tracert. I am able to reach the machine using both. The trace jumps to 2 other locations before reaching the destination.

I had thought about it being a network issue but since I can reach it with Commander just fine and reach the machine in other ways, you'd think that the SDK should be able to connect to it.

Quoting - odla0024

Thanks for your advice. I've tried both ping and tracert. I am able to reach the machine using both. The trace jumps to 2 other locations before reaching the destination.

I had thought about it being a network issue but since I can reach it with Commander just fine and reach the machine in other ways, you'd think that the SDK should be able to connect to it.

Whoops, sorry, I answered your question too quickly without noticing it was part of the previous thread, where you can access the machine with Commander just fine. Wait, even when you connect with Commander, you're not seeing any packets with Wireshark going to port 16992? When you said that nothing was being sent to the 10.x.x.x machine, I thought that Commander wasn't working either. Also, just so I'm clear the machine on the 10.x.x.x is one of the AMT 5.0 machines you have?

If Commander is working, and the traffic isn't encrypted with TLS, you'll be able to see the commands being sent to port 16992. That's actually useful for comparison purposes, I've debugged problems before by checking how I was calling something on AMT, and comparing it to how Commander (or one of the SDK samples) was calling it.

What functionality are you trying to use out of the SDK? Do none of the examples work, or is there a specific one you're trying to get working?

Sorry I was unclear. When using the Commander I can see packets being sent between the two machines with attempting to connect to both the 172.x.x.x and the 10.x.x.x. When using my code with the SDK and the IT Helper I can only see packets attempting to connect to the 172.x.x.x machine.

The machine is AMT 5.0.1.

At the moment I am trying to get hardware information and would like to be able to turn the machine on and off. The AssetDisplay application in the SDK works fine.

Quoting - odla0024

Sorry I was unclear. When using the Commander I can see packets being sent between the two machines with attempting to connect to both the 172.x.x.x and the 10.x.x.x. When using my code with the SDK and the IT Helper I can only see packets attempting to connect to the 172.x.x.x machine.

The machine is AMT 5.0.1.

At the moment I am trying to get hardware information and would like to be able to turn the machine on and off. The AssetDisplay application in the SDK works fine.

That is really odd, I've never seen something like that before. I'd expect to at least see the request going to the AMT system, and not getting a response back, the fact that you're not seeing any traffic to the 10.x.x.x machine is confusing, especially since Commander works and you can ping the system. Let me ask around about that behavior. Oh, which AssetDisplay are you using? C# WS-Man, C++ WS-Man, or SOAP? I guess if you were trying to use the C# one and there was a WinRM issue, that could cause the behavior you're seeing.

Also, you mean AssetDisplay works fine against the 172.x.x.x system, and not against the 10.x.x.x system, correct? Since you're interested in turning the machine on and off, have you tried the RemoteControl sample? And does it show the same behavior?

Andy

Quoting - rogerb

Is there a firewall between the two systems? Are you able to ping between the two OSs? Is one of the systems behind a router that's running NAT?

I MET THE PROBLEM BEFORE.and finally it proved the hardware problem. after i change the netcard,all is ok

Quoting - avensue

I MET THE PROBLEM BEFORE.and finally it proved the hardware problem. after i change the netcard,all is ok

Was it a hardware configuration issue or failed hardware? I tried using two different machines (both identical builds as used before) and still could not connect to the machine on the other IP.

Quoting - Andrew Schiestl (Intel)

That is really odd, I've never seen something like that before. I'd expect to at least see the request going to the AMT system, and not getting a response back, the fact that you're not seeing any traffic to the 10.x.x.x machine is confusing, especially since Commander works and you can ping the system. Let me ask around about that behavior. Oh, which AssetDisplay are you using? C# WS-Man, C++ WS-Man, or SOAP? I guess if you were trying to use the C# one and there was a WinRM issue, that could cause the behavior you're seeing.

Also, you mean AssetDisplay works fine against the 172.x.x.x system, and not against the 10.x.x.x system, correct? Since you're interested in turning the machine on and off, have you tried the RemoteControl sample? And does it show the same behavior?

Andy

The C# Asset Display in the Samples folder of the SDK is the one that didn't work for me. It could connect to the 172.x.x.x system but not the 10.x.x.x. I have not tried the RemoteControl sample because the machines are currently in the field and being used.

Thank you for working on this with me.

Quoting - odla0024

The C# Asset Display in the Samples folder of the SDK is the one that didn't work for me. It could connect to the 172.x.x.x system but not the 10.x.x.x. I have not tried the RemoteControl sample because the machines are currently in the field and being used.

Thank you for working on this with me.

So if only C# Asset Display example didn't work, does that mean the WSMan C++ example or the SOAP example did work?

And as a second question, what was the error (if any was displayed) that you got back when you tried to run the C# Asset Display example against the 10.x.x.x system? If it's only the C# example that has an issue, I think we can start addressing the issue.

Andy

Hi Andrew,

i am also trying the same in our lab, we have succesfully implemented the AMT over the local network, now i was exploring more about connecting over the internet.

could you please redirect me to right place where i can learn this ? also can i connect to remote machine over the internet through WS-Man Interface using c# ? does it support all commands i.e. power up, power down, asset display ?

if all these operations are possible then what settings are required on host machine and client machine ? how to build trusted relationship between two systems over the internet and what changes are required at network side ?

if you could clear my above doubts i will be very thanksful to you.

many thanks.

Tej.

Hi Tejs,

The way to connect to an AMT system over the Internet is to use Client Initiated Remote Access (CIRA). This allows the client to connect to a Management Presence Server (MPS). The ME establishes a TLS connection to the MPS, which then establishes a connection to the managment console. The console then uses a tunnelled connection through the MPS back to the ME over the Internet while using the MPS as a proxy. This process is described in the documentation that accompanies the SDK.

Regards,

Roger

Hello Tejs,

You can download the AMT SDK at this LINK. Please refer to Remote Access section in the documentation available from the Start Here link in the Intel AMT Release 6.0 Start Here.htm.

We also have a couple of videos on the topic, which unfortunately seem be non-operational at the moment, but please try them in a couple days: Video1, Video2

Leave a Comment

Please sign in to add a comment. Not a member? Join today