Remote Control with Intel KVM doesn't work after provisioning

Remote Control with Intel KVM doesn't work after provisioning

salva g.'s picture

Hi all,

I have some issues with remote control with Intel KVM, we are using landesk management suite 9.0 in the server side, godaddy certificate for remote provisioning, The devices are amt versions 6,7,8, and all have Intel integrated graphics. After provisioning all vPro options work but in some devices Remote Control via Intel KVM desn't work. To get kvm option working, in landesk managemet console we have to go to Intel vPro Options -> Intel vPro Status.. then we go to Remote Control via Intel KVM and works. It seems that device is provisioned but kvm option is "False", then when we do Intel vPro Status, Intel amt finish configuration.. We don't know.  When a device is just  provisioned it show KVMOptions><EnableKVM>False</EnableKVM>.. in log file from scs_discovery, after intel vPro status it show True. Maybe a bug in provisioning process? Also to say that when device is provisioned and kvm doesn´t work, we go to Intel MEBX with Ctrl+P and KVM is Enabled..

Is there some issue like this that you know?

Thanks very much in advance,

11 posts / 0 new
Last post
For more complete information about compiler optimizations, see our Optimization Notice.
Gael Hofemeier (Intel)'s picture

Not sure where to start here....  What tool are you using to provision AMT?  I know that the LANDesk software has custom provisioning built in so hopefully you are provisioning from within the LANDesk software.

You can do KVM via the Redirection Ports or via the KVM ports.  Can you make sure that Redirection is enabled?  (I don't know how LAN Desk implemented the KVM feature.)  You say this only happens on select systems?  And were they all provisioned the same way?

Typically if KVM is not working, the HECI (or MEI driver) may be missing or incorrect or redirection (and/or) KVM in the BIOS is not enabled.

Are you getting specific errors when you try to have a KVM session?

I wrote a blog for trouble shooting KVM a while ago - you can check it out here.

Follow me on Twitter: @GHIntelBlogs Facebook: https://www.facebook.com/gh.intelblogs
salva g.'s picture

Hi Gael,
-We are using Landesk 9.0 with Godaddy certificate to provision all our Intel AMT devices. The provisioning process works ok.
-When a device is provisioned, from landesk console, we tried to do Remote Control via Intel KVM and it doesn’t work. We get LANDesk error message like “The AMT device refused the TCP connection. Verify the device’s name or IP address and verify that the device’s configuration allows TCP connections.”
-After this we check with intel tool Manageability Commander Tool Mesh Edition:
Remote Control -> Remote Desktop Setting:
State=Disabled
Standard Port=Disabled
Redirecction Port (16993/16995)=Enabled
-Wth SCS_Discovery, we see that all labels are TRUE but EnableKVM is False, KVMOptions>False
-Also we go to MEBX with CTRL P and we see that KVM is ENABLED.
-Then, to get KVM working from LANDesk management console usualy do next,
From Landesk Console, we go to Intel vPro Options -> Intel vPro Status.. after Status windows is showed in landesk management console, KVM works. Some thing has to change in intel AMT because KVM works.
-After kvm is ok we check again with Intel tools the computer and we can see next:
In Manageability Commander Tool Mesh Edition:
Remote Control -> Remote Desktop Setting:
State=Enabled
Standard Port=Enabled
Redirecction Port (16993/16995)=Enabled
--Wth SCS_Discovery, we see that EnableKVM is TRUE, KVMOptions>True

Thanks very much for you time

Gael Hofemeier (Intel)'s picture

So you were able to enable the KVM port by using the Commander, right?  And then were you able to get KVM working after that?  Do you have User Consent enabled? If User Consent is enabled then a Sprite screen will come up on the AMT client with a number that would have to be entered by someone at the Management Console.  Also did you set up the RFB password correctly?  I has to be exactly 8 characters.

I have found that I've had to have both the KVM standard port AND the Redirection ports enabled in order to have a KVM session.  Not sure why - may be a bug in the Commander...

Follow me on Twitter: @GHIntelBlogs Facebook: https://www.facebook.com/gh.intelblogs
salva g.'s picture

No, I was able to enable KVM using LANDesk Intel vPro Status function, after that kvm works. (kvm port and redirections port are enabled afeter landesk status). Our password in Landesk has more than 8 character, it works,

this is from landesk help, the password has to be at least 8 character long:

http://help.landesk.com/Topic/Index/ENU/LDMS/9.5/Content/Windows/vpro_t_password.htm

Changing the password for Intel vPro devices

A secure password is required to communicate with and to provision new Intel vPro devices. For devices that you will manage, the "admin" password you enter in the Intel AMT Configuration Screen (accessed in the device BIOS) should be the same as the password that you enter in the Intel vPro General Configuration dialog box. That password is saved in theManagement Suite database and applied globally for provisioning Intel vPro devices.

Intel vPro requires the use of a strong password to enable secure communications. Passwords should meet these requirements:

  • At least 8 characters long
  • Includes at least one number character (0-9)
  • Includes at least one non-alphanumeric ASCII character (such as !, &, %)
  • Contains both upper- and lowercase Latin characters, or non-ASCII characters (UTF+00800 and above)
Gael Hofemeier (Intel)'s picture

Yes, but the RFB password (if you are using the standard KVM port) is exactly 8 characters.  What you are describing above is the ME and the AMT user password requirements.  The admin password is synced with the ME password unless you change it - this is also a little confusing to some.  The RFB password is only used for KVM sessions.

Follow me on Twitter: @GHIntelBlogs Facebook: https://www.facebook.com/gh.intelblogs
salva g.'s picture

Ok, in Landesk management console we have only a place where specify the password vPro. This password is supposed is for provisioning and kvm (and all communications with Intel AMT devices). 

Attachments: 

Gael Hofemeier (Intel)'s picture

Ok - on those screens it looks like you are simply setting up your admin password account (which when you do this for the first time, this password is also your ME password.)  If you were to open the WebUI and change the Admin password to a new password after you provisioned your systems, you would access AMT from the APIs using your new admin password but in order to get into the MEBx menus (or WebUI, for example) you would use the ME password.  

The configuration screens are not setting up an RFB password for KVM.  This leads me to believe that LANDesk may be using the Redirection ports to do KVM (if you aren't using the KVM standard port, you don't need an RFB password.)

Since I am not familiar with how LANDesk implements KVM, this would be a better question for the LANDesk Support team.

Follow me on Twitter: @GHIntelBlogs Facebook: https://www.facebook.com/gh.intelblogs
salva g.'s picture

Okay, you're right, maybe I have a question for the LANDesk Support team.
Thanks very much.
-Salva from south Spain.

Gael Hofemeier (Intel)'s picture

Just out of curiosity, can you send me the information on the system?  What processor including the number, any motherboard information?  (for example the kind of information you would get from "ark.intel.com"  You did get KVM working so did you still have questions?  If you did not get KVM to work, then maybe your system isn't capable of doing KVM (SCS Discovery tool doesn't always report the right information where KVM is concerned.)

There are some systems that are "upgradeable" meaning they come with a limited set of AMT features and KVM capability is not included in the upgradable systems (until you purchase the upgrade via the Intel Upgrade Service.) 

Follow me on Twitter: @GHIntelBlogs Facebook: https://www.facebook.com/gh.intelblogs
salva g.'s picture

Hi, we have Lenovo devices, workstations, thinkstations and laptops, etc. AMT versions 6, 7 and 8  kvm capables, also have old AMT versions 3,4,5 no kvm capables.

Yes, we are getting kvm working, always after to open 5900 port in Intel AMT devices. 

When a device is provisioned by LANDesk server with GoDaddy certificate, only ports 16992 and 16994 are open in device. At this moment Remote Control via Intel KVM from LANesk console doesn't work. Then in LAdesk console we use Intel vPro Options -> Intel vPro Status.. ( is a command that get information and status from device provisioned), after running Status port 5900 is open.., and Remote Control via Intel KVM works.

Regards.

Login to leave a comment.