Detailed Description

The Remote Access feature enables a management console to securely access Intel AMT platforms even if they are located outside the enterprise network. This is achieved by creating a secure TLS-based tunnel via a Management Presence Server (MPS), as illustrated in the following figure.

The MPS enables enterprise management consoles located behind the enterprise firewall to connect to Intel AMT platforms located outside the enterprise. The MPS mediates between the platform and the management console and appears as a proxy server to the management consoles.

The Intel AMT platform connects to the MPS to establish a secure connection to the enterprise network. Once a TLS tunnel is established between the platform and the MPS, multiple management consoles can connect with the system. The MPS uses the Intel AMT port forwarding protocol (APF) built into the platform to differentiate between different management console sessions. The MPS creates and tears down sessions and allocates/de-allocates ports as management consoles initiate and complete actions. The Intel AMT platform will drop the tunnel connection after a defined period of inactivity.

Intel AMT maintains a connection with the MPS by sending a periodic “keep alive” message. If the “keep alive” message does not arrive, the MPS drops the connections after a configurable waiting period.

The MPS depends on the following third-party software to implement some of the required functionality:

   A Tunneling Proxy – Establishes the TLS tunnel with the Intel AMT platform and passes the traffic through to the MPS.

   A Proxy Server – Handles proxy HTTP connections between management consoles and the MPS. The HTTP proxy socksifies the connections and forwards the connections by proxy chaining to the MPS.

Note:

   The Remote Access feature is different from most other features in that the Intel AMT system acts as a client (and not a server) since it is requesting the service (from the MPS) and not providing it.

   Remote Access will not work if the Intel AMT system does not have a root certificate for the MPS server certificate.

   An Intel AMT platform that only supports NULL ciphers cannot connect to an MPS. Such a platform rejects attempts to define an MPS connection.

   For more information, see Intel® vPro™ Gateway (MPS).

Multiple MPS Instances

An enterprise installation may require more than one instance of an MPS. Intel AMT platforms can be configured with four different MPS instances. A remote access policy can be associated with up to two MPS instances. Intel AMT will attempt to connect with the first instance, and then the second instance. The attempt to connect will be repeated once. At this point, a new trigger will be required before the next connection attempt.

No more than one MPS instance may run on a single server.
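The connection rules described above (the MPS-side keep-alive wait, the two hard preconditions in the Note, and the first-then-second attempt order with one repeat before a new trigger is needed) can be modelled as a small policy check and failover routine. This is an added illustration, not Intel's code or the SDK's API; the names MpsInstance, validate_policy, attempt_order, connect_with_failover and mps_should_drop are assumptions, and "repeated once" is read here as the whole first/second sequence being run a second time.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional

@dataclass
class MpsInstance:
    name: str
    root_cert_trusted: bool = True  # platform holds the root of this MPS's server cert

def validate_policy(instances: List[MpsInstance], platform_ciphers: List[str]) -> Optional[str]:
    """Return a rejection reason, or None if the policy can be defined.
    Encodes the page's constraints: a policy references at most two of the
    configured MPS instances, a NULL-cipher-only platform cannot define an
    MPS connection, and an MPS whose root certificate is missing is unreachable."""
    if len(instances) > 2:
        return "a remote access policy may reference at most two MPS instances"
    if all("_WITH_NULL_" in c for c in platform_ciphers):
        return "platform supports only NULL ciphers; MPS connection rejected"
    untrusted = [i.name for i in instances if not i.root_cert_trusted]
    if untrusted:
        return "no root certificate for MPS server certificate: " + ", ".join(untrusted)
    return None

def attempt_order(instances: List[MpsInstance]) -> List[MpsInstance]:
    """First instance, then second, then the sequence repeated once (assumed reading)."""
    return list(instances) * 2

def connect_with_failover(instances: List[MpsInstance],
                          try_connect: Callable[[MpsInstance], bool]) -> Optional[str]:
    """Return the name of the MPS that accepted the tunnel, or None when every
    attempt failed and a new trigger is required before trying again."""
    for inst in attempt_order(instances):
        if try_connect(inst):
            return inst.name
    return None

def mps_should_drop(last_keepalive_s: float, now_s: float, wait_s: float) -> bool:
    """MPS side: drop the platform's connections once the configurable waiting
    period has elapsed without a keep-alive message."""
    return now_s - last_keepalive_s > wait_s

if __name__ == "__main__":
    a, b = MpsInstance("mps-a"), MpsInstance("mps-b")  # constructed sample instances
    print(validate_policy([a, b], ["TLS_RSA_WITH_AES_128_CBC_SHA"]))   # None
    print(connect_with_failover([a, b], lambda i: i.name == "mps-b"))   # mps-b
    print(mps_should_drop(last_keepalive_s=100, now_s=170, wait_s=60))  # True
```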

See Also:

   Remote Access Policies

   Enabling Remote Access

   User Initiation Host Interface Commands

Copyright © 2006-2022, Intel Corporation. All rights reserved.