
Remote Access

The Remote Access feature enables a management console to securely access Intel AMT platforms even if they are located outside the enterprise network. This is achieved by creating a secure TLS-based tunnel via an Intel vPro Gateway, also known as a Management Presence Server (MPS).

Note: The Remote Access feature requires that Environment Detection is configured (see Configuring Environment Detection).

Using environment detection, Intel AMT detects whether the platform is inside or outside the enterprise.

When a user initiates a connection (Fast Call for Help):

   If the platform is outside the enterprise, two events are triggered. Intel AMT connects to an MPS, triggering an MPS event, and performs a Fast Call for Help remotely (also called Client Initiated Remote Access, or CIRA). In addition, a WS-Eventing event is sent by the platform.

   If it is inside the enterprise, Intel AMT sends a WS-Eventing event to a subscribing console, without needing to connect to an MPS. This allows performing a Fast Call for Help locally (also called Client Initiated Local Access, or CILA).

For more information about the Remote Access feature, see the following:

   Detailed Description

   CIM Elements

   Events

   Use Cases


CIRA Over Proxy

In Intel AMT 12.0 and later, Intel® AMT supports using CIRA from behind an HTTP proxy. Up to 15 proxies can be defined for this use. The following diagram shows the architecture of a system using proxies for a CIRA connection.

Intel AMT connects to the MPS through a proxy server defined in the proxy configuration in the following cases:

   When a CIRA connection request is received by Intel AMT in an environment where the MPS FQDN is not in the same network domain as the current network, and the current network domain is in one of the allowed proxy configurations.

   When a CIRA connection request is received by Intel AMT in an environment where the MPS FQDN is in the current network domain but direct connection to the MPS server fails, and the current network domain is in one of the allowed proxy configurations.

To enable using an HTTP proxy, you add it to the list of allowed proxies in the proxy configuration.

Each HTTP proxy is defined in an instance of the IPS_HTTPProxyAccessPoint:CIM_RemoteServiceAccessPoint class. To add a proxy to the list, you use HTTPProxyService:CIM_Service to create an instance of IPS_HTTPProxyAccessPoint:CIM_RemoteServiceAccessPoint.

IPS_HTTPProxyAccessPoint:CIM_RemoteServiceAccessPoint is available to the NETWORK_SECURITY_ADMIN realm, both locally (if Proxy Sync is enabled) and remotely. The properties can be read by a user with GENERAL_INFO privileges. Note: The Proxy Sync feature is currently disabled by default and will be enabled in a future release.

IPS_HTTPProxyAccessPoint:CIM_RemoteServiceAccessPoint attributes

| Attribute | Description | Values |
| --- | --- | --- |
| UINT8 Type | Indicates whether this proxy was set by IT or through Proxy Sync. Note: The Proxy Sync feature is currently disabled by default and will be enabled in a future release. | 0: IT Type Proxy; 1: Sync Type Proxy |
| Char AccessInfo [MAX_FQDN_LENGTH] | Access name information for an HTTP proxy: the IP address or FQDN of the server. MAX_FQDN_LENGTH=256 | |
| UINT16 InfoFormat | Enumerated integer describing the format and interpretation of the AccessInfo property (whether IPv4, IPv6 or FQDN) | |
| UINT16 Port | The port to be used for this HTTP proxy | |
| Char NetworkDnsSuffix [MAX_DNS_SUFFIX_LENGTH] | Domain name of the network to which this proxy belongs. MAX_DNS_SUFFIX_LENGTH=192 | |
| UINT Priority | Initialized to the current priority counter value when the proxy is added and is raised to the highest priority whenever the proxy is used. The priority can also be raised manually to the highest priority with the UpdatePriority function. | |

The IPS_HTTPProxyAccessPoint class implements the following methods: Enumerate, Get, Put, and Delete.

An additional function, UpdatePriority, raises a proxy to the highest priority. It is available both locally and remotely.
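The two proxy cases listed under CIRA Over Proxy, together with the Priority attribute, can be modeled to review which proxy a platform would egress through on a given network. This is an added Python example, not Intel firmware or SDK code. Its class and function names are hypothetical, and it assumes that domain membership is a DNS suffix match, that the highest-priority matching proxy is chosen, and that the priority counter increases by one on each update.

```python
from dataclasses import dataclass, field

MAX_PROXIES, MAX_FQDN_LENGTH, MAX_DNS_SUFFIX_LENGTH = 15, 256, 192  # limits stated on the page

@dataclass
class Proxy:
    access_info: str         # AccessInfo: IP address or FQDN of the proxy
    port: int                # Port (UINT16)
    network_dns_suffix: str  # NetworkDnsSuffix: domain of the proxy's network
    priority: int = 0        # Priority

@dataclass
class ProxyConfig:
    proxies: list = field(default_factory=list)
    counter: int = 0         # assumption: a larger value means higher priority

    def add(self, access_info, port, suffix):
        ok = (len(self.proxies) < MAX_PROXIES and len(access_info) <= MAX_FQDN_LENGTH
              and len(suffix) <= MAX_DNS_SUFFIX_LENGTH and 0 <= port <= 0xFFFF)
        if not ok:
            raise ValueError("entry violates a documented limit (count, length or port)")
        self.proxies.append(Proxy(access_info, port, suffix))
        self.update_priority(self.proxies[-1])  # starts at the current counter value

    def update_priority(self, proxy):  # on use, or manually (UpdatePriority)
        self.counter += 1
        proxy.priority = self.counter

def norm(name):
    return name.lower().strip(".")

def proxy_for_cira(cfg, mps_fqdn, current_suffix, direct_ok):
    """Return the proxy the two documented cases select, or None if neither applies."""
    mps, cur = norm(mps_fqdn), norm(current_suffix)
    if (mps == cur or mps.endswith("." + cur)) and direct_ok:
        return None  # MPS is in the current domain and reachable directly
    allowed = [p for p in cfg.proxies if norm(p.network_dns_suffix) == cur]
    chosen = max(allowed, key=lambda p: p.priority, default=None)  # assumption: highest wins
    if chosen is not None:
        cfg.update_priority(chosen)  # page: priority is raised whenever the proxy is used
    return chosen

def sample_config():  # constructed sample data; hosts and domains are made up
    cfg = ProxyConfig()
    for entry in [("proxy1.branch.example", 8080, "branch.example"),
                  ("192.0.2.10", 3128, "branch.example"), ("px.hq.example", 8080, "hq.example")]:
        cfg.add(*entry)
    return cfg
```

A None result means neither documented proxy case applies. What the firmware does in that situation is not described on this page.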

The HTTPProxyService class has the following attribute:

This class implements the following methods: Get and Put.

The AddProxyAccessPoint function adds a proxy access point that will be used when the firmware needs to open a user-initiated connection:

Copyright © 2006-2022, Intel Corporation. All rights reserved.