A VPN (Virtual Private Network) connection tunnels network traffic and encrypts it between the client platform and the VPN gateway, so the traffic cannot be read by anyone on the path between those two points. When a VPN stream reaches the host platform, the platform's VPN drivers decrypt the stream and then process the packets it carries. If the driver detects manageability traffic, defined as traffic addressed to the Intel AMT IP address and an Intel AMT port, it hands the packet to the Local Manageability Service (LMS), which listens for such packets and forwards them to the Intel AMT local interface through the Intel Management Engine Interface (MEI) driver. Because the source IP address of these packets is not the host's own address, LMS marks them as "remote"; Intel AMT treats them as remote on the basis of that marking, exactly as if they had arrived on a network interface. Intel AMT accepts VPN packets only if all of the following hold:
• VPN routing is enabled
• DHCP is enabled (required for Release 2.5/2.6 only–this limitation does not apply to Release 4.0 and later releases.)
• Environment detection is set (see Detecting Whether the Platform is Inside or Outside the Enterprise.)
• Intel AMT detects that the platform is operating outside of the enterprise (i.e., the domain suffix of its current IP is not in the list of “inside the enterprise” domains). (Release 2.5/2.6 only–this limitation does not apply to Release 4.0 and later releases.)
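The following Python model is an added illustration of the LMS classification and the acceptance conditions listed above; it is not Intel's LMS or firmware code. The Intel AMT port numbers, the IP addresses and the enterprise domain list are assumptions constructed for the example. The `domain_is_inside` check deliberately matches DNS suffixes on label boundaries, so that a platform whose suffix is `notcorp.example.com` is not mistaken for one inside `corp.example.com`.

```python
"""Model of the LMS forwarding rule and the Intel AMT VPN acceptance conditions.

Added example, not Intel LMS or Intel AMT code. Ports, addresses and domain
names below are assumptions constructed for illustration.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import Set, Tuple

# Assumption: the TCP ports on which Intel AMT listens for manageability traffic.
AMT_PORTS = {16992, 16993, 16994, 16995}


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int


@dataclass
class AmtConfig:
    amt_ip: str                 # address on which Intel AMT accepts manageability traffic
    host_ip: str                # address of the host OS (what LMS treats as "local")
    release: float              # firmware release, e.g. 2.6 or 4.0
    vpn_routing: bool
    dhcp_enabled: bool
    env_detection: bool
    inside_domains: Set[str] = field(default_factory=set)


def is_manageability(pkt: Packet, cfg: AmtConfig) -> bool:
    """LMS rule from the text: addressed to the Intel AMT IP and an Intel AMT port."""
    return ip_address(pkt.dst_ip) == ip_address(cfg.amt_ip) and pkt.dst_port in AMT_PORTS


def mark_origin(pkt: Packet, cfg: AmtConfig) -> str:
    """LMS marks a packet 'remote' when its source IP is not the host's own address."""
    return "local" if ip_address(pkt.src_ip) == ip_address(cfg.host_ip) else "remote"


def domain_is_inside(current_suffix: str, inside: Set[str]) -> bool:
    """Label-aligned suffix match: 'hq.corp.example.com' is inside 'corp.example.com',
    but 'notcorp.example.com' is not."""
    cur = current_suffix.lower().rstrip(".")
    for dom in inside:
        dom = dom.lower().rstrip(".")
        if cur == dom or cur.endswith("." + dom):
            return True
    return False


def outside_enterprise(current_suffix: str, cfg: AmtConfig) -> bool:
    """Environment detection outcome: outside if the current suffix is in no inside domain."""
    return not domain_is_inside(current_suffix, cfg.inside_domains)


def accept_vpn_packet(pkt: Packet, cfg: AmtConfig, current_suffix: str) -> Tuple[bool, str]:
    """Apply the LMS forwarding rule and the four acceptance conditions to one packet.

    Returns (accepted, reason). current_suffix is the DNS suffix of the platform's
    current IP address, as used by environment detection.
    """
    if not is_manageability(pkt, cfg):
        return False, "not manageability traffic; LMS does not forward it"
    if mark_origin(pkt, cfg) == "local":
        # Assumption: host-originated traffic follows the normal local-interface
        # path and is not subject to the VPN conditions.
        return True, "local traffic; VPN conditions not applied"
    if not cfg.vpn_routing:
        return False, "VPN routing disabled"
    if not cfg.env_detection:
        return False, "environment detection not set"
    legacy = cfg.release < 4.0      # Release 2.5/2.6 carry two extra restrictions
    if legacy and not cfg.dhcp_enabled:
        return False, "DHCP required on Release 2.5/2.6"
    if legacy and not outside_enterprise(current_suffix, cfg):
        return False, "platform is inside the enterprise (Release 2.5/2.6)"
    return True, "accepted as remote"


if __name__ == "__main__":
    # Constructed sample: console at the VPN gateway side talks to the platform's VPN address.
    cfg = AmtConfig(amt_ip="10.8.0.5", host_ip="10.8.0.5", release=2.6, vpn_routing=True,
                    dhcp_enabled=True, env_detection=True, inside_domains={"corp.example.com"})
    console = Packet(src_ip="10.8.0.1", dst_ip="10.8.0.5", dst_port=16992)
    print(accept_vpn_packet(console, cfg, "vpn.example.net"))
    print(accept_vpn_packet(console, cfg, "corp.example.com"))
```

Run it directly to see one accepted and one rejected decision; the rejection on the second call disappears when `release` is set to 4.0, which is exactly the behaviour difference the list above describes.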
Intel AMT applies System Defense policies to VPN traffic only in its encrypted form: to incoming packets before the host decrypts them, and to outgoing packets after the host has encrypted them. It never sees the inner traffic carried by the tunnel (the packets after decryption on receipt, or before encryption on send). As a result, System Defense filters written against the addresses, ports or protocols of the inner packets will not match traffic that travels through the VPN.
A management console must discover the platform's VPN-assigned IP address through DNS, for example by resolving the platform's host name, and connect to Intel AMT at that address.
Copyright © 2006-2021, Intel Corporation. All rights reserved.