Technical BKM sharing document – how to get CIRA functionality working with LANDesk


CIRA (client initiated remote access) is the technology that allows OOB access to vPro clients that
reside outside the managed corporate network. The traditional server-to-client flow doesn’t work
because the client receives a local private IP address, which the vPro-enabled management server
cannot reach. The client must therefore initiate the connection to the server – hence CIRA. The whole
flow is facilitated by a proxy server called the MPS (manageability presence server), which acts as a
gatekeeper between the internal secure network and the external non-secure network from which the
remote vPro client will be connecting. The following list of steps has been validated based on a
real-world customer implementation.

High Level Steps for Setup and Configuration of CIRA in LANDesk

1.   Install LANDesk 8.8 SP3
2.   Install MPS
3.   Configure 4 config files
4.   Configure LANDesk Console CIRA specific settings
5.   Provision vPro system
6.   Take vPro system outside corporate environment and use CIRA

Detailed Setup and Configuration steps for CIRA in LANDesk

1. Require a minimum of LANDesk Management Suite 8.8 SP3
2. Verify that the prerequisites for MPS exist on the server on which the MPS will be installed:
    Windows Server 2003 SP2
    .Net Framework 2.0
    C++ 2005 Redistributable Package (x86)
3. Install the MPS component by running the setup.exe from:
   C:\Program Files\LANDesk\ManagementSuite\Install\vpro\RemoteAccess\setup.exe
4. Reboot the Server on which the MPS has just been installed.
5. Go to Start → Run → services.msc and verify the MPS.exe, Apache2.2 and stunnel services are all set
   to start automatically and have all indeed started after the reboot.
6. Verify that an MPS certificate directory appears at:
   C:\Program Files\LANDesk\ManagementSuite\amtprov\certStore\
   With the following contents:
7.   Configure the stunnel.conf file (located at: C:\Program Files\stunnel\stunnel.conf) in notepad:
    Cert = C:\mps\remote_client.pem
    Key = C:\mps\remote_client_key.pem
    Accept = 20013 (the port number is fully configurable – this is the port on which the vPro client will
     initiate the CIRA connection)
    Connect = (port 1234 is fully configurable – this is the port on which the MPS will be
     listening to the stunnel)


* IMPORTANT – when configuring the different ports both in this configuration file and subsequent
configuration files, all 4 ports that are being configured must be different port numbers.
8. Configure the mps.config file (located at C:\Program Files\Intel\MPS\conf\MPS.config) in notepad:

   AMTListenIP= (leave as is)
   AMTListenPort= 1234 (set this to the same port number as in the connect field in the stunnel.conf file)
   SocksListenIP= (set this to the internal IP address of Server where MPS is installed)
   SocksListenPort= 16993 (this port number is fully configurable)
   HttpListenPort= 8080 (leave as is)

9. Configure the httpd.conf file (located at C:\Program Files\Apache Software
   Foundation\Apache2.2\conf\httpd.conf) in notepad:

   ProxySocks On
   ProxySocksIP (set this to the internal IP address of Server where MPS is installed)
   ProxySocksPort 16993 (set this to the same port as the SocksListenPort in the mps.config
    configuration file in step 8 above)
   ProxySocksAuth Off
   ProxySocksUsername testusername
   ProxySocksPassword testpassword
   ProxyRequests On
   Allow from all (this is important – make sure you allow from all)
   AllowCONNECT 443 623 664 16992 16993 16994 16995 (this allows traffic to the usual AMT ports)


10. Configure the NotificationList.config (located at: C:\Program Files\Intel\MPS\conf) in notepad:
 The IP address of the LANDesk Core Server and port 9972 (not 9971).

11. Configure the LANDesk CIRA settings in the LANDesk Management Console, by clicking on the
    Configure menu item → Intel vPro options → Network Environment Detection & Remote Access
    Configuration, per screen shots below:

12. In the Intel vPro Network Detection Configuration (per screen shot below):
          Check the Apply NED setting only to machines configured for Remote Access checkbox
          In the Add approved domain: field, add the connection-specific DNS suffixes of the internal
             enterprise network (any DHCP option 15 that is used internally in the corporate
             environment), click the Add button and make sure each one appears in the Approved vPro domains.
          Click Apply and then OK button.
13. In the Intel vPro Remote Access Configuration (per screen shot below):
          Enter internal IP of Gateway (this is the IP of the ProxySocksIP that was configured in the
             mps.config in step 8 above)
          Enter external IP address
          Enter HTTP port (this is the port that was configured in the HTTPListenPort field in the
             mps.config file in step 8 above)
          Enter redirection port (this is the port that was configured in the SOCKSListenPort field in
             the mps.config file in step 8 above)
          Enter client port (this is the port that was configured in the accept field in the stunnel.conf file
             in step 7 above)
          Configure CIRA connection lifetime in minutes (you won’t be using this for now)
          Tick the checkbox for Enable Remote Access on all vPro clients
          Click Apply and then OK button.

14. IMPORTANT: Do not install the LANDesk agent on the vPro system prior to completing the provisioning
    process. Install the LANDesk agent only once you have verified that provisioning has completed
    successfully. (This is due to a bug which has been identified which is currently being addressed by
15. Provision the vPro systems inside the corporate environment and verify provisioning has completed
    successfully by being able to perform an AMT reboot command on the vPro client.
16. Verify the CIRA credentials have been loaded onto the vPro client by right-clicking on the vPro client in
    the managed devices, selecting vPro options and then selecting vPro Status. It will take some time for
    this to load, but when completed, it checks that the client has the same settings as configured on the
    LANDesk Management Server Remote access menu and NED menu. If the status page shows the
    remote access settings and NED settings as per your settings and the client is identified as AMT SKU,
    then you are assured the client has the correct CIRA settings.
17. Place the vPro system outside the corporate environment and make sure you release and renew the IP
    address information so the client picks up its new network environment, by opening a command line
    and typing ipconfig /release and thereafter ipconfig /renew. You can also visually confirm that the DNS
    connection specific suffix in the IP information is different to what it was when the system was inside
    the corporate environment, or is blank – as this is a necessary requirement for the vPro system to
    realise that it is outside the corporate environment and to allow you to initiate a CIRA connection.
18. On the vPro client, boot the system into the OS and make sure the IMSS (Intel Manageability and Security
    Status) icon is present in the system tray.

19. Double-click the icon and go to the middle tab – Intel AMT. At the bottom of the tab note that the
    status should be set to Disconnected and the Connect button is available.

20. Press the Connect button and notice that the status changes to Connected. At this point you have
    established a CIRA connection from the vPro client to the MPS.
    Note: you can initiate a CIRA connection at a pre-OS stage as well, when prompted during the boot-up
    process of the system. This is OEM dependent; for example: on a Lenovo system – press F12 and then
    select menu option 2 to commence CIRA connection; on an HP system – press Esc and then F3.
    The BIOS will need to support CIRA specifically for this pre-OS option to be available; the OS level CIRA
    initiation has no BIOS dependency.
21. Refresh the LANDesk management console until the vPro system name changes from hostname only to
    a FQDN where the domain suffix is the domain suffix that was configured in step 12 above (this may
    take a few minutes).
    Note: If you have multiple vPro systems initiating CIRA connections, you need to pay attention to which
    vPro system you will actually be performing operations on (this might be more of an issue when vPro
    systems don’t have a user-specific hostname).
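
The port relationships described in steps 7 to 9 (and the rule that all four ports must differ) can be checked before the services are restarted. The following is an added example, not part of the original document or of LANDesk/Intel tooling. It assumes the four ports meant are Accept, AMTListenPort, SocksListenPort and HttpListenPort; the Connect host and the IP addresses in the sample text are constructed placeholders.

```python
import re

# Constructed sample contents using the port numbers from steps 7-9.
# The Connect host and both IP addresses are placeholders (assumptions).
STUNNEL = """
Accept = 20013
Connect = 127.0.0.1:1234
"""
MPS = """
AMTListenPort= 1234
SocksListenIP= 192.0.2.10
SocksListenPort= 16993
HttpListenPort= 8080
"""
HTTPD = """
ProxySocks On
ProxySocksIP 192.0.2.10
ProxySocksPort 16993
"""

# Matches both "key = value" (stunnel, MPS) and "Directive value" (Apache).
LINE = re.compile(r"^\s*([A-Za-z]\w*)\s*(?:=|\s)\s*(\S.*?)\s*$")

def parse(text):
    """Return {lowercased key: value}, ignoring blank lines and # comments."""
    out = {}
    for line in text.splitlines():
        m = LINE.match(line.split("#", 1)[0])
        if m:
            out[m.group(1).lower()] = m.group(2)
    return out

def port(value):
    """Extract the port number from 'port' or 'host:port'."""
    return int(value.rsplit(":", 1)[-1])

def check(stunnel_text, mps_text, httpd_text):
    """Return a list of inconsistencies between the three files."""
    s, m, h = parse(stunnel_text), parse(mps_text), parse(httpd_text)
    problems = []
    if port(s["connect"]) != port(m["amtlistenport"]):
        problems.append("stunnel Connect port != mps AMTListenPort")
    if port(h["proxysocksport"]) != port(m["sockslistenport"]):
        problems.append("httpd ProxySocksPort != mps SocksListenPort")
    if h.get("proxysocksip") != m.get("sockslistenip"):
        problems.append("httpd ProxySocksIP != mps SocksListenIP")
    four = [port(s["accept"])] + [port(m[k]) for k in
            ("amtlistenport", "sockslistenport", "httplistenport")]
    if len(set(four)) != 4:
        problems.append("the four ports are not all different: %s" % four)
    return problems
```

An empty list from check() means the files agree with each other; the same port values then go into the Remote Access Configuration dialog in step 13.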

On the MPS Server the following 3 logs are available:

   C:\Program Files\stunnel\stunnel.log (most detailed log) - look for entries of:
        o Certificates being loaded
        o “psudo-tcp bound to<port number>” will ultimately suggest CIRA connection between
            client and MPS is successful


   C:\Program Files\Intel\MPS\logs\mps.log – look for entry of:
        o “Remote Client <UUID> is now connected” will indicate client CIRA has successfully connected
            to MPS

   C:\Program Files\Apache Software Foundation\Apache 2.2\logs\access.log – look for entry of:
        o “Connect <FQDN of system>” appears in log file then connection has been established between
            client and MPS


Known Issue

Currently SOL and IDER do not work over a CIRA connection. LANDesk will be releasing a patch as well as
incorporating the fix into LANDesk 9.0 which is scheduled to be released in 2010.
