Intel® Business Client Software Development
Support for Intel® vPro™ software development and technologies associated with Intel vPro platforms.

How to enable AMT machines to generate SoH messages by what tools?

houchenglee
Beginner

Hi everyone,

I have problems enabling the generation of SoH messages in an AMT machine. Details are described as follows:

-------------------

Goal:
Follow "Intel AMT System Health Validator Sample" document in AMT SDK 5.0.1.4 to see how AMT can interact with MS NAP

Background:
We visited the official AMT download page, (http://software.intel.com/en-us/articles/intel-active-management-technology-downloads), and read the documents of the Software Development Kit (SDK), Manageability Developer Tool Kit (DTK), and Setup and Configuration Service (SCS). After gathering this information, we tried to build the client part on an Intel Centrino vPro machine. The machine runs on Vista, and we enabled Intel AMT from its BIOS settings.

Problems:
*** How to enable our AMT machine to generate SoH messages by what tools?

In section 5 of the document "Intel Active Management Technology System Health Validator Sample" from the SDK, the instruction is not clear enough for us to enable SoH generation in an Intel AMT machine. Our understanding is that EndpointAccessControlAdminService is a web service related to the generation of SoH messages, and can be accessed via the WS-Management interface, but we don't know how to access the web service or the interface. Are there any tools which can be used to enable the SoH generation, or is there any document that explains the generation of SoH messages in Intel AMT further?

Thanks.

4 Replies
THOMAS_P_Intel1
Employee
Can you provide some more details?
  • Does your NAP environment function correctly without AMT? Does the NAP agent in the host respond to requests for health information?
  • Are you working in "active" or "passive" mode as defined in the SDK?
  • What are you using to provision AMT? You mention the SDK, SCS and DTK which all could be used.
  • What specific 802.1x protocol does your environment use?
  • Can you explain the network topology including NAP details and network hardware?

NAP is not a simple technology so I assume that you are already very familiar with NAP operation independent of AMT. If this is not the case, please let me know. You mention that "...EndpointAccessControlAdminService is a web service related to the generation of SoH messages" but this is not correct. The EndpointAccessControlAdminService is the service used to configure EAC on AMT. This service is called by the tool you are using for provisioning. A SoH will be generated by AMT in active mode when a request is received by the enforcement point in the network. This should be the same enforcement point that challenges your existing NAP agent.

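The original post asks how the EndpointAccessControlAdminService is reached over the WS-Management interface, and the reply above explains that it is a configuration service driven by the provisioning tool rather than the thing that emits SoH messages. The script below is an added example, not code from this thread, from the Intel AMT SDK or from Intel: it builds the read-only WS-Transfer Get envelope that any WS-Management client (winrm, the SDK samples, the DTK) sends to inspect such a service instance, posts it with HTTP Digest auth on the AMT port, and parses either the instance properties or a SOAP Fault out of the answer. Assumptions: the class name `AMT_EndpointAccessControlAdminService` (the thread's name with the `AMT_` prefix the SDK uses for its WS-Management classes; check the SDK class reference), the host name and credentials, and the property names in the constructed sample response.

```python
"""Read-only WS-Management Get against an Intel AMT service class.

Added example for this thread; not SDK or Intel code. The class name and the
properties in the constructed sample response are assumptions to be checked
against the AMT SDK's WS-Management class reference.
"""
import uuid
import urllib.request
import xml.etree.ElementTree as ET

SOAP_NS = "http://www.w3.org/2003/05/soap-envelope"
WSA_NS = "http://schemas.xmlsoap.org/ws/2004/08/addressing"
WSMAN_NS = "http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd"
TRANSFER_GET = "http://schemas.xmlsoap.org/ws/2004/09/transfer/Get"
ANONYMOUS = WSA_NS + "/role/anonymous"
AMT_SCHEMA = "http://intel.com/wbem/wscim/1/amt-schema/1/"
# Assumed class name: the thread's "EndpointAccessControlAdminService" with the
# AMT_ prefix used by the SDK's WS-Management classes. Verify before relying on it.
EAC_CLASS = "AMT_EndpointAccessControlAdminService"


def build_get_envelope(host, cls=EAC_CLASS, port=16992, message_id=None):
    """Return the SOAP envelope for a WS-Transfer Get of one service instance.

    16992 is AMT's non-TLS WS-Management port (16993 is the TLS port). A Get only
    reads the instance's current settings; it changes nothing on the device.
    """
    message_id = message_id or "uuid:" + str(uuid.uuid4())
    resource_uri = AMT_SCHEMA + cls
    return (
        '<?xml version="1.0" encoding="utf-8"?>'
        f'<s:Envelope xmlns:s="{SOAP_NS}" xmlns:wsa="{WSA_NS}" xmlns:wsman="{WSMAN_NS}">'
        "<s:Header>"
        f"<wsa:To>http://{host}:{port}/wsman</wsa:To>"
        f"<wsman:ResourceURI>{resource_uri}</wsman:ResourceURI>"
        f"<wsa:Action>{TRANSFER_GET}</wsa:Action>"
        f"<wsa:MessageID>{message_id}</wsa:MessageID>"
        f"<wsa:ReplyTo><wsa:Address>{ANONYMOUS}</wsa:Address></wsa:ReplyTo>"
        "</s:Header>"
        "<s:Body/>"
        "</s:Envelope>"
    )


def send_get(host, username, password, cls=EAC_CLASS, port=16992, timeout=10):
    """POST the Get envelope to the AMT /wsman endpoint using HTTP Digest auth.

    Network call; not exercised offline. Host and credentials are the caller's.
    """
    url = f"http://{host}:{port}/wsman"
    manager = urllib.request.HTTPPasswordMgrWithDefaultRealm()
    manager.add_password(None, url, username, password)
    opener = urllib.request.build_opener(urllib.request.HTTPDigestAuthHandler(manager))
    request = urllib.request.Request(
        url,
        data=build_get_envelope(host, cls, port).encode("utf-8"),
        headers={"Content-Type": "application/soap+xml;charset=UTF-8"},
    )
    with opener.open(request, timeout=timeout) as response:
        return response.read().decode("utf-8")


def parse_get_response(xml_text, cls=EAC_CLASS):
    """Return the instance's properties as {name: value}, or None if the body
    carries no instance of `cls` (for example when it carries a SOAP Fault)."""
    root = ET.fromstring(xml_text)
    body = root.find(f"{{{SOAP_NS}}}Body")
    if body is None:
        return None
    instance = body.find(f"{{{AMT_SCHEMA + cls}}}{cls}")
    if instance is None:
        return None
    # Strip the namespace from each child tag: "{uri}EnabledState" -> "EnabledState".
    return {child.tag.split("}", 1)[-1]: (child.text or "").strip() for child in instance}


def soap_fault_reason(xml_text):
    """Return the Reason text of a SOAP 1.2 Fault, or None if the reply is not a fault."""
    root = ET.fromstring(xml_text)
    path = f"{{{SOAP_NS}}}Body/{{{SOAP_NS}}}Fault/{{{SOAP_NS}}}Reason/{{{SOAP_NS}}}Text"
    text = root.find(path)
    return None if text is None else (text.text or "").strip()


# Constructed sample replies (not captured from a device) so the parser runs offline.
SAMPLE_RESPONSE = f"""<a:Envelope xmlns:a="{SOAP_NS}" xmlns:b="{WSA_NS}"
  xmlns:g="{AMT_SCHEMA}{EAC_CLASS}">
  <a:Header>
    <b:Action>http://schemas.xmlsoap.org/ws/2004/09/transfer/GetResponse</b:Action>
    <b:RelatesTo>uuid:00000000-0000-0000-0000-000000000000</b:RelatesTo>
  </a:Header>
  <a:Body>
    <g:{EAC_CLASS}>
      <g:ElementName>Intel(r) AMT Endpoint Access Control Admin Service</g:ElementName>
      <g:EnabledState>2</g:EnabledState>
      <g:Name>Intel(r) AMT Endpoint Access Control Admin Service</g:Name>
    </g:{EAC_CLASS}>
  </a:Body>
</a:Envelope>"""

SAMPLE_FAULT = f"""<a:Envelope xmlns:a="{SOAP_NS}"><a:Body><a:Fault>
  <a:Code><a:Value>a:Sender</a:Value></a:Code>
  <a:Reason><a:Text xml:lang="en-US">The requested resource is not accessible.</a:Text></a:Reason>
</a:Fault></a:Body></a:Envelope>"""


if __name__ == "__main__":
    print(build_get_envelope("amt-host.example"))
    print(parse_get_response(SAMPLE_RESPONSE))
    print(soap_fault_reason(SAMPLE_FAULT))
```

A Get like this is the safe first step when a provisioning result is in doubt: it shows what the service instance reports without invoking any of the service's configuration methods, which, as the reply above notes, belong to the provisioning tool (SCS, DTK or the SDK sample) rather than to a hand-written client.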
houchenglee
Beginner
Hi, Thomas,

Thanks for your reply. Let me try to provide more details.

  • Does your NAP environment function correctly without AMT? Does the NAP agent in the host respond to requests for health information?
I'm not very familiar with the NAP setup, but I followed the document "Step-by-Step Guide: Demonstrate IPsec NAP Enforcement in a Test Lab", and the client can successfully request and get the health certificate.

  • Are you working in "active" or "passive" mode as defined in the SDK?
According to the document in SDK,

----------------------------------------
"The UNS running on the host requests status from the Intel AMT device periodically so that it is
available to the NAP agent on request. This is known as passive mode.

When the host processor on the platform is in an Sx sleep state, or the host operating system is
not functional or fails 802.1x authentication, the Intel AMT device on the platform can respond to
a request for health information directly, depending on its own network connectivity. This is known
as active mode."
---------------------------------------

Actually, I'm not sure which mode I'm working in, and I have no idea how to configure it for one mode or the other.

  • What are you using to provision AMT? You mention the SDK, SCS and DTK which all could be used.
I followed this document, "How to set up AMT machine?", to set up the AMT machine. It looks like "YouTube - Provision your Intel AMT in SMB mode", so when booting up the machine, I just Ctrl+P into the machine, and did the configuration. Does the way I configured AMT only work in SMB mode, and do I have to provision it into Enterprise mode to let NAP work? Do you mean the SDK, SCS, or DTK can provision AMT into Enterprise mode?

  • What specific 802.1x protocol does your environment use?
Since I followed the NAP IPsec enforcement document, I didn't use any 802.1x protocol. Is 802.1x required to use NAP with AMT?
  • Can you explain the network topology including NAP details and network hardware?
My network topology is exactly the same as the NAP IPsec enforcement document, "Step-by-Step Guide: Demonstrate IPsec NAP Enforcement in a Test Lab".


I'm a newbie to both NAP and AMT world, so some questions might look dumb, but I couldn't find any more documents about NAP with AMT, so forgive me if I'm asking dumb questions, and thanks for your patience.

Thanks.




THOMAS_P_Intel1
Employee
Unfortunately, you are facing more than one hurdle.
  1. AMT does not support IPSec. You will have to use another access control protocol.
  2. AMT must be configured with the correct information to allow it to connect in a NAP environment. Enterprise provisioning tools like the SCS are commonly used for this.
  3. NAP and AMT each are quite complex technologies. Tackling them both simultaneously will be very difficult as you will have a hard time determining where the problems are. I suggest becoming intimately familiar with one or the other before putting them together. AMT in a NAP environment would be considered a complex / advanced configuration.

If you are not currently supporting NAP in the host, may I ask what your goal is when using AMT in a NAP environment? Perhaps there is a more suitable solution to accomplish what you need. Allowing AMT on a network is far less risky than allowing Windows on your network. If the concern is securing the traffic to and from AMT, I'd suggest a simpler solution like TLS.

THOMAS_P_Intel1
Employee
Assuming you choose to tackle AMT before NAP, and assuming you've read general introductions on AMT, I suggest you read through the "Developers Guide to the Sample Setup and Configuration Application.pdf" document to get a feel for the process of AMT setup and configuration (in enterprise mode).