Hi everyone,
I have problems enabling the generation of SoH messages on an AMT machine. Details are as follows:
-------------------
Goal:
Follow the "Intel AMT System Health Validator Sample" document in AMT SDK 5.0.1.4 to see how AMT can interact with MS NAP.
Background:
We visited the official AMT download page (http://software.intel.com/en-us/articles/intel-active-management-technology-downloads) and read the documents of the Software Development Kit (SDK), Manageability Developer Tool Kit (DTK), and Setup and Configuration Service (SCS). After gathering this information, we tried to build the client part on an Intel Centrino vPro machine. The machine runs on Vista, and we enabled Intel AMT from its BIOS settings.
Problems:
*** How to enable our AMT machine to generate SoH messages by what tools?
In section 5 of the document "Intel Active Management Technology System Health Validator Sample" from the SDK, the instructions are not clear enough for us to enable SoH generation in an Intel AMT machine. Our understanding is that EndpointAccessControlAdminService is a web service related to the generation of SoH messages, and can be accessed via the WS-Management interface, but we don't know how to access the web service or the interface. Are there any tools which can be used to enable the SoH generation? Or is there any document that explains the generation of SoH messages in Intel AMT further?
Thanks.
- Does your NAP environment function correctly without AMT? Does the NAP agent in the host respond to requests for health information?
- Are you working in "active" or "passive" mode as defined in the SDK?
- What are you using to provision AMT? You mention the SDK, SCS and DTK which all could be used.
- What specific 802.1x protocol does your environment use?
- Can you explain the network topology including NAP details and network hardware?

NAP is not a simple technology so I assume that you are already very familiar with NAP operation independent of AMT. If this is not the case, please let me know. You mention that "...EndpointAccessControlAdminService is a web service related to the generation of SoH messages" but this is not correct. The EndpointAccessControlAdminService is the service used to configure EAC on AMT. This service is called by the tool you are using for provisioning. A SoH will be generated by AMT in active mode when a request is received by the enforcement point in the network. This should be the same enforcement point that challenges your existing NAP agent.
- Does your NAP environment function correctly without AMT? Does the NAP agent in the host respond to requests for health information?
- Are you working in "active" or "passive" mode as defined in the SDK?
available to the NAP agent on request. This is known as passive mode.
not functional or fails 802.1x authentication, the Intel AMT device on the platform can respond to
a request for health information directly, depending on its own network connectivity. This is known
as active mode."
- What are you using to provision AMT? You mention the SDK, SCS and DTK which all could be used.
- What specific 802.1x protocol does your environment use?
- Can you explain the network topology including NAP details and network hardware?
- AMT does not support IPSec. You will have to use another access control protocol.
- AMT must be configured with the correct information to allow it to connect in a NAP environment. Enterprise provisioning tools like the SCS are commonly used for this.
- NAP and AMT each are quite complex technologies. Tackling them both simultaneously will be very difficult as you will have a hard time determining where the problems are. I suggest becoming intimately familiar with one or the other before putting them together. AMT in a NAP environment would be considered a complex / advanced configuration.
If you are not currently supporting NAP in the host, may I ask what your goal is when using AMT in a NAP environment? Perhaps there is a more suitable solution to accomplish what you need. Allowing AMT on a network is far less risky than allowing Windows on your network. If the concern is securing the traffic to and from AMT, I'd suggest a simpler solution like TLS.