Intel® Business Client Software Development
Support for Intel® vPro™ software development and technologies associated with Intel vPro platforms.
1388 Discussions

Intel AMT 9: Accessing one PC over Internet Securely

Bunkai_S_
Beginner
1,397 Views

Dear all,

I hope, I am asking in the correct place: My question is regarding Intel AMT v9 technology. I have only one PC which is app 300 KM far from me. To have as good control over it as possible, I have decided to control it using Intel AMT. My configuration uses Intel AMT 9.

I can access the PC without problems through Intel AMT KVM through un-encrypted connection. However, I want to be able to access the PC securely. Here are my questions:

  • To my knowledge, standard procedures to configure encrypted Intel AMT KVM is using provisioning server. Is it possible to configure Intel AMT communication through TLS-PSK or TLS-PKI without installing provisioning server, please? For one remote PC it does not make too much sense to install a server. I would like to configure one PC manually.
  • If I have to install a provisioning and configuration server, is it enough to let the server running during remote PC provisioning only? After the Intel AMT PC is provisioned, I do not wish to have the server running all the time just for this PC, and I would like to shut it down. 
  • Are TLS-PSK and TLS-PKI equally secure? I know that TLS-PSK will be discontinued, which looks like it is less secure encryption standard. However, I have also heard, that after both encryption standards are configured, they are equally safe.
  • Is it safe to use Intel AMT v9 over the Internet if the connection is encrypted?

 

As I use software firewall on the remote PC, I can not use a VPN channel through a router or a firewall, which would protect the Intel AMT communication. I would really take advantage of encrypted Intel AMT technology.

Thank you very much for your responses. 

Kind regards,

 

 

 

0 Kudos
3 Replies
Gael_H_Intel
Moderator
1,397 Views

 

You can use the "Director" which is part of the Manageability Developer Toolkit for proviaioning a single AMT Client that requires TLS.  You can also use Power shell to install the certificates.  (Links below)

The provisioning server only needs to be running if you are in the process of configuring your system so you don't need to have it running after that.

https://software.intel.com/en-us/articles/download-the-latest-version-of-manageability-developer-tool-kit/

https://software.intel.com/en-us/blogs/2012/01/20/how-to-configure-your-system-to-run-the-intelvpro-powershell-module

But if your system is far away, it sounds like you need to configure a "Manageability Presence Server" as described in the Implementation and Reference guide (link below)

https://software.intel.com/sites/manageability/AMT_Implementation_and_Reference_Guide/WordDocuments/intelvprogatewaymps.htm

Here is some information on configuring the KVM:

https://software.intel.com/en-us/blogs/2012/08/08/intel-kvm-port-requirements-and-troubleshooting-tips

And the Start Here guide also talks about TLS and KVM:

https://software.intel.com/en-us/articles/intel-active-management-technology-start-here-guide-intel-amt-9

 

 

0 Kudos
helo_f_
Beginner
1,397 Views

Hi Gael,

Thank you for your help.  I have a question that I think is related to the original post.  I have a home computer that I would like to use Intel AMT KVM on.  I have seen a few guides on setting it up and have no problem using port forwarding in my home router for 16992-95...and 15900 i suppose for VNC.  I saw that you were talking about an MPS. This seems like an appropriate solution if you're behind and enterprise firewall. What if I'm just using this on a home computer and opening those ports to the Internet to manage my home computer remotely?  Is that a major security issue?  I'm trying to figure out the best and preferably safest way to connect to my computer remotely with the two options I'm considering being vPro or using Microsoft's RDP or some combination there of to be able to power on remotely and then access the OS fluidly.

0 Kudos
Joseph_O_Intel1
Employee
1,397 Views

Hey Helo f,

MPS is not the right solution for what you are trying to accomplish, as it is used for user initiated calls for help. 

The only ports you need worry about are 16992-16995 and possibly 5900 (if you set up the RDB password).

In your instance, I would suggest taking a look at meshcentral.com (free) as it should be able to provide what you are looking for in regards to vPro KVM.

 

 

 

0 Kudos
Reply