Community
cancel
Showing results for 
Search instead for 
Did you mean: 
mugwump
Beginner
77 Views

MPS: Why does this need both SOCKS5 and STunnel?

Jump to solution
Hi,

The config instructions for MPS include both SOCKS5 stuff and STunnel. But it sounds like both of these are proxying tools. Is STunnel used for the legacy SOAP API and SOCKS5 for WS-Management? Clarifying this in the documentation, maybe along with a diagram showing the connections between the 3 MPS components, would be a big help.
0 Kudos

Accepted Solutions
Ajith_I_Intel
Employee
77 Views
Quoting - mugwump
Hi,

The config instructions for MPS include both SOCKS5 stuff and STunnel. But it sounds like both of these are proxying tools. Is STunnel used for the legacy SOAP API and SOCKS5 for WS-Management? Clarifying this in the documentation, maybe along with a diagram showing the connections between the 3 MPS components, would be a big help.

Hi mugwump,
I would recommend you to take a look at Intel AMT Remote Access Overview.pdf document in the SDK. Second figure in that document clearly indicate the different components needed for vPro Enabled Gateway (aka MPS).

vPro Enabled Gateway is intended to be residing in the DMZ and support internet and intranet facing traffic. For internet facing side of it, all of the communication from vPro Enabled Gateway to Intel AMT clients needs to be encrypted and we use TLS for that. Stunnel is a product that we used in our reference implementation that is responsible for TLS encryption.

On the intranet facing side, we need to support multiple types of traffic from management console(s). Many of operations with Intel AMT are performed using HTTP traffic (both SOAP and WS-Man) and SOL/IDE-R traffic is TCP/IP traffic. So in order to support these two types of traffic, we chose to use HTTP proxy for HTTP traffic, SOCKSv5 proxy for SOL/IDE-R traffic. In the SDK, you will see references to 3Proxy or Apache as the tool being used for proxy server.

For vPro Enabled Gateway, its configuration needs to expose settings for both internet and intranet facing sides of it. For the internet facing side, it needs a port where stunnel can hand off AMT traffic to vPro Enabled Gateway.
For intranet facing side, it needs the SOCKS proxy port, HTTP proxy port and IP address of the proxy server (Apache or 3Proxy).

In addition to these settings, there are other authentication options that can be configured and these are optional. Hope this helps clarify your questions. Once again, please do read the Intel AMT Remote Access Overview.pdf document and will answer most of these commonly asked questions. If you are still confused with that document, let us know how we can improve the document and we will make our best effort to make that happen.

Thanks,
Ajith

View solution in original post

4 Replies
Lance_A_Intel
Employee
77 Views

SOCKS5 is a protocol and STunnel is an application.
I'll see if we can have the documentation explain their use more clearly.
Ajith_I_Intel
Employee
78 Views
Quoting - mugwump
Hi,

The config instructions for MPS include both SOCKS5 stuff and STunnel. But it sounds like both of these are proxying tools. Is STunnel used for the legacy SOAP API and SOCKS5 for WS-Management? Clarifying this in the documentation, maybe along with a diagram showing the connections between the 3 MPS components, would be a big help.

Hi mugwump,
I would recommend you to take a look at Intel AMT Remote Access Overview.pdf document in the SDK. Second figure in that document clearly indicate the different components needed for vPro Enabled Gateway (aka MPS).

vPro Enabled Gateway is intended to be residing in the DMZ and support internet and intranet facing traffic. For internet facing side of it, all of the communication from vPro Enabled Gateway to Intel AMT clients needs to be encrypted and we use TLS for that. Stunnel is a product that we used in our reference implementation that is responsible for TLS encryption.

On the intranet facing side, we need to support multiple types of traffic from management console(s). Many of operations with Intel AMT are performed using HTTP traffic (both SOAP and WS-Man) and SOL/IDE-R traffic is TCP/IP traffic. So in order to support these two types of traffic, we chose to use HTTP proxy for HTTP traffic, SOCKSv5 proxy for SOL/IDE-R traffic. In the SDK, you will see references to 3Proxy or Apache as the tool being used for proxy server.

For vPro Enabled Gateway, its configuration needs to expose settings for both internet and intranet facing sides of it. For the internet facing side, it needs a port where stunnel can hand off AMT traffic to vPro Enabled Gateway.
For intranet facing side, it needs the SOCKS proxy port, HTTP proxy port and IP address of the proxy server (Apache or 3Proxy).

In addition to these settings, there are other authentication options that can be configured and these are optional. Hope this helps clarify your questions. Once again, please do read the Intel AMT Remote Access Overview.pdf document and will answer most of these commonly asked questions. If you are still confused with that document, let us know how we can improve the document and we will make our best effort to make that happen.

Thanks,
Ajith

View solution in original post

mugwump
Beginner
77 Views
Thanks all, makes sense now.
mugwump
Beginner
77 Views
-------------