Intel® Business Client Software Development
Support for Intel® vPro™ software development and technologies associated with Intel vPro platforms.

iAMT over WAN

izem
Beginner
1,587 Views

hi

does iAMT over WAN work the same way as iAMT over LAN?

does using iAMT on WAN have some limitations?

what about the security issues when using iAMT over WAN?

12 Replies
john_prothro
Beginner

Does AMT work the same over WAN as LAN? Technically, no... it has to be different in some respects, correct? In a practical sense though, yes... I cannot think of an operation that I do over LAN that I cannot do over WAN... but I am sure there is some small something that I could have missed... I just do not recall ever finding it. ;)

izem
Beginner
thanks for the reply
what is the security procedure for a management console outside the LAN to communicate with a vPro-based PC in the LAN?
what about if the management console needs to log in to a VPN to access a PC in the LAN?
Ajith_I_Intel
Employee

Hi IzEm,

Can you be more specific about your question regarding security procedure? Currently AMT supports TLS based authentication and depending on how it is configured, your management console needs to be able to support it. When your management console is outside the LAN, you can establish a server-to-server connection to a server that is residing in the LAN and use that to do the management of AMT systems in the LAN. Lots of small businesses use this model. Hope this helps.

Thanks.

izem
Beginner

is it possible for the management console outside the LAN (internet) to manage directly a PC in the LAN?

what i know is just either establish server-server connection or by using AMT switchbox.

what if there's an AMT system outside the LAN, is it still manageable by a management console inside the LAN? btw, the AMT system connects to the LAN through VPN only.

Ajith_I_Intel
Employee

In order for an MC located outside the LAN to manage an AMT device inside the LAN, you have to use a Server-Server connection or VPN the MC into the LAN network.

Currently we do not support the AMT systems located outside the LAN because they could be behind firewall or NAT.

Hope this helps.

Ylian_S_Intel
Employee
Hi,

I have been working on Intel AMT management over WAN for quite some time. First, if you can access Intel AMT over a WAN, management should work fine, but IDE-R is going to be very slow. IDE-R is not an efficient protocol and usually runs at around CDROM 4X speeds over a LAN network. If you attempt to perform IDE-R over a DSL line, it's going to take over one hour to boot WinPE, etc.

Now there is the question of accessing AMT from the WAN. You can port map 16992 to 16995 of the router to a single computer; if you do that I highly recommend you enable TLS security first, also you are still exposing AMT to the internet and who knows what could happen. If you port map, you can only access one computer from WAN. You could port map other ports, but consoles will not like it (Intel hard coded ports inside Redirection & 3PDS libraries).

Another solution is to setup a VPN router and VPN into the LAN network. Then, you can communicate and manage all of the computers on the LAN network.

Lastly, you can use Intel AMT Switchbox on the local LAN. Switchbox is a remote management point that monitors computers and solves the NAT problem. You can find blog entries here, here, here and here. You can also remotely upload disk images into Switchbox and perform fast IDE-R when you need it.

Ylian (Intel AMT Blog)
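The port-mapping advice above (forward 16992 to 16995 to one machine, enable TLS first) is easy to audit on the router side. The following Python audit is an added example, not code from the thread or from Intel: it parses iptables-style DNAT rules (a constructed sample is embedded) and flags any forward from a WAN interface that lands on an AMT listening port, rating the non-TLS ports (16992 web interface, 16994 redirection) higher than their TLS counterparts (16993, 16995). It keys on the internal destination port rather than the external one, so a forward such as 8443 -> 16993 is still caught. The WAN interface name is an assumed parameter.

```python
"""Audit router port-forward (DNAT) rules for Intel AMT exposure to the WAN.

Added example, not from the forum thread or Intel. Input is a subset of
iptables PREROUTING syntax; the rule text in SAMPLE_RULES is constructed.
"""
import re
from dataclasses import dataclass

# Intel AMT listening ports: 16992/16993 serve the web and WS-Management
# interface (plain HTTP / TLS); 16994/16995 serve redirection (SOL/IDE-R,
# plain / TLS). The ports are the ones named in the thread.
AMT_PORTS = {
    16992: ("web interface", False),
    16993: ("web interface", True),
    16994: ("redirection (SOL/IDE-R)", False),
    16995: ("redirection (SOL/IDE-R)", True),
}

# One DNAT rule: "-A PREROUTING -i <iface> -p tcp --dport <ext> -j DNAT
# --to-destination <host>:<int>". Other rule shapes are ignored.
RULE_RE = re.compile(
    r"-A PREROUTING\s+-i\s+(?P<iface>\S+)\s+-p\s+tcp\s+--dport\s+(?P<dport>\d+)"
    r"\s+-j\s+DNAT\s+--to-destination\s+(?P<host>[\d.]+):(?P<port>\d+)"
)


@dataclass
class Finding:
    host: str       # internal AMT host the rule forwards to
    port: int       # internal AMT port reached
    severity: str   # "high" for cleartext ports, "medium" for TLS ports
    reason: str


def parse_rules(text):
    """Extract (wan_iface, external_port, internal_host, internal_port) tuples."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.search(line)
        if m:
            rules.append((m["iface"], int(m["dport"]), m["host"], int(m["port"])))
    return rules


def audit(text, wan_ifaces=("eth0",)):
    """Return findings for every forward from a WAN interface onto an AMT port.

    wan_ifaces is an assumed parameter naming the router's internet-facing
    interfaces; forwards arriving on any other interface are LAN-internal
    and ignored.
    """
    findings = []
    for iface, dport, host, port in parse_rules(text):
        if iface not in wan_ifaces or port not in AMT_PORTS:
            continue
        service, tls = AMT_PORTS[port]
        if tls:
            findings.append(Finding(host, port, "medium",
                f"AMT {service} (TLS) reachable from WAN via external port {dport}; "
                f"interface is internet-exposed even though the session is encrypted"))
        else:
            findings.append(Finding(host, port, "high",
                f"AMT {service} without TLS reachable from WAN via external port {dport}; "
                f"credentials and session data cross the internet in the clear"))
    return findings


# Constructed sample: two standard AMT forwards, one non-standard external
# port onto the TLS web port, an unrelated SSH forward, and a LAN-side rule.
SAMPLE_RULES = """
-A PREROUTING -i eth0 -p tcp --dport 16992 -j DNAT --to-destination 192.168.1.50:16992
-A PREROUTING -i eth0 -p tcp --dport 16993 -j DNAT --to-destination 192.168.1.50:16993
-A PREROUTING -i eth0 -p tcp --dport 8443 -j DNAT --to-destination 192.168.1.51:16993
-A PREROUTING -i eth0 -p tcp --dport 22 -j DNAT --to-destination 192.168.1.10:22
-A PREROUTING -i br0 -p tcp --dport 16994 -j DNAT --to-destination 192.168.1.50:16994
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_RULES):
        print(f"[{f.severity}] {f.host}:{f.port} - {f.reason}")
```

Run against the sample, the audit reports three findings: the cleartext 16992 forward as high, and the two TLS forwards (one via 8443) as medium; the SSH rule and the LAN-interface rule are not reported.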
izem
Beginner
hi
can you explain to me how VPN is used for managing AMT from the internet? it's just i'm curious, there must be some IPSec stack within AMT to establish a VPN for out-of-band communication, right?
Ajith_I_Intel
Employee

Assume that all of the AMT systems are inside the corporate LAN (intranet) and your management console is on the internet. If you set up a VPN router to access your corporate LAN, the MC will establish a VPN connection. Once the VPN connection is established, the MC can access all of the systems in the intranet and start managing them. In this scenario there is no need for AMT to have anything to do with VPN.

On the other hand, when the MC is in the intranet and the AMT systems are on the internet, things are different. Only for the mobile platforms, there is a feature called environment detection. When this feature is turned on AMT will be aware of its location and opens/closes the management interface when the system is in the intranet/internet respectively. You can learn more about this feature here. Along with environment detection, when you enable VPNRouting, after you establish the VPN connection through the host OS (not AMT), you can connect to AMT from the MC using the host VPN tunnel. The local manageability service (LMS) intercepts the traffic for AMT and routes it through the MEI interface, only when VPNRouting is enabled. Hence there is no need for any kind of VPN client in AMT.

Hope this clarifies a little further. Please do check out the Do it Yourself lab on environment detection.

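The reply above describes a decision procedure: environment detection (mobile platforms only) closes the management interface when the platform is off the intranet, and VPNRouting lets LMS carry console traffic through the host OS tunnel to the MEI instead. The Python model below is an added example, not Intel's firmware or LMS code: it evaluates that procedure for a constructed fleet and also answers the later question in the thread, namely which hosts have the interface open while sitting outside the intranet. Environment detection compares the network's DNS suffix against configured trusted suffixes; the trusted-suffix list, the host records and the three path labels are assumptions made for the model, and the suffix comparison respects label boundaries so that a look-alike suffix does not count as "inside".

```python
"""Model of how environment detection and VPNRouting gate the Intel AMT
management interface, following the thread's description.

Added example, not Intel code. The trusted suffixes, hosts and path labels
are constructed; the logic is a simplification of the real firmware.
"""
from dataclasses import dataclass


def suffix_matches(dns_suffix, trusted_suffixes):
    """True if dns_suffix equals a trusted suffix or is a subdomain of one.

    Case-insensitive and label-aware: 'notcorp.example.com' must NOT match
    'corp.example.com', otherwise an untrusted network could look 'inside'.
    """
    s = dns_suffix.strip().rstrip(".").lower()
    for t in trusted_suffixes:
        t = t.strip().rstrip(".").lower()
        if t and (s == t or s.endswith("." + t)):
            return True
    return False


@dataclass
class AmtHost:
    name: str
    mobile: bool          # environment detection exists only on mobile platforms
    env_detection: bool   # feature enabled in AMT configuration
    vpn_routing: bool     # VPNRouting enabled (LMS routes console traffic via MEI)
    dns_suffix: str       # DNS suffix of the network the host currently sits on
    host_vpn_up: bool     # host OS has an active VPN tunnel into the intranet


def management_path(host, trusted_suffixes):
    """How an intranet console can reach AMT on this host.

    Returns 'direct' (AMT listening on the wire), 'lms-vpn' (traffic enters
    through the host OS VPN tunnel and LMS hands it to the MEI), or
    'unreachable'.
    """
    inside = suffix_matches(host.dns_suffix, trusted_suffixes)
    detection_active = host.mobile and host.env_detection
    if inside or not detection_active:
        # Interface stays open. Off the intranet with no detection, this is
        # the exposed case the thread warns about.
        return "direct"
    if host.vpn_routing and host.host_vpn_up:
        return "lms-vpn"
    return "unreachable"


def exposed_outside(host, trusted_suffixes):
    """True when the interface is open although the host is off the intranet."""
    return (not suffix_matches(host.dns_suffix, trusted_suffixes)
            and management_path(host, trusted_suffixes) == "direct")


# Constructed fleet and trusted-suffix list for the model.
TRUSTED = ["corp.example.com"]
FLEET = [
    AmtHost("laptop-a", True, True, True, "corp.example.com", False),
    AmtHost("laptop-b", True, True, True, "home.lan", True),
    AmtHost("laptop-c", True, True, False, "home.lan", True),
    AmtHost("laptop-d", True, False, False, "hotel.example.net", False),
    AmtHost("laptop-f", True, True, True, "notcorp.example.com", False),
    AmtHost("desktop-e", False, False, False, "corp.example.com", False),
]


def fleet_report(fleet=FLEET, trusted=TRUSTED):
    """Map host name -> (path, exposed_outside)."""
    return {h.name: (management_path(h, trusted), exposed_outside(h, trusted))
            for h in fleet}


if __name__ == "__main__":
    for name, (path, exposed) in fleet_report().items():
        print(f"{name:10s} path={path:11s} exposed_outside={exposed}")
```

In the sample, laptop-b is reachable only through the host VPN tunnel (VPNRouting on, tunnel up), laptop-c is unreachable because VPNRouting is off even though the tunnel is up, and laptop-d is the case the thread calls out: off the intranet with detection disabled, the interface is open to whatever network it is on.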
izem
Beginner
thanks for the good reply.
ok now i understand that only mobile platforms are available with this feature right? if this feature is enabled, this PC can still access the network as usual but the management console couldn't connect to the management interface (http:/:port) right? only when it establishes VPN connection through host OS, then management console can connect to the management interface (http page) right?

so does this mean, if the PC's OS is not operational, meaning that it can't establish a VPN connection, the management console wouldn't be able to connect to the management interface, which in short means this PC is not manageable?
Ajith_I_Intel
Employee

ok now i understand that only mobile platforms are available with this feature right? - Correct, only mobile platforms have the environment detection feature

if this feature is enabled, this PC can still access the network as usual but the management console couldn't connect to the management interface (http:/:port) right? - When the PC is outside the intranet, the OS will work as usual, AMT will not be available.

only when it establishes VPN connection through host OS, then management console can connect to the management interface (http page) right? - Yes

so does this mean, if the OS pc is not operational, meaning that it can't establish VPN connection, the management console wouldn't be able to connect to the management interface which in short, this PC is not manageable? - Correct. For PCs to be manageable, they have to be in the intranet or have to have a VPN connection through the host OS when they are located outside the intranet.

izem
Beginner
i'm wondering, if the environment detection is disabled, the management interface can be accessed, thus the AMT machine is manageable.. but that would raise a security issue, wouldn't it?
Ajith_I_Intel
Employee
If environment detection is not enabled, then the management interface will still be available when you take the system out of the intranet. In which case, one could potentially try to hack AMT's credentials and start managing them. This is the reason we have introduced this feature.