Does AMT work the same over WAN as LAN? Technically, no... it has to be different in some respects, correct? In a practical sense though, yes... I cannot think of an operation that I do over LAN that I cannot do over WAN... but I am sure there is some small something that I could have missed... I just do not recall ever finding it. ;)
What is the security procedure for a management console outside the LAN to communicate with a vPro-based PC in the LAN?
What about if the management console needs to log in to a VPN to access a PC in the LAN?
Can you be more specific about your question regarding security procedure? Currently AMT supports TLS based authentication and depending on how it is configured, your management console needs to be able to support it. When your management console is outside the LAN, you can establish a server-to-server connection to a server that is residing in the LAN and use that to do the management of AMT systems in the LAN. A lot of small businesses use this model. Hope this helps.
Is it possible for the management console outside the LAN (internet) to manage directly a PC in the LAN?
What I know is just either establish a server-server connection or use the AMT Switchbox.
What if there's an AMT system outside the LAN, is it still manageable by a management console inside the LAN? BTW, the AMT system connects to the LAN through VPN only.
In order for an MC located outside the LAN to manage an AMT device inside the LAN, you have to use a Server-Server connection or VPN the MC into the LAN network.
Currently we do not support the AMT systems located outside the LAN because they could be behind firewall or NAT.
Hope this helps.
I have been working on Intel AMT management over WAN for quite some time. First, if you can access Intel AMT over a WAN, management should work fine, but IDE-R is going to be very slow. IDE-R is not an efficient protocol and usually runs at around CDROM 4X speeds over a LAN network. If you attempt to perform IDE-R over a DSL line, it's going to take over one hour to boot WinPE, etc.
Now there is the question of accessing AMT from the WAN. You can port map 16992 to 16995 of the router to a single computer; if you do that I highly recommend you enable TLS security first, also you are still exposing AMT to the internet and who knows what could happen. If you port map, you can only access one computer from the WAN. You could port map other ports, but consoles will not like it (Intel hard coded ports inside the Redirection & 3PDS libraries).
Another solution is to set up a VPN router and VPN into the LAN network. Then, you can communicate with and manage all of the computers on the LAN network.
Lastly, you can use Intel AMT Switchbox on the local LAN. Switchbox is a remote management point that monitors computers and solves the NAT problem. You can find blog entries here, here, here and here. You can also remotely upload disk images into Switchbox and perform fast IDE-R when you need it.
Ylian (Intel AMT Blog)
Can you explain to me how VPN is used for managing AMT from the internet? It's just that I'm curious; there must be some IPSec stack within AMT to establish a VPN for out-of-band communication, right?
Assume that all of the AMT systems are inside the corporate LAN (intranet) and your management console is on the internet. If you set up a VPN router to access your corporate LAN, the MC will establish a VPN connection. Once the VPN connection is established, the MC can access all of the systems in the intranet and start managing them. In this scenario there is no need for AMT to do anything with VPN.
On the other hand, when the MC is in the intranet and the AMT systems are on the internet, things are different. Only for the mobile platforms, there is a feature called environment detection. When this feature is turned on AMT will be aware of its location and opens/closes the management interface when the system is in the intranet/internet respectively. You can learn more about this feature here. Along with environment detection, when you enable VPNRouting, after you establish the VPN connection through the host OS (not AMT), you can connect to AMT from the MC using the host VPN tunnel. The local manageability service (LMS) intercepts the traffic for AMT and routes it through the MEI interface, only when VPNRouting is enabled. Hence there is no need for any kind of VPN client in AMT.
Hope this clarifies a little further. Please do check out the Do it Yourself lab on environment detection.
OK, now I understand that only mobile platforms are available with this feature, right? If this feature is enabled, this PC can still access the network as usual but the management console couldn't connect to the management interface (http:/
So does this mean, if the OS PC is not operational, meaning that it can't establish a VPN connection, the management console wouldn't be able to connect to the management interface, which in short means this PC is not manageable?
OK, now I understand that only mobile platforms are available with this feature, right? - Correct, only mobile platforms have the environment detection feature
If this feature is enabled, this PC can still access the network as usual but the management console couldn't connect to the management interface (http:/
only when it establishes a VPN connection through the host OS, then the management console can connect to the management interface (http page), right? - Yes
So does this mean, if the OS PC is not operational, meaning that it can't establish a VPN connection, the management console wouldn't be able to connect to the management interface, which in short means this PC is not manageable? - Correct. For PCs to be manageable, they have to be in the intranet or have a VPN connection through the host OS when they are located outside the intranet.