Does iAMT over WAN work the same way as iAMT over LAN?
Does using iAMT over WAN have some limitations?
What about the security issues when using iAMT over WAN?
Does AMT work the same over WAN as LAN? Technically, no... it has to be different in some respects, correct? In a practical sense though, yes... I cannot think of an operation that I do over LAN that I cannot do over WAN... but I am sure there is some small something that I could have missed... I just do not recall ever finding it. ;)
Can you be more specific about your question regarding security procedure? Currently AMT supports TLS based authentication and, depending on how it is configured, your management console needs to be able to support it. When your management console is outside the LAN, you can establish a server-to-server connection to a server residing in the LAN and use that to do the management of AMT systems in the LAN. A lot of small businesses use this model. Hope this helps.
Is it possible for a management console outside the LAN (internet) to manage a PC in the LAN directly?
What I know is to either establish a server-server connection or use an AMT switchbox.
What if there's an AMT system outside the LAN, is it still manageable by a management console inside the LAN? BTW, the AMT system connects to the LAN through VPN only.
In order for an MC located outside the LAN to manage an AMT device inside the LAN, you have to use a server-to-server connection or VPN the MC into the LAN network.
Currently we do not support AMT systems located outside the LAN because they could be behind a firewall or NAT.
Hope this helps.
Assume that all of the AMT systems are inside the corporate LAN (intranet) and your management console is on the internet. If you set up a VPN router to access your corporate LAN, the MC will establish a VPN connection. Once the VPN connection is established, the MC can access all of the systems in the intranet and start managing them. In this scenario there is no need for AMT to do anything with VPN.
On the other hand, when the MC is in the intranet and the AMT systems are on the internet, things are different. Only on mobile platforms is there a feature called environment detection. When this feature is turned on, AMT will be aware of its location and opens/closes the management interface when the system is in the intranet/internet respectively. You can learn more about this feature here. Along with environment detection, when you enable VPNRouting, after you establish the VPN connection through the host OS (not AMT), you can connect to AMT from the MC using the host VPN tunnel. The local manageability service (LMS) intercepts the traffic for AMT and routes it through the MEI interface, only when VPNRouting is enabled. Hence there is no need for any kind of VPN client in AMT.
Hope this clarifies a little further. Please do check out the Do It Yourself lab on environment detection.
OK, now I understand that only mobile platforms are available with this feature, right? - Correct, only mobile platforms have the environment detection feature.
If this feature is enabled, this PC can still access the network as usual but the management console couldn't connect to the management interface (http:/
Only when it establishes a VPN connection through the host OS can the management console connect to the management interface (http page), right? - Yes
So does this mean that if the PC's OS is not operational, meaning it can't establish a VPN connection, the management console wouldn't be able to connect to the management interface, which in short means this PC is not manageable? - Correct. For PCs to be manageable, they have to be in the intranet or have a VPN connection through the host OS when they are located outside the intranet.
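A small check a console operator can run to confirm the behaviour described in this thread, written here as an added example (it is not code from the thread or from Intel): it probes the AMT management ports from the console's current network position and reports whether the interface answers. It assumes the standard AMT ports 16992 (HTTP) and 16993 (HTTPS); for a mobile platform with environment detection on, both should be unreachable while the system is on the internet and open again once the host OS VPN is up with VPNRouting enabled.

```python
"""Probe the AMT management interface from the management console (added example)."""
import socket

# Assumption: standard AMT management ports (not stated in the thread).
AMT_PORTS = {16992: "http", 16993: "https"}


def probe(host, port, timeout=2.0):
    """Return 'open', 'closed' (connection refused) or 'filtered' (timeout/unreachable)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except (socket.timeout, OSError):
        # Dropped by a firewall/NAT or by environment detection, or host is off.
        return "filtered"


def check_host(host, ports=AMT_PORTS, timeout=2.0):
    """Probe every AMT port on one host; returns {port: state}."""
    return {port: probe(host, port, timeout) for port in ports}


def classify(results):
    """Turn the per-port states into the operator-facing conclusion."""
    if results.get(16993) == "open":
        return "manageable over TLS"
    if results.get(16992) == "open":
        return "only the non-TLS interface answers: check the TLS configuration"
    if any(state == "closed" for state in results.values()):
        return "host reachable but AMT interface closed"
    return ("AMT interface not reachable: expected for a mobile platform on the "
            "internet with environment detection on, until the host OS VPN and "
            "VPNRouting are up (or the console is VPNed into the intranet)")


def report(hosts):
    """Check a list of hosts and return [(host, conclusion)]."""
    return [(host, classify(check_host(host))) for host in hosts]


if __name__ == "__main__":
    # Constructed sample target; replace with your own AMT systems.
    for host, verdict in report(["192.0.2.10"]):
        print(f"{host}: {verdict}")
```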