- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I've managed to get my EMA server online and clients connecting.
My server is in a workgroup and is publicly accessible over the internet via rmm.myhosteddomain.com I'm using nginx as the proxy and it has the signed certificate for the domain name. The workstations are on a windows domain clientdomain.local
I have 3 clients connected (only 2 support AMT) these clients are connected over the internet and not locally on the LAN.
None of them show the CIRA connected and I'm not sure why. Maybe it's the DNS issue? I'm confused about this part of the settings. Do the clients need to connect to a server that has their same local domain name for CIRA to connect?
I'm also confused about the admin mode, which I'd like to implement. I attempted to export my certificate from nginx and import it into the certificates in EMA but it failed with:
Link Copied
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi XCEL,
Thank you for posting on Intel Community.
For the query reported, we request to post the query on the Software Development Technologies forum for further assistance.
https://community.intel.com/t5/Software-Development/ct-p/software-dev-technologies
We would like to inform you that we are closing this request as we have referred your query to Software Development Technologies forum.
Please don't hesitate to ask any further questions in the future.
Feel free to start a new conversation, as this thread will no longer be monitored.
Regards,
Megha K
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Could you explain this action? This make no sense to be in the software development forum, this is the correct location as it's a vPro issue.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello, XCEL,
My name is Miguel, I am an Intel EMA support member. I will gladly assist you.
I understand this is a new configuration with the following:
EMA version: 1.12.1
FQDN: rmm.myhosteddomain.com
EMA Server accessible over the internet; signed certificate for the domain name (IIS).
Using nginx as the proxy.
Windows domain: clientdomain.local
EMA configuration in Client Control Mode
Endpoints are working remotely (2 with vPro, 1 non-vPro)
AMT setup: Provisioned Completed
CIRA Not Connected
I will need your confirmation on the questions below:
1- Do the endpoints belong to the domain clientdomain.local?
2- Did you create a CIRA Proxy Setting for the EMA agent file?
Log in as a Tenant and go to AMT profile>General>CIRA Proxy Settings
3- Do the endpoints share the same FQDN of the EMA Server?
4- Are the endpoints working with a wired or wireless connection?
5- Please share the EMA server logs.
Default Path: [System drive]\Program File(x86)\Intel\Platform Manager\EmaLogs
Please send me the files without the date called:
EMAlog-Webserver.txt
EMAlog-Swarmserver.txt
EMAlog-Ajaxserver.txt
EMAlog-Recoveryserver.txt
EMAlog-Manageabilityserver.txt
6-Please share a log from an Intel® vPro system.
Intel® EMA Configuration Tool (ECT)
Installation:
Download and unzip the tool.
Double-click the .msi file and follow the prompts.
Run:
a- Open a command prompt as administrator (alternatively, you can run the tool from Windows PowerShell*).
b- Navigate to the installation folder (default C:\Program Files (x86)\Intel\EMAConfigTool).
c- Run the command: EMAConfigTool.exe --verbose
Intel® EMA requires its certificate for Admin Control Mode (access without User consent to OS and BIOS). It is a dedicated Certificate for Intel® vPro (AMT). This certificate contains the unique Intel® AMT OID number 2.16.840.1.113741.1.2.3.
XCEL, please share the information in a private message, for security reasons.
Regards,
Miguel C.
Intel Customer Support Technician
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the followup Miguel.
1- Do the endpoints belong to the domain clientdomain.local?
YES
2- Did you create a CIRA Proxy Setting for the EMA agent file?
Log in as a Tenant and go to AMT profile>General>CIRA Proxy Settings
NO, these are the settings:
3- Do the endpoints share the same FQDN of the EMA Server?
NO, totally different networks. The EMA server is in a workgroup, not on a domain.
4- Are the endpoints working with a wired or wireless connection?
NO, CIRA has never worked.
5- Please share the EMA server logs.
Sending in PM
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello, XCEL,
Thank you for sending the EMA Server logs and endpoint log.
My findings are below:
The endpoint seems connected to the internet via a USB dongle or docking station.
*** ME Wired Network Information ***
ME Wired Interface Not Detected
*** ME Wireless Network Information ***
Link Status: Down
IP Address: 0.0.0.0
Intel® EMA requires an Intel® network adapter connection; this can be a wired, wireless, or passthrough Thumber-bolt docking station (approved by Intel®).
Please remember, that the Client Control Mode option gives you access to the endpoints when they are in the operating system. To access the BIOS or wake up the machines an Intel® AMT certificate is necessary.
https://www.intel.com/content/www/us/en/architecture-and-technology/vpro/active-management-technology/implementation.html (bottom of the page).
If I understand correctly, the Windows Server machine containing the EMA configuration has a Proxy. If this is the case, it is necessary to access the EMA console and update the AMT profile with the Proxy requirements. Go to AMT profile > General > CIRA Proxy Settings
In addition, I noted the endpoint is using an old BIOS version. I suggest updating it to the latest version 1.26.0.
Dell Latitude 7310 and 7410 System BIOS
I look forward to hearing back from you.
Regards,
Miguel C.
Intel Customer Support Technician
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello, XCEL,
It is necessary to validate the EMA web page with a valid TLS SSL Certificate in IIS. In addition, if you want to have remote access to the endpoints without user consent or access to the endpoints' BIOS an AMT Certificate is necessary. You can buy it from the authorized vendors.
Vendor Certificates to Support Intel® AMT (bottom of the page).
Note: the AMT Certificate performs both validations and remote provisioning.
1- Allows remote configuration
2- Validate the EMA web page. The Certificate’s domain is usually equal to the company domain.
3- Validates the connection between the endpoints and the EMA server without OS and user consent.
Intel® EMA is prepared for adding extra security options such as a Proxy Server or adding 802.1x. Additional Certificates are necessary.
Regards,
Miguel C.
Intel Customer Support Technician
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
2- Validate the EMA web page. The Certificate’s domain is usually equal to the company domain.
If the domain is NOT the same, what should I do? For instance, the computers local domain is domainabc.local and my webserver, secured by a Godaddy certificated as you mentioned, is rmm.cloudhost.com
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Also, I've added the certificate to the IIS site and that part is working properly. However, in EMA if I go to the certificates section, there are none. Should my godaddy certificate also be in here?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello, XCEL,
The EMA domain (FQDN) needs to be validated by a dedicated Certificate for it. The certificate for rmm.cloudhost.com will not work. I suggest recreating the EMA configuration with the same domain cloudhost.com if it is possible.
It is necessary a dedicated Certificate chain for Intel® EMA. The Certificate allows the remote configuration of endpoints and validates the connection between the EMA server and the endpoints when we are trying to access the BIOS and performing requests before the OS. This Certificate has a dedicated OID number for Intel® vPro. It is 2.16.840.1.113741.1.2.3.
This dedicated Certificate chain can also be used for validating the EMA website in IIS.
After adding the Certificate chain in IIS; it is necessary to export the PFX file to your desktop and then, upload it to the Settings tab in the EMA web console.
I am adding useful links related to the EMA Certificate and the installation.
1.3.6 Intel® AMT PKI Certificate
3.5 Upload Certificates
Regards,
Miguel C.
Intel Customer Support Technician
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm not sure I understand what you are saying about the domain certificate.
In my example (not the exact domain name I'm using but the same concept) I am using the URL rmm.cloudhost.com, which I also have a Godaddy certificate for. Are you saying the certificate from godaddy must only include cloudhost.com? Why can't a subdomain be used? I thought I read that a subdomain such as rmm.cloudhost.com could be used, in fact, there is a document stating the level of subdomains allowed for each type of extension i.e. .com .co .net etc.
I did find that the reason I was unable to import the certificate into the EMA web certificates was because the godaddy root had to be installed on the server first. I now have the certificate listed.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello, XCEL,
You are right. The EMA certificate domain could be rmm.cloudhost.com. The domain cloudhost.com covers more endpoint location possibilities.
I am glad to hear you were able to upload the Cert into the settings Tab. If further assistance is necessary, please share a screenshot on how the Cert chain looks in the Settings tab. Make sure the Intel® AMT OID number 2.16.840.1.113741.1.2.3 is included in the Cert (Go to IIS, open the Cert. from the Personal Certificate Store, go to Details tab then open the Enhanced Key Usage option.
Regards,
Miguel C.
Intel Customer Support Technician
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I don't see Intel® AMT OID number 2.16.840.1.113741.1.2.3 I see:
Am I looking in the right place?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I see the issue, Godaddy's process is a little confusing. Working on the new cert now.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello, XCEL,
I will wait for your feedback.
The Intel® AMT OID number 2.16.840.1.113741.1.2.3 is visible at:
Go to IIS, and open the Certificate / Personal Certificate Store.
Go to the Details tab
Open the Enhanced Key Usage option.
Regards,
Miguel C.
Intel Customer Support Technician
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I've managed to get the correct certificate from Godaddy, I have it installed and it shows as a PKI certificate in the settings.
I've connected a laptop to the EMA server and it's mostly connected:
The problem appears to be that the client is not able to see or determine the CIRA server; as it shows CIRA Server: Not found. Where do I need to look to troubleshoot this issue?
*** Host Computer Information ***
Computer Name: DESKTOP-5PHS7B0
Manufacturer: Dell Inc.
Model: Latitude 5480
Processor: Intel(R) Core(TM) i5-7300U CPU @ 2.60GHz
Windows Version: Microsoft Windows 10 Pro
BIOS Version: 1.17.1
UUID: 4C4C4544-0048-5210-8030-B5C04F424832
*** SMBIOS Information ***
AMT Supported: True
AMT Enabled: True
SMBIOS ME SKU: Intel(R) Full AMT Manageability
SMBIOS ME Version: 11.8.70.3626
KVM Supported: True
SOL Supported: True
USB-R supported in BIOS: True
RSE Supported: True
*** ME Information ***
Version: 11.8.70.3626
SKU: Intel(R) Full AMT Manageability
State: Provisioned
Control Mode: Admin
Driver Installed: True
Driver Version: 2316.5.0.0
PKI DNS Suffix: Not Found
LMS State: Running
LMS Version: 2316.5.0.0
MicroLMS State: NotPresent
EHBC Enabled: False
*** ME Capabilities ***
AMT in Enterprise Mode: True
TLS Enabled: False
HW Crypto Enabled: True
Current Provisioning state: POST_PROVISIONING_STATE
NetworkInterface Enabled: True
SOL Enabled: True
IDER Enabled: True
FWUpdate Enabled: False
LinkIsUp state: True
KVM Enabled: False
RSE Enabled: False
*** Power Management Capabilities ***
Supported Power States:
5: PowerCycle_Off_Soft
8: Off_Soft
2: On
10: Master_Bus_Reset
11: NMI
7: Hibernate
12: Off_Soft_Graceful
14: MasterBusReset_Graceful
Power Change Capabilities:
2: On
3: SleepLight
4: SleepDeep
7: Hibernate
8: Off_Soft
*** CIRA Information ***
CIRA Server: Not Found
CIRA Connection Status: NOT_CONNECTED
CIRA Connection Trigger: USER_INITIATED
*** ME Wired Network Information ***
Wired Interface Enabled: True
Link Status: Up
IP Address: 192.168.89.115
MAC Address: <removed>
DHCP Enabled: True
DHCP Mode: Passive
DNS Suffix (from OS): Not Found
*** ME Wireless Network Information ***
Wireless Interface Enabled: False
Link Status: Down
IP Address: 0.0.0.0
MAC Address: Information Unavailable
DHCP Enabled: True
DHCP Mode: Passive
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello, Excel,
The Dell laptop Latitude 5480 is using an old BIOS version and the SMBIOS ME Version (Intel® AMT) is 11.8.70.3626. Intel® EMA requires at least the version 11.8.79. I reviewed Dell’s website and there are almost 15 newer versions available; the Intel® AMT version will be updated to this version or higher 11.8.92 or similar.
1.1 Usage Requirements - Intel® Endpoint Management Assistant (Intel® EMA) Administration and Usage Guide https://www.intel.com/content/dam/support/us/en/documents/software/manageability-products/intel-ema-admin-and-usage-guide.pdf#page=6
In addition, I noticed the laptop DNS Suffix (from OS) was Not Found and the Network Interface was Enabled. If the endpoint has a different DNS from the Server. I suggest typing the PKI DNS suffix of the Certificate in MEBx. Before doing this, you must do a Full unprovision. Keep the Network Interface Disable.
If you don’t mind, please share a screenshot of the Certificate chain from the Settings tab. Make sure from IIS, that each section of the chain is SHA256 from the Details tab.
Regards,
Miguel C.
Intel Customer Support Technician
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I had already typed the domain (rmm.mydomain.co) into the mebx settings manually.
I just updated the firmware, here is the latest log file:
*** SMBIOS Information ***
AMT Supported: True
AMT Enabled: True
SMBIOS ME SKU: Intel(R) Full AMT Manageability
SMBIOS ME Version: 11.8.94.4494
KVM Supported: True
SOL Supported: True
USB-R supported in BIOS: True
RSE Supported: True
*** ME Information ***
Version: 11.8.94.4494
SKU: Intel(R) Full AMT Manageability
State: Provisioned
Control Mode: Admin
Driver Installed: True
Driver Version: 2316.5.0.0
PKI DNS Suffix: Not Found
LMS State: Running
LMS Version: 2316.5.0.0
MicroLMS State: NotPresent
EHBC Enabled: False
*** ME Capabilities ***
AMT in Enterprise Mode: True
TLS Enabled: False
HW Crypto Enabled: True
Current Provisioning state: POST_PROVISIONING_STATE
NetworkInterface Enabled: True
SOL Enabled: True
IDER Enabled: True
FWUpdate Enabled: False
LinkIsUp state: True
KVM Enabled: False
RSE Enabled: False
*** Power Management Capabilities ***
Supported Power States:
5: PowerCycle_Off_Soft
8: Off_Soft
2: On
10: Master_Bus_Reset
11: NMI
7: Hibernate
12: Off_Soft_Graceful
14: MasterBusReset_Graceful
Power Change Capabilities:
2: On
3: SleepLight
4: SleepDeep
7: Hibernate
8: Off_Soft
*** CIRA Information ***
CIRA Server: Not Found
CIRA Connection Status: NOT_CONNECTED
CIRA Connection Trigger: USER_INITIATED
*** ME Wired Network Information ***
Wired Interface Enabled: True
Link Status: Up
IP Address: 192.168.89.115
MAC Address: <removed>
DHCP Enabled: True
DHCP Mode: Passive
DNS Suffix (from OS): rmm.mydomain.co
*** ME Wireless Network Information ***
Wireless Interface Enabled: False
Link Status: Down
IP Address: 0.0.0.0
MAC Address: Information Unavailable
DHCP Enabled: True
DHCP Mode: Passive
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello, XCEL,
It is nice to hear the Intel® AMT firmware was updated with the BIOS update.
I am afraid the PKI DNS Suffix in MEBx was not updated, it is still empty.
*** ME Information ***
Version: 11.8.94.4494
SKU: Intel(R) Full AMT Manageability
State: Provisioned
Control Mode: Admin
PKI DNS Suffix: Not Found
I am concerned about the Domain of the Certificate, EMA domain, and endpoints. I have the information below:
EMA FQDN: rmm.myhosteddomain.com
Endpoint and Certificate DNS Suffix (from OS): rmm.mydomain.co
I understand you are changing the real DNS and FQDN for security purposes; however, I want to clarify the DNS of the EMA (FQDN) and the certificate should be the same: myhosteddomain.com.
1- Steps for Full unprovision and 2- Adding PKI DNS suffix to MEBx:
From the MEBx Main Menu, click MEBx Login, type your password. The Default is admin.
Click over Intel® AMT Configuration
Scroll down to Uncofigure Network Access <Full Unprovision>
Enter <Full Unprovision>
Enter Full Unprovision
Select yes to Reset network settings.
Wait until the Main Intel® AMT Configuration is displayed.
Exit
---------
From the MEBx Main Menu, click MEBx Login, and type your password. The Default is admin.
Click over Intel® AMT Configuration
Scroll down and select Remote Setup and Configuration
Select TLS PKI
Select PKI DNS Suffix, and hit Enter.
Type your PKI DNS Suffix, and hit Enter.
The new Window will display the new PKI DNS Suffix.
Then, keep pressing Exit until you close MEBX.
At this point, the Endpoint will be in Admin Mode with the company PKI DNS Suffix.
Regards,
Miguel C.
Intel Customer Support Technician
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page