Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander
2942 Discussions

Connect to an EMA provisioned machine by IP address

Jools86
New Contributor II
2,157 Views

One of the engineers on my team wants to be able to connect to an Intel EMA provisioned machine via IP address, i.e. 10.132.12.3:16992 like when we configured the machine via Client Control mode in the past.

 

Is this possible? I have/had tested and it doesn't work.

 

Is the only way you can connect to an AMT provisioned machine (via ema agent) via the ema web console?

0 Kudos
10 Replies
Victor_G_Intel
Employee
2,127 Views

Hello  Jools86,

 

Thank you so much for contacting Intel customer support,


To provide you with the necessary assistance please provide the following information:


1-What EMA version are you currently using in your deployment?


2-How many endpoints your deployment currently has?


3-Are you trying to access the endpoint while using http or https?


4-What port are you trying when attempting to connect to the endpoint via its IP?



5-Please provide the following report from one of the endpoints you have tried to connect to via their IP.


Intel® EMA configuration tool


https://www.intel.com/content/www/us/en/download/19805/30485/intel-endpoint-management-assistant-configuration-tool-intel-ema-configuration-tool.html


Installation:


Double-click the .msi file and follow the prompts.

 

Run:


a- Open a command prompt as administrator.

b- Navigate to the installation folder (default C:\Program Files (x86)\Intel\EMAConfigTool).

c- Run the command: EMAConfigTool.exe -filename XXXX --verbose


Best regards,

 

Victor G.

Intel Technical Support Technician


0 Kudos
Jools86
New Contributor II
2,122 Views

1-What EMA version are you currently using in your deployment?

1.10.1

2-How many endpoints your deployment currently has?

600

3-Are you trying to access the endpoint while using http or https?

Both, neither work

4-What port are you trying when attempting to connect to the endpoint via its IP?

16992/16993

 

Results of EMAConfigTool (replace DNS name and PC name for Data Protection)

Intel EMA Configuration Tool
Application Version: 1.0.3.83
Scan Date: 6/13/2023 12:47:42 PM

*** Host Computer Information ***
Computer Name: PCNAME
Manufacturer: Dell Inc.
Model: Precision 3630 Tower
Processor: Intel(R) Core(TM) i7-8700 CPU @ 3.20GHz
Windows Version: Microsoft Windows 10 Enterprise
BIOS Version: 2.10.0
UUID: 4C4C4544-0031-3210-8059-C8C04F363033

*** ME Information ***
Version: 12.0.81.1753
SKU: Intel(R) Full AMT Manageability
State: Provisioned
Control Mode: Admin
Driver Installed: True
Driver Version: 2210.2.80.0
PKI DNS Suffix: Not Found
LMS State: Running

*** ME Capabilities ***
AMT in Enterprise Mode: True
TLS Enabled: True
HW Crypto Enabled: True
Current Provisioning state: POST_PROVISIONING_STATE
NetworkInterface Enabled: True
SOL Enabled: True
IDER Enabled: True
FWUpdate Enabled: False
LinkIsUp state: True
KVM Enabled: True
RSE Enabled: False

*** CIRA Information ***
CIRA Server: ema.mlp.com
CIRA Connection Status: CONNECTED
CIRA Connection Trigger: TRIGGER_PERIODIC

*** ME Wired Network Information ***
Wired Interface Enabled: True
Link Status: Up
IP Address: 0.0.0.0
MAC Address: 00:4E:01:A0:3A:C9
DHCP Enabled: True
DHCP Mode: Passive
DNS Suffix (from OS): domain.com

*** ME Wireless Network Information ***
ME Wireless Interface Not Detected

*** Last AMT Provisioning Attempt Details ***
Host Initiated: True
Provisioning TLS Mode: PKI
Provisioning Root Cert: CB:3C:CB:B7:60:31:E5:E0:13:8F:8D:D3:9A:23:F9:DE:47:FF:C3:5E:43:C1:14:4C:EA:27:D4:6A:5A:B1:CB:5F
Provisioning Cert Hash Type: SHA256
Provisioning Server FQDN: EMA.DOMAIN.COM
Provisioning Server IP: Not Set
Secure DNS Mode: False
TLS Start Time: 6/12/2023 12:18:41 PM

0 Kudos
Victor_G_Intel
Employee
2,114 Views

Hello Jools86,

 

Thank you so much for your response.


To continue with our investigation we will need the following information:


1-Can you confirm whether or not the endpoint used for this test is fully updated (OS, drivers, and BIOS)?


2-You mentioned that this used to work when you had the machine configured in CCM, can you please confirm if that time happened before doing any recent updates or any changes to either the machine or the EMA server?


Best regards,

 

Victor G.

Intel Technical Support Technician


0 Kudos
Jools86
New Contributor II
2,107 Views

Machine fully updated, OS, Drivers and Hotfixes to May 23.

 

We could connect to a Client Control mode configured machine via IP address, i.e. 10.192.163.4:16992.

 

But since EMA, we can only connect to AMT via the ema console.

 

Is it possible to connect to a machine directly outside of ema console?

0 Kudos
Victor_G_Intel
Employee
2,082 Views

Hello Jools86,


Thank you so much for your response.


Have you tried re-provisioning an endpoint into CCM to see if it is reachable via its IP? Or in case you have some endpoints in CCM in your deployment already, would you be able to grab one of those and try to access them via IP?


Best regards,

 

Victor G.

Intel Technical Support Technician


0 Kudos
Jools86
New Contributor II
2,079 Views

We can access machines in CCM via IP address in our estate via: http://10.123.23.22:16992 or by using Mesh Commander.

 

Our only issue is how do we connect to an AMT chip that is configured as ACM via EMA.

 

Do you know if this is possible?

0 Kudos
Victor_G_Intel
Employee
2,056 Views

Hello Jools86,

 

Thank you for posting on the Intel® communities.

 

Please let me review this information internally, and kindly wait for an update.

 

Once we have more information to share, we will post it on this thread.

 

Regards,

 

Victor G.

Intel Technical Support Technician 


0 Kudos
Victor_G_Intel
Employee
2,039 Views

Hello Jools86,

 

Thank you so much for your response.


After further investigation from our end, we have determined that this behavior is expected. You can see more information on it on the link below: 

 

https://www.intel.com/content/dam/support/us/en/documents/software/manageability-products/intel-ema-admin-and-usage-guide.pdf (page 5 section 1.2.6 intel AMT CIRA that states the CIRA creates an encrypted tunnel and additional TLS is not needed)


Best regards,

 

Victor G.

Intel Technical Support Technician


0 Kudos
Jools86
New Contributor II
2,025 Views

Thanks a lot Victor.

 

For anyone else with the same issue:

 

 

The Answer is NO.

 

To confirm EMA provisioned AMT chip can only be connected via EMA console via CIRA or TLS relay.

 

You cannot connect directly via IP, like you may have done in the past.

0 Kudos
Jools86
New Contributor II
1,955 Views

The following AMT profile configuration (Enter your companies domain suffixes below), will get IP working:

Jools86_0-1687185185706.png

 

However only 16992 works properly, mixed results with 16993 (Browser and Mesh Commander work - TLS untrusted), IMC fails:

Jools86_1-1687185285493.png

 

 

v3.png

0 Kudos
Reply