Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander

EMA - Clients not provisioning to CCM or ACM

Jori
Beginner
1,092 Views

Hello,

So I'm currently trying to POC Intel EMA.  I'll do my best to describe my environment as it is configured...

I have 3 different servers.
svr-emaw - EMA Web and Ajax Server.  URL: emasupport.domain.com
svr-emasrm - EMA Swarm and Recovery Server. URL: emasrm.domain.com

svr-emam - EMA Manageability Server

PCs are all joined to an internal domain (let's just call it AD.domain.com).

I'm attempting to provision my own machine first, however it will not provision AMT (at all).

Attached are logs from the attempt.  The system I'm attempting to provision is connected via ethernet to the network.


0 Kudos
17 Replies
vij1
Employee
1,054 Views

Hello Jori,

Greetings!

Please note the latest security updates regarding Intel AMT remote connections:

  1. Use HTTPS (TLS Connection) on Port 16993
  • Non-TLS connections are no longer supported.
  • Supported ports: 16993, 16995, and 664.
  • Example connection: https://<endpoint_IP>:16993.

For more details, please refer to the official Intel AMT Implementation and Reference Guide:

https://software.intel.com/sites/manageability/AMT_Implementation_and_Reference_Guide/default.htm?turl=WordDocuments%2Fintelamtandsecurityconsiderations1.htm

Let us know if you need further clarification.


Best regards,

Vijay N.


0 Kudos
Jori
Beginner
991 Views

The results when attempting to provision with a certificate purchased from DigiCert are the same.

What am I missing?

0 Kudos
Jimmy_Wai_Intel
Employee
922 Views

Hi Jori,

The following error is shown in your manageability server log. Your manageability server is not able to find/talk to the swarm server. Your server and network configurations are where you should start looking for issues.

EMAManageabilityServer, Version=1.14.1.0, Culture=neutral, PublicKeyToken=57d11e903ea1ca2c - [1] - Error:Unable to connect to a Swarm Server, user=SYSTEM : (TESTCLIENT01,D6890D49). 

Would you mind sharing how many PCs you are planning to manage with this multi-server setup?

Regards,

Jimmy Wai

Technical Sales Specialist, Intel

0 Kudos
Jori
Beginner
826 Views

Hi Jimmy,

I would say around 800.  The idea behind splitting the servers is less around performance, and more about security posture and monitoring traffic.

I will say this. During installation, the server selected for the Web server/Ajax server installed IIS.  None of the other servers installed IIS. Is IIS a required component for a server that is not hosting the web server component?

Regarding network connectivity.  The manageability server is able to resolve the swarm server.  What ports specifically should I be looking at?

This is how network connectivity currently looks. I suspect that if it is a connectivity issue, then I misinterpreted the documentation and traffic flow.

<> - 2-way connectivity
< or > - 1-way connectivity

manageability <-8000-> swarm
manageability -8089-> swarm
manageability -8093-> swarm
manageability -8095-> swarm
swarm -8094-> manageability

EDIT:

So I took a look at the firewall logs (the 3 servers are on their own isolated VLANs).
I can see my test endpoint communicating with the Swarm server (it detects an SSL connection over port 8080).
During that time I do not see any communication attempted between the manageability and swarm servers. If either one of them attempted to reach the other, I should at least see it block the traffic.

0 Kudos
Jimmy_Wai_Intel
Employee
808 Views

Hi Jori,

Port 8089 between all servers should be both ways. You should also log in to the Intel EMA web console as global administrator and check that all the IP addresses of your server components are correct. Those are under the settings page of each Intel EMA server component. To remove complexity, I would also suggest provisioning a PC into CCM first without using the provisioning certificate, i.e. setting up an endpoint group with Host Based Provisioning. Once that is successful, you can then proceed with ACM. You will need to unprovision the PC to change from CCM to ACM.

You don't need IIS running on all servers.

Regards,

Jimmy Wai

Technical Sales Specialist, Intel

0 Kudos
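The port matrix discussed above (Jori's drawing plus Jimmy's note that 8089 must be open both ways, and the endpoint-side ports mentioned later in the thread) can be probed from each server with Test-NetConnection. The script below is an added example, not Intel's tooling or any poster's code: the host names are the ones Jori listed, TESTCLIENT01 is the endpoint name from the quoted log line, and the path list is compiled from the posts as an assumption, not Intel's authoritative port matrix.

```powershell
# Added example, not Intel's code or the thread author's: probe the Intel EMA
# inter-server TCP paths named in this thread from whichever server runs it.
# Host names are the ones Jori listed; the path list is compiled from the posts
# (8089 both ways per Jimmy, the rest as Jori drew them, plus the endpoint-side
# 8000/8080/443 checks vij1 mentions) and is an assumption, not Intel's
# authoritative port matrix.

param(
    # Name of the host this is run on; must match a 'From' value below.
    [string]$Self = $env:COMPUTERNAME
)

$Paths = @(
    [pscustomobject]@{ From = 'svr-emam';     To = 'svr-emasrm'; Port = 8000 }
    [pscustomobject]@{ From = 'svr-emam';     To = 'svr-emasrm'; Port = 8089 }
    [pscustomobject]@{ From = 'svr-emam';     To = 'svr-emasrm'; Port = 8093 }
    [pscustomobject]@{ From = 'svr-emam';     To = 'svr-emasrm'; Port = 8095 }
    [pscustomobject]@{ From = 'svr-emam';     To = 'svr-emaw';   Port = 8089 }
    [pscustomobject]@{ From = 'svr-emasrm';   To = 'svr-emam';   Port = 8000 }
    [pscustomobject]@{ From = 'svr-emasrm';   To = 'svr-emam';   Port = 8089 }
    [pscustomobject]@{ From = 'svr-emasrm';   To = 'svr-emam';   Port = 8094 }
    [pscustomobject]@{ From = 'svr-emasrm';   To = 'svr-emaw';   Port = 8089 }
    [pscustomobject]@{ From = 'svr-emaw';     To = 'svr-emam';   Port = 8089 }
    [pscustomobject]@{ From = 'svr-emaw';     To = 'svr-emasrm'; Port = 8089 }
    # Endpoint checks (TESTCLIENT01 is the endpoint name in the server log).
    [pscustomobject]@{ From = 'TESTCLIENT01'; To = 'svr-emasrm'; Port = 8000 }
    [pscustomobject]@{ From = 'TESTCLIENT01'; To = 'svr-emasrm'; Port = 8080 }
    [pscustomobject]@{ From = 'TESTCLIENT01'; To = 'svr-emaw';   Port = 443  }
)

$mine = @($Paths | Where-Object { $_.From -eq $Self })
if ($mine.Count -eq 0) {
    $known = ($Paths.From | Select-Object -Unique) -join ', '
    throw "No paths defined for '$Self'; pass -Self with one of: $known"
}

$Results = foreach ($p in $mine) {
    # Test-NetConnection does DNS resolution plus a TCP handshake only; it
    # cannot see a reset that happens after the connection is established.
    $t = Test-NetConnection -ComputerName $p.To -Port $p.Port -WarningAction SilentlyContinue
    [pscustomobject]@{
        From     = $p.From
        To       = $p.To
        Port     = $p.Port
        Resolved = [bool]$t.RemoteAddress
        TcpOpen  = [bool]$t.TcpTestSucceeded
    }
}

$Results | Format-Table -AutoSize

# Triage: unresolved = DNS; resolved but closed = firewall rule or no listener.
$Results | Where-Object { -not $_.TcpOpen } | ForEach-Object {
    $why = if ($_.Resolved) { 'resolved but TCP closed/filtered' } else { 'name did not resolve' }
    Write-Warning ("{0} -> {1}:{2} failed ({3})" -f $_.From, $_.To, $_.Port, $why)
}
```

Run it once on each of the three servers (and once on the test endpoint) so every direction of each path is exercised from its own source; a row that resolves but fails the handshake points at the VLAN firewall or a service that is not listening, while a connection reset after the handshake, as Jori later observes, is an application or TLS-level problem this test cannot surface.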
Jori
Beginner
772 Views

Hi Jimmy,

Still waiting to get the policy modified on my side.

Is there any diagram or material illustrating what components only need 1 way or 2 way communication?

Thank you very much for your help so far.  Hoping to have some positive results tomorrow!

0 Kudos
Jori
Beginner
586 Views

Hi Jimmy,

So after doing some double checking, all the rules are in place, and the traffic is NOT being blocked. However, I do see the servers resetting the connection, mostly from the server end?

I also don't see anything else in the logs implying that they are unable to connect to each other. I can confirm that the ports are accessible using PowerShell.

0 Kudos
Jimmy_Wai_Intel
Employee
522 Views

Hi Jori,

Have you tried reprovisioning the PC to see if it is successful, or if there are still errors in the manageability server log? Are the in-band functions like terminal and KVM working?

Regards,

Jimmy Wai

Technical Sales Specialist, Intel

0 Kudos
Jori
Beginner
458 Views

Hi Jimmy,

So there was no change in the logs. Provisioning was still failing with "Error:Unable to connect to a Swarm Server".

I ended up looking at this thread: Re: Unable to connect to a Swarm Server - Failed PKI provisioning - Intel Community

What I saw was that the Swarm Server, Ajax Server and Manageability Server tab did not have a Swarm Server listed!

So, entering in the IP Address, and the Server ID I managed to set it for the Swarm Server and Ajax Server.  However, the Manageability Server tab I am unable to save on. It is telling me that "File path is not an existing path."

So I have a feeling I'm at least closer to a resolution.  The file paths in the configuration for 'Logs' and 'USBR Images Root Directory' both exist, and the service account EMA is running under has full control over the path.

0 Kudos
Jimmy_Wai_Intel
Employee
368 Views

Hi Jori,

Could you try accessing the web console from a browser on the manageability server, and then try saving the new settings for the manageability server?

Regards,

Jimmy Wai

Technical Sales Specialist, Intel

0 Kudos
Jori
Beginner
342 Views

Hi Jimmy,

First off, thank you for your patience and continuing to work on this with me.

Second, that did not work, which I kind of expected. The Manageability Server is only running the Manageability Component and is not running a local instance of IIS.

Would you like me to install the Web Component on that server and try again?

0 Kudos
Jimmy_Wai_Intel
Employee
245 Views

Hi Jori,

Instead, I would suggest creating the USBR directory on the server with the AJAX server and IIS running, making sure it has the correct access rights, and then accessing the web console on that server and saving the manageability server settings. If this works, you can then remove the USBR directory on the AJAX server.

Regards,

Jimmy Wai

Technical Sales Specialist, Intel

0 Kudos
vij1
Employee
950 Views

Hello Jori,

Greetings!

As you mentioned in your previous post, you are unable to provision the endpoint in either CCM or ACM mode, so we kindly request you to perform the following checks on the endpoint:

  1. Verify Port Connectivity:
  • Open PowerShell as an administrator and check the status of ports 8000, 8080, and 443.
  • Run the following commands:
  • Test-NetConnection -ComputerName <FQDN> -Port 80xx
  • Test-NetConnection -ComputerName <FQDN> -Port 443
  • Replace <FQDN> with your EMA server's Fully Qualified Domain Name.

  2. Verify EMA Server FQDN:
  • On the EMA Server, navigate to:
  • C:\Program Files (x86)\Intel\Platform Manager\Platform Manager Server
  • Open settings.txt and look for the following section near the top:
  • emahostname=ematest.intel.com
  • Ensure that the FQDN listed matches the one used in the provisioning process.

Let us know the results of these checks, and we can assist further.

Best regards,

Vijay N.

0 Kudos
Jori
Beginner
891 Views

Hi Vijay,

So in this case, I have 3 different servers, all with different roles.

svr-emaw - EMA Web and Ajax Server. URL: emasupport.domain.com
svr-emasrm - EMA Swarm and Recovery Server. URL: emasrm.domain.com
svr-emam - EMA Manageability Server

Looking at the settings, it looks like the "emahostname" is emasupport.domain.com

The certificate was made for emasrm.domain.com

From my understanding, the endpoints just connect to the swarm server, so I'm a little unclear why "emasupport.domain.com" needs to be the name on the certificate.

As a follow-up to that: in the scenario where I am trying to manage a device over the internet, would both emasupport and emasrm need to be reachable from an endpoint? Or could emasupport.domain.com stay internal, but emasrm.domain.com be externally available?

0 Kudos
Suneesh
Employee
859 Views

Hello Jori,

Good day.

We would like to inform you that the provisioning failure could be due to an incorrect certificate configuration. The certificate is issued for emasrm.domain.com, but the `emahostname` in `settings.txt` is set to emasupport.domain.com, causing a mismatch.

You may have to verify and correct the certificate configuration to ensure the `emahostname` matches the certificate's Common Name (CN). Additionally, you should check network connectivity and ensure the required ports (8080 and 443) are open between the Manageability Server and the Swarm Server and verify DNS resolution for the Swarm Server to ensure the Manageability Server can resolve its hostname.

We may have to consider these two things:

  1. The certificate is issued for emasrm.domain.com, however the `emahostname` in `settings.txt` is set to emasupport.domain.com.
  2. The logs indicate that the Manageability Server is unable to connect to the Swarm Server during the provisioning process, resulting in a failure.

Regards,

Suneesh_intel

0 Kudos
Jimmy_Wai_Intel
Employee
837 Views

Hi Suneesh,

A properly issued provisioning certificate for emasrm.domain.com indeed works in this scenario as long as DHCP option 15 is set to domain.com. The CN in the certificate does not need to match the full FQDN of the Intel EMA server or the emahostname in settings.txt. Intel AMT only checks to a depth of 2 or 3 into the DNS suffix in the certificate CN. For .com domains, only 2 levels are checked. In this case, it is only 'domain.com'. The technical reference is here.

Best regards,

Jimmy Wai

Technical Sales Specialist, Intel

0 Kudos
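Jimmy's suffix rule above, together with vij1's earlier check of the `emahostname=` line in settings.txt, can be turned into a quick pre-provisioning check. The script below is an added example and not Intel's code: it compares the certificate CN, the DHCP option 15 domain and the emahostname at the label depth the rule describes. The 2-label depth for .com comes from the thread; using 3 labels for other TLDs is an assumption made here for illustration, the settings.txt content is a constructed sample in the format vij1 quotes, and all host names are the ones from this thread.

```powershell
# Added example, not Intel's code: apply the DNS-suffix rule Jimmy describes
# to a provisioning certificate CN, the DHCP option 15 domain and the
# emahostname read from settings.txt. Depth 2 for .com is from the thread;
# depth 3 for other TLDs is an assumption for illustration only.

function Get-DnsSuffix {
    param([string]$Name, [int]$Depth)
    # Last $Depth labels of a DNS name, normalised to lower case, no trailing dot.
    $labels = $Name.Trim().TrimEnd('.').ToLowerInvariant() -split '\.'
    if ($labels.Count -le $Depth) { return ($labels -join '.') }
    return ($labels[($labels.Count - $Depth)..($labels.Count - 1)] -join '.')
}

function Get-SuffixDepth {
    param([string]$Name)
    # Thread: .com domains are compared at 2 labels. 3 for anything else is
    # an assumption here, not an Intel-documented value.
    $tld = ($Name.Trim().TrimEnd('.') -split '\.')[-1].ToLowerInvariant()
    if ($tld -eq 'com') { 2 } else { 3 }
}

function Test-ProvisioningCertDomain {
    param(
        [Parameter(Mandatory)][string]$CertificateCN,
        [Parameter(Mandatory)][string]$DhcpDomain,   # DHCP option 15 value
        [string]$EmaHostname                          # emahostname from settings.txt
    )
    $depth      = Get-SuffixDepth -Name $CertificateCN
    $certSuffix = Get-DnsSuffix -Name $CertificateCN -Depth $depth
    $dhcpSuffix = Get-DnsSuffix -Name $DhcpDomain    -Depth $depth
    [pscustomobject]@{
        CertificateCN     = $CertificateCN
        ComparedDepth     = $depth
        ComparedSuffix    = $certSuffix
        DhcpDomain        = $DhcpDomain
        # This is the comparison that matters for ACM per the thread.
        DhcpMatches       = ($certSuffix -eq $dhcpSuffix)
        EmaHostname       = $EmaHostname
        # Informational only: the thread says the CN need not equal emahostname.
        EmaHostSameSuffix = $(if ($EmaHostname) {
                                (Get-DnsSuffix -Name $EmaHostname -Depth $depth) -eq $certSuffix
                              } else { $null })
    }
}

# Constructed settings.txt sample in the key=value format vij1 quotes.
$settingsText = @"
# Intel EMA Platform Manager Server settings (constructed sample)
emahostname=emasupport.domain.com
"@

$emaHost = $null
foreach ($line in ($settingsText -split "`r?`n")) {
    if ($line -match '^\s*emahostname\s*=\s*(.+?)\s*$') { $emaHost = $Matches[1]; break }
}

# Jori's values: certificate for emasrm.domain.com, DHCP option 15 = domain.com.
Test-ProvisioningCertDomain -CertificateCN 'emasrm.domain.com' `
                            -DhcpDomain 'domain.com' `
                            -EmaHostname $emaHost | Format-List
```

For Jori's values the compared suffix is `domain.com` at depth 2, so `DhcpMatches` is true even though the CN differs from the emahostname; on a live server replace the constructed `$settingsText` with `Get-Content` of the settings.txt path vij1 gives, and take the DHCP domain from `ipconfig /all` on the endpoint being provisioned.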
pujeeth
Employee
36 Views

Hi Jori,

Greetings!

We wanted to follow up on this case to check if you had an opportunity to go through the previous plan of action shared.

Feel free to reply to this email, and we'll be more than happy to assist you further.

Regards,

Pujeeth_Intel

0 Kudos