We have our internal DNS using an internal domain name that is not the same as the external domain name. It will not be possible to change this configuration.
Is it possible to acquire an externally signed certificate to allow remote configuration of the vPro devices?
One idea that I have is to create a certificate for provisionserver.example.com and maybe add a subject alternative name for provisionserver.example.local. Would this work, and if not, what will work?
I think that having different internal and external domain names is relatively common.
Thanks
Tags: Provisioning
Unfortunately your idea will not work, as public CAs will not issue certificates with a CN or SAN that can't be verified for domain ownership.
This issue used to be an Intel AMT Remote Configuration showstopper for a long time, but ... not any longer.
Possible solutions, from the most ready/easy to use:
- Use the latest McAfee ePO Deep Command - it has an incorporated pseudo DHCP server that "spoofs" Intel AMT into thinking it is in ... your external registered domain - just for the configuration process time.
- Create DHCP reservations in your DHCP server for the Intel AMT based systems to be configured, with Reservation (only) Option 15 equal to your external/registered domain name.
- Change just the DHCP server Option 15 to your external/registered domain name. This will make AMT Remote Configuration work BUT may also negatively impact the behaviour of other network devices (e.g. their autoconfiguration) that rely on DHCP option 15.
- You can import your own CA root cert hash into the ME FW (with USB local preconfiguration) of every Intel AMT based system (it requires local access during POST) and then self-issue an AMT RCFG cert signed by your own CA.
Thanks for the answers, it helps and leads to some more questions.
Points 2 and 3 sound similar; is the difference just that 2 restricts the change to option 15 to a subnet? We were discussing this as an option but haven't found out if anyone has successfully implemented this; easy to test for a few hosts or a subnet.
Point 3: our company purchased multiple (100+) TLDs for our domain name. So it seems sensible to use one of these for the internal domain; would this be a good route?
Point 4: I was searching for a way to insert a thumbprint hash using a USB stick but have only found the error-prone method of typing in 40 hex digits. What software would we need to use to insert the hash into the BIOS?
Many thanks
Duncan
Duncan,
Point 4 - the USBFile.exe tool allows you to create a setup.bin file with various AMT configuration/pre-configuration options. The -hash option allows you to create a setup.bin file containing your own Root Certificate hash and then add it into the Intel ME FW. If you would like to see the other possible usage options listed, just run USBFile /?
USBFile.exe is part of the Intel AMT SDK available at http://software.intel.com/en-us/articles/download-the-latest-intel-amt-software-development-kit-sdk in the \Windows\Intel_AMT\Bin\Configuration\USBFile folder.
See also https://downloadcenter.intel.com/download/20979/Intel-vPro-Use-Case-Reference-Design-Local-Setup-and-Configuration-Using-a-USB-Flash-Drive (Download Intel® vPro™ Use Case Reference Design - Local Setup and Configuration Using a USB Flash Drive).
Point 3 - TLDs - some TLDs like .com, .net and also some country domains allow you to use a single Intel AMT Provisioning certificate for subdomains - please see for details: https://software.intel.com/sites/manageability/AMT_Implementation_and_Reference_Guide/default.htm?turl=WordDocuments/pkicertificateverificationmethods.htm
Points 2 and 3 - the DHCP Option 15 change is needed only for a subnet/segment where unconfigured Intel vPro based systems are located (or a DHCP Reservation per such single unconfigured system) and only for the time of Intel AMT first configuration (from the unconfigured state).
Once Intel AMT is configured you can move those systems to a different segment/DHCP scope with the original internal domain name configured as DHCP Option 15, or delete the Reservation.
Until you do a Full Unprovision of Intel AMT (or its reset to factory defaults) you can change/reload the AMT configuration from the RCS server (via ACUConfig script or SCS Jobs).
Rgds
darek
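As an added example of points 2 and 3 from the replies above (not code from this thread or from Intel), assuming a Windows DHCP Server managed with the DhcpServer PowerShell module, a constructed scope 10.1.20.0/24, a constructed vPro client MAC, and example.com as the registered domain the public CA issued the provisioning certificate for: a reservation-only Option 15 override for one unconfigured host, the scope-wide variant left commented out, and the cleanup once first configuration has completed.

```powershell
# Constructed values for this example; replace with your own scope, host and domain.
$ScopeId     = "10.1.20.0"          # scope holding the unconfigured vPro systems
$AmtIp       = "10.1.20.50"         # address reserved for the one host being configured
$AmtMac      = "00-11-22-33-44-55"  # constructed client MAC
$PublicDom   = "example.com"        # domain the public CA issued the AMT RCFG cert for

# Point 2: reservation-only Option 15. Only this one unconfigured vPro system is told
# it lives in example.com; every other lease on the scope keeps the internal domain.
Add-DhcpServerv4Reservation -ScopeId $ScopeId -IPAddress $AmtIp -ClientId $AmtMac `
    -Name "amt-host01" -Description "Intel AMT first-time remote configuration"
Set-DhcpServerv4OptionValue -ReservedIP $AmtIp -OptionId 15 -Value $PublicDom

# Check: the reservation value (15 = DNS Domain Name) overrides the scope value,
# so the scope itself still hands out the internal domain to everyone else.
Get-DhcpServerv4OptionValue -ReservedIP $AmtIp -OptionId 15 | Select-Object OptionId, Value
Get-DhcpServerv4OptionValue -ScopeId $ScopeId -OptionId 15 | Select-Object OptionId, Value

# Point 3 (wider blast radius): change Option 15 for the whole scope instead.
# Do this only on a segment dedicated to unconfigured vPro systems, because every
# other DHCP client in the scope would receive the external domain name as well.
# Set-DhcpServerv4OptionValue -ScopeId $ScopeId -OptionId 15 -Value $PublicDom

# Cleanup after AMT has completed first configuration: drop the override and the
# reservation so the host goes back to the normal internal domain name. The AMT
# configuration survives this; only a Full Unprovision would require redoing it.
Remove-DhcpServerv4OptionValue -ReservedIP $AmtIp -OptionId 15
Remove-DhcpServerv4Reservation -IPAddress $AmtIp
```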