Hi vpro Experts,
I have 100+ vPro clients with a mix of AMT 6 and AMT 7 machines. All of them have already been provisioned using the basic SMB / manual configuration method and are now part of the corporate domain.
I now wish to capitalize on the AMT features like KVM, IDER, SOL and FCFH by securely and remotely managing these provisioned vPro systems using MTLS / TLS Kerberos-based communication with VNC as my management console. My current setup is Windows Server 2008 with the roles ADS, DNS, DHCP, IIS and ADCS, along with SCS 8.0 and VNC Plus. I am able to perform most of the AMT features without TLS using the digest MEBx account; however, for security reasons my objective is to integrate Kerberos-based authentication and MTLS/TLS communication between the management console (VNC) and the vPro clients.
Could you help me with a high-level breakdown of how to achieve this?
In order to achieve the above objectives, please clarify the following as well:
>Do I need to create / purchase any SSL certificates for this purpose?
>If yes, what certificate do I need for implementing MTLS communication for remotely managing the vPro clients to perform jobs like KVM, IDER, SOL and FCFH?
>How can I create an SSL certificate from our internal root CA using the ADCS running on one of the domain controllers for MTLS/TLS communication?
>Am I correct to say that the certificate hashes that are already embedded in the MEBx (like GoDaddy, VeriSign, Comodo, etc.) are only used for initial provisioning? Which further means that these external SSL certificates are of no use to me, since all my vPro clients are already SMB / manually provisioned as stated above?
Have you had a chance to read the User Guide?
Appendices A & B have all the information on setting up your CA and working with the certificates that are needed for Remote Configuration, creating templates, and creating and installing your own certificate.
How is it going? Hope all is well at your end. Well, I am still working on it. The user guides are really helpful, as I found them to be an improved version of the earlier documents. However, for some reason I have had to stall the remote configuration testing for a while. I am trying to get my head around using MTLS/TLS Kerberos-based authentication and communication for security reasons, which I found on pages 66-70 of the user guide.
Q: Does that mean that for MTLS/TLS you don't really have to create a certificate? Or do you?
Q: Is setting up a CA and issuing a customised certificate template to the AD (page 170) all you have to do for using MTLS/TLS?
Thanks in advance
Yes, you need to have a certificate for TLS communication.
When doing remote configuration you will need a third-party certificate for provisioning (Go Daddy, VeriSign, etc.) or create your own as explained on pages 178 - 183.