Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander

Intel EMA - Provision a machine so you can access it via its IP address

Jools86
New Contributor II

I raised a previous ticket asking how we could provision an AMT chip to be accessed via IP address using Intel EMA.

 

We received the following from this forum that it was not possible: Connect to an EMA provisioned machine by IP address - Intel Community. It is in fact possible:

 

Use "Use Intel AMT CIRA unless on a specified network" and add your domain below:

 

Jools86_0-1687184764269.png

 

Machines then become connectable via IP and via Mesh Commander:

v3.png

Jools86_1-1687184922609.png

 

Can you find out from your engineering team whether this is expected and supported behaviour?

 

If so, can you let us know how to get TLS working correctly for a machine provisioned via AMT Profile this way, as we see the following when trying to connect to a machine using IMC:

Jools86_2-1687184990341.png

Mesh Commander and Web connection via TLS (16993) work, but the connection is untrusted. What certs do we have to install, and where, for a TLS connection of this type to succeed properly?

 

 

 

 

1 Solution
MichaelA_Intel
Employee

Jools86,


You are correct, it is possible if you use TLS relay in EMA whether it's in admin or client control mode.


To get it to work with MeshCommander, you have to import the EMA mesh certificate onto the local system and in the trusted root for Mesh to trust, or under the security menu in MeshCommander, you can select ignore certificate.


Unfortunately, there is no way to select ignore certificate in manageability commander.
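
One way to carry out the "import into the trusted root" option from the answer above and then confirm the result without using "ignore certificate", as an added example that is not part of the original thread or of Intel's tooling. The certificate path and host name are placeholders, and the script assumes the certificate the answer refers to has already been exported from the EMA server to a file.

```powershell
# Added example, not from the thread. Values marked "placeholder" are assumptions.
$RootCertPath = 'C:\Temp\ema-root.cer'      # placeholder: root certificate exported from the EMA server
$AmtHost      = 'amt-endpoint.example.com'  # placeholder: name the endpoint's certificate was issued to
$AmtTlsPort   = 16993                       # AMT TLS port mentioned in the thread

# 1. Print subject, thumbprint and expiry so they can be compared with the
#    certificate on the EMA server before anything is trusted.
$root = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($RootCertPath)
'{0} | thumbprint {1} | expires {2:u}' -f $root.Subject, $root.Thumbprint, $root.NotAfter

# 2. Import into the machine-wide Trusted Root store (elevated prompt required).
Import-Certificate -FilePath $RootCertPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null

# 3. Handshake with default validation (chain to a trusted root, validity dates,
#    host name). No validation callback is supplied, so nothing is ignored.
function Test-AmtTlsTrust {
    param([string]$HostName, [int]$Port)
    $tcp = [System.Net.Sockets.TcpClient]::new()
    try {
        $tcp.Connect($HostName, $Port)
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName)
        $leaf = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        [pscustomobject]@{ Trusted = $true; Subject = $leaf.Subject; Issuer = $leaf.Issuer; Detail = $ssl.SslProtocol }
    }
    catch [System.Security.Authentication.AuthenticationException] {
        # Chain or name validation failed: the state the thread calls "untrusted".
        [pscustomobject]@{ Trusted = $false; Subject = $null; Issuer = $null; Detail = $_.Exception.Message }
    }
    finally {
        $tcp.Close()
    }
}

Test-AmtTlsTrust -HostName $AmtHost -Port $AmtTlsPort | Format-List
```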



10 Replies
Victor_G_Intel
Employee

Hello Jools86,

 

Thank you for posting on the Intel® communities.

 

Please let me review this information internally, and kindly wait for an update.

 

Once we have more information to share, we will post it on this thread.

 

Regards,

 

Victor G.

Intel Technical Support Technician 


Victor_G_Intel
Employee

Hello Jools86,

 

Thank you for posting on the Intel® communities.

 

To investigate this further on our end can you please clarify if you moved the systems out of EMA to do this current testing? We’re asking because as per your old thread, you were using an EMA provisioned endpoint in ACM.


Additionally, can you describe in more detail the step by step that you did to get the results you got on this new thread?


Best regards,

 

Victor G.

Intel Technical Support Technician


Victor_G_Intel
Employee

Hello Jools86,

 

Were you able to check the previous message we sent?  


Please let us know if you need further assistance.

 

Best regards,

 

Victor G.

Intel Technical Support Technician


Jools86
New Contributor II

Hi Victor,

 

Apologies, I missed this.

 

The machines were still in EMA. What we did was the following:

 

1. Create a new AMT Profile as follows: 

Jools86_0-1687856584857.png

 

2. Create a new Endpoint group, with this AMT profile assigned.

3. Deploy EMA Agent to a machine, AMT AutoSetup via EMA Agent then uses the above profile.

4. Machines now can be connected directly via 16992 or 16993.

 

Note: As Intel EMA Console seems to force CIRA when trying to connect via HW Manageability, a machine configured as above cannot be connected to via EMA Console; we have to connect via MeshCommander or Intel Manageability Commander to the machines via those ports.

 

Victor_G_Intel
Employee

Hello Jools86,

 

Thank you for your response.

 

Please allow us some more time to look into this.

 

Once we have more information to share, we will post it on this thread.

 

Regards,

 

Victor G.

Intel Technical Support Technician 


Victor_G_Intel
Employee

Hello Jools86,

 

Thank you for your response.


Please bear in mind that once the endpoints have been connected to Intel EMA in ACM the connections are secured and this would prevent other tools from connecting to the endpoint as expected.

 

Additionally, using Mesh Commander (3rd party tool) would not be able to trust the connection because the systems are configured/provisioned in EMA. If you remove the EMA provision and then provision the device with Mesh Commander in ACM, you should have a secure connection with Mesh, but other tools would fail to secure the connection.


Best regards,

 

Victor G.

Intel Technical Support Technician


Jools86
New Contributor II

Thanks Victor. 

 

Please bear in mind that once the endpoints have been connected to Intel EMA in ACM the connections are secured and this would prevent other tools from connecting to the endpoint as expected.

 

The above doesn't hold up in our testing as an EMA machine provisioned using the AMT Profile below can be connected via MeshCommander after it has been provisioned by EMA. This might be a bug / lop

 

Jools86_0-1687943959829.png

 

 

Understood pertaining to TLS not working with an EMA provisioned machine.

 

Victor_G_Intel
Employee

Hello Jools86,

 

Thank you for your response.

 

We will check this further on our end and we will reach out as soon as possible.

 

Regards,

 

Victor G.

Intel Technical Support Technician


Jools86
New Contributor II

Thanks a lot Michael. I had played around with the Mesh cert with no luck, but will try again.
