Hi Intel Staff,
I had more of a general question in regards to the environment to set up an on-prem Intel EMA server.
I have installed the Intel EMA software on a test bare metal MS 2019 server (with IIS and MS SQL Server installed). I am using an Intel NUC 12 Pro model with vPro built in that has Windows 11 installed (using this as my test endpoint/client). They both have static IPs and are on the same subnet & VLAN (wired network). I am able to set up the test server with the EMA software and set up the EMA local website and add the device with the agent files. I am able to connect to the remote desktop through the local Intel EMA webpage. However, I am not able to power on/wake the device when it is powered off (I am able to send a power off command via the EMA webpage and it works, just not power on). I am also not able to view the Hardware manageability section (I believe this is where the Out of Band management GUI is if I understand correctly?). The device is provisioning into client control mode which is due to the lack of a cert in the AMT profile that I have set up from what I have read here - which is also why I'm assuming I cannot get the CIRA connection to connect in the web page - is this what allows me to wake the device if it is powered off?
From the research I have done from the Intel setup guide pdf and from this forum I am seeing it is easier to install an AMT PKI cert from a 3rd party vendor (godaddy, digicert, etc.). The way our organization is set up is kind of challenging/makes this kind of difficult. We wouldn't have a public facing IP/Domain dedicated to this and I believe 3rd party vendors will not fulfill cert requests with just the name of the local server.
Would it be feasible to host an internal webserver with all of these components and set up the Intel EMA server with IIS and MS SQL? We would have around 5-10 local locations that would be able to reach the internal IP of the host server (Intel EMA, IIS, MS SQL) and make it more of an intranet site. Would the only way for me to achieve this setup be through setting up an internal CA? I know that is a long process to set up and I would have to manually configure each endpoint (we would have about 300), but I just wanted to see my options or next steps I would have to take.
Thank you so much for your help!
Hello Ceta,
Thank you for posting on the Intel® communities.
In regard to your inquiries please take a look at the following information:
I had more of a general question in regards to the environment to set up an on-prem Intel EMA server.
I have installed the Intel EMA software on a test bare metal MS 2019 server (with IIS and MS SQL Server installed). I am using an Intel NUC 12 Pro model with vPro built in that has Windows 11 installed (using this as my test endpoint/client). They both have static IPs and are on the same subnet & VLAN (wired network). I am able to set up the test server with the EMA software and set up the EMA local website and add the device with the agent files. I am able to connect to the remote desktop through the local Intel EMA webpage. However, I am not able to power on/wake the device when it is powered off (I am able to send a power off command via the EMA webpage and it works, just not power on). I am also not able to view the Hardware manageability section (I believe this is where the Out of Band management GUI is if I understand correctly?). The device is provisioning into client control mode which is due to the lack of a cert in the AMT profile that I have set up from what I have read here - which is also why I'm assuming I cannot get the CIRA connection to connect in the web page - is this what allows me to wake the device if it is powered off?
R/In order to use CIRA you will need to have a PKI certificate, either from a vendor or by creating a self-signed certificate. If you decide not to use a cert for whatever reason you will still be able to use EMA, but all the endpoints you have experienced will be provisioned in CCM and will have limitations (user consent). In regards to the wake-up command, please bear in mind that when you use TLS you need at least two endpoints fully provisioned, and one of them must be turned on per subnet with the Intel EMA agent running; if both endpoints or for this matter all endpoints are off, EMA will not be able to manage them with AMT.
Please refer to the following series of videos to learn more about the provisioning process.
Remote Endpoint Management with Intel® AMT EMA (1 of 3) | Intel Business
https://www.youtube.com/watch?v=WKi4C8_r1XE
Remote Endpoint Management with Intel® AMT EMA (2 of 3) | Intel Business
https://www.youtube.com/watch?v=1z9e2T3wDqI
Remote Endpoint Management with Intel® AMT EMA (3 of 3) | Intel Business
https://www.youtube.com/watch?v=iLU17jNADV8
From the research I have done from the Intel setup guide pdf and this forum, I am seeing it is easier to install an AMT PKI cert from a 3rd party vendor (godaddy, digicert, etc.). The way our organization is set up is kind of challenging/makes this kind of difficult. We wouldn't have a public-facing IP/Domain dedicated to this and I believe 3rd party vendors will not fulfill cert requests with just the name of the local server.
R/We wouldn’t be able to know if the vendors will fulfill this type of request or not; however, you are more than welcome to ask them directly; their information can be found in the following link at the bottom of the page.
Intel® Active Management Technology Implementation
Would it be feasible to host an internal web server with all of these components and set up the Intel EMA server with IIS and MS SQL? We would have around 5-10 local locations that would be able to reach the internal IP of the host server (Intel EMA, IIS, MS SQL) and make it more of an intranet site. Would the only way for me to achieve this setup be through setting up an internal CA? I know that is a long process to set up and I would have to manually configure each endpoint (we would have about 300), but I just wanted to see my options or next steps I would have to take.
R/As long as you keep your EMA instance as it is and you don’t use a cert, you will be able to use TLS, which is used for instances where all the endpoints are in the same network as the EMA server. If you use a PKI cert that you create or a self-signed certificate for that matter, you will be able to provision the endpoints in ACM (admin control mode/ no user consent needed), but you will need to deal with a more time-consuming process since you will need to add the hash manually to every system’s MEBx. You can find more information about that process in the link below.
How to Create a Self-Certificate Hash for Intel® Active Management Technology (Intel® AMT) Version 14 or Higher
https://www.intel.com/content/www/us/en/support/articles/000059996/software.html
Best regards,
Victor G.
Intel Technical Support Technician
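
Added example, not part of the thread or of Intel's documentation: with about 300 endpoints receiving a hand-typed root hash in MEBx, one way to produce the value once and check each transcription against it. It assumes the value entered is the SHA-256 digest of the root certificate's DER encoding (confirm against the linked Intel article); `Get-AmtRootHash` and `Test-AmtHashEntry` are hypothetical helper names, and the certificate is a throwaway built in memory.

```powershell
# Added example. Assumption: MEBx takes the SHA-256 digest of the root
# certificate's DER encoding; confirm against the linked Intel article.
function Get-AmtRootHash {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    # Only a self-issued certificate (subject equals issuer) is a root.
    if ($Certificate.Subject -ne $Certificate.Issuer) {
        throw "Not a self-issued root: $($Certificate.Subject)"
    }
    if ((Get-Date) -gt $Certificate.NotAfter) {
        throw "Root expired on $($Certificate.NotAfter)"
    }
    $sha256 = [System.Security.Cryptography.SHA256]::Create()
    try { $digest = $sha256.ComputeHash($Certificate.RawData) }
    finally { $sha256.Dispose() }
    # BitConverter yields "AB-CD-..."; byte groups are easier to read back.
    $grouped = [System.BitConverter]::ToString($digest)
    [pscustomobject]@{
        Subject  = $Certificate.Subject
        NotAfter = $Certificate.NotAfter
        Sha256   = $grouped.Replace('-', '')
        Grouped  = $grouped
    }
}

# Compare a hand-typed hash with the expected one, ignoring separators and case.
function Test-AmtHashEntry {
    param([string]$Typed, [string]$Expected)
    $normalize = { param($s) ($s -replace '[^0-9A-Fa-f]', '').ToUpperInvariant() }
    (& $normalize $Typed) -ceq (& $normalize $Expected)
}

# Constructed sample: a throwaway root built in memory, never written to a store.
# For a real root, load it with [X509Certificate2]::new('<path to root .cer>').
$rsa  = [System.Security.Cryptography.RSA]::Create(2048)
$req  = [System.Security.Cryptography.X509Certificates.CertificateRequest]::new(
    'CN=Example AMT Root (constructed)', $rsa,
    [System.Security.Cryptography.HashAlgorithmName]::SHA256,
    [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
$root = $req.CreateSelfSigned([DateTimeOffset]::Now.AddDays(-1),
                              [DateTimeOffset]::Now.AddYears(1))

$info = Get-AmtRootHash -Certificate $root
$info | Format-List
# A transcription with spaces and lower case matches; a truncated entry does not.
Test-AmtHashEntry -Typed ($info.Grouped.ToLower() -replace '-', ' ') -Expected $info.Sha256
Test-AmtHashEntry -Typed $info.Sha256.Substring(2) -Expected $info.Sha256
```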
Hello Ceta,
Were you able to check the previous message we sent?
Please let us know if you need further assistance.
Best regards,
Victor G.
Intel Technical Support Technician
Hello Ceta,
We have not heard back from you.
If you need any additional information, please submit a new question as this thread will no longer be monitored.
Regards,
Victor G.
Intel Technical Support Technician