Community
cancel
Showing results for 
Search instead for 
Did you mean: 
mrobe9
Novice
3,710 Views

Mesh Commander (Remote Desktop works over LAN only)

Hi,

I am using Mesh Commander 0.5.7 for Mac. I can connect over LAN and use the "Remote Desktop" feature with no problem, however when trying to connect using public IP, despite being able to connect and view system status, hardware information etc., when I try to use "Remote Desktop" it displays connecting, but never connects.

Am I missing something? It works over LAN so not sure why it does not work the same over public IP despite a successful connection - I wonder, is there a different port for the "Remote Desktop" function and I need to forward that also?

I have also tried this on a Windows PC, but no luck.

Thanks,

Matt

Tags (1)
14 Replies
idata
Community Manager
1,190 Views

Hello Matthew,

 

 

Could you please provide us with more details on how you are trying to connect via Public IP.

 

 

Did this connection over Public IP work before?

 

 

Have you tried to ping the Public IP and get a response?

 

 

If you have any more questions, please let me know.

 

 

Best regards,

 

 

Caesar B_Intel.
mrobe9
Novice
1,190 Views

Hi,

I am not sure what specific details are required - I am connecting from outside the local area network using mesh commander, from a different physical location.

I have pinged the public IP and I am able to get a response on ports 16992 and 16993 used by intel AMT:

$ nc -z XX.XX.XX.XXX 16992

Connection to XX.XX.XX.XXX port 16992 [tcp/amt-soap-http] succeeded!

$ nc -z XX.XX.XX.XXX 16993

Connection to XX.XX.XX.XXX port 16993 [tcp/amt-soap-https] succeeded!

The connection seems to work correctly in mesh commander. However, the remote desktop feature does not. I have never had the remote desktop feature working from outside the LAN.

The remote desktop feature (and all features I have tried) work when I connect from within the local area network, but not from outside.

I am not sure what details to provide, but please let me know and I can give more information.

Thanks again

Dariusz_W_Intel
Employee
1,190 Views

Matt,

TCP Ports 16992 (http) and 16993 (https) are Intel AMT ports for every Intel AMT features except Redirections -which includes AMT HW KVM.

 

Intel AMT Redirection operations SOL, IDE-R/USB-R and KVM use AMT redirection port that is :

16994 if you have not configured TLS encryption,

 

16995 for TLS AMT setup.

 

With Mesh Commander you can enable Non TLS redirection port in addition to TLS encrypted port (in AMT Security section).

You will have to open those ports to firewall config (I guess you will need to add them to public IP to private IP port mapping list).

 

Please note if you expose Intel AMT over public IP it is strongly recommended to use strong and complex Intel AMT passwords and enable TLS.

 

You may consider also moving to MTLS setup but it is more complex.

rgds

Dariusz Wittek

 

Intel EMEA Biz Client Technical Sales Specialist
mrobe9
Novice
1,190 Views

Dariusz,

I cannot thank you enough - after opening ports 16994 and 16995 I can now use Remote Desktop from outside the local network. I had problems with IDE-R too, but it sounds like this might solve that issue also - I will test this tomorrow.

I have been planning to implement MTLS as well, as you advise. I have followed Ylian's very clear video tutorial, and I believe I have correctly issued a certificate - now with the above ports open and certificate issued I thought that TLS might be possible - however, I receive a timeout error when trying to connect - I have tried issuing a certificate using a dummy root and from a trusted root certificate in the certificate manager, but have had no luck with either.

If I can resolve this final issue then that would be everything sorted - I would be very much appreciative of any hints.

Thank you again,

Matt

mrobe9
Novice
1,190 Views

I noticed another one of your posts:

"SMB mode does not support TLS - it was intended for ...Small and Medium Businesses not having PKI CA and certs skills. Unfortunately you have to unprovision Intel AMT 5.x completely in order to configure it again in Enterprise mode. SMB mode is mutually exclusive to Enterprise mode."

but also:

"Last but not least - in Intel AMT 6.0 or newer SMB mode and Enterprise mode have been merged into single configuration mode - so you can use MEBx or USB to configure Intel AMT then use RCS or Mesh Commander/Director to add TLS setup to it."

I wonder if something like this might be the problem? I have Intel® ME v7.1.3, perhaps the second extract suggests this is no longer an issue, if so what could cause the timeout error?

Thanks,

Matt

idata
Community Manager
1,190 Views

Hello Matthew,

We are glad to hear Dariusz Wittek response was helpful and after opening ports 16994 and 16995 you were able to use Remote Desktop from outside the local network.

Please let us know about the problem with the "IDE-R". Additionally, please let us know if you are still experiencing difficulties implementing MTLS.

If you have any more questions, please let me know.

Best regards,

Caesar B_Intel.

mrobe9
Novice
1,190 Views

Hi Caesar,

Still having troubles with TLS and MTLS unfortunately - are there any basic requirements I must check to make sure it is possible to activate?

Edit: I have tried this from a Windows based PC at work and have been able to enable TLS (IDE-R works but slow) - perhaps it is a problem with the Mac version of Mesh commander? I have gone back to the Mac and TLS still does not work.

For the IDE-R, it seems the upload is too slow to allow the boot - I can start the process but so far have only got up to 160000 bytes. I am trying to load the Ubuntu mini.iso, ~63 mb, but even that is too big it seems, and my connection is not slow.

I have not been able to is set up MTLS, even on the Windows PC - I have applied the trusted root and tls cert as below:

When selecting mutual-auth and adding the correct remote CN name, it says Applying new security settings... but it is never applied (leaving only Server-auth and non-TLS).

I have selected "Use for TLS console authentication" in the certificate issued for the commander in the certificate manager also.

Thanks,

Matt

idata
Community Manager
1,190 Views

Hello Matthew,

 

 

Let me look into this issue and I will provide you with more information as soon as possible.

 

 

Sincerely,

 

Caesar B_Intel.
mrobe9
Novice
1,190 Views

Thanks,

I now tried using two stage boot, but even uploading the small 4mb .iso is too slow.

Matt

idata
Community Manager
1,190 Views

Hello Matthew Robers matthewroberts123 ,

We have escalated your case to our engineering department. Once we have an update we will be posting it immediately.

If you have any more questions, please let us know.

Best regards,

Caesar B_Intel.

idata
Community Manager
1,190 Views

Hi Matt,

 

 

Hoping to help out a bit here. Mesh Commander is not a product that Intel supports, though we provide our best efforts with it. In your case of wanting to use Mesh Commander for issuing TLS/MTLS certs, it's a little more complex for me via Mesh Commander. I have sent an e-mail to the developer to take a look at the thread. That said, when wanting to use TLS, our method is to use SCS and select it as an option in the profile editor but I did not see any reference to SCS in your posts.

 

 

Second question, ultimately, are you wanting this to work with your Mac or Windows or both?

 

 

If you haven't already done so, you can take a look at the Setup and Configuration Software User Guide and you can launch here:

 

https://www.intel.com/content/dam/support/us/en/documents/software/Intel_SCS_User_Guide.pdf

 

 

Section 5.10 details for both TLS and MTLS. Once this is done via the SCS process, it's pretty straight forward to configure your endpoints in mesh commander to connect via TLS. Hope this helps.

 

 

There is also contact information off of the Mesh Commander website:

 

http://www.meshcommander.com/meshcommander

 

 

Regards,

 

Michael
idata
Community Manager
1,190 Views

Hi Matthew, checking in to see if you needed anything further from us as I have not heard back from you.

 

 

Regards,

 

Michael
mrobe9
Novice
1,190 Views

Hi Michael,

Thanks for your reply - I have been away so no had chance to try anything further yet I am afraid.

I followed the TLS video (https://www.youtube.com/watch?v=PNpQV6C0Gb8 MeshCommander - TLS & Mutual-TLS - YouTube) for mesh commander, and the certificate is issued using the software for TLS, so I assumed it would work for MTLS also. I did not realise anything further was required (the video i used to successfully set up TLS doesn't suggest anything further) - I'll have a look at the document you link to when I get chance and see if I can find a solution.

Ultimately, I would like this to work on the Mac - I have it working on a Windows machine at the moment, but the Mac is what I use day to day.

Best regards,

Jon.

idata
Community Manager
1,190 Views

Hi Jon,

 

 

Apologies, for some reason, showed as "Matthew". Thank you for getting back to me on this. Unfortunately, I actually have no opportunity to work with a Mac as for now, the demand for this hasn't justified me to be able to get one. To get it ultimately (and hopefully) working on your Mac, my suggestion would be to send a message in the link I had shared:

 

 

"There is also contact information off of the Mesh Commander website:

 

http://www.meshcommander.com/meshcommander http://www.meshcommander.com/meshcommander"

 

 

Just so that you don't have to repeat yourself, I will forward the details of this case to the developers.

 

 

Regards,

 

Michael
Reply