SWood7
Novice
2,519 Views

What's the secret to getting IDE-Redirect / Serial Connection 'active' in SCCM?

I've gotten my vPro systems Provisioned and can connect and restart them in my SCCM OOB mgmt console. I can also open the workstation web pages. I cannot however get the Serial or IDE Redirect to be active. Is there a trick to activating them on the client-side for use with SCCM?

0 Kudos
24 Replies
Matthew_R_Intel
Employee
212 Views

Something to Try...

http://communities.intel.com/docs/DOC-1627

Symptom: Not able to perform an IDER or SOL session on an AMT client from the SCCM Out Of Band Management Console.

Potential Root cause(s):

  • The OOBConsole.log states the following error "IMR_SOLOpenTCPSession2 with user = <user> fail with result:0x20, description:Failed to Establish TLS Connection" and your AMT Web Certificates are being issued from a Subordinate Certificate Authority.
    • Full certificate chain is not being passed correctly during a SOL/IDER session within SCCM. Place a copy of the Subordinate Certificate Authority certificate in the Local Computer - "Trusted Root Certificate Authorities" of the server or workstation that the Out Of Band Management Console is run from.

--Matt Royer

SWood7
Novice
212 Views

Thanks for the link. I tried what it suggested and I'm still 'Inactive'. Here's a bit from my OOBConsole.log

[1][1/7/2009 1:13:11 PM] :Launch terminal with "127.0.0.1 49790 -t ansi" fail.
[1][1/7/2009 1:13:11 PM] :System.ComponentModel.Win32Exception\r\nThe system cannot find the file specified\r\n at System.Diagnostics.Process.StartWithCreateProcess(ProcessStartInfo startInfo)
at System.Diagnostics.Process.Start()
at System.Diagnostics.Process.Start(ProcessStartInfo startInfo)
at Microsoft.ConfigurationManagement.AdminConsole.OobConsole.SerialConnectionPage.CreateTelnetClient()\r\n
[11][1/7/2009 1:13:11 PM] :System.Net.Sockets.SocketException\r\nA blocking operation was interrupted by a call to WSACancelBlockingCall\r\n at System.Net.Sockets.Socket.Accept()
at Microsoft.ConfigurationManagement.AdminConsole.OobConsole.Utilities.SolManager.Open()
at Microsoft.ConfigurationManagement.AdminConsole.OobConsole.Utilities.AmtDevice.RefreshAmtSerialOverLan(Object sender, DoWorkEventArgs e)
at System.ComponentModel.BackgroundWorker.OnDoWork(DoWorkEventArgs e)
at System.ComponentModel.BackgroundWorker.WorkerThreadStart(Object argument)\r\n

idata
Community Manager
212 Views

Sandy,

There are issues with using the OOB management console on Windows Vista. Are you using this platform for the console?

Trevor Sullivan

Systems Engineer

OfficeMax Corporation

SWood7
Novice
212 Views

Yes. Vista Enterprise.

Matthew_R_Intel
Employee
212 Views

Sandy,

Can you confirm that you have telnet.exe installed on the OS you are running the OOBC from?

--Matt Royer

SWood7
Novice
212 Views

You know, it's not installed. Let me add it and see what happens! Thanks!

idata
Community Manager
212 Views

Installing the telnet client did not resolve my issues. I also just reimaged my laptop last Friday, and tried again, and it still didn't work. I have had a ticket open regarding this issue with Microsoft since November. I haven't had any recent activity on it though.

Additionally, the Intel AMT Commander tool included with the DTK does not work with Serial-over-LAN on Windows Vista.

Trevor Sullivan

Systems Engineer

OfficeMax Corporation

SWood7
Novice
212 Views

Trevor,

Installing the Telnet Client got me the beautiful black SOL display, so I got a bit further than where I was before. I did a plain Reboot and now I'm stuck at

I imagine I need to go one step further somehow. I saw your post on the Intel AMT Commander as well as the YouTube video which really intrigued me. I'd like to use RD to get this functionality.

idata
Community Manager
212 Views

Sandy,

Interesting. I'm glad to see you got SoL working in Vista (is it Vista SP1 BTW?). If it's not SP1, that could be the difference between my problem, and your success.

Just FYI, Serial-over-LAN will only give you a text-based GUI, so once your AMT client boots into a graphical environment of any sort, SoL will be bypassed, as you see in your screenshot.

If you would like to get remote desktop working over Serial-over-LAN, you will have to take advantage of the TCP redirection feature. Download the Intel AMT Developer Toolkit to get started. You can get that here: http://www.intel.com/software/amt-dtk/

Enabling Remote Desktop over SoL

AMT System

1. Install the Intel AMT DTK on the AMT client

2. Run the AMT Outpost Control Panel tool

3. Install the Outpost Service

4. Enable serial-over-LAN functionality

Management Workstation

1. Install the Intel AMT DTK

2. Run the Intel AMT Commander tool

3. Connect to the AMT client (use the FQDN of the client, and Domain\User syntax for the userID)

4. Go to the remote control tab, and press "Take Control"

5. In the terminal window that opens, choose TCP Redirection from the menu on the right

6. Add a TCP Redirection rule using a random local port (e.g. 65001), and 3389 as the destination port

7. Open the RDP client and connect to localhost:65001

The directions above are not exact, because I am not in front of my work laptop at the moment, but this should give you a good idea of how to get it done. If necessary, I will revise the directions when I'm on my work laptop again. Let me know if you need any more assistance to get this working.

Trevor Sullivan

Systems Engineer

OfficeMax Corporation

SWood7
Novice
212 Views

Trevor,

Yes, it looks like I may have gotten lucky with enabling SOL. At least I feel good that it is working and that the screenshot is expected behavior. Yes, I'm on Vista SP1 and I had to add the Telnet Client this afternoon to get it running.

Thanks for the Intel AMT DTK info - I've downloaded it and installed it on my Vista Workstation but have not had the chance to dive in. Your instructions will go a long way to help. So, installing the DTK on the AMT client.......do you have this going in production? Is there any noticeable performance hit with it installed? Do you install the entire DTK or is there a basic subset of bits that will enable client functionality?

idata
Community Manager
212 Views

Sandy,

The Intel AMT DTK is built on Microsoft .NET, and all of the tools are already compiled. The source code is available (as a separate download) too, and very helpful for understanding how the vPro technology is architected. Anyway, you shouldn't have to actually "install" the DTK on all your AMT systems. Simply install it on your own system, and then copy over the necessary tools (and supporting libraries) to the remote machine. They ought to work just fine, and in fact, that is how I'm using a couple tools on a server, in which I did not install the DTK. I just copied the files over, and they work fine.

Trevor Sullivan

Systems Engineer

OfficeMax Corporation

SWood7
Novice
212 Views

Trevor,

Thanks, the footprint on an AMT sounds a bit better; I'd really like to consider this as an option for all our 900+ machines. I've loved the idea of an 'iLO-like' interface for our pcs and know that our support staff / Help Desk folks would too. Remote Desktop and SCCM Remote Tools only go so far for us.

With all the focus on getting SOL up, I still haven't solved the riddle of activating IDE-Redirect on my AMT clients. My guess, initially, is that if I didn't have a Default *.ISO image configured in the AMT component in SCCM, perhaps IDE-Redirect would not show Activated. However, I plugged one in and it still doesn't show activated. I don't need to use it but it would be nice to have the option. Have you gotten it to work on your end?

idata
Community Manager
212 Views

Sandy,

I'm not sure where your issue lies. Are you saying that you can't use IDE-Redirect using the Microsoft OOB Management Console from Windows Vista SP1? If that is correct, then please try performing the operation from a Windows XP SP2 or Windows Server 2003.

I have successfully used IDE-R with the Microsoft OOB Management console on Windows XP SP2 and Windows Server 2003. I just gave a demo yesterday, in fact, from a Windows Server 2003 SP2 ConfigMgr site server.

FYI, you do not need to configure a default ISO image in the OOB Management Component Configuration.

Trevor Sullivan

Systems Engineer

OfficeMax Corporation

SWood7
Novice
212 Views

Trevor,

Yes, I'm not sure where my issue is either. I'll check an XP workstation and see if that's the issue. My OOB Console window looks like the image.

idata
Community Manager
212 Views

Here are the messages I'm getting within my OOBconsole.log file in the AdminUiLog folder:

[11][1/9/2009 1:57:39 PM] :IMR_SOLOpenTCPSession2 with user = VPRODEMO\vprouser fail with result:0x20, description:Failed to Establish TLS Connection
[11][1/9/2009 1:57:39 PM] :IMR_SOLOpenTCPSession fail with result:0x00000020.
[11][1/9/2009 1:57:41 PM] :IMR_SOLOpenTCPSession2 with user = VPRODEMO\vprouser fail with result:0x20, description:Failed to Establish TLS Connection
[11][1/9/2009 1:57:41 PM] :IMR_SOLOpenTCPSession fail with result:0x00000020.
[11][1/9/2009 1:57:42 PM] :IMR_SOLOpenTCPSession2 with user = VPRODEMO\vprouser fail with result:0x20, description:Failed to Establish TLS Connection
[11][1/9/2009 1:57:42 PM] :IMR_SOLOpenTCPSession fail with result:0x00000020.
[11][1/9/2009 1:57:44 PM] :IMR_SOLOpenTCPSession2 with user = VPRODEMO\vprouser fail with result:0x20, description:Failed to Establish TLS Connection
[11][1/9/2009 1:57:44 PM] :IMR_SOLOpenTCPSession fail with result:0x00000020.
[11][1/9/2009 1:57:46 PM] :IMR_SOLOpenTCPSession2 with user = VPRODEMO\vprouser fail with result:0x20, description:Failed to Establish TLS Connection
[11][1/9/2009 1:57:46 PM] :IMR_SOLOpenTCPSession fail with result:0x00000020.

Trevor Sullivan

Systems Engineer

OfficeMax Corporation

SWood7
Novice
212 Views

I know this is a dumb question, and I apologize for it, but did you copy the SCCM / AMT server cert to your workstation's local cert store?

idata
Community Manager
212 Views

Sandy,

I don't fully understand your question. I think what you are asking is: Did I place the public key (and private key?) of my AMT Provisioning Certificate into the computer's Personal certificate store of the Vista system running the OOB console?

If so, that's not a dumb question. I wasn't aware that this needed to be done .... is it documented somewhere, and I just missed it, or what? Due to all the variables though, I'd appreciate a little clarification on exactly what needs to be done ... do I need the public key and the private key, and which certificate store do I put it in? The computer's personal store? The user's personal store?

BTW, just for reference ... and I can double-check if necessary, but ... I am relatively sure that I used the OOB console successfully on a Windows XP client without installing the provisioning certificate on it.

Thanks for your help!

Trevor Sullivan

Systems Engineer

OfficeMax Corporation

SWood7
Novice
212 Views

Trevor,

Look at Matt's answer to my question in this thread, it's the second post in the thread. Here's what he says....

 

Potential Root cause(s):

  • The OOBConsole.log states the following error "IMR_SOLOpenTCPSession2 with user = <user> fail with result:0x20, description:Failed to Establish TLS Connection" and your AMT Web Certificates are being issued from a Subordinate Certificate Authority.
    • Full certificate chain is not being passed correctly during a SOL/IDER session within SCCM. Place a copy of the Subordinate Certificate Authority certificate in the Local Computer - "Trusted Root Certificate Authorities" of the server or workstation that the Out Of Band Management Console is run from.

Hope this helps!

idata
Community Manager
212 Views

Sandy,

Thanks. I don't know how I missed that.

Trevor

SWood7
Novice
150 Views

The only way I caught mine was to read Matt's post. I don't know about you but this whole AMT cert configuration has been quite a bit to get my head around. I've never been very cert-savvy and this has all been a wake-up call for me to become cert aware. I've been working with vPro now for about a year and a half and still don't seem to have gotten what-needs-to-go-where all down and figured out. I'm learning as I go.

This morning I just found one of my XP admin workstations that couldn't connect to a provisioned vPro system and with Matt's help I realized that the admin workstation did not have our domain root cert on it, in the Trusted Store. I always thought that was automatic in a Win2K domain but it looks like I'm still figuring all this stuff out!
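
Added example (not part of any post in this thread, and not Microsoft or Intel code): a small triage script for the two OOBConsole.log failure signatures discussed above, the missing telnet client and the 0x20 TLS failure. The sample log is constructed in the layout quoted in the thread, `EXAMPLE\user` is a placeholder account, and the rule labels are hypothetical names chosen for this example.

```python
import re
from collections import Counter

# Constructed sample in the OOBConsole.log layout quoted in the thread:
# "[thread][timestamp] :message", stack frames on continuation lines.
SAMPLE_LOG = r'''[1][1/7/2009 1:13:11 PM] :Launch terminal with "127.0.0.1 49790 -t ansi" fail.
[1][1/7/2009 1:13:11 PM] :System.ComponentModel.Win32Exception\r\nThe system cannot find the file specified\r\n at System.Diagnostics.Process.StartWithCreateProcess(ProcessStartInfo startInfo)
at Microsoft.ConfigurationManagement.AdminConsole.OobConsole.SerialConnectionPage.CreateTelnetClient()\r\n
[11][1/9/2009 1:57:39 PM] :IMR_SOLOpenTCPSession2 with user = EXAMPLE\user fail with result:0x20, description:Failed to Establish TLS Connection
[11][1/9/2009 1:57:39 PM] :IMR_SOLOpenTCPSession fail with result:0x00000020.
[11][1/9/2009 1:57:41 PM] :IMR_SOLOpenTCPSession2 with user = EXAMPLE\user fail with result:0x20, description:Failed to Establish TLS Connection
'''

ENTRY = re.compile(r'^\[(\d+)\]\[([^\]]+)\] :(.*)$')

# (hypothetical label, predicate on the joined entry text, remedy as given in the thread)
RULES = [
    ("telnet-client-missing",
     lambda m: "cannot find the file specified" in m and "CreateTelnetClient" in m,
     "Install the Telnet Client on the machine running the OOB console."),
    ("tls-handshake-failed",
     lambda m: "IMR_SOLOpenTCPSession2" in m and "Failed to Establish TLS Connection" in m,
     "If a subordinate CA issues the AMT web certificates, follow Matt's "
     "note about that CA's certificate on the console host."),
]

def entries(text):
    """Group continuation lines (stack frames) under the entry that opened them."""
    out = []
    for line in (l.strip() for l in text.splitlines()):
        m = ENTRY.match(line)
        if m:
            out.append({"thread": m.group(1), "time": m.group(2), "msg": m.group(3)})
        elif line and out:
            out[-1]["msg"] += " " + line
    return out

def triage(text):
    """Return (label, count, first_seen, remedy) for each failure mode present."""
    hits, first = Counter(), {}
    for e in entries(text):
        for label, matches, _ in RULES:
            if matches(e["msg"]):
                hits[label] += 1
                first.setdefault(label, e["time"])
    return [(lab, hits[lab], first[lab], fix) for lab, _, fix in RULES if hits[lab]]

if __name__ == "__main__":
    for label, count, first_seen, fix in triage(SAMPLE_LOG):
        print(f"{label}: {count}x, first at {first_seen} -> {fix}")
```

Grouping the stack frames matters here: the telnet failure is only recognisable when the Win32Exception text and the CreateTelnetClient frame are read as one entry.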
