Symantec ALTIRIS OUT OF BAND MANAGEMENT COMPONENT 7.0 SP3 - IMPLEMENTATION GUIDE V1.0 Implementation Manual

Altiris Out of Band
Management Component
from Symantec
Implementation Guide
Version 7.0 SP3 MR1

Summary of Contents for Symantec ALTIRIS OUT OF BAND MANAGEMENT COMPONENT 7.0 SP3 - IMPLEMENTATION GUIDE V1.0

  • Page 1 Altiris Out of Band Management Component from Symantec Implementation Guide Version 7.0 SP3 MR1...
  • Page 2 Legal Notice Copyright © 2010 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, Altiris, and any Altiris or Symantec trademarks used in the product are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
  • Page 3: Technical Support

    Global support purchased on a regional business hours or 24 hours a day, 7 days a week basis Premium service offerings that include Account Management Services For information about Symantec's support offerings, you can visit our Web site at the following URL: www.symantec.com/business/support/ All support services will be delivered in accordance with your support agreement and the then-current enterprise technical support policy.
  • Page 4 Troubleshooting that was performed before contacting Symantec Recent software configuration changes and network changes Licensing and registration If your Symantec product requires registration or a license key, access our technical support Web page at the following URL: www.symantec.com/business/support/ Customer service Customer service information is available at the following URL: www.symantec.com/business/support/...
  • Page 5 Support agreement resources If you want to contact Symantec regarding an existing support agreement, please contact the support agreement administration team for your region as follows: Asia-Pacific and Japan customercare_apac@symantec.com Europe, Middle-East, and Africa semea@symantec.com North America and Latin America...
  • Page 7: Table Of Contents

    What's new in Out of Band Management Component ......15 How Out of Band Management Component works ......15 About the Symantec Management Console ........16 About Intel AMT ..............16 About Intel AMT Setup and Configuration Service ....... 17 About Intel AMT versions and features ........
  • Page 8 Contents Installing and configuring CA ............36 About installing .NET Framework on an OOB site server ...... 38 About planning OOB site servers hierarchy ........38 Configuring a firewall to allow Intel SCS and SQL server connections ................39 About ports used by Intel AMT ............40 About installing Out of Band Management Component in a lab environment .................
  • Page 9 Contents Chapter 6 Configuring Intel AMT computers for out-of-band management ..............57 About configuring Intel AMT computers for out-of-band management ................. 57 About Intel AMT initialization ..........58 About Intel AMT setup and configuration ........59 Prerequisites for Intel AMT configuration ........61 Configuring Intel AMT computers for out-of-band management ...
  • Page 10 Contents Collecting ASF/DASH configuration and hardware inventory ..............113 Configuring ASF/DASH computers for out-of-band management ..............115 What to do next ................. 115 Chapter 9 Deploying OOB site servers ..........117 About site services ..............117 About OOB site servers ..............118 Prerequisites for OOB site server installation ........
  • Page 11 Contents Setup and configuration profile: Power Policy tab ....... 139 Setup and configuration profile: Domains tab ......140 Setup and configuration profile: Remote Access tab ....141 DNS configuration page ............... 142 General page ................142 Select Active Directory Organizational Unit dialog box ....144 Maintenance page ..............
  • Page 12 Contents Appendix B Reference topics ..............177 About passwords used with Intel AMT ..........177 About populating filters ............... 178 How Resource Synchronization policy works ........181 Remote Configuration certificate requirements ........ 182 Remote Configuration certificate – differences between releases ..182 Intel AMT Release 2.2 ............
  • Page 13: Introducing Out Of Band Management Component

    Chapter Introducing Out of Band Management Component This chapter includes the following topics: About Out of Band Management Component What's new in Out of Band Management Component How Out of Band Management Component works What you can do with Out of Band Management Component Where to get more information About Out of Band Management Component Altiris Out of Band Management Component software (formerly known as Altiris...
  • Page 14: About Out-Of-Band Management

    Introducing Out of Band Management Component About Out of Band Management Component Out of Band Management Component features Figure 1-1 About out-of-band management Remote management of client computers often requires the managed computer to be turned on with an operating system running. When a computer is turned on with a running operating system, the computer is considered in-band.
  • Page 15: Altiris Products That Can Manage Computers Out Of Band

    Boot a computer from a remote disk or an image on a server and run the operating system repair or reinstall. Start a remote control session from the Symantec Management Console and access BIOS to view and change settings (Intel AMT only).
  • Page 16: About The Symantec Management Console

    You can start the console remotely by typing the following URL into the Internet Explorer address bar: http://<Notification_Server_name>/altiris/console For more information on the console, see the Symantec Management Platform Help, which can be accessed through the console's Help menu. About Intel AMT...
  • Page 17: About Intel Amt Setup And Configuration Service

    Intel AMT computer that you set up and configure with Out of Band Management Component. Out of Band Management Component integrates Intel SCS into the Symantec Management Platform and provides the interface for Intel SCS in the Symantec Management Console.
  • Page 18: About Intel Amt Configuration Modes

    Introducing Out of Band Management Component How Out of Band Management Component works Intel AMT versions and features (continued) Table 1-1 Feature Agent presence checking and alerting System isolation and recovery Enterprise mode with TLS\Kerberos Upgradeable remote firmware Remote configuration Wireless support (802.11i, VPN) 802.1x native support CIRA (Client Initiated Remote Access)
  • Page 19 “About TLS” on page 95. Use Out of Band Management Component to control the process of enterprise mode Intel AMT configuration from the Symantec Management Console. “About configuring Intel AMT computers for out-of-band management” on page 57. Comparison of Intel AMT small business and enterprise mode Intel AMT small business configuration mode is easy to set up and is recommended when you have a few Intel AMT computers.
  • Page 20: About Intel Amt Security

    Introducing Out of Band Management Component How Out of Band Management Component works Differences between Intel AMT small business and enterprise modes Table 1-2 Feature Small-business mode Enterprise mode Setup and configuration Not needed Required and provided application (Out of Band through Intel SCS, which is Management Component) installed with the solution...
  • Page 21 Introducing Out of Band Management Component How Out of Band Management Component works Intel AMT security features Table 1-3 Feature Description Intel AMT The user name and the password that you use to connect to the Intel credentials AMT device remotely. These credentials should not be confused with the MEBx credentials, which by default share the same user name and password as the remote access Intel AMT credentials.
  • Page 22: About Intel Amt Related Credentials

    Intel AMT settings. The Intel AMT administrative credentials control remote access to the Intel AMT settings (for example, when you run an out-of-band task from the Symantec Management Console, or access the Intel AMT Web UI).
  • Page 23 Used to access Intel SCS that is running on the OOB site server computer (by default, the Notification Server computer). At the time of Out of Band Management Component installation, all users in the Symantec Administrators group are added to the list of the Intel SCS users. “Users page”...
  • Page 24: About Intel Amt Wireless Support

    Introducing Out of Band Management Component How Out of Band Management Component works Out of Band Management Component credentials (continued) Table 1-4 Credentials Description PID-PPS security key A pair of security keys that are used to ensure secure pair (Enterprise mode communications between the configuration server and the Intel only) AMT computer.
  • Page 25: About Dash

    Introducing Out of Band Management Component How Out of Band Management Component works “Configuring ASF/DASH computers for out-of-band management” on page 111. “About ASF tasks” on page 27. About DASH DASH (Desktop and Mobile Architecture for System Hardware) is a Web services-based management technology that enables IT professionals to remotely manage desktop and mobile computers from anywhere in the world.
  • Page 26: What You Can Do With Out Of Band Management Component

    Introducing Out of Band Management Component What you can do with Out of Band Management Component Intel AMT, ASF, and DASH comparison (continued) Table 1-5 Feature Intel AMT DASH Standards Non-standards based. Based on an open Based on an open standard that is standard that is developed through...
  • Page 27: About Asf Tasks

    Introducing Out of Band Management Component Where to get more information View and manage the entries that identify each Intel AMT computer that is configured or not configured. Remotely reset or re-configure Intel AMT computers, synchronize clocks, change power-saving policies, and so on. Control the list of users that have access to the Intel SCS console and to the Intel AMT devices and the permissions they have.
  • Page 28 User Guide Information about how to use this product, The Documentation Library, which is including detailed technical information and available in the Symantec Management instructions for performing common tasks. Console on the Help menu. The Product Support page, which is This information is available in PDF format.
  • Page 29 Altiris information resources Table 1-7 Resource Description Location Knowledge base Articles, incidents, and issues about Altiris http://kb.altiris.com/ products. Symantec Connect An online magazine that contains best http://www.symantec.com/connect practices, tips, tricks, forums, and articles /endpoint-management-virtualization (formerly Altiris Juice) for users of this product.
  • Page 30 Introducing Out of Band Management Component Where to get more information...
  • Page 31: Planning For Out Of Band Management Component Installation

    Chapter Planning for Out of Band Management Component installation This chapter includes the following topics: About environment requirements About configuring DNS About configuring DHCP About configuring SQL server About integrating with Microsoft Active Directory About installing Microsoft IIS Installing and configuring CA About installing .NET Framework on an OOB site server About planning OOB site servers hierarchy Configuring a firewall to allow Intel SCS and SQL server connections...
  • Page 32: About Environment Requirements

    Planning for Out of Band Management Component installation About environment requirements About environment requirements The environment requirements for Out of Band Management Component are as follows: Before you install Out of Band Management Component, you must configure the SQL server that you want Intel SCS to use in mixed authentication mode (Windows Authentication and SQL Server Authentication).
  • Page 33: About Configuring Dns

    Planning for Out of Band Management Component installation About configuring DNS Out of Band Management Component environment requirements Table 2-1 for Intel AMT features (continued) Prerequisites Simple Kerberos users TLS with mutual Remote enterprise mode authentication, Configuration Intel AMT setup 802.1x profiles configuration Enterprise...
  • Page 34: About Configuring Dhcp

    Intel SCS requires Microsoft SQL Server 2005. Microsoft SQL Server 2008 is not currently supported. If you already installed Symantec Management Platform on Microsoft SQL Server 2008, you can install Microsoft SQL Server 2005 on another computer in your network, and then configure Out of Band Management Component settings.
  • Page 35: About Integrating With Microsoft Active Directory

    Planning for Out of Band Management Component installation About integrating with Microsoft Active Directory intensive, consider using a two-server configuration—one computer for Notification Server and one for SQL server. SQL server installation guidelines Table 2-2 Factor One-server Two-server configuration configuration Maximum number of computers to 2000 5000...
  • Page 36: About Installing Microsoft Iis

    Planning for Out of Band Management Component installation About installing Microsoft IIS About installing Microsoft IIS Notification Server, Intel SCS software, and Microsoft certification authority (if used) all require Microsoft Internet Information Services (IIS) version 6. Microsoft IIS is a prerequisite for Notification Server installation, and it is already installed on the Notification Server computer.
  • Page 37 Planning for Out of Band Management Component installation Installing and configuring CA performs the installation must be a member of the domain and have sufficient administration privileges. For example, the user must be a member of the Domain Admins group. Make sure the CA that you installed is configured to generate certificates automatically (this is the default setting) so that Intel SCS can request a certificate each time it performs a setup of an Intel AMT device.
  • Page 38: About Installing .Net Framework On An Oob Site Server

    Planning for Out of Band Management Component installation About installing .NET Framework on an OOB site server To configure the CA to automatically issue certificates On the computer with CA installed, click the Windows Start button, and then click Administrative Tools > Certification Authority. In the Certification Authority window, right-click the first sub-branch and click Properties.
  • Page 39: Configuring A Firewall To Allow Intel Scs And Sql Server Connections

    Planning for Out of Band Management Component installation Configuring a firewall to allow Intel SCS and SQL server connections It is possible that Intel AMT computers in your environment are located in multiple subnets, domains, or geographic locations, and cannot contact the only OOB site server directly (for example, due to network issues).
  • Page 40: About Ports Used By Intel Amt

    Planning for Out of Band Management Component installation About ports used by Intel AMT Click OK. Click OK. To configure a firewall to allow SQL server connections Open the Control Panel on the computer with SQL Server installed, and then click Windows Firewall.
  • Page 41: About Managing Intel Amt Computers Without The Altiris Agent Installed

    Planning for Out of Band Management Component installation About managing Intel AMT computers without the Altiris Agent installed get a feel for configuring computers and performing basic tasks. In a lab environment, you can install the SQL server and the OOB site server on the same computer where you installed Notification Server.
  • Page 42 AMT. Initialize computers with Intel AMT 3.0 and later using the Remote Configuration feature. To create computer resources for agentless Intel AMT computers in the Symantec Management Console, run the Resource Synchronization policy. “Synchronizing Intel SCS and Notification Server resources”...
  • Page 43: Installing Out Of Band Management Component

    About Out of Band Management Component requirements Out of Band Management Component requires the following: Symantec Management Platform 7.0 SP4. When you install Out of Band Management Component through Symantec Installation Manager, Symantec Management Platform is installed or upgraded automatically.
  • Page 44: About Client Computer Software And Hardware Requirements

    Installing Out of Band Management Component System requirements “Where to get more information” on page 27. Microsoft SQL Server 2005. “About configuring SQL server” on page 34. SQL server is configured in mixed authentication mode. “About configuring SQL server” on page 34. Out of Band Management Component also requires that you configure your environment, such as DNS, DHCP, and so on.
  • Page 45: Installing The Out Of Band Management Component Product

    Installing the Out of Band Management Component product Installing the Out of Band Management Component product Use Symantec Installation Manager to install Out of Band Management Component. For more information on installing products, see the Symantec Installation Manager documentation. “Where to get more information”...
  • Page 46: Uninstalling The Out Of Band Task Agent

    Management Component is uninstalled, there is no automated way to uninstall the agents. To uninstall the Out of Band Task Agent In the Symantec Management Console, on the Actions menu, click Agents/Plug-ins > Rollout Agents/Plug-ins. In the left pane, click Remote Management > Out of Band Management >...
  • Page 47: Uninstalling Out Of Band Management Component From Notification Server

    Installing Out of Band Management Component Uninstalling Out of Band Management Component Uninstalling Out of Band Management Component from Notification Server Use Symantec Installation Manager to uninstall Out of Band Management Component. For more information on uninstalling products, see the Symantec Installation Manager documentation.
  • Page 48 Installing Out of Band Management Component Uninstalling Out of Band Management Component...
  • Page 49: Preparing Target Computers For Management

    Chapter Preparing target computers for management This chapter includes the following topics: Preparing target computers for management Preparing target computers for management Before you can use Out of Band Management Component, you must prepare the computers that you want to manage. Process for preparing target computers for management Table 4-1 Step...
  • Page 50 Preparing target computers for management Preparing target computers for management Process for preparing target computers for management (continued) Table 4-1 Step Action Description Step 2 Install the Altiris Agent to target The Altiris Agent lets Notification computers. Server get information from and interact with the client computers.
  • Page 51: Discovering Computers

    On the Altiris Agent Installation page, install the Altiris Agent to computers in your environment. For more information on how to install the Altiris Agent, see the Symantec Management Platform Help (Press F1 or click Help > Context in the Symantec...
  • Page 52: Configuring The Altiris Agent Settings For Evaluation Use

    49. To configure the Altiris Agent for evaluation use In the Symantec Management Console, on the Settings menu, click Agents/Plug-ins > Targeted Agent Settings. In the left pane, under Policy Name, click the policy that applies to the computers that you want to configure.
  • Page 53: Installing The Out Of Band Task Agent

    On. Click Save changes. To view the list of the out-of-band capable computers In the Symantec Management Console, on the Manage menu, click Filters. In the left pane, click Out of Band Management. Click one of the following filters:...
  • Page 54 Preparing target computers for management Preparing target computers for management (Optional) By default, the policy is configured to run on all Windows computers, which the Out of Band Discovery policy has detected as out-of-band capable. If you want to run the policy on a different set of computers, under Applied to, change the resource targets.
  • Page 55: Configuring Out Of Band Management Component

    Chapter Configuring Out of Band Management Component This chapter includes the following topics: Integrating Intel SCS with Active Directory Integrating Intel SCS with Active Directory (Intel AMT only) Microsoft's Active Directory (AD) is a directory service that integrates with Windows 2003 Server.
  • Page 56 Later, when you assign configuration profiles to Intel AMT devices, you can specify the organizational unit where the configured Intel AMT devices are registered. In the Symantec Management Console, on the Settings menu, click All Settings. In the left pane, click Remote Management > Out of Band Management >...
  • Page 57: Configuring Intel Amt Computers For Out-Of-Band

    Chapter Configuring Intel AMT computers for out-of-band management This chapter includes the following topics: About configuring Intel AMT computers for out-of-band management Prerequisites for Intel AMT configuration Configuring Intel AMT computers for out-of-band management About resending Hello messages Configuring Intel AMT computers in small business mode About configuring Intel AMT computers for out-of-band management Before you can manage Intel AMT computers out of band, you must configure the...
  • Page 58: About Intel Amt Initialization

    Configuring Intel AMT computers for out-of-band management About configuring Intel AMT computers for out-of-band management Setup Initialized computers enter the setup mode and start requesting configuration by sending Hello messages to the computer with the ProvisionServer host name. The ProvisionServer computer is the OOB site server that you installed in your environment.
  • Page 59: About Intel Amt Setup And Configuration

    Configuring Intel AMT computers for out-of-band management About configuring Intel AMT computers for out-of-band management Manual If you cannot purchase a remote configuration certificate, or if you initialization have computers with Intel AMT versions that do not support Remote Configuration, you must visit the physical location of each Intel AMT computer and initialize them manually.
  • Page 60 Configuring Intel AMT computers for out-of-band management About configuring Intel AMT computers for out-of-band management Intel AMT setup and configuration process Figure 6-1 The setup and configuration goes through the following steps: An initialized Intel AMT device on the client computer requests an IP address from a DHCP server.
  • Page 61: Prerequisites For Intel Amt Configuration

    Configuring Intel AMT computers for out-of-band management Prerequisites for Intel AMT configuration If you use TLS to secure communications, Intel SCS requests a certificate for Intel AMT from a Microsoft certification authority (CA) server. If you enabled integration with Active Directory, Intel SCS defines the device as an AMT object in the Microsoft Active Directory domain controller.
  • Page 62: Creating Intel Amt Configuration Profiles

    Configuring Intel AMT computers for out-of-band management Configuring Intel AMT computers for out-of-band management Process for configuring Intel AMT computers for out-of-band Table 6-1 management Step Action Description Step 1 Create a configuration profile. Configuration profiles contain Intel AMT configuration parameters. “Creating Intel AMT configuration profiles”...
  • Page 63 “Configuring Intel AMT computers for out-of-band management” on page 61. To create a new configuration profile In the Symantec Management Console, on the Settings menu, click All Settings. In the left pane, click Remote Management > Out of Band Management >...
  • Page 64: Configuring The Automatic Intel Amt Configuration Profile Assignment

    “Creating Intel AMT configuration profiles” on page 62. To create a wireless profile In the Symantec Management Console, on the Settings menu, click All Settings. In the left pane, click Remote Management > Out of Band Management > Configuration Service Settings > Auxiliary Profiles > Wireless Profiles.
  • Page 65: Initializing Intel Amt Computers Using The Remote Configuration Feature

    “Configuring Intel AMT computers for out-of-band management” on page 61. To configure automatic profile assignment In the Symantec Management Console, on the Settings menu, click All Settings. In the left pane, click Remote Management > Out of Band Management >...
  • Page 66 Configuring Intel AMT computers for out-of-band management Configuring Intel AMT computers for out-of-band management “Initializing Intel AMT computers manually” on page 76. Computers with Intel AMT 3.0 and later support bare-metal Remote Configuration (configuration without the need for an operating system). Note: Computers with Intel AMT 2.2 and 2.6 are also capable of automatic remote configuration, but require a software agent to initiate the Remote Configuration process.
  • Page 67 Configuring Intel AMT computers for out-of-band management Configuring Intel AMT computers for out-of-band management About the Intel AMT Remote Configuration feature An Intel AMT device is prepared for remote configuration by having security certificate hashes added to the Intel AMT firmware. There are two sources of hashes within the Intel AMT firmware: Certificate These hashes correspond to certificates from commercial SSL certificate...
  • Page 68 Configuring Intel AMT computers for out-of-band management Configuring Intel AMT computers for out-of-band management The Intel AMT computer is connected to the network and plugged-in for the first time. The Intel AMT device opens its network interface for 24 hours, and starts sending Hello messages.
  • Page 69 Configuring Intel AMT computers for out-of-band management Configuring Intel AMT computers for out-of-band management Prerequisites for using the Remote Configuration feature Before you can use the Remote Configuration feature, the following requirements must be met: Active Directory is present in your environment. Enterprise certification authority installed in your environment.
  • Page 70 Configuring Intel AMT computers for out-of-band management Configuring Intel AMT computers for out-of-band management Process for configuring your OOB site server computer for Remote Table 6-3 Configuration (continued) Step Action Description Step 2 Issue the new template. You must publish the certificate template so that a certification authority (CA) can issue certificates based on it.
  • Page 71 For more information about the Notification Server's Application Identity account, see the Symantec Management Platform Help. On the Extensions tab, click Application Policies, and then click Edit. In the Edit Application Policies Extension dialog box, click Add, click Server Authentication, and then click OK.
  • Page 72 Application Identity Account. For more information about the Notification Server's Application Identity account, see the Symantec Management Platform Help. From the OOB site server computer (by default, the Notification Server computer), open the Certificate Services Web page of your certification authority (CA) (http://<ca_server_name>/certsrv/) in Internet Explorer.
  • Page 73 Configuring Intel AMT computers for out-of-band management Configuring Intel AMT computers for out-of-band management From the Certificate Template drop-down list, click the template that you prepared and issued earlier (in this example, click AMT Remote Configuration). “Preparing a certificate template for Remote Configuration” on page 70.
  • Page 74 Log on to the OOB site server computer (by default, the Notification Server computer) using the Application Identity Account. For more information about the Notification Server's Application Identity account, see the Symantec Management Platform Help. Double-click the .cer file to open the certificate. Click Install Certificate and follow the wizard.
  • Page 75 “Initializing Intel AMT computers using the Remote Configuration feature” on page 65. To enable the Remote Configuration feature In the Symantec Management Console, on the Settings menu, click All Settings. In the left pane, click Remote Management > Out of Band Management >...
  • Page 76: Initializing Intel Amt Computers Manually

    Configuring Intel AMT computers for out-of-band management Configuring Intel AMT computers for out-of-band management After you plug in an Intel AMT computer for the first time, it sends Hello messages to the OOB site server computer (by default, the Notification Server computer) only for the first 24 hours.
  • Page 77 “Initializing Intel AMT computers manually” on page 76. To import security keys supplied by an OEM In the Symantec Management Console, on the Settings menu, click All Settings. In the left pane, click Remote Management > Out of Band Management >...
  • Page 78 “Initializing Intel AMT computers manually” on page 76. To initialize Intel AMT manually using the USB key In the Symantec Management Console, on the Settings menu, click All Settings. In the left pane, click Remote Management > Out of Band Management >...
  • Page 79 Configuring Intel AMT computers for out-of-band management Configuring Intel AMT computers for out-of-band management If you want to generate new keys, click Generate keys before export, and then specify the following options for generating the key file: Number of security keys to Type a number equal to or greater than the number of generate Intel AMT computers you want to initialize with the...
  • Page 80 “Initializing Intel AMT computers manually” on page 76. To manually initialize Intel AMT through MEBx In the Symantec Management Console, on the Settings menu, click All Settings. In the left pane, click Remote Management > Out of Band Management >...
  • Page 81 Configuring Intel AMT computers for out-of-band management Configuring Intel AMT computers for out-of-band management On the Security Keys page, click the Generate security keys symbol. In the Generate Security Keys dialog box, specify the following, and then click OK when done: Number of security keys to Type a number equal to or greater than the number generate...
  • Page 82: Setting Up And Configuring Initialized Intel Amt Computers

    SCS port (the port that Intel SCS is listening to for Hello messages). By default, the port is 9971. To view the port, in the Symantec Management Console, click Settings > All Settings > Remote Management > Out of Band Management > Configuration Service Settings >...
  • Page 83 “About assigning a configuration profile” on page 85. Step 3 Watch the Intel AMT computers The Intel SCS pages in the Symantec getting configured. Management Console let you view the status of Intel AMT devices. “About monitoring the setup and configuration process”...
  • Page 84 88. Understanding the Intel SCS interface Out of Band Management Component displays the Intel SCS interface in the Symantec Management Console. To watch and troubleshoot the setup and configuration process, you need the following two lists of Intel AMT devices:...
  • Page 85 Configuring Intel AMT computers for out-of-band management Configuring Intel AMT computers for out-of-band management To view the Intel AMT Systems list In the Symantec Management Console, on the Settings menu, click All Settings. In the left pane, click Remote Management > Out of Band Management >...
  • Page 86 Configuring Intel AMT computers for out-of-band management Configuring Intel AMT computers for out-of-band management Assigning a profile to a single computer manually By assigning a profile to an Intel AMT resource that is known to Intel SCS, but is in an unconfigured state, you initiate the setup and configuration process. You can also assign a new profile to a device that is already configured with another profile.
  • Page 87 “Preparing target computers for management” on page 49. “About assigning a configuration profile” on page 85. To assign a profile to multiple computers manually: Open the Intel AMT Systems page. “Understanding the Intel SCS interface”...
  • Page 88 “Setting up and configuring initialized Intel AMT computers” on page 82. To run the Resource Synchronization policy In the Symantec Management Console, on the Settings menu, click All Settings. In the left pane, click Remote Management > Out of Band Management >...
  • Page 89: About Resending Hello Messages

    When you power on an Intel AMT computer for the first time, the Intel AMT device starts sending configuration requests to the OOB site server computer (by default, the Notification Server computer) for 6 hours (24 hours for Intel AMT 3.0 and later).
  • Page 90: Resending Hello Messages With The Send Intel Amt Hello Message Task

    Intel AMT Systems > Delayed Setup and Configuration. In the right pane, configure and enable the Delayed Setup and Configuration policy. For help, in the Symantec Management Console, on the Help menu, click Context. “Delayed Setup and Configuration page” on page 149.
  • Page 91: Configuring Intel Amt Computers In Small Business Mode

    After you configure the Intel AMT computer in small business mode, it is ready for out-of-band management with Altiris solutions. To run out-of-band management tasks on this computer from the Symantec Management Console, a computer resource representing the computer must be created in the CMDB. If there is no such resource in the CMDB, simply install the Altiris Agent on the client computer.
  • Page 92 To configure Intel AMT devices in small business mode: Go to the physical location of the Intel AMT computer, and then connect the cables, a monitor, and a keyboard. Turn on the computer and press Ctrl+P during POST to enter the Management Engine BIOS Extension (MEBx).
  • Page 93 Intel AMT computers that are configured in small business mode. To configure a connection profile In the Symantec Management Console, on the Settings menu, click All Settings. In the left pane, click Monitoring and Alerting > Protocol Management >...
  • Page 94 Under Runtime credentials, in the drop-down list, click or browse for the credentials that you just configured. In this example, click My AMT Click OK. For more information, view topics about using connection profiles and credential manager in the Symantec Management Platform Help.
  • Page 95: Configuring Tls

    Chapter: Configuring TLS. This chapter includes the following topics: About TLS; About configuring and enabling TLS; Configuring TLS; Configuring TLS with mutual authentication. About TLS: Transport Layer Security (TLS) provides communications security and privacy over the Internet and enterprise networks. The TLS protocol establishes a secure channel of communication between the Intel AMT device and Notification Server.
  • Page 96: Configuring Tls

    TLS with mutual authentication: When your Intel AMT computers are configured to use TLS with mutual authentication, the server requests a certificate from the client, and the client requests a certificate from the server. “Configuring TLS with mutual authentication” on page 100.
  • Page 97: Exporting The Ca Root Certificate For The Altiris Real-Time System Manager Software

    (Optional) To use the SOL/IDE-R functionality of Intel AMT with Real-Time System Manager, you must export the CA root certificate to a file, and then configure the connection profile to use this file.
  • Page 98: Configuring Intel Amt Computers To Use Tls

    “Configuring TLS” on page 96. To configure the connection profile to use TLS In the Symantec Management Console, on the Settings menu, click All Settings. In the left pane, click Monitoring and Alerting > Protocol Management > Connection Profiles > Manage Connection Profiles.
  • Page 99 To modify the configuration profile to use TLS: In the Symantec Management Console, on the Settings menu, click All Settings. In the left pane, click Remote Management > Out of Band Management > Configuration Service Settings > Configuration Profiles.
  • Page 100: Configuring Tls With Mutual Authentication

    TLS with mutual authentication adds more security to communications with Intel AMT devices. Mutual authentication, also known as two-way authentication, is a process whereby two parties, typically a client and a server, authenticate each other in such a way that both parties are assured of the identity of the other.
  • Page 101 Table 7-3: Process for creating and installing a client certificate using an Enterprise CA. Step 1: Create a new template. A certificate template defines the format and content of a certificate. “Creating a new template for mutual authentication”...
  • Page 102 To create a new certificate template: On the computer with the certification authority installed, click Start > Run. In the Open box, type , and then click OK. In the Microsoft Management Console, click File > Add/Remove Snap-in. Click Add.
  • Page 103 “Creating and installing a client certificate using an Enterprise CA” on page 100. To request and install the certificate with a task In the Symantec Management Console, on the Manage menu, click Jobs and Tasks. In the left pane, click Samples > Remote Management > Intel SCS Tasks and...
  • Page 104 Under Certificate enrollment settings, click Manually define all parameters. Browse to your CA and the template that you created (AMTMutual). Click Save changes. Run this task on the Notification Server computer and on each of the OOB site server computers in your environment.
  • Page 105 Installing the new mutual authentication certificate into the local computer certificate store: Altiris solutions that manage Intel AMT computers require that the mutual authentication certificate is also installed in the local computer certificate store. Note: Perform this procedure on the Notification Server computer.
  • Page 106 Then you must configure a connection profile to use this certificate. You can use this connection profile to launch an SOL or IDE-R session on an Intel AMT computer that is configured in enterprise mode with TLS Mutual Authentication. To prepare the mutual certificate for use in the connection profiles, complete the following steps.
  • Page 107 Remember the PEM pass phrase for later use. To configure a connection profile In the Symantec Management Console, on the Settings menu, click All Settings. In the left pane, click Monitoring and Alerting > Protocol Management > Connection Profiles > Manage Connection Profiles.
  • Page 108: Configuring Intel Amt Computers To Use Tls Mutual Authentication

    “Configuring TLS with mutual authentication” on page 100. To enable TLS mutual authentication in the configuration profile In the Symantec Management Console, on the Settings menu, click All Settings. In the left pane, click Remote Management > Out of Band Management >...
  • Page 109 CA certificate. To reconfigure Intel AMT computers with the new profile In the Symantec Management Console, on the Settings menu, click All Settings. In the left pane, click Remote Management > Out of Band Management >...
  • Page 111: Configuring Asf/Dash Computers For Out-Of-Band

    Chapter: Configuring ASF/DASH computers for out-of-band management. This chapter includes the following topics: Configuring ASF/DASH computers for out-of-band management; What to do next. Configuring ASF/DASH computers for out-of-band management: The Out of Band Task Agent that you install on the target computers lets you configure ASF or DASH capable computers for out-of-band management.
  • Page 112 Table 8-1: Process for configuring ASF/DASH computers for out-of-band management. Step 1: Enable ASF or DASH in the client computer's BIOS. For instructions on how to enable ASF...
  • Page 113: Installing The Broadcom Asf Management Software

    Table 8-1: Process for configuring ASF/DASH computers for out-of-band management (continued). Step 7: (Optional) Collect the ASF/DASH configuration inventory. If you want, you can collect current configuration inventory from the client computers.
  • Page 114 “Configuring ASF/DASH computers for out-of-band management” on page 111. To collect ASF or DASH inventory In the Symantec Management Console, on the Manage menu, click Jobs and Tasks. In the left pane, click Samples > Remote Management > ASF/DASH Tasks >...
  • Page 115: Configuring Asf/Dash Computers For Out-Of-Band Management

    “Configuring ASF/DASH computers for out-of-band management” on page 111. To configure ASF or DASH settings In the Symantec Management Console, on the Manage menu, click Jobs and Tasks. In the left pane, click Samples > Remote Management > ASF/DASH Tasks >...
  • Page 116 What to do next: “Altiris products that can manage computers out of band” on page 15.
  • Page 117: Deploying Oob Site Servers

    Middleware components are installed on computers other than the Notification Server computer, and they act as the first point of contact for the Symantec Management Agents, thus reducing the load on Notification Server.
  • Page 118: About Oob Site Servers

    Site services take advantage of the sites and the subnets that you have set up to efficiently perform tasks across your network. For example, you can distribute packages quickly to your Symantec Management Agents by setting up multiple package servers. The package servers handle most of the package distribution functions, which frees up Notification Server to perform other activities.
  • Page 119: Installing An Oob Site Server

    “Rolling out the OOB site server” on page 120. Viewing potential OOB site server computers The Potential Out of Band Site Servers filter in the Symantec Management Console displays computers with an operating system capable of running Intel SCS. “Prerequisites for OOB site server installation”...
  • Page 120: Configuring The Oob Site Server Installation Settings

    119. To view the OOB site server candidate computers In the Symantec Management Console, on the Manage menu, click Filters. In the left pane, click Out of Band Management > Out of Band Site Service Filters > Potential Out of Band Site Servers.
  • Page 121: Uninstalling An Oob Site Server

    To install the OOB site server: In the Symantec Management Console, on the Settings menu, click Notification Server > Site Server Settings. In the left pane, click Site Management > Site Servers.
  • Page 122: Configuring The Default Oob Site Server Location

    Out of Band Management Component. To set the default OOB site server In the Symantec Management Console, on the Settings menu, click All Settings. In the left pane, click Remote Management > Out of Band Management >...
  • Page 123: About Out Of Band Management Component

    Chapter: About Out of Band Management Component pages. This chapter includes the following topics: Auxiliary profiles: 802.1x Profiles page; Auxiliary profiles: Management Presence Servers page; Auxiliary profiles: Remote Access Policies page; Auxiliary Profiles: Wireless Profiles page; Trusted Root Certificates page; Configuration Profiles page; DNS configuration page; General page...
  • Page 124: Auxiliary Profiles: 802.1X Profiles Page

    Resource Synchronization page; Get ASF/DASH Configuration Inventory task; Update ASF Configuration Settings task; Update DASH Configuration Settings task; OOB Site Service page; Certificate Enrollment task; Firewall Configuration task; FQDN Synchronization task; Install Intel Setup and Configuration Server task; Install OOB Site Service agent task...
  • Page 125 Table 10-1: Options on the Add 802.1x Profile dialog box. Profile name: Type a name for the new 802.1x profile. Protocol: Select from one of the available options. Client certificate: The client authentication options require defining a source for a client certificate for authenticating an Intel AMT device to a...
  • Page 126: Select Certificate Generation Properties Dialog Box

    Table 10-1: Options on the Add 802.1x Profile dialog box (continued). Certificate subject type: For Radius server domain verification, choose one of the following: Fully Qualified Domain Name - click if you entered the Radius server's FQDN into the Server certificate subject box.
  • Page 127: Select Certificate Template Dialog Box

    Table 10-2: Options on the Add Certificate Generation Properties dialog box (continued). Template: When working with an Enterprise CA, type the name of the Certificate Template to be used.
  • Page 128: Auxiliary Profiles: Remote Access Policies Page

    Table 10-3: Options on the Add Management Presence Server dialog box. Server FQDN or IP address: Type the FQDN or the IP address of the Management Presence Server.
  • Page 129: Remote Access Policies: Create Remote Policy Dialog Box

    through a Management Presence Server (MPS) that is located in the DMZ of the enterprise. The MPS appears as a proxy server to management console applications. The Intel AMT device establishes a Mutual Authentication TLS tunnel with the MPS.
  • Page 130: Auxiliary Profiles: Wireless Profiles Page

    Table 10-4: Options on the Remote Access Policies: Create Remote Policy dialog box (continued). Management Presence Servers: Select the MPSs that apply to the policy (up to two).
  • Page 131: Trusted Root Certificates Page

    This page lists the trusted root certificates that you want Intel SCS to use. Click the Add symbol to add a certificate by selecting a certification authority that is found in your environment.
  • Page 132 Intel AMT runtime credentials. Then configure the task to use this connection profile. For more information, view topics about using connection profiles in the Symantec Management Platform Help. “About Intel AMT related credentials” on page 22.
  • Page 133: Setup And Configuration Profile: Network Tab

    On this tab, define this profile's network settings. Table 10-7: Options on the Network tab. Enable ping response: Check if you want the Intel AMT device to respond to a ping. Web UI: Administrators can use this browser-based UI (user interface) for management and maintenance of Intel AMT devices.
  • Page 134 Table 10-7: Options on the Network tab (continued). Enable 802.1x for AMT even if host is not authorized for 802.1x: Check to enable manageability traffic even if the host cannot complete 802.1x authentication to the network. Enable EAC: Check to enable Endpoint Access Control.
  • Page 135: Setup And Configuration Profile: Tls Tab

    On this tab, configure if you want the Intel AMT devices to require a certificate when authenticating with other applications. Note: You must have a properly configured infrastructure (certification authority installed, proper certificates installed) to configure Intel AMT computers with TLS or TLS Mutual Authentication.
  • Page 136 Table 10-8: Options on the TLS tab (continued). Trusted Certificates: These are the issuers of the client certificates that the Intel AMT device recognizes as authentic. These certificates are stored in the database and then sent to the Intel AMT device during configuration.
  • Page 137: Setup And Configuration Profile: Acl Tab

    Edit CRL: Add CRL Entry dialog box. The Certificate Revocation List (CRL) is a list of entries that indicate which certificates have been revoked. The CRL contains certification authority URLs and the serial numbers of revoked certificates.
  • Page 138: Setup And Configuration Profile: Wireless Profiles Tab

    Table 10-10: Options on the Add ACL Entry dialog box. Active Directory user: Select this option only if you have Active Directory integration enabled. “Integrating Intel SCS with Active Directory” on page 55.
  • Page 139: Setup And Configuration Profile: Power Policy Tab

    Note: An Intel AMT notebook computer that is configured with a wireless profile offers full Intel AMT management functionality through the wireless connection, except for setup and configuration. Setup and configuration is possible only when the computer is connected to the wired network.
  • Page 140: Setup And Configuration Profile: Domains Tab

    Table 10-12: Options on the Power policy tab. Intel AMT is ON in the following host sleep states: This parameter defines the highest power state at which Intel AMT will operate while the device is connected to AC power. Note that this includes operation in higher power states.
  • Page 141: Setup And Configuration Profile: Remote Access Tab

    Table 10-13: Options on the Add New Domain Entry dialog box (continued). This domain is a home domain: Checking this has the following effects: CIRA (Remote access): If the Intel AMT computer is not in a home domain, the computer will attempt to use CIRA to connect to the SCS (if CIRA is defined).
  • Page 142: Dns Configuration Page

    The computer with Intel SCS installed (the OOB site server computer) must be registered in DNS as ProvisionServer. This must be done in each DNS domain. Intel AMT devices send their Hello packets to this host name. This page lets you test if the DNS is configured correctly.
  • Page 143 Table 10-15: Options on the General page. Listen port: Each instance of Intel SCS listens for Hello messages from the Intel AMT devices on a defined TCP port. Type the TCP port that you want Intel SCS to use for listening.
  • Page 144: Select Active Directory Organizational Unit Dialog Box

    Table 10-15: Options on the General page (continued). Require confirmation before Intel AMT configuration: When the Intel SCS receives a Hello message from an Intel AMT device, setup and configuration will proceed automatically, unless this option is checked.
  • Page 145: Maintenance Page

    This page lets you define the actions that Intel SCS performs periodically on all configured Intel AMT devices. On this page you configure the Intel SCS that you selected as default on the Service Location page.
  • Page 146 installed both in the Intel AMT device and in the Intel SCS database. You can use the Security Keys page to manage the preshared keys and associated parameters. Each key has four elements: the key itself (PPS), an identifier that is sent in the clear by the Intel AMT device in the Hello message (called a PID), an initial MEBx password, and a replacement MEBx password.
  • Page 147 Table 10-17: Options on the Security keys page (continued). Generate security keys: Type the number of security keys to generate. Type a number equal or greater than the number of Intel AMT computers you want to initialize with the USB key.
  • Page 148: Service Location Page

    Table 10-17: Options on the Security keys page (continued). Import security keys: Click to import a file of keys, which you have received from an OEM together with initialized Intel AMT capable computers, into the Intel SCS database.
  • Page 149: Delayed Setup And Configuration Page

    Administrators with access to all Intel SCS features. If you want another user to access the Intel SCS interface, you must add that user to this list manually. “About Intel AMT related credentials”...
  • Page 150: Intel Amt Systems Page

    Computers that entered the delayed configuration state appear in the All Intel AMT Computers in Delayed Configuration State filter. You can also use the Send Intel AMT Hello Message task to resume configuration. “About resending Hello messages”...
  • Page 151 Table 10-21: Options on the Intel AMT systems page. Authorize systems: This operation authorizes configuration for the selected devices. This operation becomes available when you check Intel AMT requires authorization before configuration on the General page.
  • Page 152 Table 10-21: Options on the Intel AMT systems page (continued). Assign profile: This operation lets you assign an FQDN and a configuration profile to the selected Intel AMT device. An unconfigured device is configured using the supplied FQDN and profile the next time the Hello message is sent.
  • Page 153: Profile Assignments Page

    Table 10-21: Options on the Intel AMT systems page (continued). Unconfigure: This operation disables each Intel AMT device and leaves it without any Setup and Configuration parameters. Unconfiguration is possible in the following ways: Full: Deletes all data from each Intel AMT device.
  • Page 154: Resource Synchronization Page

    “Configuring the automatic Intel AMT configuration profile assignment” on page 64. On the Profile Assignments page you can monitor and modify profile assignments. Table 10-22: Options on the Profile assignments page. Lets you add a new UUID to FQDN mapping.
  • Page 155: Assign Profile Dialog Box

    Table 10-23: Options on the Resource Synchronization page. Override existing profile assignments: Check to assign the profile that is defined on this page to the Intel AMT computers that already have a configuration profile assigned.
  • Page 156: Get Asf/Dash Configuration Inventory Task

    49. To get ASF or DASH inventory, run this task one time or on a schedule. For information on running tasks, see the Symantec Management Platform Help. Update ASF Configuration Settings task This task lets you enable ASF and configure ASF settings remotely on client...
  • Page 157 Note: The Out of Band Task Agent must be installed on the client computers before you run the task. The client computer must be turned on to run this task. The operating system must be running.
  • Page 158 Table 10-25: Options on the Update ASF Configuration Settings task page (continued). Modify timers settings: Check to modify the settings in this group when the task runs. Enable OS hang watchdog: Check to watch for operating system hangs and type the watch interval in seconds.
  • Page 159 Table 10-25: Options on the Update ASF Configuration Settings task page (continued). Wake on ARP or RMCP traffic: Check to configure the network adapter to wake the computer upon receiving ARP or RMCP traffic while the computer is in low-powered mode.
  • Page 160: Update Dash Configuration Settings Task

    Table 10-25: Options on the Update ASF Configuration Settings task page (continued). Modify remote control settings: Check to modify the settings in this group when the task runs.
  • Page 161: Oob Site Service Page

    Table 10-26: Options on the Update DASH Configuration Settings task page (continued). Modify Web Services-based settings: Check to modify the settings in this group when the task runs. HTTP Session Timeout: Set the management session timeout value.
  • Page 162 Table 10-27: Options on the OOB Site Service page. SQL settings: Type the SQL server's host name and the database name with which you want Intel SCS to work. The default database name for the 7.x release of Out of Band Management Component is Symantec_CMDB_IntelAMT.
  • Page 163 Table 10-27: Options on the OOB Site Service page (continued). Use TLS for secured communication: Check if you want the OOB site server installation to verify if the certification authority is accessible and the site server can support TLS.
  • Page 164: Certificate Enrollment Task

    Notification Server computer and on the OOB site server computers. “About TLS” on page 95. For more information on running tasks, see the Symantec Management Platform Help. Firewall Configuration task This task lets you configure the firewall on the OOB site server computer to allow incoming traffic to the Intel SCS or SQL Server port.
  • Page 165: Fqdn Synchronization Task

    This task lets you synchronize the FQDN of Intel AMT devices between the Intel SCS database and CMDB. CMDB contains the up-to-date FQDN that the Altiris Agent reports. For more information on running tasks, see the Symantec Management Platform Help. Install Intel Setup and Configuration Server task This task is an internal task that is used by the OOB site server installation jobs.
  • Page 166: Intel Setup And Configuration Server Upgrade Job

    This job is an internal job that upgrades an OOB site server. We recommend that you do not modify or run this job. To upgrade OOB site servers, use the Site Server page in the Symantec Management Console. “Installing an OOB site server”...
  • Page 167: Troubleshooting Out Of Band Management Component

    Symantec_CMDB_IntelAMT). If you have problems configuring, connecting to, managing, or otherwise interacting with the Intel AMT devices, you can check the logs through the Symantec Management Console. If you want to view more detailed information in the logs, on the General page,...
  • Page 168 To change the log level: In the Symantec Management Console, on the Settings menu, click All Settings. In the left pane, click Remote Management > Out of Band Management >...
  • Page 169: About Intel Scs Error Messages

    To view Intel SCS logs: In the Symantec Management Console, on the Settings menu, click All Settings. In the left pane, click Remote Management > Out of Band Management >...
  • Page 170 Table A-1: Intel SCS error messages. Error 102 - Intel AMT device is already configured: Trying to configure an Intel AMT device that is not in an unconfigured state within the Intel SCS database.
  • Page 171 Table A-1: Intel SCS error messages (continued). Error 137 - Another process currently working on AMT: This error is typical if an action is attempted on a device that is already undergoing a procedure (such as configuration).
  • Page 172 As a general rule, these errors resolve themselves. The major cause of many of these errors is slow progress while computers are in a configuration state. Check the Intel AMT Systems node in the Symantec Management Console for the status of AMT devices.
  • Page 173: About Intel Amt Setup And Configuration Issues

    Table A-1: Intel SCS error messages (continued). Cannot contact back AMT with IP:xxx.xxx.xxx.xxx Exception: The recorded IP address from the Hello packet sequence is not responding to requests. If the target system sends a new Hello packet with an updated IP address, Intel SCS updates the queue entry.
  • Page 174: About Intel Scs Console Integration

    Default Web site. About Intel AMT filters update The time between the AMT device being seen by Intel SCS and the Symantec Management Console integration is determined in the following area: The first is filter updates. Out of Band Discovery policy populates the database with computer data.
  • Page 175: Troubleshooting Oob Site Server Installation

    Altiris Agent's GUI. To view the list of computers capable of running Intel SCS In the Symantec Management Console, on the Manage menu, click Filters. In the left pane, click Out of Band Management > Out of Band Site Service...
  • Page 177: Appendix B Reference Topics

    Have at least one 7-bit ASCII non-alphanumeric character (Example: !, @, $). Contain both upper and lower case Latin characters (Example: A, a, B, b). Example: P@ssw0rd Also, you are required to use strong passwords in the Symantec Management Console when you configure Out of Band Management Component.
  • Page 178: About Populating Filters

    Reference topics About populating filters About populating filters In the Symantec Management Console, you can find a few filters (previously known as collections) that display Intel AMT and ASF computers. However, all these filters are populated in a different way.
  • Page 179 Reference topics: About populating filters. Table B-1, Out of Band Management Component Intel AMT filters (continued). Filter: Duplicated Intel AMT/NotificationServer Computers. Description: This filter contains computers that have the same Fully Qualified Domain Name (FQDN) in both Inv_OOB_AMT_Device (which is populated when a system is Fully Configured and a synchronization has occurred) and Inv_AeX_AC_Location (populated by the Altiris Agent's basic inventory).
  • Page 180 Reference topics: About populating filters. Table B-2, Out of Band Management Component ASF/DASH filters. Filter: ASF capable computers. Description: This filter is populated using the Out of Band Discovery Task through the Altiris Agent. This task copies down an .exe that executes and checks the target computer for ASF functionality.
  • Page 181: How Resource Synchronization Policy Works

    Reference topics: How Resource Synchronization policy works. Table B-2, Out of Band Management Component ASF/DASH filters (continued). Filter: Intel ASF capable computers. Description: This filter is populated using the Out of Band Discovery Task through the Altiris Agent. This task copies down an .exe that executes and checks the target computer for ASF functionality.
  • Page 182: Remote Configuration Certificate Requirements

    Reference topics Remote Configuration certificate requirements Cleans up exported USB keys files older than 7 days. Remote Configuration certificate requirements Using Microsoft certification authority, which you must have installed to use the remote configuration feature, and the certificate, you configure Intel SCS to be able to establish a secure connection between Intel SCS and the Intel AMT device.
  • Page 183: Intel AMT Release 2.2

    Reference topics Remote Configuration certificate – differences between releases Intel AMT Release 2.2 Intel AMT retrieves its domain suffix using DHCP Option 15. The CN in the SCS certificate must match the full domain suffix. The result is that a separate certificate is required for each domain.
  • Page 184 Reference topics Remote Configuration certificate – differences between releases , then east.corp.yourenterprise.com west.mkting.yourenterprise.com would match. Release 2.6 supports certificates that use the SubjectAltName (SAN) “DNS Name” extension. The certificates have multiple DNS names, and each one is compared consecutively with the domain suffix that is received from DHCP. When one of the names matches, Intel AMT accepts the certificate.
  • Page 185: Glossary

    IT technicians can apply these filters to computers that send suspicious network packets to seal infected computers from the rest of the network. The central database that stores all information about the Symantec Management CMDB (Configuration Platform and its managed computers.
  • Page 186 Configuration integrates Intel SCS into the Notification Server infrastructure and provides the Service) interface for Intel SCS in the Symantec Management Console. A system that provides authenticated access for users and services on a network. Kerberos A piece of information that controls the operation of a cryptography algorithm.
  • Page 187 Out-of-band management can be performed on the computers that have Intel AMT, DASH, or ASF-capable network adapters. permissions: The rights that a user or group has to access different items within the Symantec Management Console. Permissions are granted to users through their security role.
  • Page 188 SOL/IDE-R (Serial-over-LAN/IDE-Redirection): The proprietary protocols that are defined for Intel AMT that redirect keyboard, text, floppy disk, and CD transfers from a local host to a remote workstation. Symantec Management Console: The Web-based user interface for managing the Symantec Management Platform and any other installed solutions. The platform that provides a set of services for IT-related solutions.
  • Page 189: Index

    Index configuration mode Intel AMT enterprise mode 19 Active Directory Intel AMT small business mode 18 about 55 configuration profile integrating Intel SCS with 35, 55 assigning 85 Altiris Agent creating 62 configuration request interval 52 mapping to Intel AMT computers 64 configuring 52 configuring discovering computers 51...
  • Page 190 Index evaluation Intel AMT computer installing product in a lab 41 initializing manually 76 remotely 65 managing without Altiris Agent 41 firewall populating with PID-PPS pairs 58 configuring 39 setting up and configuring 82 Intel SCS about 17 Hello message viewing logs 167 resending 89 help...
  • Page 191 SQL server Intel AMT configuration 61 about configuring 34 minimum 43 installation guidelines 35 server computer 43 Symantec Installation Manager. See SIM product comparison 25 Symantec Management Console provision profile. See configuration profile about 16 provisioning. See setup and configuration...
  • Page 192 106 installing certificate 103 troubleshooting 167 uninstalling Out of Band Management Component 45 Out of Band Task Agent 46 with Symantec Installation Manager 47 upgrading Out of Band Management Component 45 USB-key initialization 77 wireless profile about 24...
