Setting up Intel's Centrino Pro for the SMB
Intel’s AMT technology allows remote troubleshooting of PCs down to BIOS-level configuration, with ‘out of band’ access, now available via Wi-Fi. We explain how.
Intel’s Graham Tucker is a technology enthusiast. When PC Authority arrived to tour the new features of Centrino Pro, the notebook counterpart to Intel’s Vpro, he was full of excitement. Ordinary people may not become so excited about technology for desktop support and administration, but then, most people never rise to the position of Senior Technical Manager for Intel Australia.
“Australia’s really embracing this (Vpro),” he enthused. “There’s real engineering behind the marketing.”
How does Centrino Pro differ from the pre-existing Intel Vpro, the tool for remote desktop administration?
“You can use wireless controllers for Out Of Band (OOB) access. That’s the difference with Centrino Pro,” says Tucker. Centrino Pro is also aimed at notebook computers.
Running Out Of Band means that the Vpro functions can be activated in any power state; they are OS-agnostic, operating regardless of the state of the OS (including a corrupted or non-functioning one); and they add an additional layer of security.
“You can’t hack the agent,” said Tucker proudly.
The Intel Management Engine uses an XScale processor, an integrated microcontroller on the PC motherboard that is independent of the computer’s CPU and main functions. This additional hardware, which Vpro and Centrino Pro computers add to the motherboard, allows an administrator to remotely repair and update computers. It includes a small amount of flash memory, which stores the Windows Event Log and system configuration data. Again, that’s defended from interlopers.
“There’s an isolated piece of RAM that the microcontroller uses,” says Tucker. “It’s not addressable; there’s no way to hack that.”
Mr Tucker also explained that using Centrino Pro in an enterprise setting, with software suites provided by Altiris or other providers, allows for each machine to be authenticated with public key cryptography.
Serial Over LAN (SOL) is the standard method of access, and all communications in the administration channel can be encrypted with Secure Sockets Layer (SSL) or Transport Layer Security (TLS). An inside hacker trying to break into a machine’s AMT interface by guessing passwords is locked out after three attempts. These already fairly comprehensive security functions are set to be hardened in the short term.
“In the second half of this year (2007), we’re releasing AMT 3.0, with enhanced security and manageability. That’s in the road map,” said Tucker.
“LaGrande technology has now been renamed to TXT (Trusted eXecution Technology), in the marketing,” Tucker elaborated.
Extensive work has been done in ensuring Windows system compatibility. Referencing Microsoft Systems Management Server (SMS), Mr Tucker gave PC Authority a rare insight into collaborative technology development between Intel and Microsoft.
“We did all the (integration) development for SMS. We wrote all the software and a stand-alone server. So Microsoft are right behind it. They’re a bit slow off the mark, but they’re right behind it,” he said.
Remote repair with Vpro
Using the free AMT web interface
Accessing computers for AMT administration is as simple as firing up Internet Explorer, typing in the target computer’s IP address, and adding the port number 16992 (e.g. 192.168.0.12:16992). Graham made a point of accessing this on a target computer that was in sleep mode, to illustrate that the AMT functions are completely independent of the PC’s resources. Instantly, the AMT interface appeared, much like a ROM-based web interface for a router or network switch. You log in with the preset administrator’s password, which must be a strong eight-character string. (This would be pre-configured on the target machine by accessing the MEBx, a BIOS-like pre-boot environment that services the Vpro configuration.)
A feature missing from the free AMT web interface is IDE redirection, which is included with the enterprise software suites, and the AMT Commander application.
Using Landesk Management Suite
Graham Tucker also gave us a short demo on the enterprise-grade Landesk Management Suite under Windows Server 2003, using SQL 2005 for the back end. It has the capability to automatically discover new systems added to the network.
“Once it discovers a system, you add it to the inventory,” explained Tucker.
“This is the difference between the enterprise and SMB: you get these all-singing, all-dancing reporting functions,” he quipped.
“In enterprise mode, there’s an automatic setup process. In SMB mode, it’s all manual setup in the BIOS.” Hence, enterprise mode is the way to avoid repetitive deskside visits, even for initial Vpro configuration. Even an initial fifteen or twenty minutes per machine at the deskside can rapidly mount up for large rollouts, as anyone who has done it can attest. Do that for just three machines – that’s one hour out of the day. How many machines are you rolling out?
Remote Vpro access
One advantage of Vpro in the SMB environment is for those companies that choose to have an IT department on contract, at an external location. They may already use in-band tools to configure systems at the client’s location, but Vpro allows them to extend their work on computers to the AMT’s Out Of Band functions, for repairing the drive image, operating system or BIOS settings.
For remote administration, the client’s firewall would of course have to allow the Vpro ports – 16992 and 16993 – traffic to flow freely. “You’d have to open those ports,” said Tucker.
For SMBs, most commercial broadband accounts will generally pass all ports by default, but of course the corporate firewall may not. You may also require a static IP address.
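Opening 16992 and 16993 to the outside world means the management interface itself becomes reachable, so it is worth checking who is actually connecting to those ports. The following is an added example, not code from the article or from Intel: it reads firewall accept records and flags AMT sessions arriving from outside the expected admin networks, or using the plaintext port 16992 where the TLS port 16993 is available. The log line layout and the trusted networks are assumptions made for the example.

```python
import ipaddress
import re
from typing import List, Optional

# Intel AMT listens on 16992 (plain HTTP) and 16993 (HTTPS), as the article notes.
AMT_PORTS = {16992: "AMT over plaintext HTTP", 16993: "AMT over TLS"}

# Networks the admin console or contracted IT provider is expected to use.
# Assumed values for this example; substitute your own.
TRUSTED_SOURCES = [
    ipaddress.ip_network("192.168.0.0/24"),  # internal admin LAN
    ipaddress.ip_network("203.0.113.8/32"),  # contractor's static address
]

# Assumed key=value firewall record layout (constructed, not a real product format).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)

def check_line(line: str) -> Optional[tuple]:
    """Return (ts, src, dst, dport, reason) for an accepted AMT session that breaks policy, else None."""
    m = LINE_RE.match(line.strip())
    if not m or m["action"] != "ACCEPT":
        return None  # unparseable, or the firewall already blocked it
    dport = int(m["dport"])
    if dport not in AMT_PORTS:
        return None  # not management traffic
    src = ipaddress.ip_address(m["src"])
    if not any(src in net for net in TRUSTED_SOURCES):
        reason = f"{AMT_PORTS[dport]} accepted from untrusted source"
    elif dport == 16992:
        reason = "management session on plaintext port 16992; use TLS on 16993"
    else:
        return None  # trusted source on the encrypted port: expected traffic
    return (m["ts"], m["src"], m["dst"], dport, reason)

def scan(lines: List[str]) -> list:
    """Run check_line over a batch of records and keep only the findings."""
    return [f for f in map(check_line, lines) if f is not None]

# Constructed sample records for this example.
SAMPLE_LOG = [
    "2007-07-02T09:15:01 action=ACCEPT src=192.168.0.50 dst=192.168.0.12 dport=16993",
    "2007-07-02T09:16:44 action=ACCEPT src=192.168.0.50 dst=192.168.0.12 dport=16992",
    "2007-07-02T09:20:12 action=ACCEPT src=198.51.100.7 dst=192.168.0.12 dport=16993",
    "2007-07-02T09:21:00 action=DROP src=198.51.100.7 dst=192.168.0.12 dport=16992",
    "2007-07-02T09:22:30 action=ACCEPT src=198.51.100.7 dst=192.168.0.12 dport=443",
]
```

Running `scan(SAMPLE_LOG)` yields two findings: the plaintext session from the admin LAN and the TLS session from an address outside the trusted list.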
During boot, with console redirection you can view the remote machine’s BIOS output, even going so far as replicating the correct text colours. This view is fully interactive at about 15 fps. You can press keys at the appropriate times to enter various BIOS or MeBX menus, too. All this while the machine could be hundreds or thousands of kilometres away.
You can also elect to boot the remote machine from an ISO image held on your local machine, or from a disc in your local optical drive, for example. Basically, you have maximum flexibility at every turn.
Throughout your remote control, the user’s keyboard can be disabled. There’s nothing worse than trying to compete with the keystrokes of a trigger-happy helpdesk customer, who wants to “help”.
“BIOS access can be locked from the user perspective,” said Tucker. However, the controlled environment goes further, due to the inherent risk to modern companies from within. “There’s the potential for service guys to run amok here,” said Tucker. “You can set up access lists and permissions.” This would allow discrete access to the Vpro functions on various computers.
Another feature Tucker demonstrated was PXE boot (Preboot eXecution Environment), for situations where the hard drive has entirely failed. Although this requires a deskside visit, the time spent can be minimised: the technician can simply replace the dead drive and walk away, as the system can be remotely set to automatically download a new OS image from the network.
Using the free AMT Commander tool
In an enterprise environment, you’ll likely be using an advanced software solution from Altiris or HP for remote system repair with Vpro. However, in the SMB environment, you can augment your functions (beyond the basic web-based AMT interface) by downloading a free tool from Intel, called the AMT Commander. This is available from this page: http://softwarecommunity.intel.com/articles/eng/1034.htm
It is listed on this page as the ‘Intel AMT Developer Tool Kit’, or DTK. Source code for the program is also available if you have the skills and inclination to extend it.
As it is officially a “demonstration” program, the AMT Commander doesn’t have enhanced reporting functions, nor is it particularly scalable. However, it does add network filters and policies. For example, this could be used to enforce automatic shutdown of a user’s virtualised NIC, stopping bandwidth hogs in their tracks.
The key additional legwork that SMB customers will be doing involves the initial BIOS and MEBx configuration of machines to allow Vpro administration. With an enterprise solution, this step is automated through AMT provisioning.
“Enterprise customers want to receive machines, and not have to fiddle around with BIOS,” said Tucker. The technician should be able to unpack the computer, plug it all in, and walk away.
The Vpro horizon
Obviously, to make effective use of technology like Vpro and Centrino Pro, the entire computer population or ‘fleet’ should have the Vpro technology in-built. Of course, not all companies are going to junk every system in the inventory, just to have Vpro functionality across the board. As a result, Vpro is only now starting to reach the installed numbers for IT departments to start treating it as the default.
“The fleets are growing,” says Graham Tucker. “No one replaces the whole fleet in one go. People are now switching it on (Vpro) and starting to use it.”
Because Vpro is a smallish set of affordable components built into the motherboard, investing in Vpro-enabled computers will pay for itself, according to Tucker. “In the life of the machine, if you only save one deskside visit, you’ve paid for Vpro,” he said.
Finally, Mr Tucker gave PC Authority a glimpse into future Centrino standards, which will incorporate the final WiMAX standard for wireless broadband.
“We’ll have a WiMAX implementation on Centrino notebooks in Q1 of next year,” he said.
Centrino Pro Lingo
AMT – Active Management Technology, the remote management engine at the heart of Vpro and Centrino Pro.
IPMI – Intelligent Platform Management Interface, a standard for remote systems administration.
ODM – Original Design Manufacturer (opposite of OEM)
MEBx – Management Engine BIOS eXtension, a pre-boot environment for configuring Vpro settings. This includes the TCP/IP settings for the virtualised network interface card (NIC), allowing the computer network access early in the boot process. The MEBx is accessed by pressing Ctrl-P at boot time.
SMS – Microsoft Systems Management Server
Vpro – Intel’s advanced remote desktop maintenance technology.
WiMAX – Worldwide Interoperability for Microwave Access, a new open wireless broadband standard being championed by Intel.