
How to test CIRA in 9 easy steps (Client Initiated Remote Access)


We are starting to get questions on how to test CIRA, one of the new features in the Intel® AMT 5.0 SDK. I have included in this blog the steps that I have documented for testing this feature (note that Ajith Illendula is the guy who designed the lab, but he's gone: he just left for his sabbatical and will not be back until January '09). Although we do not include the source code for the MPS in the SDK, you can use the MPS sample, which contains the binary, to test it and see how it works.

In the example below, we used a Virtual Machine and so your environment settings might be different - you will need to set up your network according to your network requirements. Also we used a specific domain name - feel free to use whatever domain name you want (just replace "corpamt.com" below with whatever domain name you are using.)

You may be wondering, however, how to implement this in the real world (outside of the SDK). I posted a blog a while back where I tried to explain this. Basically, our non-enterprise AMT ISVs will need to utilize the vPro Enabled Gateway available through the Intel Connect Service - that is, non-enterprise ISVs will not have the tools to write their own vPro Enabled Gateway (MPS). This is the "Remote PC Assist" model. In my blog I also have contact information that you can use to find out more.

Other things you may need to know - this Lab utilized the Soap UI tool - you don't have to use Soap UI, but it is really nice not to have to build this into an application - you can just go into the APIs according to the steps below and set up the requests for each API accordingly. Also you may need to download 3proxy - it's a free proxy tool. You don't have to use it - you can use your own, but it is the one that is referenced in this lab. You will also have to set up the config files in your MPS sample with the appropriate Management Console subscriber as well as the Server subscribers. The Readme file has instructions on how to do this and which config files need to be modified.

Oh... one more thing. As I mentioned, this lab uses SMB mode and manually installs certificates where they need to be. I'm thinking that if your systems are already provisioned in Enterprise TLS with Server authentication (i.e., not Mutual) then you could skip the installation of the certificates below, since the Enterprise provisioning process should already do that.

Acronyms:

    • MPS - Manageability Presence Server (also referred to as the "vPro Enabled Gateway")

    • SMB - Small Business Mode (Technically you are supposed to be in Enterprise mode but we got it to work in SMB by manually placing the certificates where they needed to be.)

    • CIRA - Client Initiated Remote Access (Now referred to as "Fast Call for Help", "Remote PC Assist", "Remote Alerts", and "Remote Scheduled Maintenance")



CIRA LAB STEPS:

Creating a CIRA connection via an MPS server involves the following steps. These steps are further defined below.

    • Step 1: Get MPS Up and Running

    • Step 2: Configure AMT Client in SMB (Step 4)

    • Step 3: Install Certificates onto the AMT Client

    • Step 4: Add MPS Server, Remote Access Policy, Enable CIRA through OS and BIOS

    • Step 5: Run MPS Notification Sample

    • Step 6: Enable Environment Detection

    • Step 7: Initiate CIRA Connection through Privacy Icon

    • Step 8: Initiate CIRA Connection through BIOS

    • Step 9: Connect to AMT Client using MPS as proxy and demonstrate GetEnvironmentDetection settings



Relevant APIs, listed by realm (see the Network Interface guide in the SDK):

SecurityAdministration

    • AddTrustedRootCertificate

    • CertStoreAddCertificate

    • CertStoreAddKey

    • SetEnvironmentDetection

    • GetEnvironmentDetection


RemoteAccessAdmin

    • AddMPServer

    • AddRemoteAccessPolicy

    • EnableUserInitiatedInterface



How to Create and Test a CIRA Connection:

System Prep

Set the IP Address of the Host OS on the system that is hosting the MPS VM

    1. IP address: 192.168.1.3

    2. Mask: 255.255.255.0

    3. Default Gateway: 192.168.1.1

Open DHCP Server in the MPS VM

    1. Activate default scope

    2. Set IP Address on AMT Client to: 192.168.1.10

    3. Connect Client to Switch after MPS is up and running with DHCP Scope


Password for VM: p@ssw0rd

Step 1: Get MPS Up and Running

    1. Find "Stunnel" under Start/All Programs and run it, then look for its icon in the system tray.

    2. Open the MPS folder on the Desktop of the MPS VM

    3. Get a CMD window and CD into the 3Proxy/bin folder:

        1. You will have to set up your config files (see files listed below). The readme file in the SDK has instructions on how to do this.

        2. Go to ...\MPS\3proxy-0.5.3k\bin

        3. >3proxy.exe 3proxy.mps.cfg -- then minimize window

    4. Go into the AMT SDK 4.0 Beta-5 Alpha/Windows/Intel_AMT/bin/MPS folder

    5. Double click on MPS.exe -- minimize window.

    • MPS.config is there if anyone wants to see it

    • MPS.log

    • MCSubscriberslist.config has the list of Management Consoles that are subscribed for notification events (when AMT is connected or disconnected).

    • AuthorizedServersList.config has the list of Servers receiving PET alerts from AMT



Step 2: Configure AMT Client in SMB

    1. Host Name: mvbeta

    2. TCP/IP: Domain - amtnac.net

    3. Change to SMB

    4. Exit and boot


Again - use the host names/domain names for your environment.

Step 3: Install Certificates onto the AMT Client

NOTE: Provisioning in SMB mode required creating certificates and cutting and pasting the correct portions into the APIs below. The requests called CIRA Trusted Root, AMT TLS CIRA CERT, and CertStoreAddKey will not be in your environment - you will have to create them and paste the certificate portions into them.

Installing the Root Certificate

    1. Open SoapUI 1.7

    2. Go into the MPS folder

    3. Look for two WSDLs (SecurityAdministrationSoapBinding, RemoteAccessAdminSoapBinding)

    4. Go into the SecurityAdministration WSDL

    5. Go into AddTrustedRootCertificate

        1. Double click on the CIRA Trusted Root Soap request (the base 64 format of the trusted root cert is in there).

        2. Click on the Play button (upper left hand corner). Make sure status codes are 0 on the right hand side - that way we know that it went through

    6. Close this request

Installing the Client Certificate and the Key

    1. Go into CertStoreAddCertificate (installs the Client Certificate) Mutual Authentication

        1. Open AMT TLS CIRA CERT soap request

        2. Click on Play - look for Status Code of 0 (the handle will be used in the AddMPServer API)

        3. Close the request

    2. Go into CertStoreAddKey (the key associated with the cert)

        1. Open the AMT TLS CIRA CERT KEY Request

        2. Click on the Play button - make sure status code is 0

        3. Close the request (close the window)

    3. Collapse the Security Administration WSDL



Step 4: Add MPS Server, Remote Access Policy, Enable CIRA through OS and BIOS

Note: You will not have the MPS_DO request in your Soap UI project - you will need to create a new request and put in the handle from the CertStoreAddCertificate request in the previous step. The UI Soap request has the Trigger set to 0 for "User Initiated"; likewise for the BIOS and OS Soap requests, set "source" to 2 for BIOS and 1 for OS.

    1. Go into the RemoteAccessAdminSoapBinding WSDL

        1. Go into AddMPServer

        2. Double click on the MPS_DO Soap request (the handle from CertStoreAddCertificate is used in this request)

            1. Click on the Play button -- make sure status codes are 0

        3. Close this request

        4. Go into AddRemoteAccessPolicy

            1. Open UI soap request (User Initiated, Trigger=0)

            2. Click on Play - look for Status Code of 0 (Connection set to be valid for only 120 Seconds if nothing happens)

        5. Close the request

        6. Go into EnableUserInitiatedInterface

            1. Open the BIOS Request (source is either 1=OS agent or 2=BIOS, IsEnabled=1)

            2. Click on the Play button - make sure status code is 0

            3. Close the request (close the window)

            4. Do the same for the OS Request

    2. Collapse the RemoteAccessAdminSoapBinding WSDL


RemoteAccessPolicyTriggerType: 0 = User Initiated, 1 = Alert, 2 = Periodic, 3 = Home Provisioning


Step 5: Run MPS Notification Sample

    1. Bring up a CMD Window

    2. CD into /AMT SDK 4.0 Beta-5Alpha folder/Windows/Intel_AMT/bin folder

        1. >MPSNotification.exe -h (this is the help)

        2. >MPSNotification.exe -verbose -serverAddress 196.168.1.1 -port 4567

    3. Keep the window up so we can see when it connects (this is subscribing to notification events).

Make sure privacy icon shows up (sometimes it doesn't show up)

    1. Uninstall HECI and LMS through Add/Remove Programs (if Privacy Icon is not there)

    2. Will have to restart

    3. Open the Security Icon



Step 6: Enable Environment Detection

Go back to SecurityAdministration in the SoapUI (you will have to create a request that adds your specific domain instead of CORPAMT.com).

    1. Go into SetEnvironmentDetection

        1. Open CORPAMT.com request

        2. The Local Domain is set to corpamt.com (note that this is different from the AMT Client domain that was set during provisioning)

        3. They are different so that it will be seen outside the corporate network, otherwise you cannot demonstrate CIRA

        4. Run - status code is 0

    2. Close the request
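
Why the Local Domain in Step 6 must differ from the client's own domain, shown as an added example (a simplified model written for this walkthrough, not Intel firmware or SDK code). The function names and the whole-label suffix matching are assumptions; corpamt.com and amtnac.net are the lab's values, and the other inputs are constructed.

```python
# Simplified model of the environment-detection check (an assumption made for
# illustration; not Intel firmware or SDK code).

def normalize(domain):
    """Lower-case a DNS name; drop whitespace and a trailing dot."""
    return domain.strip().lower().rstrip(".")

def suffix_matches(client_domain, local_domain):
    """True if client_domain equals local_domain or is a subdomain of it.

    Matching is done on whole labels, so 'notcorpamt.com' is not treated as
    being inside 'corpamt.com'.
    """
    client, local = normalize(client_domain), normalize(local_domain)
    if not client or not local:
        return False
    return client == local or client.endswith("." + local)

def is_inside_enterprise(client_domain, local_domains):
    """local_domains is the list written by SetEnvironmentDetection (Step 6)."""
    if not local_domains:
        raise ValueError("no local domain configured; run Step 6 first")
    return any(suffix_matches(client_domain, d) for d in local_domains)

def cira_can_be_demonstrated(client_domain, local_domains):
    """The lab needs the client to see itself as outside the corporate network."""
    return not is_inside_enterprise(client_domain, local_domains)

# Constructed cases: (client domain, configured local domains).
CASES = [
    ("amtnac.net", ["corpamt.com"]),        # the lab's settings
    ("amtnac.net", ["amtnac.net"]),         # local domain set to the client's own
    ("lab.CorpAMT.com.", ["corpamt.com"]),  # subdomain, mixed case, trailing dot
    ("notcorpamt.com", ["corpamt.com"]),    # shares a string suffix, not a label
]

def evaluate(cases=CASES):
    return [cira_can_be_demonstrated(c, d) for c, d in cases]

if __name__ == "__main__":
    for (client, local), ok in zip(CASES, evaluate()):
        print(f"client={client:<18} local={local} -> outside: {ok}")
```

Only the first and last cases leave the client "outside", which is the state the lab relies on before Step 7 or Step 8.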



Step 7: Initiate CIRA Connection through Privacy Icon


When the connection is established we can

Go back to the Client

    1. Open the Privacy Icon

    2. Go into Intel AMT tab

    3. Click on Connect under the Remote Connectivity tab

    4. Show the MPS Command window



Step 8: OR Initiate CIRA Connection through BIOS

F2 - go into BIOS

    1. Advanced - AMT Configuration

    2. AMT CIRA Request Trigger --> Enabled

    3. Set the timeout (for when you reboot the system it will wait this long before it establishes a connection)

    4. Save Settings



Step 9: Connect to AMT Client using MPS as proxy and demonstrate GetEnvironmentDetection settings

Go back to SecurityAdministration in the SoapUI

    1. Go into GetEnvironmentDetection

    2. Go into Request 1

    3. Click on Play

Then it will show the current Environment Detection Settings

To demonstrate that we can now manage the Client:

    1. You can go into Soap UI again

    2. File - Preferences - Proxy Settings

    3. Host: acsradius.amtnac.net

    4. Port: 8089

