intel integration guide

Guide Intel® vProTM Processor Technology

Integration Guide PCs with Intel® vProTM Processor Technology and N-able Technologies N-central*

V 1.0

317306-001

Integration Guide:

Intel® vPro™ processor technology and N-able Technologies N-central*

- 2 -

The information contained in this document is provided for informational purposes only and represents the current view of Intel Corporation (“Intel”) and its contributors (“Contributors”), as of the date of publication. Intel and the Contributors make no commitment to update the information contained in this document, and Intel reserves the right to make changes at any time, without notice.

THIS DOCUMENT IS PROVIDED “AS IS.” NEITHER INTEL, NOR THE CONTRIBUTORS MAKE ANY REPRESENTATIONS OF ANY KIND WITH RESPECT TO PRODUCTS REFERENCED HEREIN, WHETHER SUCH PRODUCTS ARE THOSE OF INTEL, THE CONTRIBUTORS, OR THIRD PARTIES. INTEL AND ITS CONTRIBUTORS EXPRESSLY DISCLAIM ANY AND ALL WARRANTIES, IMPLIED OR EXPRESS, INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR ANY PARTICULAR PURPOSE, NON-INFRINGEMENT, AND ANY WARRANTY ARISING OUT OF THE INFORMATION CONTAINED HEREIN, INCLUDING WITHOUT LIMITATION, ANY PRODUCTS, SPECIFICATIONS, OR OTHER MATERIALS REFERENCED HEREIN. INTEL AND ITS CONTRIBUTORS DO NOT WARRANT THAT THIS DOCUMENT IS FREE FROM ERRORS, OR THAT ANY PRODUCTS OR OTHER TECHNOLOGY DEVELOPED IN CONFORMANCE WITH THIS DOCUMENT WILL PERFORM IN THE INTENDED MANNER, OR WILL BE FREE FROM INFRINGEMENT OF THIRD PARTY PROPRIETARY RIGHTS, AND INTEL AND ITS CONTRIBUTORS DISCLAIM ALL LIABILITY THEREFORE.

INTEL AND ITS CONTRIBUTORS DO NOT WARRANT THAT ANY PRODUCT REFERENCED HEREIN OR ANY PRODUCT OR TECHNOLOGY DEVELOPED IN RELIANCE UPON THIS DOCUMENT, IN WHOLE OR IN PART, WILL BE SUFFICIENT, ACCURATE, RELIABLE, COMPLETE, AND FREE FROM DEFECTS OR SAFE FOR ITS INTENDED PURPOSE, AND HEREBY DISCLAIM ALL LIABILITIES THEREFORE. ANY PERSON MAKING, USING OR SELLING SUCH PRODUCT OR TECHNOLOGY DOES SO AT HIS OR HER OWN RISK.

Licenses may be required. Intel its contributors and others may have patents or pending patent applications, trademarks, copyrights or other intellectual proprietary rights covering subject matter contained or described in this document. No license, express, implied, by estoppels or otherwise, to any intellectual property rights of Intel or any other party is granted herein. It is your responsibility to seek licenses for such intellectual property rights from Intel and others where appropriate.

Intel hereby grants you a limited copyright license to copy this document for your use and internal distribution only. You may not distribute this document externally, in whole or in part, to any other person or entity.

IN NO EVENT SHALL INTEL OR ITS CONTRIBUTORS HAVE ANY LIABILITY TO YOU OR TO ANY OTHER THIRD PARTY, FOR ANY LOST PROFITS, LOST DATA, LOSS OF USE OR COSTS OF PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES, OR FOR ANY DIRECT, INDIRECT, SPECIAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF YOUR USE OF THIS DOCUMENT OR RELIANCE UPON THE INFORMATION CONTAINED HEREIN, UNDER ANY CAUSE OF ACTION OR THEORY OF LIABILITY, AND IRRESPECTIVE OF WHETHER INTEL OR ANY CONTRIBUTOR HAS ADVANCE NOTICE OF THE POSSIBILITY OF SUCH DAMAGES. THESE LIMITATIONS SHALL APPLY NOTWITHSTANDING THE FAILURE OF THE ESSENTIAL PURPOSE OF ANY LIMITED REMEDY.

Intel® vProTM processor technology includes Intel® Active Management Technology (Intel® AMT) and Intel® Virtualization Technology (Intel® VT).

Intel® Active Management Technology (Intel® AMT) requires the computer system to have an Intel AMT-enabled chipset, network hardware and software, as well as connection with a power source and a corporate network connection. With regard to notebooks, Intel AMT may not be available or certain capabilities may be limited over a host OS-based VPN or when connecting wirelessly, on battery power, sleeping, hibernating or powered off. For more information, see http://www.intel.com/technology/iamt

Any third party links in this material are not under the control of Intel and Intel is not responsible for the content of any third party linked site or any link contained in a third party linked site. Intel reserves the right to terminate any third party link or linking program at any time. Intel does not endorse companies or products to which it links. If you decide to access any of the third party sites linked to this material, you do so entirely at your own risk.

Intel, the Intel logo, Intel Core, and Intel vPro are trademarks of Intel Corporation in the United States and other countries.

*Other names and brands may be claimed as the property of others.

Copyright © 2007 Intel Corporation. All rights reserved.

Order number: 317306-001

Integration Guide:


- 3 -

Revision History Revision Revision History Date 1.0 First release August 2007

Integration Guide:


- 4 -

Table of Contents

Introduction Two manuals used during deployment................................................................... 11 Purpose and Audience ........................................................................................... 12

Intended audience .......................................................................................... 12 Scope ........................................................................................................... 12 Contents ....................................................................................................... 13

Common notations and terms ................................................................................ 13

Section 1: Solution Architecture Introduction .......................................................................................................... 14

Order of deployment ....................................................................................... 14 Quick Start .................................................................................................... 15 In this section... ............................................................................................. 15

Solution architecture ............................................................................................. 15 Intel vPro processor technology and Intel AMT.................................................... 16

New hardware-based capabilities ................................................................. 16 Remote management — even if PC power is off or the OS is unresponsive ......... 17 OS-neutral and language-neutral ................................................................. 17

N-able N-central............................................................................................. 17 Management components ........................................................................... 18 Hosted and “platform” or “appliance” solutions............................................... 18

Benefits to you and your customers .................................................................. 18 Remote communication ......................................................................................... 19

Out-of-band communication via Intel AMT.......................................................... 19 Remote console sessions via N-central............................................................... 20

Remote management through a probe.......................................................... 21 Remote management through agents ........................................................... 21

Security for remote management...................................................................... 22 Where to get the solution ...................................................................................... 22 Related documentation .......................................................................................... 23 For more information............................................................................................. 26

Section 2: Deployment requirements Introduction .......................................................................................................... 27 Order of deployment .............................................................................................. 27 Web console for validation of Intel AMT ................................................................ 29 Deployment requirements ..................................................................................... 29

Recommended configurations........................................................................... 29 Intel vPro processor technology: Requirements for configuring the PC............... 29 Probe: Requirements for installing the N-able probe ....................................... 30

Network requirements..................................................................................... 32 Communication ports ................................................................................. 32 DHCP or static IP addressing ....................................................................... 32

Dynamic IP (DHCP) environments ........................................................... 33 Static IP environments .......................................................................... 33

Integration Guide:


- 5 -

Section 2: Deployment requirements - continued Security requirements ..................................................................................... 34

Security considerations and best practices..................................................... 34 Passwords ................................................................................................ 34

Information needed for integration.................................................................... 36 Personnel requirements................................................................................... 36

Important considerations ...................................................................................... 37 Considerations for installing probes ................................................................... 37 Considerations for using proxy servers .............................................................. 38 Considerations for integrating the PC with N-central ............................................ 38 Considerations for WMI services ....................................................................... 39 Requirements and considerations for firewalls..................................................... 39

Working with Microsoft Windows firewall ....................................................... 39 For more information............................................................................................. 40

Section 3: Integration Introduction .......................................................................................................... 41

Required procedures ....................................................................................... 41 Additional procedures that may be of use........................................................... 41

Intel AMT information............................................................................................ 42 Overview of deployment ........................................................................................ 42 Step 1: Configure and validate Intel AMT via BIOS ................................................ 45 Step 2: Enable the Intel AMT respond-to-ping setting ........................................... 45 Step 3: Validate connectivity between N-central components ............................... 47

If you have trouble with validation... ................................................................. 48 Step 4: Verify network communication .................................................................. 49 Step 5: Log into N-central ...................................................................................... 50 Step 6: Create the customer site............................................................................ 52

Create the customer site ................................................................................. 52 Optional: Set up user account .......................................................................... 54

Step 7: In N-central, set Intel AMT credentials for the probe................................. 54 Step 8: Install the probe at the customer site........................................................ 57 Step 9: Verify communication between probe and N-central server....................... 57 Step 10: Discover the PC........................................................................................ 58

Considerations for scanning the network ............................................................ 58 Discover Intel AMT-enabled PCs........................................................................ 59 If you have trouble discovering the PC............................................................... 61

Step 11: Import the newly discovered PC .............................................................. 62 Import the PC into the device list ...................................................................... 62 Verify that the PC was imported into the management domain.............................. 64 Add previously deployed PC to the device list as an Intel AMT-enabled PC............... 65 Remove an Intel AMT-enabled PC from the device list .......................................... 68

Step 12. Verify that the Intel vPro service is assigned to the PC............................ 69 Step 13: Configure each PC.................................................................................... 72

Option 1: Minimum configuration procedure for an Intel AMT-enabled PC................ 72 Option 2: General configuration procedure ......................................................... 73

Step 14: Select the probe for power control........................................................... 77 Step 15. Create a custom Intel vPro dashboard ..................................................... 78

Integration Guide:


- 6 -

Section 3: Integration - continued Verify integration................................................................................................... 81

If you have trouble with integration................................................................... 86 For more information............................................................................................. 86

Section 4: Using Intel® AMT capabilities Introduction .......................................................................................................... 87 Discover an Intel AMT-enabled PC ......................................................................... 88

Common uses of persistent UUID...................................................................... 88 Discover Intel AMT-enabled PCs........................................................................ 88 Identify the UUID and hardware asset details ..................................................... 90

Remotely power on, off, or reset a PC.................................................................... 91 Common uses for remote power-on, power-off, and power-reset........................... 92 Check the power status of the PC...................................................................... 93 Remote power-on an Intel AMT-enabled PC ........................................................ 95 Remote power-off an Intel AMT-enabled PC........................................................ 96 Remote power-reset a PC with Intel vPro processor technology ............................. 97

For more information............................................................................................. 97

Section 5: Troubleshooting Introduction .......................................................................................................... 98 Categories of possible issues ................................................................................. 98 Support and validation tools .................................................................................. 99

Intel AMT Web console .................................................................................... 99 Verify access to Intel AMT..........................................................................100 Restricted access to Intel AMT information pages ..........................................102 Change network settings ...........................................................................102

Computer Host Name ...........................................................................103 Networking mode ................................................................................103 Respond-to-ping setting .......................................................................103

Intel AMT Commander....................................................................................104 Troubleshooting: Intel AMT configuration............................................................ 104

Authentication problems .................................................................................104 Intel AMT configuration ..................................................................................106

Most likely problem: You did not configure Intel AMT on the PC.......................106 Problems accessing the Intel AMT parameters via MEBx or the Web console......107 Online support for PCs with Intel vPro processor technology ...........................109

Troubleshooting: Network, firewall, and WMI problems ...................................... 109 Troubleshooting: network configuration ............................................................109 Troubleshooting: installation of the N-central server or probe ..............................111

Correct the settings for the N-central server .................................................113 Troubleshooting: Windows firewall ...................................................................115

Troubleshooting: Status indicators ...................................................................... 115 Troubleshooting: Discovery ................................................................................. 121 Troubleshooting: Remote power on/off ............................................................... 124 For more information........................................................................................... 127

Integration Guide:


- 7 -

Appendix A: Quick Start for Integration Introduction ........................................................................................................ 128 Deployment procedure......................................................................................... 131

Step 1: Configure and validate Intel AMT via BIOS and MEBx...............................131 Step 2: Enable the Intel AMT respond-to-ping setting .........................................131 Step 3: Validate connectivity between N-central components ...............................132

If you have trouble with installation or validation...........................................132 Step 4: Verify network communication .............................................................133 Step 5: Log into N-central...............................................................................133 Step 6: In N-central, set Intel AMT credentials for the probe................................133 Step 7: Discover the PC..................................................................................134

If you have trouble discovering the PC.........................................................134 Step 8: Import the newly discovered PC ...........................................................135

Verify that the PC was imported into the management domain ........................135 Step 9. Verify that the Intel vPro service is assigned to the PC .............................136 Step 10: Configure each PC ............................................................................136 Step 11: Select the probe for power control ......................................................137

Verify integration................................................................................................. 137 If you have trouble with integration..................................................................138

For more information........................................................................................... 138

Appendix B Accessing BIOS

Appendix C Acronyms and Glossary Glossary............................................................................................................... 140 Acronyms............................................................................................................. 142

Integration Guide:


- 8 -

List of Tables Table 1-1. Intel AMT capabilities being used by N-central .............................. 16 Table 1-2. Out-of-band communication versus in-band communication ........... 19 Table 1-3. Where to get the solution .......................................................... 22 Table 1-4. Related deployment documentation from Intel.............................. 23 Table 1-5. Related information about Intel vPro processor technology

and Intel AMT........................................................................ 24 Table 1-6. Related deployment documentation from N-able ........................... 25 Table 1-7. Where to find information in this guide ........................................ 26 Table 2-1. Requirements and important considerations for configuring

the user PC ........................................................................... 30 Table 2-2. Requirements for installing the probe at the customer site ............. 31 Table 2-3. Network communication requirements......................................... 32 Table 2-4. Network requirements to configure Intel AMT for DHCP or

static IP addressing................................................................ 33 Table 2-5. Administrator passwords used during deployment ......................... 35 Table 2-6. Information required during deployment...................................... 36 Table 2-7. Considerations for installing probes............................................. 37 Table 2-8. Considerations for integrating PCs with Intel vPro processor

technology into N-central ........................................................ 38 Table 2-9. Considerations for WMI services ............................................... 39 Table 2-10. Important considerations for firewalls ........................................ 40 Table 3-1. Deploying Intel AMT-enabled PCs and N-central............................ 42 Table 3-2. Validating communication between N-central components.............. 48 Table 3-3. Validating Windows firewall and WMI configuration........................ 49 Table 3-4. Special considerations for scanning the network ........................... 59 Table 3-5. Settings that help verify integration ............................................ 81 Table 4-1. Common uses of access to persistent UUID.................................. 88 Table 4-2. Common uses of the secure, remote power on/off capability........... 92 Table 5-1. Using the correct passwords .....................................................105 Table 5-2. Troubleshooting: Accessing Intel AMT parameters via MEBx

or the Web console ...............................................................107 Table 5-3. Troubleshooting: Network communication problems .....................110 Table 5-4. Troubleshooting: Installation of N-central and/or probe ................111 Table 5-5. Troubleshooting: Windows firewall problems ...............................115 Table 5-6. Troubleshooting: General status indicators..................................116 Table 5-7. Troubleshooting: Intel vPro service indicator ...............................117 Table 5-8. Troubleshooting: Intel vPro network-availability and

power-status indicators..........................................................119 Table 5-9. Troubleshooting: PC doesn’t show up as an Intel AMT-enabled PC ..121 Table A-1. Deploying Intel AMT-enabled PCs and N-central...........................130 Table A-2. Settings that help verify integration ...........................................138 Table B-1. Commands/keys to access BIOS................................................139

Integration Guide:


- 9 -

List of Figures Figure 1-1. Remote communication channel ............................................... 20 Figure 1-2. Elements of the N-central service environment........................... 21 Figure 2-1. General deployment process.................................................... 28 Figure 3-1. Deployment process ............................................................... 44 Figure 3-2. Entry screen for the Intel AMT Web console ............................... 46 Figure 3-3. Network settings screen accessed via the Intel AMT Web console.. 47 Figure 3-4. Verifying that WMI is configured correctly.................................. 50 Figure 3-5. Login screen in N-central ........................................................ 51 Figure 3-6. The NOC overview screen........................................................ 51 Figure 3-7. Customers screen .................................................................. 52 Figure 3-8. Add customer information ....................................................... 53 Figure 3-9. Enter limits appropriate for this site.......................................... 53 Figure 3-10. Overview screen for the customer site ...................................... 55 Figure 3-11. Probes screen for the customer site .......................................... 56 Figure 3-12. Setting Intel AMT credentials on the probe................................. 56 Figure 3-13. Verify that the probe is communicating with N-central................. 58 Figure 3-14. List of devices available for the customer site and their status ...... 60 Figure 3-15. Discovery screen for creating discovery tasks and importing

devices .............................................................................. 60 Figure 3-16. Creating a discovery task to discover new Intel AMT-enabled PCs . 61 Figure 3-17. List of newly discovered devices available to be imported ............ 63 Figure 3-18. Select the probe to use for monitoring the PC(s) ........................ 63 Figure 3-19. Verify that the Intel AMT-enabled PC was imported..................... 64 Figure 3-20. Access device information for the Intel AMT-enabled PC .............. 65 Figure 3-21. Device details, with Intel vPro service automatically checked........ 70 Figure 3-22. Services screen with Intel vPro service checked.......................... 71 Figure 3-23. Verifying the status of the Intel vPro service. ............................. 71 Figure 3-24. Device details screen.............................................................. 74 Figure 3-25. Interface information for discovery ........................................... 76 Figure 3-26. Specifying the probe for the Intel AMT power-control feature ....... 77 Figure 3-27. List of dashboards currently available for the customer site.......... 78 Figure 3-28. Adding a dashboard ............................................................... 79 Figure 3-29. Custom dashboard that includes status of the Intel vPro service ... 80 Figure 3-30. Status of individual Intel AMT-enabled PCs ................................ 80 Figure 3-31. Verify that the PC was imported ............................................... 82 Figure 3-32. Verify that Intel vPro service is available ................................... 83 Figure 3-33. Verify the status of the Intel vPro service .................................. 83 Figure 3-34. Verify that monitoring is enabled.............................................. 84 Figure 3-35. Verify access to the Intel AMT power-control feature ................... 84 Figure 3-36. Verify that the Intel vPro service is checked as a monitoring

option................................................................................ 85 Figure 3-37. Verify that the UUID and motherboard information is displayed .... 86

Integration Guide:


- 10 -

List of Figures - continued Figure 4-1. List of devices available on the target site ................................. 90 Figure 4-2. Identifying the UUID and motherboard information anytime......... 91 Figure 4-3. PC powered down, but Intel vPro service still available ................ 94 Figure 4-4. Power status for a PC that is powered up................................... 94 Figure 4-5. Power report for a PC that was powered down............................ 95 Figure 4-6. Power-control feature for Intel AMT-enabled PCs ........................ 96 Figure 5-1. Sample login prompt for the Intel AMT Web console...................101 Figure 5-2. Login dialog for the Intel AMT Web console ...............................101 Figure 5-3. Network settings page accessed via the Intel AMT Web console ...102 Figure 5-4. Padlock icon indicates restricted access for that account .............102 Figure 5-5. Deleting a PC from the device list ............................................126 Figure A-1. Deployment process ..............................................................129

Integration Guide:


- 11 -

Introduction

Welcome to the integration guide for Intel® vProTM processor technology and N-able Technologies (N-able) N-central*. This guide explains how to integrate PCs with Intel vPro processor technology into an N-central service environment.

Intel vPro processor technology includes the powerful, hardware-based Intel® Active Management Technology (Intel® AMT). Intel AMT is a new technology for remote management and security of PCs. With Intel AMT, managed service providers (MSPs) can monitor and manage PCs anytime — even if PC power is off, the operating system (OS) is inoperable, management agents are missing, or hardware (such as a hard drive) has failed.

When integrated into a third-party management solution, such as N-able N-central, Intel vPro processor technology lets service providers spend less time managing the PC and more time focusing on strategic business initiatives.

This guide describes integration of PCs with Intel vPro processor technology into N-Central v6.

Two manuals used during deployment You will need two manuals during deployment of PCs with Intel AMT in the N-central management environment:

• Intel® Active Management Technology Configuration Guide for SMB Environments, which explains:

• Deployment requirements for Intel AMT. • Step-by-step procedures for using BIOS and the Intel® Management Engine

BIOS extension (MEBx) to configure the Intel AMT security, networking, and operational parameters on the PC. These settings are required in order for a third-party management application to remotely access the powerful Intel AMT capabilities.

Caution: Configuring Intel AMT parameters on the PC is a separate process from integrating an Intel AMT-enabled PC into N-central. If you try to integrate the PC into N-central before enabling and configuring Intel AMT, N-central will not be able to access Intel AMT capabilities.

• Integration Guide: Intel® vProTM Processor Technology and N-able Technologies Solutions* (this guide), which includes:

• Deployment requirements and important considerations for hardware and software elements of the N-central managed environment.

• Integration procedures for integrating an Intel AMT-enabled PC into N-central v6.

• Quick start, for users who are already familiar with Intel AMT and N-central.

Integration Guide:


- 12 -

Note: Intel AMT is OS-neutral, and N-central is also OS-neutral. For consistency in requirements, procedures, troubleshooting, and so on, this guide assumes you are using Microsoft Windows XP* or Microsoft Windows Vista* on the end-user PC.

Purpose and Audience This guide explains the deployment process for PCs with Intel vPro processor technology in an N-central environment in which probes are used to monitor PCs.

Intended audience This guide is intended for MSPs using N-central to manage PCs with Intel vPro processor technology. Users of this guide should be experienced in:

• Setting up networks for SMB customers • Setting up, configuring, and using Microsoft networking, server, and OS applications • Communication and security methodologies and technologies, such as TCP/IP, HTTP,

HTTPS, and SSL

Scope This guide includes step-by-step integration procedures for integrating an Intel AMT-enabled PC into the N-central management environment.

To help with integration, this guide describes deployment requirements and installation considerations for N-central.

• Note that this guide does not explain how to install or setup N-central. Refer to your N-able documentation for installation, setup, and validation procedures for N-central

This guide also includes hardware requirements for PCs, as well as some deployment considerations for Intel AMT in the N-central environment.

• Note that this guide does not explain how to configure Intel AMT parameters on the PC. That information is located in the Intel AMT configuration guide for SMB environments.

This guide assumes you are using probes to monitor the PCs. If you will be using agents to monitor PCs, refer to your N-central documentation for installation and setup procedures for agents.

Integration Guide:


- 13 -

Contents This guide includes these sections:

• Section 1: Solution architecture, which explains the order of deployment and briefly describes the architecture of Intel AMT and the N-central solution, including key aspects of secure, remote communication between the elements of the N-central managed environment.

• Section 2: Deployment requirements, which provides requirements for hardware and software, includes deployment recommendations, and briefly describes important considerations for configuring the network, installing N-central, and setting up the managed environment.

• Section 3: Integration, which explains how to integrate an Intel AMT-enabled PC into N-central.


• Section 4: Use cases, which provides simple procedures for updating security software on a PC that is powered off, discovering PCs, and acquiring a hardware inventory.

• Section 5: Troubleshooting, which provides information and procedures that can help resolve common issues with remote management.

• Appendix A: Quick start, which provides abbreviated step-by-step procedures for integrating the Intel AMT-enabled PC into N-central.

• Appendix B: Accessing BIOS, which describes some ways to access BIOS for common PC manufacturers.

• Appendix C: Glossary and acronyms.

Common notations and terms This guide uses the following notation conventions:

• Keystrokes and screen buttons are indicated by boldface. • Replaceable parameters (such as text strings and filenames) are indicated by italics. • The right caret > indicates a menu path or sequence of screens and tabs. For

example: Setup > Devices.

This guide uses the following terminology:

• Remote site refers to the MSP service center or centralized help desk. • Local site refers to the customer site.

Other common terms are listed in the glossary near the end of this guide.

Integration Guide:


- 14 -

Section 1: Solution Architecture

Introduction Intel® vProTM processor technology delivers many high-performance features and innovative capabilities for both users and IT administrators, all in an energy-efficient platform that is Microsoft Windows Vista* ready. Among the innovative capabilities of Intel vPro processor technology is Intel® Active Management Technology (Intel® AMT).

Intel AMT is powerful hardware-based technology for remote management and security of PCs. These capabilities allows MSPs to monitor and manage PCs anytime, even if PC power is off, the OS is unresponsive, management agents are missing, or hardware (such as a hard drive) has failed.

With Intel AMT, authorized technicians can remotely and securely power on/off/reset a PC, remote boot a PC to a clean state, redirect a PC’s boot device to another device (such as a CD or network share), use console redirection, and take advantage of powerful hardware-based system-defense capabilities. Intel AMT also provides secure access to detailed hardware asset information, the persistent Intel AMT event log, and other critical system information virtually anytime. Service providers can now spend less time managing the PC and more time focusing on strategic business initiatives.

This guide describes how to integrate PCs with Intel vPro processor technology into N-able N-central* v6. N-central is taking advantage of several key Intel AMT capabilities, including remote power on/off, access to the PC’s unique universal identifier (UUID), and access to detailed hardware asset information.

Note: For information about all hardware-based Intel AMT capabilities, refer to the appendix on Intel AMT architecture, or refer to the Intel Web site.

Order of deployment The overall deployment process follows four general steps:

1. Configure Intel AMT on the end-user PC.

2. Install the Windows probe at the customer site on a local PC or server.

3. Integrate the Intel AMT-enabled PC with N-central v6.

Note: This guide assumes you have already installed and set up N-central correctly. Refer to your N-central documentation for information about installing, setting up, verifying, and troubleshooting N-central.

Integration Guide:


- 15 -


This guide explains step 3, integration of the Intel AMT-enabled PC into N-central.

Quick Start If you are already familiar with Intel AMT and N-central, you might want to use the quick start appendix in this guide to begin deployment.

If you are not already familiar with these technologies, make sure you carefully read your N-central documentation, as well as the deployment requirements and important considerations in this guide for configuring firewalls, WMI, and other components of N-central.

In this section... This section provides information about:

• Solution architecture for N-central and Intel AMT • Remote communication and remote management • Where to get the solution • Related documentation

Deployment requirements, recommendations, and important considerations are described in the deployment requirements section of this guide.

Solution architecture MSPs must manage and adapt to a changing and competitive environment. With tens, even hundreds of sites across geographic areas, reducing site visits is critical to keeping costs down and being able to plan better for the future. Two of the obvious solutions to reducing site visits are:

• Automate more tasks. • Allow more tasks to be performed from a remote, centralized location.

When integrated into a third-party management application, such as N-central, Intel vPro processor technology (including Intel AMT) is designed to help service providers perform more work from the service center and significantly reduce site visits. In turn, this will help MSPs increase efficiencies, reduce service costs, improve revenue margins, and offer new services to customers.

Integration Guide:


- 16 -

Intel vPro processor technology and Intel AMT Intel vPro processor technology delivers unique hardware-based features and capabilities that help MSPs remotely manage and secure PCs, while offering users an outstanding Intel® Core™2 Duo performance in an energy-efficient platform that is Microsoft Windows Vista ready.

Intel AMT is a set of tamper-resistant hardware-based manageability and security capabilities that allow MSPs to perform many remote tasks — even if PC power is off, the OS is unresponsive, or hardware (such as a hard drive) has failed. Intel AMT capabilities include secure remote/redirected boot, secure console redirection, secure remote power-up, dedicated memory for critical system information, and preboot access to BIOS settings and configuration information.

Intel AMT is part of the Intel Management Engine in Intel vPro processor technology. Intel AMT is built directly into the hardware and firmware of the PC. Because the technology is built into the system, Intel AMT can deliver powerful new capabilities that are well-secured from viruses and worms, and resistant to tampering by hackers and inexperienced users.

New hardware-based capabilities To help MSPs simplify remote management of PCs, N-central is taking advantage of several Intel key AMT capabilities:

Table 1-1. Intel AMT capabilities being used by N-central

Out-of-band (OOB) communication channel

Runs “under” or outside the OS, and is available to authorized technicians anytime, as long as the PC is connected to power and plugged into the network. Technicians can monitor and manage the PC even if PC power is off, the OS is unresponsive, or hardware (such as a hard drive) has failed.

Secure remote power-on

Allows authorized technician to remotely power-on, power-off, or power-reset a PC from the service center, even if the OS is unresponsive. In N-central, this capability is available through the power-management feature.

Persistent ID Stored in dedicated, protected Intel AMT memory, the UUID for the PC is available to authorized technicians virtually anytime, even if PC power is off, the hard drive has been reimaged, hardware or software has been reconfigured, the OS has been rebuilt, the OS is missing, or PC power is off. Technicians can see the UUID through the device-details feature in N-central.

Persistent hardware-asset information

Stored in dedicated, protected Intel AMT memory, and updated every time the PC goes through power-on self test (POST), this information is available to authorized technicians virtually anytime, regardless of PC power state or the state of the OS. Technicians can see detailed hardware-asset information through the device-details feature in N-central.

Integration Guide:


- 17 -

Remote management — even if PC power is off or the OS is unresponsive When integrated into N-central, Intel AMT lets technicians:

• Update security software and applications off-hours — even if the PC is powered off at the start of the update cycle. With Intel AMT, technicians can now securely and remotely power up the PC from the service center so that N-central can apply the update or patch.

• Remotely power up PCs for monitoring or maintenance, using the secure, remote power on/off feature

• Power-reset PCs to a clean state, using the secure remote power reset feature. • Inventory hardware assets anytime — and on a lower level than can be

monitored through use of Windows Management Instrumentation (WMI) alone. • Discover more PCs more accurately with access to the UUID, so that you always

know which systems are on the network and can perform more accurate asset inventories.

Because the capabilities of Intel AMT are designed into the PC, they are available to N-central technicians anytime (refer to Figure 1-1). As long as the PC is connected to a power source and plugged into the network, the capabilities of Intel AMT are available to authorized IT technicians.

OS-neutral and language-neutral Because the capabilities are built into the system hardware, they are OS-neutral and language-neutral. They are available to authorized technicians regardless of the type of OS installed on the PC. Also, you can write applications in any programming language to take advantage of Intel AMT capabilities.

N-central is also an OS-neutral application which supports many OSs. Refer to your N-central documentation for information about the OSs supported and the agents available for each OS.

Note: Intel AMT is OS-neutral, and N-central is also OS-neutral. For consistency in requirements, procedures, troubleshooting, and so on, this guide assumes you are using Microsoft Windows XP or Windows Vista on the end-user PC.

N-able N-central N-central is a leading remote monitoring and management platform deployed globally by MSPs servicing the SMB market. N-central is a powerful and feature-rich tool for managed services that will help drive new efficiencies and profitability into your managed service programs.

Integration Guide:


- 18 -

When N-central is used for PCs with Intel vPro processor technology, IT administrators gain access to powerful new hardware-based capabilities of Intel AMT. This includes the ability to remotely discover, monitor, and manage PCs regardless of PC power state or the state of the OS. You can now use N-central to securely and remotely power up PCs to update security software off-hours, upgrade software applications, and ready PCs for a user work shift — all without leaving the service center. You can also accurately identify an Intel AMT-enabled PC even if PC power is off, the OS has been rebuilt, the hard drive has been reimaged, a hardware or software configuration has changed, or management agents are missing.

With access to the new Intel AMT capabilities, N-central can help you significantly improve remote device discovery, hardware asset inventory, off-hours maintenance, and other processes and tasks. For MSPs, the combination of N-central and PCs with Intel vPro technology makes it easier to improve labor utilization, optimize IT processes, and improve management coverage for all PCs.

Management components The N-central solution has a distributed architecture and three main components:

• N-central server, which is the central management console that provides the web based interface; conducts data processing, reporting, and notifications; and can monitor devices with public IP addresses using TCP port monitoring capabilities.

• Software agents, which are installed at the customer site on end-user PCs for local monitoring. An agent collects detailed OS and other system data from a single PC and passes the data back to the N-central server when the user device is on the network. (Agents are particularly useful for mobile PCs.)

• Probes, which are installed at the customer site on a dedicated PC or server, and which can monitor many devices. Probes collect general information from the PC and/or agents, and pass the data back to the N-central server. Probes generate less network traffic than agents and can be used to provide an agentless solution.

Hosted and “platform” or “appliance” solutions N-able offers two options for MSPs: hosted solutions and “platform” or “appliance” solutions.

• Hosted solution: The N-central server is located at the N-able site, and available to MSPs through a subscription service.

• Platform or appliance solution: The N-central server is located at the MSP site and creates a self-contained management environment.

Benefits to you and your customers When integrated into N-central, Intel AMT helps MSPs:

• Perform updates, patch management, maintenance, and monitoring off-hours, even for PCs that are powered off at the start of the management cycle.

• Improve compliance with government and other regulations. • Increase the accuracy of inventories and improve maintenance contracts. • Increase automation for many tasks.

Integration Guide:


- 19 -

There are significant cost and resource benefits for MSPs managing Intel AMT-enabled PCs via N-central. With Intel AMT, MSPs can:

• Eliminate virtually all site visits traditionally required for updates and patching for PCs that are often shut off.

• Eliminate many manual hardware-asset inventories. • Reduce total cost of ownership (TCO) of technology for customers.

MSPs can now significantly reduce manual processes; increase automation for inventory, update, and upgrade tasks; shift more work off-hours; and minimize interruptions to their customers’ business. The result is a more managed, more efficient infrastructure that helps increase productivity, reduce service costs, and improve revenue margins.

Remote communication This discussion is a brief overview of remote communication via the Intel Management Engine (which includes Intel AMT) through a third-party management application, such as N-central.

Out-of-band communication via Intel AMT For communication with a management console, Intel AMT uses an Ethernet controller directly, without going first through the OS. This gives MSP technicians “always-available” access to Intel AMT capabilities, even if PC power is off, the OS is unresponsive, or hardware (such as a hard drive) has failed.

Table 1-2 explains the difference between out-of-band communication (used by Intel AMT) and in-band communication (used by typical PCs).

Figure 1-1 shows how Intel AMT out-of-band communication works for PCs in different power states and OS states. Figure 1-1 shows communication for a network with a probe installed on the customer site.

Table 1-2. Out-of-band communication versus in-band communication

Communication type Description Works when...

Out-of-band communication

Communication between Intel AMT (via the Intel Management Engine) and N-central

The Intel Management Engine and the host (the PC’s OS) use the same Ethernet controller. This allows Intel AMT hardware and firmware to access the network through the Ethernet device anytime.

Works anytime, even if PC power is off, the OS is unresponsive, management agents are missing, or hardware (such as a hard drive) has failed.

In-band communication

Communication between Intel AMT (via the Intel Management Engine) and the PC’s OS

The OS uses the Intel Management Engine interface (MEI) to communicate to the management engine.

Works only if PC power is on and the OS is up and working properly.

Integration Guide:


- 20 -

Figure 1-1. Remote communication channel. The Intel AMT communication channel is available even if PC power is off, the OS is unresponsive, management

agents are missing, or hardware (such as a hard drive) has failed. N-central is taking advantage of three “always available” capabilities: remote power on/off,

access to the PC’s UUID, and access to detailed hardware asset information.

For more information about Intel AMT architecture, refer to the Intel AMT configuration guide for SMB environments.

Remote console sessions via N-central N-central can communicate with probes and agents, and also directly with the Intel Management Engine to access Intel AMT capabilities even if PC power is off, the OS is unresponsive, or management agents are missing.

Figure 1-2 shows elements of the N-central service environment and the path of communication between the N-central server and probes/agents.

Integration Guide:


- 21 -

Figure 1-2. Elements of the N-central service environment

Remote management through a probe When managing PCs with Intel vPro processor technology, the N-central server establishes remote communication to the Windows probe installed at the customer site. The probe allows you to discover, monitor, and manage Intel AMT-enabled PCs at the site, even if PC power is off, the OS is unresponsive, or hardware (such as a hard drive) has failed.

The remote session to the probe occurs via a TCP tunnel that is established through the firewall between the N-central server and the probe. The probe then functions like a software router, redirecting communication between the MSP technician and the PC.

The outbound connection from the probe to the PC is established using current web services SOAP/XML through HTTP/HTTPS.

Remote management through agents Agents are installed directly on the user PC. They collect detailed information about the PC, and send that data back to N-central at regular intervals, whenever the PC is connected to the network. Remote sessions to agents occur via a TCP tunnel established between the N-central server and the agent. However, because Intel AMT offers an out-of-band communication channel, N-central can also directly monitor and manage the PC even if the N-central agent is disabled or missing.

Integration Guide:


- 22 -

This guide assumes you are using probes to monitor and manage the Intel AMT-enabled PCs. For information about remote management through agents, refer to your N-central documentation.

Security for remote management Intel vPro processor technology uses a variety of robust security methodologies and technologies to protect the powerful Intel AMT capabilities and data stored in the Intel AMT protected memory. For information about the methodologies and technologies, refer to the Intel AMT deployment and reference guide for enterprise environments. A link to the Intel AMT deployment and reference guide is provided in this guide’s introduction section, under related documentation.

Where to get the solution The following table provides URLs or contact information for Intel vPro processor technology and N-able N-central.

Table 1-3. Where to get the solution

Solution component Source

Vendors. For a list of vendors who supply PCs with Intel vPro processor technology, contact

http://www.intel.com/buy/vPro.htm

Intel vPro processor technology

Intel vPro processor technology. For information about Intel vPro processor technology used in the small- and medium-business market, refer to the Intel Web site:

http://www.intel.com/business/vpro/

N-able N-central Vendors. Contact your N-able representative for information about purchasing N-central:

http://www.n-able.com/

Integration Guide:


- 23 -

Related documentation The next several tables describe documentation from Intel, N-able, and other sources which may be useful during deployment, or which can give you additional details about Intel vPro processor technology or N-able N-central.

Table 1-4. Related deployment documentation from Intel

Intel deployment documentation Description

Download from Intel Web site at:

Intel Active Management Technology Configuration Guide for SMB Environments, v1.0

Requirements and step-by-step procedures for configuring the Intel AMT security, networking, and operational parameters on the PC, via BIOS and MEBx.

http://www3.intel.com/cd/channel/reseller/asmo-na/eng/347046.htm

Integration Guide: Intel vPro processor technology and N-able N-central, v1.0

(This guide.) Requirements and step-by-step procedures for integrating Intel AMT-enabled PCs into N-able N-central.

http://www.intel.com/reseller/vpro

Intel vPro processor technology SDK

Intel offers a Software Development Kit (SDK), for Intel vPro processor technology. The SDK includes developer tools which may be of use during validation and troubleshooting.

http://softwarecommunity.intel.com/isn/home/manageability.aspx

Intel® Active Management Technology Deployment and Reference Guide, v1.0

Aimed at enterprise markets, but includes details about deployment planning (including proof of concepts and pilots), security methodologies / technologies, and use-case capabilities of Intel AMT.

http://download.intel.com/business/vpro/pdfs/deployment_guide.pdf

Integration Guide:


- 24 -

Table 1-5. Related information about Intel vPro processor technology and Intel AMT

Intel product information Description

Download from Intel Web site at:

Intel vPro processor technology Portal

A Web entry point for information about the Intel vPro processor technology line of business desktops.

http://msp.intel.com/

http://intel.com/reseller/vpro

Intel AMT Technology Brief Overview of the hardware-based Intel AMT capabilities and benefits to MSPs.

http://www.intel.com/technology/manage/iamt/303749.pdf

A New Level of Remote Managed Services for PCs in Small-Business Environments

Explanation of how hardware-based capabilities of Intel vPro processor technology address critical challenges facing MSPs to help them eliminate site visits, increase service efficiencies, and improve revenue streams and margins.

http://cache-www.intel.com/cd/00/00/31/87/318739_318739.pdf

Improving Security and Compliance with Intel Active Management Technology

Explains how to plan and install a more secure and compliant PC fleet.

http://www.intel.com/business/vpro/pdfs/amt_security_and_compliance.pdf

Intel AMT architecture Detailed information about Intel AMT architecture.

http://softwarecommunity.intel.com/articles/eng/1004.htm

Technical support For technical support questions related to Intel® Software Solution.

http://supportmail.intel.com/scripts-emf/welcome.aspx?id=2556,2557

Integration Guide:


- 25 -

Table 1-6. Related deployment documentation from N-able

N-able documentation Description

Use your partner login to access resources from the N-able partner Web site at:

N-able Velocity* Partner Center

Provides:

• User guides

• Message board

• N-able product knowledge base

http://www.n-able.com/login/

N-able University* Applied Technology Training

Provides:

• Web-based training

• N-central Web-based weekly scheduled Q&A sessions

• N-central advanced instructor-led training

http://www.n-able.com/university/programs/n-central/

N-central Installation and Configuration Guide

Explains how to install and configure N-central for your environment


Configuring Your Customer Networks for N-central

Detailed information and instructions to help you configure the customer’s network properly so that N-central and its components work as intended


N-able Technologies N-central* and PCs with Intel® vPro™ Technology

Improved monitoring and asset discovery to reduce truck rolls and improve automation

www.intel.com/cd/channel/reseller/asmo-na/eng/products/desktop/processor/processors/vpro/sales/323517.htm

Integration Guide:


- 26 -

For more information Table 1-7 explains how to find information in this guide and from other sources.

Table 1-7. Where to find information in this guide

Information Located in Description

Quick Start Appendix A Simplified list of steps to follow to integrate an Intel AMT-enabled PC into N-central.

Deployment requirements

Section 2 Hardware, software, networking, firewall, and information requirements, and important considerations.

Also refer to the Intel AMT configuration guide for SMB environments, and refer to your N-central documentation.

Special consid-erations and best practices

Sections 2, 5

Important considerations for setting up, configuring, and using networks, firewalls, N-central, and Intel AMT.

Integration Section 3 Procedures to integrate an Intel AMT-enabled PC into N-central. This section assumes you have already installed and validated N-central, and have already configured Intel AMT parameters on the PC.

Validation Sections 3, 5

Validation for communication between components of the N-central solution is described in Section 3. The troubleshooting section includes a procedure to validate access to Intel AMT.

Table 1-8. Where to find information in this guide – continued

Information Located in Description

Troubleshooting Sections 2, 5

Section 2 describes deployment requirements and special considerations. Section 5 includes detailed troubleshooting tables to help you identify and resolve setup, configuration, installation, and use issues.

Intel AMT architecture

Section 1 Overview of Intel AMT, and description of how it is used in the N-central service environment.

Using Intel AMT Section 4 Common uses of Intel AMT capabilities and how to use them in the N-central service environment. Also refer to the Intel AMT configuration guide for SMB environments, or to the Intel Web site.

Integration Guide:


- 27 -

Section 2: Deployment requirements

Introduction See your N-able installation guides for information about installing and setting up N-central. Configuration information for Intel AMT is located in the Intel AMT configuration guide for SMB environments.

This section covers:

• Order of deployment • Deployment requirements for hardware and software • Important considerations and best practices


Note: This guide assumes that N-central is already installed and working properly, including network communications between N-central elements. Refer to your N-central documentation for information about installing, setting up, verifying, and troubleshooting N-central.

Order of deployment The deployment process follows three general steps to install, configure, and integrate the key elements (PC, N-central server, and probe) of the system in a platform or appliance environment:



3. Integrate the Intel AMT-enabled PC with N-central.


Integration Guide:


- 28 -

Caution: Remote management of PCs will fail if you do not set up the security, networking and operational parameters properly on the end-user PC, probe, and/or servers to allow remote communication between N-central components and through firewalls and proxy servers.

Figure 2-1 shows the general deployment process. Refer to the section on solution architecture in this guide, for a information about how communication flows in the N-able managed-service environment.

Figure 2-1. General deployment process. Configuring Intel AMT is done

separately, by physically accessing the PC and setting BIOS and MEBx parameters.

Integration Guide:


- 29 -

Web console for validation of Intel AMT Intel AMT includes a Web console to help you validate configuration and communication with the Intel AMT capabilities.

If you are having trouble establishing remote communication to the Intel AMT capabilities via N-central, you can use the Web console to help troubleshoot the problem. Refer to the troubleshooting section of this guide for information about using the Web console and other tools to resolve networking and installation issues.

Deployment requirements To help prepare you for deployment, this discussion includes:

• Recommended configurations for hardware and software • Networking, security, and setup requirements

Recommended configurations There are three main hardware elements in an N-central environment, each of which has certain requirements:

• End-user PC: requirements for setting up and configuring Intel AMT and the N-central agent on the end-user’s desktop PC

• Probe device: requirements for the low-end server or high-end PC at the customer site on which the Windows probe is installed

• Remote server: requirements for the remote server that hosts N-central at the MSP’s service center.

Intel vPro processor technology: Requirements for configuring the PC Table 2-1 lists requirements and special considerations for configuring the networking and operational parameters required in order for N-central to access the Intel AMT capabilities.


For more in-depth information about special considerations and best practices, refer to the configuration section for the PC with Intel AMT.

Integration Guide:


- 30 -

Table 2-1. Requirements and important considerations for configuring the user PC

Component Recommendation or requirement

Hardware • PC with Intel vPro processor technology, including:

• Intel AMT v2.1 or later

• Motherboard series DQ965GF, DQ965CO, DQ965WC or later

• BIOS Version 5882 [CO96510J.86A] or later

Software • Microsoft Windows XP or later versiona

Information • BIOS-level administrator password (if necessary) to enter BIOS

• Intel AMT administrator username and password to enter MEBx

• TCP/IP settings

Special considerations

• Configure Intel AMT: Intel AMT parameters must be configured before N-central can access the Intel AMT capabilities. Configuration is performed at the PC, and is a separate process from integration of an Intel AMT-enabled PC into N-central. Integration is performed at the remote server site, via N-central.

• Authentication: Do not assume the username-password pair when logging into MEBx. Verify the username-password pair as per the OEM documentation for the PC.

• Respond-to-ping: N-central requires that the Intel AMT respond-to-ping setting be enabled to allow out-of-band discovery.

• Windows Vista: If you are using Windows Vista on the user PC, you must install the N-able hotfixes for the OS.

a If you are using Windows Vista, you must install the N-able hotfixes for the OS. Refer to your N-able documentation for information about the hotfixes.

Probe: Requirements for installing the N-able probe You should install the Windows probe on a low-end server (or high-end PC).

Table 2-2 lists the recommendations and requirements for installing the Windows probe at a customer site using a Microsoft Windows server-class OS on a server-class PC.

Integration Guide:


- 31 -

Table 2-2. Requirements for installing the probe at the customer site

Component Recommendation or requirement

Hardware • CPU: Depends on site size. For a smaller site, use a processor that can effectively run Microsoft Windows XP or Microsoft Windows 2003*. For a larger site, you should consider using an Intel® Core™2 Duo processor or above.

• Motherboard chipset: Intel motherboard chipset

• Hard drive: 20 GB hard-disk or larger

• RAM: 128 MB RAM

• Network card: 100 Mb or 1 Gb

• CD ROM drive: recommended

OS and server software

• Windows server-class OS, which can be any one of these:

• Windows Small Business Server or R2 Standard/Premium

• Windows Small Business Server 2003

• Windows 2000 Server

• Windows 2003 or Windows 2003 Web Edition

• Windows XP – supported, but a server-class OS is recommended

Information • N-central administrator username (this is an email address) and password

• Windows probe activation key

• Public IP address of the N-central server or its URL

Special considerations

• Network firewall: must allow TCP sessions on ports 80, 443, and 22.

• Port 10000 is used to access the administrator console.

Integration Guide:


- 32 -

Network requirements You will need certain networking information in order to complete the configuration, installation, and integration procedures for Intel vPro processor technology and N-central. This information includes the networking parameters, values for general configuration settings, administrator passwords, and security requirements.

Communication ports The N-central service environment requires certain communication ports be open on the firewall router, as described in Table 2-3.

Table 2-3. Network communication requirements

Communication Requires: Used for Description

Port 443 HTTPS Recommended: For secure transmission of data between the agent/probe and the N-central server. This is used for standard SSL-based communication

Port 80

HTTP Used only if port 443 (HTTPS traffic) cannot be used. Used for transmission of data between the agent/probe and the N-central server

Port 22 SSH Recommended: Used for remote control functions

Inbound communication to N-central

Port 10000 TCP sessions Used to access the administrator console. Refer to your N-central documentation for information about how this port is used.

DHCP or static IP addressing Intel AMT-enabled PCs can be configured for dynamic (DHCP) or static IP addressing (refer to Table 2-4).

To allow you to choose the best networking mode for your SMB environment, hardware vendors configure the PCs with two MAC addresses:

• MAC address for the host (the PC’s OS) • Manageability MAC address for the Intel Management Engine

The IP address for Intel AMT (part of the Intel Management Engine) is specified during setup of Intel AMT. Setup is the process of establishing security credentials for Intel AMT. In SMB mode, setup means establishing the administrator password. In SMB mode, you typically do both setup and configuration of the Intel AMT networking and operational parameters at the same time.

Integration Guide:


- 33 -

Table 2-4. Network requirements to configure Intel AMT for DHCP or static IP addressing

Network element DHCP Static IP

DHCP service Required —

DNS service Required Optional

Dynamic IP (DHCP) environments

Typically, your PC manufacturer sets up Intel AMT to use dynamic IP addressing by default, via DHCP and DNS. In dynamic IP addressing, the same IP address is used for both the host (the computer’s OS) and Intel AMT.

Intel AMT can tell the difference between communication intended for Intel AMT and communication intended for the OS. To identify Intel AMT communication from OS communication, the firmware stack in Intel AMT looks at the communication port.

Keep this in mind when setting up Intel AMT in a DHCP environment:

• Intel AMT conforms its settings to the host (the PC’s OS) network settings.

Static IP environments

In static IP addressing, the PC has fixed network settings. When using static-IP addressing in enterprise environments, you can define different IP addresses for Intel AMT and the host (the PC’s OS). However, you should not use different IP addresses for PCs configured in SMB mode.

When using static-IP addressing for SMB mode, you should:

• Use the same IP address for Intel AMT and the host (the PC’s OS). • Use the same host name for Intel AMT and the PC’s OS name.

Note: In SMB mode, if you use different IP addresses for Intel AMT or the host, or if you use different host names for either Intel AMT or the host, your management application is likely to report two devices for the same PC. This typically occurs when the management application uses mainly IP addressing to discover or identify the PC.

Integration Guide:


- 34 -

Security requirements You will need certain security and configuration information in order to complete the configuration, installation, and integration procedures for Intel vPro processor technology and N-central. This information includes the values required for general configuration settings, administrator passwords, and security requirements.

Security considerations and best practices Intel vPro processor technology supports a range of security options from simplified security for SMB markets, to enterprise-grade security with certificate-based authentication and encryption.

In the SMB arena, security for Intel AMT-enabled PCs is established primarily through the administrator’s secret password.

For detailed explanations about Intel AMT security methodologies and technologies, refer to the security section of the Intel AMT deployment and reference guide (aimed at enterprise environments). A link to the manual is provided in this guide’s introduction section, in the discussion of related documentation.

Passwords There are three main administrator passwords required during deployment of PCs with Intel vPro processor technology in the N-central service environment. You might also require another password to access BIOS, depending on your PC’s manufacturer.

Make sure you have the correct administrator username and password available for each step of the deployment process. (Do not assume the default username or password; these can vary, depending on your PC manufacturer.) Table 2-5 lists the passwords used during deployment.

Integration Guide:


- 35 -

Table 2-5. Administrator passwords used during deployment

Administrator password Used for: Used to:

BIOS password

BIOS Used by an IT administrator to access BIOS. If your OEM requires a BIOS password, you will need the administrator username and password required to access the PC’s BIOS.

MEBx Used by the IT administrator to access the MEBx screens and set security, networking, and operational parameters for Intel AMT. The factory-default password is provided by the OEM and included with your PC’s documentation. You must change the default password the first time you enter MEBx.

Intel vPro credentials on the probe

Used by the IT administrator to set credentials for the probe that will access Intel AMT-enabled PCs.

Intel AMT password

Intel AMT Web console Used by the IT administrator to access Intel AMT remotely via the Intel AMT Web console.

N-central password

N-central Used by an IT administrator to log into N-central. This password is first set during installation of N-central, and can be reset via the user-management feature in N-central.

User’s management password

Access to customer’s N-central information

Each user has a unique password to access only their customer information, add probes and services to their site, and so on. The password is shared by all PCs at the site, and should be unique to this site. You create this password on each machine when you create the user’s management account on each PC.

Integration Guide:


- 36 -

Information needed for integration Make sure you have all information required before beginning a setup, installation, or configuration procedure. Table 2-6 explains where to find some of the information required for deployment of PCs in the N-central service environment.

Table 2-6. Information required during deployment

Information needed Obtain the information by:

Key or command sequence to access BIOS

Refer to the appendix about BIOS for examples of accessing BIOS for common PC manufacturers. Or, refer to the OEM’s information for your PC.

Computer name 1. Follow these steps to identify the computer name: 2. In Microsoft Windows*, right-click My Computer. 3. Select Properties from the pop-up menu. 4. Click the Computer Name tab. 5. Note the PC’s name in a handy location for use later during

the Intel AMT setup and configuration procedures.

TCP/IP settings Follow these steps to identify the TCP/IP settings:

1. In Microsoft Windows, open the Control Panel. 2. Open Network Connections. 3. Right-click the appropriate connection. 4. Select Properties > TCP/IP > Properties. 5. Note the TCP/IP settings in a handy location for use later

during the Intel AMT setup and configuration procedures.

Probe activation key You can identify the probe activation key via N-central by accessing Setup > Probes > System Communication (tab).

Personnel requirements Before deploying Intel AMT devices, make sure your IT personnel have adequate training and experience. Deployment personnel should be experienced in:

• System administration • Security methodologies and technologies, including secure sockets layer (SSL) • IT management tools and applications

Integration Guide:


- 37 -

Important considerations This discussion briefly explains special considerations and best practices for:

• Installing N-central • Installing probes • Integrating a PC with Intel AMT into N-central • Locating N-central from the customer site • Firewalls

Considerations for installing probes You should make sure that probes are properly configured to connect to the N-central server. Table 2-7 briefly describes key considerations to keep in mind when installing and setting up probes.

Table 2-7. Considerations for installing probes

Consideration Description

Install probe on low-end server or high-end PC

You should install the Windows probe on a low-end server (or high-end PC

Use correct N-central IP address

When installing the probe, make sure you specify the correct IP address for N-central. The IP address is entered in the server field in the nagent.conf file. You can access the nagent.conf file through C:/Program Files/N-able Technologies/Windows Software Probe/nagent.conf.

Activation key required

During probe installation, you must enter the probe activation key. You can access the activation key through the Setup > Probes > System Communication (tab) in N-central.

Verify communication between probe and N-central server

After installing the probe, make sure the probe can communicate with the N-central server. If communication is working properly, you should be able to see the version information for the probe when you log into N-central. If you do not see version information, refer to the troubleshooting section of this guide for help diagnosing and fixing the problem.

Unique security credentials for different PCs

You can establish different security credentials for Intel AMT-enabled PCs at the customer site, such as for an accountant’s PC versus general user PCs. To use different security credentials for a particular PC, you would create a separate probe for that PC in N-central. You would then download new probe software for the probe device at the customer site, and set up that probe with the unique security credentials for the target Intel AMT-enabled PC.

Integration Guide:


- 38 -

Considerations for using proxy servers Windows probes (and agents) can communicate through nonauthenticating proxy servers, clear-text authenticating proxy servers, and ISA 2000/2004 proxy servers. If your customer network includes a proxy server, you may need to configure the Windows probe software so that the probe can pass information through the proxy server to the N-central server.

Where to get details: Refer to the N-central guide titled “Configuring Your Customer Networks for N-central®” for detailed information about configuring a probe or agent to use a proxy string. You can access the guide through your partner login at the N-able Web site.

Considerations for integrating the PC with N-central Keep the considerations in Table 2-8 in mind while entering information into N-central about the remote desktop PC.

Table 2-8. Considerations for integrating PCs with Intel vPro processor technology into N-central


Using firewalls If a network firewall is used, this address is the external address of the firewall.

Enable the Intel AMT respond-to-ping feature

N-central requires that the Intel AMT respond-to-ping setting be enabled to allow out-of-band discovery.

Let N-central automatically assign Intel vPro service to the PC

Whenever possible, do not manually assign the Intel vPro service to the PC. Instead, allow N-central to automatically assign the service when the PC is discovered. If you manually assign the Intel vPro service to the PC, the power-control feature may not work properly.

Integration Guide:


- 39 -

Considerations for WMI services Misconfigured WMI services are some of the most common causes of problems in remotely management of a customer site. Table 2-9 briefly describes considerations for setting up and testing WMI services to make sure they are corrected configured.

Table 2-9. Considerations for WMI services


Set up WMI properly WMI synching errors and/or permission errors can prevent communication between the probe and the N-central server. Make sure you set up WMI services properly.

Test connectivity You can run the Microsoft wbemtest utility to test that WMI is configured properly on the PCs you are remotely managing, and that the correct user permissions are set on each PC. N-central also provides a script to help you identify synching problems and/or resync WMI services.

Refer to N-central documentation for information about setting up WMI services correctly. Refer to Microsoft documentation for information about using the wbemtest utility, which included with your Microsoft Windows OS.

Requirements and considerations for firewalls One of the two most common deployment problems relates to setting up firewalls. There are several important requirements and considerations you must meet or keep in mind when setting up communication ports and firewalls.

Working with Microsoft Windows firewall Table 2-10 briefly describes that consideration as well as other important requirements and considerations for setting up the PC’s communication ports and for remotely managing PCs in the Windows firewall environment.

Where to get additional details: Refer to the N-central guide titled “Configuring Your Customer Networks for N-central®” and your N-central installation and setup documentation for detailed information about configuring the exception for remote administration. You can access N-central documentation through your partner login at the N-able Web site.

Integration Guide:


- 40 -

Table 2-10. Important considerations for firewalls


Allow exception for remote administration

• By default, Windows firewall does not permit WMI queries. In order to monitor WMI-based services on a PC, you should allow the remote-administration exception in the firewall, in order to allow WMI queries to pass. Refer to your N-central documentation for details about reconfiguring PCs to allow for remote administration.

Network firewall • The probe must allow an outbound TCP session on port 10000.

• The N-central server must allow an inbound TCP session on port 10000.

Windows firewall • Windows XP SP2 default settings conflict with the correct operation of the probe. You must reconfigure the Microsoft personal firewall settings on each PC in the network in order to monitor those PCs by the probe while using Windows firewall.

• If you are reconfiguring the Microsoft personal firewall settings on each PC in the network for use with Windows firewall, there may be issues with group policies. For more information, refer to Microsoft Knowledge Base article 842933, and to your N-central documentation.

• You cannot configure Windows firewall settings or Security Center settings on a Windows XP SP2-based target computer that is in a Windows Small Business Server (SBS) 2002-based network. For more information, refer to Microsoft Knowledge Base article 872769. Microsoft has issued an update to resolve this issue. This update enables and configures the Windows Firewall in Windows XP Service Pack 2 on Windows Small Business Server 2003 networks.

For more information For product-specific information about N-central, refer to your N-able N-central documentation.

The introduction section of this guide provides links and descriptions of some N-central documentation that may be useful to you.

For information about Intel AMT, refer to the Intel AMT configuration guide for SMB environments.

Integration Guide:


- 41 -

Section 3: Integration

Introduction For a nonhosted solution, the overall deployment process follows three general steps:



3. Integrate the Intel AMT-enabled PC with N-central.



This section provides step-by-step procedures to perform the integration process in a service environment that is monitored by probes.

Required procedures This section explains how to integrate an Intel AMT-enabled PC with N-central. This section includes procedures that explain how to:

• Validate installation and connectivity for the probe and N-central server. • Make sure the Intel AMT respond-to-ping feature is enabled on the target PC. • Discover the PC using N-central. • Import the PC into the N-central device list. • Set up the Intel vPro service and device details for the PC. • Validate that the Intel AMT-enabled PC was integrated correctly into N-central.

Additional procedures that may be of use This section also includes additional procedures that may be of use during deployment:

• Remove an Intel AMT-enabled PC from the device list. • Add previously deployed PC to the device list as an Intel AMT-enabled PC.

Integration Guide:


- 42 -

• Assign the Intel vPro service to one Intel AMT-enabled PC at the customer site (as opposed to all Intel AMT-enabled PCs at the site).

• Create a custom vPro dashboard.

Intel AMT information Once the PC has been integrated into N-central, you can access information from Intel AMT, including the PC’s UUID and information about the motherboard manufacturer and model. This information is now available even if PC power is off, the OS is unresponsive, management agents are missing, hardware (such as a hard drive) has failed, the hard drive has been reimaged, or the OS has been rebuilt.

You can access Intel AMT capabilities via these N-central features:

• PC power feature: in the power-control tab, found by accessing All Devices View, then selecting the device which you want to remotely power up/down.

• UUID: in the device-information feature, found by selecting the target PC and accessing the Details tab.

• Hardware asset information: in the device-information feature, found by selecting the target PC and accessing the Details tab.

The rest of this section explains how to integrate the Intel AMT-enabled PC into N-central.

Overview of deployment Table 3-1 briefly describes the deployment processes.

Table 3-1. Deploying Intel AMT-enabled PCs and N-central

Step Process Description

Step 1 Configure Intel AMT on the user PC

Refer to the Intel AMT configuration guide for SMB environments for the procedure to configure security, networking and operational parameters for Intel AMT, via BIOS and MEBx, on the PC.

Step 2 Make sure respond to ping is enabled on the user PC

Included in this guide. N-central requires that you enable the Intel AMT respond-to-ping feature in order to perform out-of-band discovery.

Step 3 Validate connectivity between N-central components

Included in this guide.

Step 4 Verify network communication

Refer to your third-party and/or N-central documentation.

Integration Guide:


- 43 -

Table 3-1. Deploying Intel AMT-enabled PCs and N-central – continued

Step Process Description

Step 5 Log into N-central Included in this guide.

Step 6 Create customer site in N-central


Step 7 In N-central, set Intel AMT credentials for the probe

Included in this guide: This step registers the PC’s Intel AMT credentials (administrator username and password) so that N-central can access the Intel AMT capabilities.

Step 8 Install Windows probe at customer site

Refer to your N-central documentation.

Step 9 Verify communication between probe and N-central


Step 10 Discover new Intel AMT-enabled PCs


Step 11 Import the Intel AMT-enabled PCs into the N-central management domain

Included in this guide: After you discover new PCs on the network, you must import them into the device list so that N-central can remotely manage those PCs.

Step 12 Verify that the Intel vPro service is assigned to the PC

Included in this guide: This step selects the Intel vPro service as one of the monitoring options. This lets N-central access the Intel AMT out-of-band capabilities to allow monitoring and management even if PC power is off, the OS is unresponsive, hardware (such as a hard drive) has failed, or management agents are missing.

Step 13 Configure the PC with the Intel vPro service and other details

Included in this guide. This step explains how to specify other details for the PC.

Step 14 Select the probe for the Intel AMT power-control feature

Included in this guide: Make sure the appropriate probe is selected to allow N-central to use the Intel AMT out-of-band power-on, power-off, and power-reset features.

Step 15 Optional: Create a custom Intel vPro dashboard

Included in this guide: This optional step shows how to customize the overview screen or “dashboard” to display the status of Intel AMT-enabled PCs.

Integration Guide:


- 44 -

Figure 3-1. Deployment process

Once the PC is integrated into N-central, you can use other N-central features to customize the way N-central monitors the PC, displays information, categorizes alerts, and creates reports. For more information about N-central features, refer to your N-able documentation.

Figure 3-1 shows the general deployment process, including integration.

Integration Guide:


- 45 -

Step 1: Configure and validate Intel AMT via BIOS

You must set up security credentials and configure networking and operational parameters of Intel AMT before you can access Intel AMT capabilities. This is done on the PC, via BIOS and MEBx.

Configuring Intel AMT parameters on the PC is a separate process from “building” or “provisioning” the PC with the user OS and applications. You must configure the Intel AMT parameters via BIOS and MEBx – including enabling Intel AMT and setting security credentials for remote management – before N-central can access the powerful Intel AMT capabilities.


Refer to the Intel AMT configuration guide for SMB environments for step-by-step procedures that explain how to configure Intel AMT.

Step 2: Enable the Intel AMT respond-to-ping setting

PCs with Intel AMT can respond to an ICMP echo request anytime, even if PC power is off, the OS is unresponsive, or hardware (such as a hard drive) has failed. To allow this, you must enable the Intel AMT respond-to-ping feature before trying to integrate the PC into N-central.

Note: N-central requires that you enable the Intel AMT respond-to-ping feature on the target PC in order to allow out-of-band discovery.

Note: Make sure the firewall does not prevent the ping response. Refer to your N-able documentation for recommended settings for firewalls.

You can use the Intel AMT Web console to check the Intel AMT respond-to-ping setting on the target PC. Note that the Web console must be used from a PC other than the target PC. For example, you can use the Intel Web browser to access Intel AMT settings and information from the probe device, from another user PC at the customer site, from the remote management workstation, or from another remote PC.

Integration Guide:


- 46 -

Note: You must use the Web console from another PC to access the Intel AMT respond-to-ping feature on the target PC.

Follow these steps to verify or update the Intel AMT respond-to-ping setting on the target PC:

1. Determine the IP address or host (OS) name of the target PC.

2. On the remote PC, open a Web browser.

3. In the URL field, enter the target PC’s name or IP address, and the port number (refer to Figure 3-2). • If the network can resolve the target PC’s host name to a TCP/IP address, enter

the host name in the URL field, like this: http://host_name:16992 For example: http://TestSystem:16992

• If a static TCP/IP address is defined for the target PC, enter the PC’s IP address in the URL field, like this: http://ip_address:16992 For example: http://192.168.1.7:16992

4. Select the logon option. The system will then display a login dialog for the Intel AMT Web console.

5. When prompted, login using the Intel AMT administrator username and password. The Intel AMT Web console is then opened. The screen should show the current status of the target PC.

6. In the left navigation bar, select Network Settings, as shown in Figure 3-3.

7. Make sure the Intel AMT respond-to-ping setting is checked (enabled).

8. Click Submit.

You are now ready to begin integrating the PC into N-central.

Figure 3-2. Entry screen for the Intel AMT Web console

Integration Guide:


- 47 -

Figure 3-3. Network settings screen accessed via the Intel AMT Web

console

Step 3: Validate connectivity between N-central components

You should validate connectivity between N-central components before installing the Windows probe or integrating Intel AMT-enabled PCs into N-central.

You can validate communication between the probe device, probe, and the N-central server in several ways, as described briefly in Table 3-2. For more information about important considerations, recommendations, and validation procedures regarding network and solution connectivity, refer to your N-central documentation.

Integration Guide:


- 48 -

Table 3-2. Validating communication between N-central components

Validation procedure Description

Verify remote-management fields in N-central server

You can use the administrator’s network setup screen to check the remote management settings for N-central. In the network settings screen, the public IP address is the public Internet IP address the probe uses to access the N-central server for remote management.

Test connectivity between N-central server and probe

When you first install the probe, you can test connectivity from the N-central server to the probe by seeing if the probe version information is displayed in N-central. Follow these steps:

1. Select customer site.

2. Access Setup > Probes.

3. In the probe list, select the probe to check.

4. Select the System Communication tab.

If the probe version information is displayed (near the center of the screen), connectivity is established between the probe and the N-central server.

Test connectivity between probe device and N-central server

You can test connectivity between the probe device and the N-central server using a Web browser. Follow these steps:

1. On the probe machine, open a Web browser.

2. Using a secure port (such as HTTPS on port 10000), point to the N-central URL. For example, enter https://n-central.dyndns.org/10000

If the N-central login page is displayed, network connectivity between the probe device and N-central is verified.

If you have trouble with validation... If you have trouble verifying the installation of N-central, the most likely problem is:

• The network firewall is not correctly set up. • You have not correctly and completely reconfigured each PC to allow the exception

for remote administration while using Windows firewall. • WMI services are not configured correctly on user PCs or on the probe device. • You forgot to configure Intel AMT in SMB mode.

First make sure you have set up all networking and security parameters correctly, including firewalls and remote-communication parameters.

Then use the troubleshooting section of this guide or from your N-central documentation to help identify and resolve apparent setup, installation, or configuration problems.

Integration Guide:


- 49 -

Step 4: Verify network communication When setting up networking, firewalls, and WMI, pay particular attention to the important considerations in the deployment requirements section of this guide. Keep in mind that the most common problems with deployment of N-central are caused by problems with the configuration of Windows firewalls and WMI.

Note: Most deployment and connectivity problems occur because Microsoft Windows firewall and/or WMI are not set up correctly for your SMB environment. Make sure you follow the important configuration and installation requirements, recommendations, and considerations for networking, firewalls, and other elements of the SMB environment, as described in detail your N-able documentation. Considerations are also described briefly in the deployment requirements section of this guide.

Once you have installed the general software components, make sure you validate the network infrastructure. Table 3-3 lists ways to validate firewall and WMI configurations. Figure 3-4 shows WMI status indicators in the dashboard for a customer site.

Table 3-3. Validating Windows firewall and WMI configuration

Validation procedure Description

Validate that Windows firewall is configured properly

The Windows firewall should be configured on each PC to allow the exception for remote administration. You can verify the Windows firewall settings via the control panel on the target PC. Refer to the N-central guide called “Configuring Your Customer Networks for N-central®“ for detailed information about reconfiguring PCs to allow the exception.

Validate that WMI is configured properly

You can run the Microsoft wbemtest utility to test that WMI is configured properly on the PCs you are remotely managing, and that the correct user permissions are set on each PC. Refer to Microsoft documentation for information about using the wbemtest utility, which included with your Microsoft Windows OS.

Integration Guide:


- 50 -

Figure 3-4. Verifying that WMI is configured correctly. This figure shows

PCs with various states of network connectivity.

Step 5: Log into N-central Once you have installed and validated N-central, log in:

1. Launch N-central. N-central will display the login screen (see Figure 3-5).

2. When prompted, enter your administrator username and password.

3. Click Sign In.

4. If prompted, answer (yes/no) whether you are available to respond to requests for remote desktop support.

The system should then display the NOC View. This is a list of PCs at the various sites which are not in a normal state. Figure 3-6 shows a sample NOC View.

Once you have logged in, you are ready to set up the probe to monitor the site with Intel AMT-enabled PCs.

Integration Guide:


- 51 -

Figure 3-5. Login screen in N-central

Figure 3-6. The NOC overview screen

Integration Guide:


- 52 -

Step 6: Create the customer site Before you can integrate an Intel AMT-enabled PC into N-central, you must create the customer site. You can also create user accounts (an optional step) at this time.

Create the customer site If you have not already done so, create the customer site by following these steps:

1. Using the left navigation bar, access your service organization site.

2. Access Setup > Add Customer. N-central then displays the Customers screen (see Figure 3-7).

3. Click on Add Customer. N-central then displays the customer information screen (see Figure 3-8).

4. Fill in the fields as appropriate for your customer. Make sure all required fields are filled in. Required fields are indicated with an asterisk.

5. When you have filled in the information you want for this customer, click Save and Finish. N-central then displays a screen where you enter the limits for the site (see Figure 3-9).

6. Enter the number of accounts, devices, probes, and so on, appropriate for this customer site.

7. When done setting limits, click Finish.

8. If prompted, confirm that you want to save and finish, or that you do or don’t want to add user accounts at this time.

You are now ready to add user accounts (an optional step) or set Intel AMT credentials for the probe.

Figure 3-7. Customers screen

Integration Guide:


- 53 -

Figure 3-8. Add customer information

Figure 3-9. Enter limits appropriate for this site

Integration Guide:


- 54 -

Optional: Set up user account You can now either set up a read-only user account (for a customer who will be monitoring their services through N-central) or skip to configuring the probe with the Intel AMT security credentials.

It is typical to create the user account(s) after you have created the customer site. However, you do not have to create user accounts in order to integrate an Intel AMT-enabled PC into N-central.

Refer to your N-central documentation for instructions on creating user accounts.

Step 7: In N-central, set Intel AMT credentials for the probe

The N-able probe can discover Intel AMT-enabled PCs anytime, even if PC power is off. As long as the PC is connected to a power source and plugged into the network, the probe can discover the PC.

Before you install the probe at the customer site, you must set up the N-able probe in N-central, including setting the Intel AMT credentials on the probe.

Note: For the N-able probe to identify the PC as an Intel AMT-enabled PC, Intel AMT must be enabled and the Intel AMT security, networking, and operational parameters must be configured correctly on the PC via BIOS and MEBx.

Note: The security credentials set in this procedure must match the credentials (administrator username and password) set in the Intel AMT parameters on the PC. You set these credentials on the PC when you configure Intel AMT via BIOS and MEBx.

Follow these steps to set up the Intel AMT security credentials in N-central for the probe that will be used to manage the Intel AMT-enabled PCs.

1. Select the customer site. N-central then displays the overview screen for that site, such as the one shown in Figure 3-10.

2. Access Setup > Probes to display the probes screen (see Figure 3-11).

3. Open the edit-probe screen so that you can enter Intel AMT credentials: • If you are editing an existing probe (see Figure 3-12), in the column that lists

the available probes, click the name of the probe you want to edit. • If you are creating a new probe, click Add Probe.

4. If necessary, enter the probe name, type, network routable address, and description.

5. If necessary specify the auto update parameter.

Integration Guide:


- 55 -

6. Enter the Intel AMT administrator username in the User Name field. This is the same username you used to access the Intel AMT feature in BIOS/MEBx on the target PC during configuration of Intel AMT.

7. Enter the Intel AMT administrator password in the Password field. This must be the same password used to log into the Intel AMT feature in BIOS/MEBx on the target PC during configuration of Intel AMT.

8. Enter the administrator password again in the Confirm Password field to confirm the credentials.

9. Save and finish: • If you are editing an existing probe, Click OK. • If you have been creating a new probe, click Save and Continue.

N-central then updates the probe (or adds the new probe to the probe list) and displays an updated probes screen.

Figure 3-10. Overview screen for the customer site

Integration Guide:


- 56 -

Figure 3-11. Probes screen for the customer site

Figure 3-12. Setting Intel AMT credentials on the probe

Integration Guide:


- 57 -

Step 8: Install the probe at the customer site Once you have set up probe parameters in N-central, you are ready to install the probe at the customer site.

The deployment requirements section of this guide explains considerations for installing the probe, including these two key considerations:

• Probe activation key is required: You need the probe activation key, as established in N-central, to install and activate the probe on the probe device. You can access this key through the Setup > Probes > System Communication (tab) in N-central.

Refer to your N-central documentation for details and the actual procedure for installing a probe at the customer site.

Once you have installed the probe at the customer site, you should verify that it is communicating with N-central, as described next.

Step 9: Verify communication between probe and N-central server

To verify that the probe is communicating with the N-central server, simply check that the probe version information is displayed in N-central. Follow these steps:

1. Select the customer site. N-central then displays the overview screen for that site.

2. Access Setup > Probes. N-central then displays the probes listing for the customer site. The list of probes should include the probe you just installed at that customer site.

3. Select the name of the probe for which you will verify communications. N-central will then display a screen for editing communication parameters for the probe.


You should see the current probe version number near the middle of the screen (see Figure 3-13).

• If you see the probe’s version information, communication is established between the probe and the N-central server.

• If you do not see the version info, the probe is not communicating with the N-central server. In this case, refer to your N-central documentation to troubleshoot your setup of the N-central server and the probe.

Integration Guide:


- 58 -

Figure 3-13. Verify that the probe is communicating with N-central

Step 10: Discover the PC After Intel AMT is configured on the PC and credentials set on the Windows probe, you are ready to use N-central to scan the network for the new Intel AMT-enabled PCs. This will validate communication between N-central and the Intel AMT-enabled PC.

Remember that, before you can discover and integrate the PC into N-central, you must first configure the PC for remote management. This is a manual process performed on the PC, via BIOS and MEBx features.


Considerations for scanning the network Table 3-4 lists considerations for scanning the network:

Integration Guide:


- 59 -

Table 3-4. Special considerations for scanning the network


Make sure PCs can respond-to ping

Intel AMT-enabled PCs can respond to ping even if powered off or when their OS is unresponsive. Make sure the Intel AMT respond-to-ping option is enabled so that Intel AMT can reply to an out-of-band discovery by N-central anytime.

Scan can take 3 to 10 minutes or longer

N-central scans the network using a variety of methods to ensure accurate discovery. Because of this, scanning can take 3 to 10 minutes or longer, depending on the size of your network. N-central will change the task status from Pending to Completed when the scan is done.

Discover Intel AMT-enabled PCs You will need the IP address for each PC in order to discover the PCs the first time. To discover the Intel AMT-enabled PCs, follow these steps:

1. In the left navigation bar, select the customer site and All Devices view. N-central then displays the list of devices currently available for that site (see Figure 3-14).

2. Access Setup > Asset Management > Auto Discovery. N-central then displays a screen that lists any discovery tasks that are currently available (see Figure 3-15).

3. Click Create Auto Discovery Task. N-central then displays the screen for creating discovery tasks and importing devices (see Figure 3-16).

4. Enter a task name appropriate for discovering the PC. For example, enter “Discover new Intel AMT PCs.”

5. Select the probe to use for discovery. For example, select Scan Now.

6. Click the appropriate task button. • If this is a new task, click New Task. • If you are modifying the discovery parameters for an existing task, click

Update Task.

Because you told the probe to scan now, N-central executes the discovery task.

Note: Depending on the size of the network, it can take 10 minutes or longer to complete the scan and discover new PCs.

When N-central finishes the scan, N-central updates the status field to “Completed.” You are now ready to import the list of discovered devices into the N-central management list.

Note: N-central does not automatically show you a list of discovered devices when the scan is complete. You must import the list of discovered devices into N-central in order to view the list of new PCs found at the customer site.

Integration Guide:


- 60 -

Figure 3-14. List of devices available for the customer site and their

status

Figure 3-15. Discovery screen for creating discovery tasks and

importing devices

Integration Guide:


- 61 -

Figure 3-16. Creating a discovery task to discover new Intel AMT-

enabled PCs

If you have trouble discovering the PC If you have trouble establishing remote communications to the PC, follow these steps first:

1. Check the system requirements and special considerations listed in this section. Make sure your equipment, OSs, network, and other elements are appropriate for your environment.

2. Check the configuration or installation settings listed in the solution architecture section and in the three deployment sections (configuring Intel AMT, installing N-central, and integrating the PC with N-central). Make sure you have set up networking and security properly for the PC, servers, and environment.

3. Refer to the troubleshooting section.

Integration Guide:


- 62 -

Once you have discovered the PC with Intel vPro processor technology, you are ready to log into N-central and integrate the PC with N-central.

Step 11: Import the newly discovered PC This step explains how to.

• Import the Intel AMT-enabled PC into the device list • Verify that the PC was imported into the management domain and is now recognized

as an Intel AMT-enabled PC

This discussion also includes additional procedures that may be of use to you during deployment:

• Add previously deployed PC to the device list as an Intel AMT-enabled PC • Remove an Intel AMT-enabled PC from the device list

Import the PC into the device list Follow these steps to import the newly discovered Intel AMT-enabled PCs into N-central:

1. Select the customer site where you have installed the new PC.

2. Access Setup > Asset Management > Access Auto Discovery.

3. Access Create Autodiscovery Task > Scan.

4. Click Import Discovered Assets. N-central then displays the list of newly discovered PCs for the customer site (see Figure 3-17).

5. In the Devices Found area, select the target PC you want to add to the device list.

6. Click > to add the PC’s name to the list of devices that will be imported.

Note: Because you are integrating a desktop PC, do not check the Monitor Local Services checkbox.

7. Click Import Devices. N-central then imports the PCs and displays the list of probes to assign to the PCs (see Figure 3-18).

8. Select the probe to use to monitor the PC.

9. In the Services area, select the services to assign to the PC.

10. Click Finish.

N-central then assigns the probe and returns to the device list. You should see the discovered PC in the device list.

Integration Guide:


- 63 -

Figure 3-17. List of newly discovered devices available to be imported

Figure 3-18. Select the probe to use for monitoring the PC(s)

Integration Guide:


- 64 -

Verify that the PC was imported into the management domain Follow these steps to make sure the Intel AMT-enabled PC was imported into the management domain:

1. Select the customer site and All Devices View. N-central should show the new Intel AMT-enabled PC in the device list (see Figure 3-19).

2. Click on the name of the Intel AMT-enabled PC. N-central will then display the N-central features for that PC, including the Intel AMT power-control tab (see Figure 3-20).

Figure 3-19. Verify that the Intel AMT-enabled PC was imported

Integration Guide:


- 65 -

Figure 3-20. Access device information for the Intel AMT-enabled PC

Add previously deployed PC to the device list as an Intel AMT-enabled PC In some cases, the PC is in use before Intel AMT is configured for remote management. For these PCs, the administrator password for Intel AMT might be established in BIOS/MEBx. However, Intel AMT is not usually configured into its operational mode before the Intel AMT capabilities are expected to be in use. If the capabilities are not configured, the PC with Intel vPro processor technology shows up in N-central as a typical PC. N-central cannot yet remotely access the Intel AMT capabilities for this PC.

When you want to make the PC’s Intel AMT capabilities available to N-central, you must, 1) configure Intel AMT, then 2) assign the Intel vPro service to the PC in N-central, and 3) rediscover the PC as an Intel AMT-enabled PC.

Step A: Verify Intel AMT configuration on the PC

1. Make sure PC power is on.

2. Make sure the Intel AMT parameters on the PC have been configured in SMB mode via BIOS and MEBx. Refer to the Intel AMT configuration guide for SMB environments for this procedure.

Integration Guide:


- 66 -

3. Verify that the networking and operational settings of Intel AMT are appropriate for your SMB environment. You can use the Intel AMT Web console to validate Intel AMT parameters, as described in the Intel AMT configuration guide for SMB environments, or in the troubleshooting section of this guide.

Once you have verified that Intel AMT is configured correctly for your SMB environment, you should verify that the PC is available to N-central, as described next.

Step B: Verify the PC is available to N-central

This step shows how to verify that the PC is accessible in the N-central management domain:

4. Select the customer site and All Devices View. • Make sure you can see the target PC in the list of devices available at the

customer site. • Make sure the PC power/management status is on (green).

If the PC is powered on, you are ready to add the PC to the Intel AMT device list.

Step C: Assign the Intel vPro service to the PC

This procedure

5. If necessary, select the customer site.

6. Access Setup > Devices.

7. Select the target PC. N-central then displays the edit-device screen.

8. In the monitoring options area, check the checkbox to enable Intel vPro as a monitoring option.

Caution: If you manually assign the Intel vPro service to the PC in N-central, the power-control feature in N-central may not work properly. Refer to the troubleshooting section for steps to resolve this potential issue.

9. Click OK. N-central updates the PC’s information and returns the display to the device list.

10. Check the checkbox next to the name of the target PC.

11. Click Add Services.

12. When prompted, select the probe to be used to monitor the PC. N-central then displays the add-services screen.

13. If necessary, click OK.

14. In the probe service settings screen, make sure the instance of Intel vPro status service is set to 1.

15. If necessary, click OK.

N-central should add the Intel vPro service to the device. You are now ready to rediscover the PC, as described in step D.

Integration Guide:


- 67 -

Step D: Rediscover the PC as an Intel AMT-enabled PC

You can wait N-central to rediscover the PC automatically in the next polling cycle, or you can scan immediately to update N-central now. The steps here for scanning now are the same as the typical discovery procedure described earlier in this guide.



18. In the task screen, select Scan Now, select the probe for the site, enter the IP range to scan, and select a recipient to be notified when the scan completes.

19. Choose Scan Now.

When the scan is complete, N-central will change the task status from “Pending” to “Completed.”

Note: Depending on the size of the network, it can take 3 to 10 minutes or longer to complete the scan and discover “new” PCs.

Step E: Import the Intel AMT-enabled PC into the device list

This procedure is the same as the typical procedure for importing PCs.


21. Access Setup > Asset Management > Access Auto Discovery

22. Access Create Task > Scan > Import Discovered Assets. N-central displays the list of PCs recently discovered for the customer site.



25. Click Import Devices.

N-central then imports the PC and returns to the device list. You should see the rediscovered PC in the device list.

Step F: Verify that the PC is recognized as an Intel AMT-enabled PC:

Follow these steps to make sure the PC is now recognized as an Intel AMT-enabled PC:


27. Access Status > Devices.

28. Select the target PC.

N-central should display a screen with a list of tabs for the PC, including the Intel AMT power-control tab. If you see the power-control tab, the PC has been recognized as an Intel AMT-enabled PC.

Integration Guide:


- 68 -

Remove an Intel AMT-enabled PC from the device list Removing an Intel AMT-enabled PC from the device list makes the PC inaccessible from N-central. This does not disable the Intel AMT capabilities on the PC. It only removes the Intel AMT-enabled PC from the N-central management domain.

Caution: When you delete the PC from the device list, you are removing the PC from the management domain. N-central will erase all historical data collected for this PC when the PC is deleted from the device list. The PC will be considered a new PC the next time it is discovered.

Caution: Removing a device from the Intel AMT device list in N-central does not disable Intel AMT in BIOS and MEBx. It only disables the ability of N-central to recognize and remotely manage the PC as an Intel AMT-enabled PC. Security credentials, networking, and operational parameters for Intel AMT remain enabled on the PC. Refer to your Intel AMT configuration guide for SMB environments for information about erasing Intel AMT security, networking, and operational parameters so that the Intel AMT capabilities can no longer be remotely accessed.

To remove an Intel AMT-enabled PC from the device list, follow these steps:

1. Select the customer site and All Devices View.

2. Access Setup > Devices. N-central displays the devices screen.

3. Click Delete Device(s).

4. If prompted, confirm that you want to remove the specified PC from the management domain.

The selected PC is then removed from the device list.

You should access the devices view for the site to verify that the PC is no longer in the management domain.

Integration Guide:


- 69 -

Step 12. Verify that the Intel vPro service is assigned to the PC

The Intel vPro service is usually assigned to an Intel AMT-enabled PC by default. The service is assigned to the PC during discovery by N-central.

In some cases, you might want to assign the Intel vPro service manually to the PC. The next step (configure the PC) explains how to do this. However, to help make sure the Intel AMT power-control feature works properly, you should allow N-central to assign the service automatically.

Caution: Whenever possible, do not manually assign the Intel vPro service to the PC. Instead, allow N-central to automatically assign the service when the PC is discovered. If you manually assign the Intel vPro service to the PC, the power-control feature may not work properly.

To verify that the Intel vPro service is assigned to the Intel AMT-enabled PC, follow these steps:


2. Select the target PC to which you want to assign the Intel vPro service. N-central displays a screen with several tabs for functions specific to this PC.

3. If necessary, select the Details tab. N-central then displays the device-settings screen (see Figure 3-21). • The Intel vPro service should already be checked. N-central automatically

assigns this service to any Intel AMT-enabled PCs that are found during discovery.

4. Select the Services tab to display the list of services currently assigned to the PC. The Intel vPro service should be listed (see Figure 3-22).

5. Click on the name of the Intel vPro service. N-central then displays details for the service (see Figure 3-23).

6. Make sure the network availability status for Intel Management Engine is green (available).

The status screen also shows the power status for the PC.

Once you have verified that the Intel vPro service is assigned to the PC and available, you are ready to configure each PC with device settings, remote manager settings, downtime settings, and other parameters, as described next.

Integration Guide:


- 70 -

Figure 3-21. Device details, with Intel vPro service automatically

checked

Integration Guide:


- 71 -

Figure 3-22. Services screen with Intel vPro service checked

Figure 3-23. Verifying the status of the Intel vPro service.

Integration Guide:


- 72 -

Step 13: Configure each PC In this step, you set up device details for the Intel AMT-enabled PC. This discussion explains two options for configuring PCs:

• Minimum configuration procedure for an Intel AMT-enabled PC • General configuration procedure

The two options do not describe all the fields you can set, list all restrictions or considerations (for example, the unscheduled downtime feature works only if an agent is installed on the PC), or provide full details. Refer to your N-central documentation for detailed instructions on configuring PCs.

Note: You should be familiar with N-central features and the N-central procedure for configuring PCs before following these steps.

Option 1: Minimum configuration procedure for an Intel AMT-enabled PC Follow these steps to set the minimum required fields for an Intel AMT-enabled PC:

1. Make sure the PC is powered on.

2. If necessary, access Setup > Devices to display the devices screen.

3. If necessary, click Add Device to display the screen where you can enter device details, as shown later, in Figure 3-24.

4. Enter the name for the target PC.

Note: You should add “vPro” or something similar to the PC’s name to help you identify this as a PC with Intel vPro processor technology.

5. Select the class to which the PC belongs. This setting tells N-central what kinds of monitoring options will be available for the target PC.

6. Verify that the monitoring option called Intel vPro Enabled is checked.


7. In the description field, enter other information that would be useful when remotely managing the PC.

8. Click OK. N-central then saves the device details and returns the display to the device list.

Integration Guide:


- 73 -

N-central should display a confirmation message telling you that the PC was successfully added to the management domain.

The confirmation screen will give you the option of adding additional services to the PC. Answer yes or no, as appropriate.

You are now ready to select the probe to use for the Intel AMT power-control feature.

Option 2: General configuration procedure This procedure will briefly guide you through the steps to set up common device parameters for an Intel AMT-enabled PC:



3. If necessary, click Add Device to display the screen where you can enter device details, as shown in Figure 3-24.




6. In the Network Address field, enter the IP address or FQDN for the target PC. • For static IP networking, enter the IP address for the PC. This must be the

same IP address as the address used for both Intel AMT and the host (the PC’s OS).

• For DHCP networking, enter the FQDN.

7. Enter the remote access URI (uniform resource identifier), as described in your N-central documentation. • If the target PC is located at the customer site (a site other than the MSP

service center), enter the URL that can be used to access the target PC through the central server.

• If the target PC is not located at the customer site, leave this field blank.

8. Select the OS installed on the target PC. • If you do not know which OS is on the target PC, or if the OS is not included in

the list, select “Other Operating System.”

Integration Guide:


- 74 -

Figure 3-24. Device details screen

9. Verify that the monitoring option called Intel vPro Enabled is checked. This service lets you access the N-central power-control tab to remotely power-on, power-off, or power-reset the target PC. If necessary, check this service.


Note: Refer to your N-central documentation for restrictions, considerations, and cautions about monitors.

Integration Guide:


- 75 -

10. Select other appropriate monitoring options as described in your N-central documentation.

11. Select the appropriate dates for warranty, lease expiry, and PC replacement, as appropriate for the target PC.


13. Select or disable a downtime: • Off, which disables scheduled downtimes. • One Time Only, which schedules a downtime to occur only once. • Recurring, which schedules a recurring downtime.

If you selected a downtime, you must also select the times at which you would like the downtime to occur

14. If appropriate, select the start time and end time for the downtime.

15. Select the action to take when unscheduled downtime occurs.

Note: If the agent-status service fails, the central server will disconnect all other services except for Intel vPro status and a few other services.

16. Click Save and Continue.

N-central then displays a screen appropriate for the monitoring options you chose for the PC.

Note: If you have selected an option to install an agent on the PC, you will be prompted to continue with the install-agent process, as described in your N-central documentation.

17. Select the probe to use at the customer site.

18. Click Save and Continue. N-central then displays the screen where you can enter information about the interface (see Figure 3-25 on the next page).

19. Enter the community string for the target PC.

20. Enter the port number (for communications with the PC) used by N-central to monitor the target PC.

21. Enter other details as appropriate and as described in your N-central documentation.

22. Click Finish.

N-central should display a confirmation message telling you that the PC was successfully added to the management domain.

The confirmation screen will give you the option of adding additional services to the PC. Answer yes or no, as appropriate.

Integration Guide:


- 76 -

Figure 3-25. Interface information for discovery

You are now ready to select the probe to use for the Intel AMT power-control feature, as described next.

Integration Guide:


- 77 -

Step 14: Select the probe for power control This procedure explains how to select the probe for the Intel AMT power-control feature. Follow these steps:

1. If necessary, select the customer site and All Devices View. N-central then displays the list of devices available for remote management at the customer site.

2. In the device list, select the name of the PC. N-central then displays the edit-devices screen.

3. Select the power-control tab. N-central then displays the power-control features (see Figure 3-26).

4. Select the probe to use for the Intel AMT power-control feature.

5. Click OK.

N-central then saves your changes and returns the display to the device list.

The Intel AMT-enabled PC is now integrated into N-central. You can now customize N-central for Intel AMT-enabled PCs, or verify integration, as described near the end of this section.

Figure 3-26. Specifying the probe for the Intel AMT power-control

feature

Integration Guide:


- 78 -

Step 15. Create a custom Intel vPro dashboard

A dashboard shows how services are grouped and displayed services, using folders that you create in N-central. Because the Intel vPro service offers unique capabilities, such as remote power-on, you might want to create a custom dashboard to show the status of the Intel vPro service. Follow these steps:

1. Select the customer site.

2. Access Setup > Dashboards, to display the list of dashboards currently available for the site (see Figure 3-27).

3. Click Add Dashboard, to display the dashboard-details screen (see Figure 3-28).

4. Enter a name for the custom dashboard, such as “Managed vPros.“

5. Select the access permissions for the dashboard (public or private).

6. Select any relevant folders.

7. Select the Intel vPro Status service to add to the dashboard.

8. Select other monitoring services to add to the dashboard as needed.

9. Click Finish. N-central creates the dashboard and updates the left navigation bar to add the new dashboard to the customer site.

10. Access the name of the dashboard to verify that you have access to it.

Figure 3-27. List of dashboards currently available for the customer

site.

Integration Guide:


- 79 -

Figure 3-28. Adding a dashboard

Figure 3-29 shows a custom dashboard called “Managed vPros” with the Intel vPro status listed as one of the services. Figure 3-30 shows the expanded dashboard, with the Intel vPro service and other services listed for each PC.

Integration Guide:


- 80 -

Figure 3-29. Custom dashboard that includes status of the Intel vPro

service

Figure 3-30. Status of individual Intel AMT-enabled PCs

Integration Guide:


- 81 -

Verify integration To verify that you have successfully integrated the Intel AMT-enabled PC(s) into N-central, you should verify the settings listed in Table 3-5.

Table 3-5. Settings that help verify integration

Location You should see:

In the device list for the customer site

• The new Intel AMT-enabled PC should be included in the device list.

In the device information screen for the PC

• The power-control tab should be available.

In the monitoring options for the PC

• The Intel vPro service should be checked. This service should have been automatically enabled when N-central discovered the Intel AMT-enabled PC

In the device details screen for the PC

• The UUID and motherboard information should be included in the asset list. This information is pulled from the dedicated, protected Intel AMT memory, which is available regardless of PC power state.

In the services tab for the PC • The Intel vPro service should be included in the list of available services.

In the status tab for the Intel vPro service

• Network availability for the Intel Management Engine should be green (available).

• Power status for the PC should be green (powered up).

In the service details tab for the Intel vPro service

• Monitoring should be enabled.

To verify integration, follow these steps:

1. Select the customer site and All Devices View. N-central should display the device list for the site. • The list should include the new Intel AMT-enabled PC (see Figure 3-31).

2. Select the target PC to display a screen with a list of tabs for the PC. • The Intel AMT power-control tab should be available.

3. If necessary, select the services tab to display the list of available services for the PC. • The Intel vPro service should be included in the list of available services (see

Figure 3-32).

4. Click on the Intel vPro service to display information about the service.

Integration Guide:


- 82 -

5. If necessary, select the Status tab (Figure 3-33). • Network availability should be green (up). This indicates that the Intel

management Engine is available. • Power status for the PC should be green (powered up).

6. Click on the Service Details tab to show the details for the Intel vPro service. • Make sure that monitoring is enabled (see Figure 3-34).

7. Select the power-control tab. N-central should display the power-control screen (Figure 3-35).

8. Select the Details tab to display a screen with details about the PC. • In the monitoring options area, the Intel vPro service checkbox should be

checked (see Figure 3-36). This service should have been enabled when you set up the PC parameters in N-central.


• In the asset information area, the UUID and motherboard information for the PC should be displayed (see Figure 3-37).

If you have verified the elements in the procedure, you have verified integration of the PC into N-central, as well as access to the Intel AMT capabilities.

Figure 3-31. Verify that the PC was imported

Integration Guide:


- 83 -

Figure 3-32. Verify that Intel vPro service is available

Figure 3-33. Verify the status of the Intel vPro service

Integration Guide:


- 84 -

Figure 3-34. Verify that monitoring is enabled

Figure 3-35. Verify access to the Intel AMT power-control feature

Integration Guide:


- 85 -

Figure 3-36. Verify that the Intel vPro service is checked as a

monitoring option

Integration Guide:


- 86 -

Figure 3-37. Verify that the UUID and motherboard information is

displayed

If you have trouble with integration If you have trouble integrating the PC into N-central, the problem is typically with the Windows firewall or WMI settings.

First make sure all elements of your network meet the deployment requirements. Pay special attention to the network and firewall considerations described earlier in this guide.

Refer to the troubleshooting section of this guide for additional information that can help you identify and resolve configuration, installation, or integration problems for PCs, networking, and N-central.

For more information Once you have configured Intel AMT, installed the N-central components, and integrated the PC into N-central, you are ready to begin using the powerful new capabilities of Intel AMT. The use-case section of this guide provides brief procedures to help you get started using the new remote management and security capabilities.

Integration Guide:


- 87 -

Section 4: Using Intel® AMT capabilities

Introduction Intel AMT delivers new hardware-based capabilities for remotely monitoring and managing PCs — even if the PC is powered off, the OS is unresponsive, management agents are missing, or hardware (such as a hard drive) has failed. As long as the PC is connected to a power source and plugged into the network, Intel AMT is available to authorized MSP technicians.

The hardware-base capabilities include secure remote power-on/off, secure remote boot/redirected boot, secure console redirection, system isolation and defense, agent presence checking, access to BIOS configuration settings, and access to detailed hardware asset information for CPUs, memory, hard disks, CD/DVD drives, and so on.

N-central is taking advantage of the Intel AMT capabilities for remote power on/off, access to the PC’s universal unique identifier (UUID), and access to manufacturer and model information for the motherboard. The UUID and hardware asset information is stored in dedicated, protected Intel AMT memory that is not on the hard drive.

Some of the most common tasks for which technicians will use the Intel AMT capabilities via N-central include:

• Security updates. Remotely power up a PC to perform a security update or critical patch.

• Application upgrades. Remotely power up a PC off-hours to update or upgrade an application.

• Ready PCs for a work shift. Remotely power up PCs before a work shift so that the systems are ready when users arrive for the day.

• Discovery. Accurately discover PCs with Intel vPro processor technology anytime. • Identify the UUID of a PC. Access device details to see the UUID for the

PC anytime.

Note: The procedures in this section assume that you have already logged into N-central.


Integration Guide:


- 88 -

Discover an Intel AMT-enabled PC PCs with Intel AMT include a UUID stored in dedicated tamper-resistant memory that is not on the hard drive. Because the UUID is stored in dedicated memory, it is available to authorized IT technicians even if PC power is off, the PC is moved, the OS is rebuilt, software has been upgraded, or the hardware or software configuration has changed.

N-central can now poll a PC with Intel AMT and accurately identify the system anytime. As long as the PC is connected to power and plugged into the network, N-central can discover the system.

Common uses of persistent UUID Table 4-1 lists some of the common uses for access to the UUID.

Table 4-1. Common uses of access to persistent UUID

Use case Access to “always available” event log allows you to:

Discovery • Discover PCs even if PC power is off or the OS is unresponsive.

• Accurately identify PCs even after the OS is rebuilt, software is updated, the OS is migrated, the hard disk has been reimaged, the hardware configuration has changed, and so on.

Inventory • Eliminate virtually all deskside visits traditionally required to inventory PC assets.

Security • Identify authorized vs. unauthorized devices on the network.

Discover Intel AMT-enabled PCs To discover Intel AMT-enabled PCs at a particular site, follow these steps:

1. Select the customer site. N-central should display a list of devices available at the site (see Figure 4-1).

2. Access Setup > Asset Management Tasks > Auto Discovery Tasks. N-central then displays a screen that lists any discovery tasks that are currently available.

3. Select Create Asset Discovery Task. N-central then displays the screen for creating discovery tasks and importing devices.


5. Select the “Scan Now” probe to use for discovery.

Integration Guide:


- 89 -

6. Click the appropriate task button. • If this is a new task, click New Task. • If you are modifying the parameters for an existing task, click Update Task.

Because you told the probe to scan now, N-central executes the discovery task.


When N-central finishes the scan, N-central updates the status field from “Pending” to “Completed.” You are now ready to import the list of newly discovered devices into the N-central device list.

7. If necessary, access Setup > Asset Management Tasks > Auto Discovery Tasks.

8. Access Create Task > Scan

9. Click Import Discovered Assets. N-central then displays the list of newly discovered PCs for the customer site.



12. Click Import Devices. N-central then imports the PCs and displays the list of probes to assign to the PCs.

Note: The system does not automatically show you a list of discovered devices. You must import the list of discovered devices into N-central in order to view the list of new PCs found at the customer site.


14. Click Finish.

N-central then assigns the probe and displays the device list for the site. You should see the rediscovered PC in the device list.

Once the devices are discovered and imported, you can access the AMT functionality of a device by selecting the vPro system from the All Devices View.

Integration Guide:


- 90 -

Figure 4-1. List of devices available on the target site

Identify the UUID and hardware asset details Intel AMT makes it easy to use N-central to identify the PC’s UUID, as well as detailed information about the motherboard. Follow these steps:

1. Select the customer site and the All Devices View.

2. Click on the name of the PC you want to accurately identify.

3. Click on the Details tab to display detailed information about the PC.

4. Scroll down to the asset information area (see Figure 4-2).

The asset-information table includes the UUID for the PC, as well as detailed information for the motherboard, such as manufacturer and model number.

Integration Guide:


- 91 -

Figure 4-2. Identifying the UUID and motherboard information anytime

Remotely power on, off, or reset a PC A primary challenge in remotely managing PCs is accessing the PC anytime. Software-only solutions cannot usually access or manage a PC that is powered off. In contrast, the hardware-based technology of Intel AMT includes a powerful remote power on/off capability that allows authorized technicians to securely and remotely power-up, power-down, and power-cycle a PC.

The new capability is more secure than preexecution environment (PXE) or wake on LAN (WOL). It is also independent of the network architecture, so MSPs do not have to establish a WOL network in order to use the capabilities. And, as with other Intel AMT capabilities, the remote power on/off capability is OS-independent. It can work regardless of the OS installed on the target PC.

This discussion shows how easy it is to check the power status of a PC, and remotely power on, power off, or power reset a PC with Intel vPro processor technology.

Integration Guide:


- 92 -

Common uses for remote power-on, power-off, and power-reset Remote power-on, power-off, and power-reset are powerful commands for remotely managing PCs. Table 4-2 lists some of the common uses of the secure, remote power on/off capability.

Table 4-2. Common uses of the secure, remote power on/off capability

Use case Secure, remote power on/off allows you to:

Security • Power up PCs to update security software off-hours.

• Power up PCs to push a critical patch off-hours.

• Power up PCs before a work shift in order to update and ready them for users.

• Power down PCs during a particularly malicious attack to help prevent spread of a virus, worm, or other security threat.

Inventory • Bring up OS in order to perform a software inventory off-hours.

• Identify and remove unapproved software off-hours.

Diagnostics and problem resolution

• Power up a PC so that hardware asset information is updated (this happens each time POST is run) and can be compared to help diagnose a hardware failure

• Power up PC off-hours to perform diagnostics at times that won’t interfere with the user.

• Power cycle the PC to a clean state during problem resolution.

Maintenance and monitoring

• Power up PCs to perform maintenance, such as disk defragmentation and disk checking off-hours.

• Power up PCs to perform time-consuming back-ups off-hours.

Software application upgrade

• Bring up OS in order to perform a software application update.

• Install new utilities off-hours.

Energy savings • Allow users to power down PCs after work shifts, to help customers reduce power bills.

Integration Guide:


- 93 -

Check the power status of the PC Because you can access Intel AMT capabilities anytime, the Intel vPro service and remote power on/off feature can be available even if other services are not available. Figure 4-3 shows how the Intel vPro service indicator can still be up even if other services are down.

To check the power status of an Intel AMT-enabled PC, follow these steps:

1. Select the target site and an appropriate dashboard for the site. Figure 4-3 shows a dashboard for a site with one PC powered off.

2. Click on the name of the target PC. N-central then displays the list of command tabs available for the PC.

3. Select the Services tab.

4. Click on the Intel vPro service. N-central then displays the status screen for the service, which includes the power status of the PC (see Figure 4-4).

5. Click on the Reports tab to see a report of the power status of the PC (see Figure 4-5).

Figure 4-4 shows a sample service-status screen for a PC. Note the power-status indicator. If the power-status indicator is red (failed), the PC is powered off. If the power-status indicator is green (see Figure 4-4), the PC is powered up. There is also an indicator for the Intel vPro service, which can be available even if PC power is off.

Figure 4-5 shows a report for a PC that was powered down the previous night. You can see that power status went to zero (unavailable) in the previous 12-hour period. This PC is no longer available for service through traditional software-based tools. However, you can now use N-central and the remote power-on feature of Intel vPro processor technology to remotely and securely power the Intel AMT-enabled PC up for service. This procedure is described next.

Integration Guide:


- 94 -

Figure 4-3. PC powered down, but Intel vPro service still available

Figure 4-4. Power status for a PC that is powered up

Integration Guide:


- 95 -

Figure 4-5. Power report for a PC that was powered down

Remote power-on an Intel AMT-enabled PC After you have checked the power status of the PC (described in the previous procedure), you are ready to use the power on/off feature to remotely and securely power up an Intel AMT-enabled PC, follow these steps:

1. Select the target site and the All Devices View.

2. Click on the name of the PC you want to accurately identify. N-central then displays the list of command tabs available for the PC.

3. Select the Power Control tab (see Figure 4-6).

4. If necessary, select the probe to use at the customer site.

5. Click Power Up.

Note: It takes approximately 2 minutes to fully power up a PC. Depending on the size of the customer network, it can take 3 to 10 minutes or longer for the PC status to update on the All Devices View.

When power-up is completed, N-central should display a message saying that the PC has successfully powered up. Once the PC is fully powered up, other service indicators in the dashboard should be green (up).

If the status of other services does not change within 10 minutes, try refreshing the screen.

Integration Guide:


- 96 -

Note: The power-control feature works best if you allow N-central to automatically assign the Intel vPro service to the PC during discovery (whenever possible, do not manually assign the service to a PC). Refer to the integration section of this guide for more information.

Figure 4-6. Power-control feature for Intel AMT-enabled PCs

Remote power-off an Intel AMT-enabled PC

Caution: Remote power-off and power reset commands may cause data loss. They go directly to the system hardware and do not allow the OS to shutdown gracefully.

To remotely and securely power off an Intel AMT-enabled PC through N-central, follow these steps:



3. Select the Power Control tab (see Figure 4-6).


5. Click Power Down.

Integration Guide:


- 97 -

N-central then displays a message indicating that you have selected the power-down feature, and the system is processing your request.

When the PC is fully powered down, all services except Intel vPro will become unavailable. The Intel vPro service, which is available out-of-band, gives you access to the power on/off feature, UUID, and detailed hardware asset information even when other services are not available.


Remote power-reset a PC with Intel vPro processor technology

Caution: Remote power-off and power reset commands may cause data loss. They go directly to the system hardware and do not allow the OS to shutdown gracefully.

To remotely and securely power-reset an Intel AMT-enabled PC, follow these steps:



3. Select the Power Control tab (see Figure 4-6, earlier in this guide).


5. Click Reboot.

N-central then displays the message indicating that you have selected the reboot feature, and the system is processing your request. When done, the status field will display a message indicating that the PC is now powered back up.


For more information For more information about N-central features, refer to your N-able documentation.

For more information about the capabilities of Intel AMT, refer to the Intel Web site at:

http://msp.intel.com/

http://intel.com/reseller/vpro

Integration Guide:


- 98 -

Section 5: Troubleshooting

Introduction This section describes considerations and procedures that can help you troubleshoot typical issues with network communication, security credentials, and other parameters. This section includes these major discussions:

• Categories of typical problems • Support and validation tools • Troubleshooting procedures

Special considerations and best practices for setup, configuration, and installation procedures are described earlier in this guide, in the configuration, installation, and integration sections.


Categories of possible issues Deployment problems tend to fall into three categories. The most common are caused by inappropriate firewall and networking settings.

Be particularly careful when setting up your network, especially when configuring firewall and WMI authentication settings. Pay close attention to the considerations listed in the requirements section of this guide, and to the considerations described in the N-able documentation for installing and configuring the network.

Caution: Remote management will be problematic or will fail if you do not install network software correctly or configure networking and firewalls appropriately for your service environment.

The most common problems encountered during deployment are networking and firewall problems:

• Windows firewall settings are blocking communication between N-central and the Windows probe, or between the Windows probe and the target PC.

• WMI authentication settings by default do not allow remote readers (such as the Windows probe or agent) to collect monitoring information from the target PC.

• Network firewall settings are blocking communication between the Windows probe or agent and the N-central server.

Integration Guide:


- 99 -

Other common problems encountered during deployment include incorrect URLs or IP addresses in N-central, as well as forgetting to enable the Intel AMT respond-to-ping setting on the target PC:

• DNS issues. For example, in the probe, the IP address for the N-central server might be wrong.

• The public IP address of the N-central server might be wrong. • Intel AMT respond-to-ping capability is disabled on the PC.

Refer to your N-central documentation for detailed information about troubleshooting and fixing problems with firewalls, WMI, and network settings.

The most common issues relating to Intel AMT are:

• Intel AMT was not configured before you tried to integrate the PC into N-central. (Configuration of Intel AMT is a separate process from integration into N-central.)

• Intel AMT was not configured in SMB mode.

Support and validation tools There are several ways to validate and troubleshoot configuration of Intel AMT parameters, network communication and firewalls, and connectivity between the N-central server and the probe and/or agent. For example, you can use:

• Intel AMT Web console. Use the Intel AMT Web console (the Web graphical user interface, or GUI), which is included with Intel AMT, to validate communication with Intel AMT and the Intel AMT operational parameters.

• Developer applications. Use a stand-alone developer application, such as Intel AMT Commander (one of the utilities bundled in the Intel AMT developer’s toolkit), to help validate and troubleshoot networking and operational settings.

• N-central. Use your remote management application to troubleshoot network communication issues (such as with Windows firewall or WMI), and validate communication between N-central and the probe and/or agent.

This discussion briefly explains how to access and use the Intel AMT Web console and Intel AMT Commander tools.

Intel AMT Web console Intel AMT includes a Web console to help you configure and communicate with the PC. If you are having trouble establishing remote communication to the PC via N-central, you can use the Web console to verify access to Intel AMT, perform basic management tasks, and help troubleshoot the problem.

The Web console allows an authorized administrator to:

• View the system status and hardware information for the target PC • View, start/stop, and clean the Intel AMT event log. • Remotely power the PC on or off, or reset the PC. • View and manage Intel AMT network parameters. • View and manage Intel AMT user accounts.

Integration Guide:


- 100 -

The Intel AMT Web console must be used from a PC other than the target PC. For example, you can use the Intel Web console to access Intel AMT settings and information from the PC on which the probe is installed, from another user PC at the customer site, from the remote management workstation, or from another remote PC.

Verify access to Intel AMT To log into Intel AMT using the Intel AMT Web console, follow these steps:

1. Determine the IP address or host name of the target Intel-AMT enabled PC.

2. On a remote PC, open a Web browser.

3. Enter the target PC’s name or IP address, and the port number (refer to Figure 5-1).

• If the network can resolve the PC’s host name to a TCP/IP address, enter the host name in the URL field, like this: http://host_name:16992. For example: http://TestSystem:16992

• If a static TCP/IP address is defined for the Intel AMT-enabled PC, enter the PC’s IP address in the URL field, like this: http://ip_address:16992. For example: http://192.168.1.7:16992.

4. When prompted, log on using the Intel AMT administrator username and password, as shown in Figure 5-2.

• The Intel AMT administrator username and password are the credentials which were used to access MEBx on the PC during configuration. These are the same credentials that will be used by N-central to remotely access the Intel AMT capabilities.

• Both username and password are case sensitive. Make sure to note any capitalization changes in either field when defining or changing them.

Once you have logged on,

• If the credentials used are valid, the Intel AMT Web console will be displayed, and the system status page will open. The PC host name is listed in the top banner

• If the credentials used are invalid, the message “Log on failed. Incorrect user name or password, or user account is temporary locked.” will be displayed. If you receive an error message, refer to the troubleshooting tables, later in this section.

The navigation bar on the left gives authorized administrators access to system status, persistent hardware information, the Intel AMT event log, and other important parameters and capabilities. Figure 5-3 shows a sample network settings page in the Intel AMT Web console.

Integration Guide:


- 101 -

Figure 5-1. Sample login prompt for the Intel AMT Web console

Figure 5-2. Login dialog for the Intel AMT Web console

Integration Guide:


- 102 -

Figure 5-3. Network settings page accessed via the Intel AMT Web

console

Restricted access to Intel AMT information pages Access to the Intel AMT information pages is allowed based on user account rights. For example, the padlock icon (shown in Figure 5-4) shows that this user account does not have sufficient rights to view or make changes to network settings or user accounts.

Figure 5-4. Padlock icon indicates restricted access for that account

If you try to access a Web console page for which you do not have sufficient rights, you will be prompted to log in using a different account name and password.

Once you have logged in using an account with greater rights, you can refresh the display of padlock icons using the console’s refresh button.

Change network settings

You can use the Web console to change network settings for Intel AMT on the target PC, including:

• Computer host (the PC’s OS) name • Networking mode

Integration Guide:


- 103 -

• Respond-to-ping setting

Computer Host Name

The host name is a name that can be used to browse to this computer.

• In DHCP mode, the host name is the same as the name set for the PC’s OS. • In static IP mode, use a name different from the one set for the PC’s OS.

After changing the host name, click Refresh in the Web console to update the name in the banner at the top of the page.

Networking mode

You can remotely reset networking to DHCP (“obtain IP address automatically”) or static IP addressing (“use the following IP settings”), as appropriate for your SMB environment.

In DHCP networking (the “obtain IP address automatically” field), Intel AMT will try to obtain an IP address from a DHCP server. If you choose DHCP mode (obtain IP address automatically), make sure:

• Host name: The name of the host (PC’s OS) is the same as the computer name set in MEBx for Intel AMT.

• DNS server: Your network includes a DNS server that can resolve the PC’s name.

Note: In DHCP networking, the name for Intel AMT should be the same as the name defined for the host (the PC’s OS).

In static IP addressing (the “use the following IP settings” field), you must enter additional information manually, including IP address, subnet mask, gateway address, and preferred and alternate DNS addresses. For static IP addressing, make sure:

• IP address: Set the IP address for the host (PC’s OS) and the IP address for Intel AMT to the same value.

• Preferred and Alternate DNS addresses: Specify the address of the DNS server that will resolve the computer host name.

Note: Some third-party management applications do limited discovery; for example, they use only the IP address for discovery. To prevent these applications from reporting two PCs for the same device, in static-IP addressing in SMB mode, make sure that, , the IP address for Intel AMT is the same as the IP address defined for the host (the PC’s OS).

Respond-to-ping setting

This field configures the ping status of the network interface card (NIC), and allows Intel AMT to respond to an IP ping anytime, even if the PC is powered off.

• In static IP mode, Intel AMT always responds to a ping. • In DHCP mode, Intel AMT will respond to a ping only when the OS is down.

Integration Guide:


- 104 -

N-able takes advantage of the PC’s ability to respond to pings. Because of this, make sure the Intel AMT respond-to-ping feature on the PC is enabled by checking the respond-to-ping checkbox through the Intel AMT Web console. This allows N-central to accurately discover the PC anytime.

Intel AMT Commander The Intel AMT developer’s toolkit (DTK) includes a tool called Intel AMT Commander. This is not a supported validation tool for Intel AMT, but a tool for developers. However, it can also be a valuable tool during deployment to help you validate communication with Intel AMT, validate operational settings, and troubleshoot configuration issues.

You can download the Intel AMT developer’s toolkit from the Intel Web site at:

http://softwarecommunity.intel.com/articles/eng/1034.htm

Troubleshooting: Intel AMT configuration Problems accessing Intel AMT capabilities are usually caused because firewall and/or network settings are inappropriate for your managed-service environment. This prevents communication between N-central and the target PC. Before beginning troubleshooting procedures, verify:

• Access to Intel AMT, as described earlier in this section • Firewall settings and WMI settings, as described in the deployment requirements

section of this guide • Connectivity between the N-central server and the probe/agent, as described in the

integration section of this guide

The rest of this section describes specific problems and possible fixes for those issues.

Authentication problems There are several administrator passwords used during deployment, and later, to reconfigure hardware and/or software as needed.

If you are having trouble logging into N-central, BIOS, MEBx, or Intel AMT, you are probably using the wrong administrator password for that component of the managed environment.

Integration Guide:


- 105 -

Table 5-1. Using the correct passwords

Password Used for: Used to:

BIOS password

BIOS Used by an IT administrator to access BIOS. If your OEM requires a BIOS password, you will need the administrator username and password required to access the PC’s BIOS.

MEBx Used by the IT administrator to access the MEBx screens and set security, networking, and operational parameters for Intel AMT. The factory-default password is provided by the OEM and included with your PC’s documentation. You must change the default password the first time you enter MEBx.

Intel vPro credentials on the probe

Used by the IT administrator to set credentials for the probe that will access Intel AMT-enabled PCs.

Intel AMT password

Intel AMT Web console Used by the IT administrator to access Intel AMT remotely via the Intel AMT Web console.

N-central password

N-central Used by an IT administrator to log into N-central. This password is first set during installation of N-central, and can be reset via the user-management feature in N-central.

User’s management password

Access to customer’s N-central information

Each user has a unique password to access only their customer information, add probes and services to their site, and so on. The password is shared by all PCs at the site, and should be unique to this site. You create this password on each machine when you create the user’s management account on each PC.

Integration Guide:


- 106 -

Intel AMT configuration You should verify the Intel AMT configuration separately from your N-central configuration and networking connectivity. This will help clarify whether the issue is with the Intel AMT configuration or with networking, firewalls, or N-central installation or configuration.

The most common issues related to Intel AMT which are encountered during deployment are:

• You have not configured Intel AMT in SMB mode. • You have not yet established the administrator password in MEBx. • You are trying to access MEBx using the wrong administrator password. • You are trying to access Intel AMT capabilities, but you have not yet integrated the

Intel AMT-enabled PC into N-central.

Security credentials and networking and operational parameters used to access Intel AMT capabilities must be enabled and appropriate for your network and SMB environment. Table 5-2 lists ways to fix possible issues with the Intel AMT configuration.

Most likely problem: You did not configure Intel AMT on the PC Most problems that seem to be related to accessing the Intel AMT capabilities in N-central occur because you have not yet configured Intel AMT. Some problems occur because you have not integrated an Intel AMT-enabled PC properly into N-central.

You must physically configure the Intel AMT parameters on the PC via BIOS and MEBx, and integrate the PC into the third-party management solution before you can remotely access the Intel AMT capabilities.

It is important to note that, in N-central:

• You must import the PC before it appears in the device list. Discovery and importing the device are separate steps.

• You should allow apply N-central to automatically assign the Intel vPro service to the PC during discovery. This helps make sure the power-control feature in N-central works properly.


Integration Guide:


- 107 -

Problems accessing the Intel AMT parameters via MEBx or the Web console Table 5-2 explains how to troubleshoot problems in accessing Intel AMT parameters via MEBx or the Web console.

Table 5-2. Troubleshooting: Accessing Intel AMT parameters via MEBx or the Web console

Issue Possible reason How to fix

Can’t log into MEBx

You are not using the correct factory-default administrator username and/or password.

Do not assume the username or password (for example, admin vs. administrator). Use the factory-default credentials provided by your PC manufacturer. This information should be located in the PC’s shipping container or manual, on a sticker, or via some other method.

You have not yet reset the factory-default Intel AMT administrator password in MEBx, and so cannot access Intel AMT para-meters over the network.

On the PC, using the BIOS and MEBx features, change the factory-default administrator password. You should be prompted to do this the first time you access MEBx.

You are not using the correct Intel AMT administrator password.

Use the administrator username and password set the first time MEBx was used, in order to access the Intel AMT capabilities over the network.

Can’t log into Intel AMT Web console (but can access the login-page)

If the link is followed by a padlock icon, the user account you are using does not have rights to access this page.

You must log in using an account with sufficient rights.

Can’t bring up the Intel AMT Web console using the machine name or the FQDN

The domain name is not correctly specified in MEBx. This can affect some applications, such as Web browsers.

Use the IP address of the target PC to access the Intel AMT Web console.

Or, set the domain name field in MEBx on the PC:

• If there is a Windows domain in your LAN environment, set the MEBx domain name field in MEBx to the Windows domain name.

• If the PC is not part of a domain, set the MEBx domain name field to vPro.local.

Integration Guide:


- 108 -

Table 5-2. Troubleshooting: Accessing Intel AMT parameters — continued


Intel AMT is configured in enterprise mode.

Or,

Intel AMT is not enabled on the PC.

Refer to the configuration section of this guide for information about enabling Intel AMT and configuring Intel AMT in SMB mode.

Can ping the target PC , but can’t connect to the Intel AMT Web console

You are trying to connect using a protocol that is not compatible with the selected port.

Note that Intel AMT supports both HTTP and HTTPS. The default protocol is HTTP. For HTTP, the default communication port is 16992.

Make sure that you are connecting to the correct HTTP interface (HTTP by default) and the correct port (16992).

If you use HTTPS, you must use communication port 16993, and you must change the MEBx port parameter to 16993.

Security credentials (administrator password) are not yet established for the PC.

You must physically access the machine and, using BIOS and MEBx features, establish the administrator password before Intel AMT will be available over the network.

You are not entering the correct administrator username and/or password.

When prompted for the Intel AMT password, you must enter the MEBx administrator username and password, as established during configuration of Intel AMT. This is a different password from your N-central password.

You are not using an administrator password (account) with sufficient permission.

Use an administrator password with greater permissions.

Can’t access Intel AMT from the network.

Error messages could include: log on failed, incorrect user name or password, or user account is temporary locked

You are trying to access Intel AMT using a Web browser on the target PC itself.

In order to access Intel AMT over the network, you must use a Web browser on a device other than the target PC. Move to another PC and try network access again.

Integration Guide:


- 109 -

Online support for PCs with Intel vPro processor technology For more information on troubleshooting Intel vPro devices, visit Intel’s support Web page at:

http://support.intel.com/

You can then browse by product, select the desktop platform page, then Intel vPro processor technology. The site includes a FAQ, as well as other information that may be of use during troubleshooting.

You can also access the support area for Intel vPro processor technology directly at:

http://support.intel.com/support/desktopplatforms/vpro/

Troubleshooting: Network, firewall, and WMI problems

The next three tables describe common problems, possible reasons, and potential fixes for issues involving:

• Network setup • Windows firewall • WMI settings

Troubleshooting: network configuration Most problems with deployment are actually network problems, and typically, that the Windows firewall or WMI is not set up correctly for your environment. Table 5-3 briefly describes common problems relating to network configuration and possible ways to fix those problems.

Integration Guide:


- 110 -

Table 5-3. Troubleshooting: Network communication problems


The N-central server is down.

Make sure server is up and running

Network settings are not correct.

Log in as administrator and make sure the network setup is correct, including IP addresses, FQDN, host name, protocol, etc.

Default network settings are not correct.

Propagate current network settings to default settings. This procedure is described in the integration section of this guide, and described in detail in your N-central documentation.

Can’t get to N-central login page

Network firewall is blocking inbound traffic to the N-central Web site.

The firewall must allow inbound traffic to the N-central Web site on ports 80, 22, 443, and 10000.

Error: Invalid certificates

The security certificate has expired or has not yet been generated.

On the N-central server, log in as an administrator, and generate a certificate for the server.

The proxy server may be blocking communications between N-central and the probe.

Test connectivity between N-central and the probe, as described in your N-central documentation.

Target site with Intel AMT-enabled PCs is listed as down for all services

The configuration settings in the probe have been changed.

DNS solutions must be able to solve the name of the N-central server, and local proxy servers and firewalls must allow this communication from the probe device. Refer to your N-central documentation for the URL or IP address used to communicate with the N-central server.

After the OS loads, I can't connect to the PC

The IP address is not correct.

In DHCP networking, if you have installed the correct base driver and are working in DHCP mode, try to manually renew the DHCP lease.

In static IP addressing, use the Intel AMT Web console to reconfigure the static IP settings appropriately for your environment.

Integration Guide:


- 111 -

Troubleshooting: installation of the N-central server or probe After you have installed N-central and the probe, you could encounter some problems establishing remote communication between the elements of your environment. These problems are most likely the result of incorrect settings for the Windows firewall, WMI, or other networking parameters for your SMB environment.

Tables 5-4 lists common issues and potential fixes that may be useful when troubleshooting problems that manifest when trying to install or use N-central and probes. The procedure following Table 5-4 explains how to correct network and protocol settings.

Table 5-4. Troubleshooting: Installation of N-central and/or probe


Can’t complete installation of the probe

You need the probe activation key, as established in N-central, to install and activate the probe on the probe device.

Get the probe activation key from the Setup > Probes > System Communication tab in N-central.

Windows firewall settings are not correct.

Refer to the important considerations about Windows firewalls in the deployment requirements section of this guide. If you are using a Windows firewall, you must reconfigure each target PC, as described in your N-central documentation.

WMI settings are incorrect.

Correct the WMI settings, as per your Microsoft and N-central documentation.

The probe cannot locate the N-central server because the DNS solutions are not correctly specified.

DNS solutions are configured during installation of the N-central server (if a nonhosted solution).

Test connectivity between the N-central server and the probe, as described in your N-central documentation.

Can’t verify installation of N-central or the probe

Networking parameters are not correctly specified for your security setup or network architecture.

Make sure you have set up all networking and security parameters correctly, including firewalls and remote-communication parameters.

Integration Guide:


- 112 -

Table 5-4. Troubleshooting: Installation of N-central and/or probe – continued


One of the servers is not powered up or is not working properly.

Make sure the devices on which the probe and the N-central server are installed are powered up and working properly.

The probe is not using the correct public (external) IP address for the N-central server.

The network settings for public (external) IP address or FQDN, port number, and/or protocol for the N-central server are not correct.

The IP address in nagent.conf for the N-central server is not correct.

The IP address for the N-central server is the public IP address used for communications with the server. When installing the probe, make sure you enter the correct public IP address or FQDN for the N-central server, the correct port number (443), and the correct protocol (HTTPS). To correct the network settings for the N-central server, follow the procedure described after this table.

Can’t access probe device

Or,

Can’t select a probe

Or,

N-central is not receiving data from the probe

The default IP address settings for the N-central server are not correct.

Propagate the current network settings to the default settings in N-central, as described in the procedure after this table.

The Intel AMT credentials specified in the probe do not match the security credentials (administrator username and password) specified in the Intel AMT BIOS / MEBx settings.

Reset the security credentials for Intel AMT in the probe to match the credentials specified in BIOS and MEBx during configuration.

In static IP addressing, the IP address of Intel AMT does not match the IP address specified for the host (PC’s OS) in BIOS/MEBx.

Change the IP address in Intel AMT to match the IP address of the host (the PC’s OS).

I configured Intel AMT, but I can’t discover the PC as an Intel vPro PC

Intel AMT has not been configured.

Configure Intel AMT, as described in the Intel AMT configuration guide.

Can’t remote control any PC at the target site

This is an in-band capability of N-central.

Refer to your N-central documentation for troubleshooting in-band remote control of the PC.

Integration Guide:


- 113 -

Correct the settings for the N-central server If you cannot complete installation of the probe, there may be problems with the network or communication protocol settings. Follow these steps to correct the IP address, port number, or protocol in nagent.conf for the N-central server:

A. Correct the N-central server settings. First, use your administrator privileges to verify and/or correct the settings for the N-central server:

1. Open nagent.conf (C:/Program Files/N-able Technologies/Windows Software Probe/nagent.conf)

2. Check the SOAP settings. They should be: • Server_ro=no • Port=443 • Protocol=https • Applianceid=17024 • Server=n-central.dyndns.org (or other IP address of your N-central server)

3. If necessary, correct the IP address, port number, or protocol: a. Access Menu > Run. b. Enter services.msc. c. Press Enter. d. Access Windows Software Probe Watchdog. e. Stop the watchdog service. f. Access Windows Software Probe. g. Stop the software-probe service. h. Return to the nagent.conf file. i. Enter the correct IP address, port number, and protocol for the SOAP settings. j. Save your changes and close the file. k. Open the services.msc file. l. Access Windows Software Probe. m. Start the software-probe service. n. Access Windows Software Probe Watchdog. o. Start the watchdog service. p. Right-click Software Probe > Properties. q. Verify (or correct) that the local system account is not used. r. If necessary, save your change to the services.msc file, and close the file.

B. Reset the default settings for N-central. Once you have updated the settings for the N-central server, you must verify or correct the default settings for the server. Follow these steps:

4. Log into the N-central administrator page (port 10000).

5. Click Default Settings.

6. Verify that the correct public and private IP addresses are entered in the IP address fields.

7. To correct the IP address for the N-central server, follow these steps: a. Access Network Setup > Modify Network Setup, to display the Network settings

screen.

Integration Guide:


- 114 -

b. Enter the correct public (external) IP address for the N-central server in the public IP address field.

c. Enter the correct private IP address for the N-central server in the private IP address field.

d. Make sure the host name is set to the public (external) FQDN. e. Click OK to save your changes. N-central will automatically log you out.

It takes approximately 2 to 3 minutes for the new network settings to take effect.

Caution: If you don’t save current settings as the default settings, the N-central server may reset network settings to previous values when you establish the next remote session. This may cause many network problems; for example, you may not be able to connect to the local server from the MSP service center, your probe(s) may not be able to connect to the server, or you may experience other network issues.

f. Log back into the administrator module. g. Access Network Setup. h. Make sure you can see the corrected public and private IP addresses. i. Click the command option to make the current network settings the default

settings. j. Click OK.

8. Return to the main administrator page for N-central.

9. Click Default Settings.

10. Verify that the settings have been updated.

11. Log out of the administrator console.

C. Verify that the probe is now communicating with the N-central server. To verify that the probe is now communicating with the N-central server, see if probe version information is displayed via the Setup > Probes feature. Follow these steps:

12. Select the customer site. N-central then displays the overview screen for that site.

13. Access Setup > Probes. N-central then displays the probes listing for the customer site. The list of probes should include the probe you just installed at that customer site.

14. Select the name of the probe for which you will verify communications. N-central will then display a screen for editing communication parameters for the probe.


You should see the current probe version number near the middle of the screen.

Integration Guide:


- 115 -

Troubleshooting: Windows firewall Table 5-5 briefly describes common problems encountered as a result of Windows firewall settings.

Table 5-5. Troubleshooting: Windows firewall problems


Receive error messages when I try to recon-figure PCs to continue to use the Windows firewall

You do not have the latest hotfix installed for your service pack.

Refer to the N-able documentation about enabling the remote-administrator exception and reconfiguring the Windows firewall settings on PCs in order to use the Windows firewall in a remote management environment. Also refer to Microsoft Knowledge Base article 842933.

Can’t configure Windows firewall

Or,

Can’t configure Windows Security Center settings

You cannot configure Windows firewall settings or Security Center settings on a Windows XP SP2-based client computer that is in a Windows Small Business Server (SBS) 2003-based network.

For more information, refer to Microsoft Knowledge Base article 872769. Microsoft has issued an update to resolve this issue. This update enables and configures the Windows firewall in Windows XP SP2 on Windows Small Business Server 2003 networks.

If you are having issues with firewalls on Windows Vista, you should report them to Microsoft and/or N-able.

Troubleshooting: Status indicators Table 5-6 briefly describes common networking problems that may be indicated in the dashboard or status screens of N-central.

Table 5-7 briefly describes issues that could be indicated by the general Intel vPro service indicator.

Table 5-8 briefly describes issues that could be identified through the specific network-availability and power-status indicators for the Intel vPro service.

Integration Guide:


- 116 -

Table 5-6. Troubleshooting: General status indicators


The proxy server may be blocking communications between N-central and the probe.

Test connectivity between N-central and the probe, as described in your N-central documentation.

Target site is listed as failed (down) for all services



The probe cannot communicate with the N-central server or the target PC because default security features of Windows XP SP2 conflict with the probe.

Temporarily disable the Windows firewall to identify the problem. Then enable the remote administration exception and reconfigure the Microsoft personal firewall settings on each PC in the network to enable remote management in the Windows firewall environment. This procedure is described in detail in your N-central documentation.

The proxy server may be blocking communications between the probe and the N-central server.

Test connectivity between the probe and the N-central server, as described in your N-central documentation.

Network services: failed

(includes Intel vPro service: failed)



Network services: misconfigured

and

Intel vPro service: green

A personal firewall is interfering with communication between the probe and the PC.

Reconfigure the firewall to allow communication between the probe and the PC, as described in your N-central documentation.

Integration Guide:


- 117 -

Table 5-7. Troubleshooting: Intel vPro service indicator


Intel AMT is not yet configured in SMB mode

In MEBx, verify that Intel AMT is set to SMB mode. If not, change the default settings (enterprise) to SMB mode, then configure other the networking and operational parameters of Intel AMT as appropriate for your SMB environment. Refer to the Intel AMT configuration guide for SMB environments for these procedures.

MEBx settings are not appropriate for your SMB environment.

Refer to the Intel AMT configuration guide for SMB environments for procedures that explain how to configure Intel AMT in SMB mode for DHCP and static IP environments.

Network services: green but

Intel vPro service: failed

Intel AMT has not been configured on the PC

You must configure Intel AMT and then integrate the Intel AMT-enabled PC into N-central before you can access Intel AMT capabilities through N-central.

Refer to the integration section of this guide for integration procedures. Refer to the Intel AMT configuration guide for SMB environments for information about configuring Intel AMT.

Intel AMT version setting is wrong

Use the Intel AMT Web console to verify and/or correct the IP address via BIOS and MEBx. For more information, refer to the discussion earlier in this section about using the Web console.

Network services: green but

PC power status: failed

Intel AMT sleep states are not set for always-on operation.

Set the Intel AMT management-engine sleep states to always-on.

Integration Guide:


- 118 -

Table 5-7. Troubleshooting: Intel vPro service indicator – continued


Intel vPro service: green

But I can’t access the power-control feature or see UUID or motherboard information

The configuration settings in the probe may have been changed so that the proxy server is blocking communications between the probe and the N-central server. The AMT indicator is still green because N-central is reporting the last known status of the device.

(The site is also probably down in the dashboard.)

Check the dashboard for the customer site and see if the site is down. If so, test connectivity between N-central and the probe, as described in your N-central documentation.

Note that DNS solutions must be able to solve this name and local proxy servers and firewalls must allow this communication from the probe device. Refer to your N-central documentation for the IP address or URL used to communicate with the probe.

Intel vPro service: failed

The proxy server may be blocking communications between N-central and the probe. The vPro status indicator is still green because N-central is still reporting the last known status of the device.

Check the dashboard for the customer site and see if the site is down. If so, test connectivity between N-central and the probe, as described in your N-central documentation.

Intel vPro service is not available

You have not yet integrated the Intel AMT-enabled PC into N-central.

Power up the PC, then discover it and integrate it into N-central, as described in the integration section of this guide.

Integration Guide:


- 119 -

Table 5-8. Troubleshooting: Intel vPro network-availability and power-status indicators


Connectivity service: failed

and,

Intel vPro network availability: failed

and,


AMT has two MAC addresses. Some network switches (and routers) have default port security settings that allow only one MAC address per port. On these devices, when port security takes effect, the Intel AMT-enabled PC is disconnected from the network.

After 14 days (of the PC being disconnected), N-central will indicate that the device is disconnected.

Change the network configuration on the switch so that port security allows two MAC addresses.

Caution: Intel does not recommend disabling port security to eliminate this problem.

Intel vPro network availability status: failed

and

PC power status: green

One or more parameters for Intel AMT may be misconfigured

Use the Intel AMT Web console to verify and/or correct the networking and operational parameters of Intel AMT via BIOS and MEBx. Refer to the Intel AMT configuration guide for SMB environments for procedures and considerations to configure Intel AMT.

Network cable is disconnected.

Reconnect the network cable.

Power cable is disconnected from PC

Reconnect the power cable.

Intel AMT has not been configured on the PC

You must configure Intel AMT and then integrate the Intel AMT-enabled PC into N-central before you can access Intel AMT capabilities through N-central.

Refer to the integration section of this guide for integration procedures. Refer to the Intel AMT configuration guide for SMB environments for information about configuring Intel AMT.

Intel vPro network availability status: failed

and


Intel AMT was configured with the wrong IP address

Use the Intel AMT Web console to verify and/or correct the IP address via BIOS and MEBx. For more information, refer to the discussion earlier in this section about using the Web console.

Integration Guide:


- 120 -

Table 5-8. Troubleshooting: Intel vPro network-availability and power-status indicators — continued



and possibly also,


AMT is misconfigured, possibly because of a CMOS error (rare).

If this occurs, it is likely that CMOS remembered an old BIOS / MEBx configuration and did not load the new Intel AMT configuration values properly after the Intel AMT configuration process.

First use the DOS-based utility called MEdata (included in the Intel AMT software development kit) to check the configuration of the Intel Management Engine.

If the configuration does not match the values you input during configuration, try reconfiguring Intel AMT again.

If you receive an error after configuration (“AMT error” or “Check failed”), after BIOS finishes POST and checks the AMT configuration, you may have to force CMOS to read from the new BIOS and MEBx settings. In order to do this, you must clear the CMOS.

Refer to the motherboard manufacturer’s guide for information about doing a CMOS clear.

The MEBx setting for after-power failure is not set to Power on.

In MEBx, set the Intel ME after-power failure back Power on.


and,


after power is interrupted to the PC. (Intel AMT doesn’t come back up after a power failure.)

The MEBx setting for sleep-state power policies is not set to Always / Enabled.

If you didn’t set the Intel AMT power-policies to be always on, AMT is enabled based on the host (PC’s OS) power policies, and the system will behave like a regular PC. In other words, when the OS goes to sleep, so will the Intel Management Engine.

In MEBx, change two settings:

1. Set the Intel ME sleep states to be Always / Enabled.

2. Set the idle timeout value to 0.

Integration Guide:


- 121 -

Troubleshooting: Discovery The tables in this discussion will help you identify and fix problems that might appear to be problems discovering the PC, discovering the system as an Intel AMT-enabled PC, or dealing with double-reporting.

The most common reasons you can’t discover an Intel AMT-enabled PC or access Intel AMT capabilities relate to Windows firewall settings. Be particularly careful in setting up your firewalls and WMI.

However, you may have simply forgotten to enable and configure Intel AMT on the target PC for your SMB environment. Remember that N-central is designed for SMB environments. You must configure Intel AMT for SMB operation in order to access the Intel AMT-enabled PC from N-central. You must also configure the networking and other operational parameters of Intel AMT before you can integrate the PC into N-central and access the Intel AMT capabilities.

Tables 5-9 explains common reasons you might have problems with discovery or access to Intel AMT features, and possible fixes.

Table 5-9. Troubleshooting: PC doesn’t show up as an Intel AMT-enabled PC


PC is not powered on. N-central requires that the PC be powered on for its first discovery. After that, N-central can discover the Intel AMT-enabled PC anytime, even if PC power is off.

Power up the PC for the first discovery by N-central.

PC is not connected to the network.

Plug the PC into the network and verify network communication, then try discovery again.

Can’t discover the PC

Windows firewall settings is blocking communication.

Windows XP SP2 default settings conflict with the correct operation of the probe.

Temporarily disable the Windows firewall to identify the problem. Then reconfigure the Microsoft personal firewall settings on each PC (that you want the probe to monitor) for use in the Windows firewall environment, as described in detail in your N-central documentation.

Integration Guide:


- 122 -

Table 5-9. Troubleshooting: PC doesn’t show up as an Intel AMT-enabled PC — continued


Can’t discover the PC out-of-band

Intel AMT respond-to-ping is not enabled on the PC.

By default, Intel AMT-enabled PCs can respond to an ICMP Echo request when powered down. You must enable the Intel AMT respond-to-ping feature in order to allow N-central to discover the PC using ICMP Echo requests.

Enable the Intel AMT respond-to-ping feature so that Intel AMT will respond to an ICMP Echo request when powered down. Refer to the integration section of this guide for steps to use the Intel AMT Web console to enable the Intel AMT ability to respond-to-ping.

Intel AMT networking is not set up to match the host (PC’s OS) network settings.

If the PC’s OS is up and working, make sure the DHCP/Static IP settings for MEBx and for the PC’s OS driver are compatible. For example, if the PC’s OS driver is configured to DHCP, but Intel AMT is configured to use a static IP, then the Intel AMT-enabled PC is basically isolated from the network.

Intel AMT has not yet been configured.

Configuring Intel AMT is a separate step from integrating the PC into N-central. Using BIOS and MEBx, establish the administrator password and configure the required BIOS and MEBx parameters, as described in your Intel AMT configuration guide for SMB environments.

Intel AMT is still configured for enterprise mode operation, not SMB operation.

On the PC, in MEBx, set the AMT operational mode to SMB (the default mode is enterprise mode), as described in your Intel AMT configuration guide for SMB environments.

You have not yet integrated the PC into N-central.

Power up the PC, then discover it and integrate it into N-central, as described in the integration section of this guide.

PC doesn’t show up in the list of available devices

Your DNS solution can’t solve for the N-central server.

Probes must be able to communicate with the N-central server. Refer to your N-central documentation for steps to resolve DNS issues between the probe and the N-central server.

Integration Guide:


- 123 -



Intel AMT has not yet been enabled on the PC.

In MEBx, set the AMT compatibility mode to Intel AMT, as described in your Intel AMT configuration guide for SMB environments.

Caution: If you select any option other than Intel AMT, then Intel AMT will be disabled and all configuration information erased. To reconfigure Intel AMT, you would have to follow the configuration procedure again for Intel AMT.

Intel AMT has not yet been configured.

Configuring Intel AMT is a separate step from integrating the PC into N-central. Using BIOS and MEBx, establish the administrator password and configure the required BIOS and MEBx parameters, as described in your Intel AMT configuration guide for SMB environments.

You have not yet integrated the Intel AMT-enabled PC into N-central.

To integrate the PC, follow these general steps, scan the network for the new Intel AMT-enabled PC, import the PC into the list of available devices, then continue with integration as described in the integration section of this guide.

Authentication failure. This error might be seen in an HP PC.

MEBx has both a local password and a remote password (for remote access to the PC). When you set the local administrator password in MEBx, the system should automatically set the remote password to the same string. In an HP system, passwords might not be synchronized.

To resolve this problem, follow these general steps:

1. On the target PC, set (if necessary) the administrator password via the MEBx feature.

2. From a different machine, launch the Intel AMT Web console using the local administrator password.

3. Using the user accounts screen, change the administrator password for Intel AMT on the PC.

The remote password will also be changed to match the local password.

Intel AMT power-control feature, UUID, and motherboard information does not show up for the PC

The PC is not a PC with Intel vPro processor technology.

Purchase a PC with Intel vPro processor technology.

Integration Guide:


- 124 -



Intel AMT is configured, and I integrated the PC, but now it doesn’t show up in discovery

The Windows probe stops scanning after a certain period of time on Windows XP Professional, Service Pack 2 machines. The problem is appearing (over time) due to scans and probes to IP addresses that do not respond (because there is nothing there) Microsoft is "interpreting" this as a potential worm and soon, the requests begin to back up in a queue and eventually stop going out all together.

This behavior is intentional on Microsoft's part, designed to protect a user's workstation that may be infected with a worm (like W32.Blaster, Sasser or Nimda, for example) from spreading very quickly. Refer to the Microsoft site for more information:

http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sp2netwk.mspx#EIAA

Two devices are being reported for the same PC

Intel AMT networking is not set up to match the host (PC’s OS) network settings.

If the PC’s OS is up and working, make sure the DHCP/Static IP settings for MEBx and for the PC’s OS driver are compatible. For example, if the PC’s OS driver is configured to DHCP, but Intel AMT is configured to use a static IP, then the Intel AMT-enabled PC is basically isolated from the network.

Troubleshooting: Remote power on/off In some cases, PCs are in use before Intel AMT is configured for remote management. In these environments, the administrator password for Intel AMT might be established in BIOS/MEBx. However, Intel AMT is not usually configured into its operational mode. Because the capabilities are not configured, the PC with Intel vPro processor technology shows up in N-central as a typical PC. N-central cannot yet remotely access the Intel AMT capabilities for this PC.

When you want to make the PC’s Intel AMT capabilities available to N-central, you must, 1) configure Intel AMT, then 2) assign the Intel vPro service to the PC in N-central, and 3) rediscover the PC as an Intel AMT-enabled PC. This process is described in the integration section of this guide.

During rediscovery, you manually assign the Intel vPro service to the PC. In some cases, the Intel AMT remote power on/off/reset capability may not work properly through N-central if you manually assign the N-central Intel vPro service to the PC. To resolve this issue, you may have to remove the PC from the N-central management domain, then add the PC back as a newly discovered Intel AMT-enabled PC.

Integration Guide:


- 125 -


Follow these steps to remove a PC from the N-central device list, and add it back in as an Intel AMT-enabled PC:

Step A: Verify Intel AMT configuration on the PC

1. Make sure PC power is on.

2. Make sure the Intel AMT parameters on the PC have been configured in SMB mode via BIOS and MEBx. Refer to the Intel AMT configuration guide for SMB environments for this procedure.

3. Verify that the networking and operational settings of Intel AMT are appropriate for your SMB environment. You can use the Intel AMT Web console to validate Intel AMT parameters, as described in the Intel AMT configuration guide for SMB environments, or in the troubleshooting section of this guide.

Once you have verified that Intel AMT is configured correctly for your SMB environment, you should verify that the PC is available to N-central, as described next.

Step B: Verify the PC is available to N-central

4. Select the customer site and All Devices View. • Make sure you can see the target PC in the list of devices available at the

customer site. • Make sure the PC power/management status is on (green).

If the PC is powered on, you are ready to add the PC to the Intel AMT device list.

Step C: Delete the PC from the device list

You will now delete the PC name from the N-central device list, then rediscover it as an Intel AMT-enabled PC.


Follow these steps:

5. If necessary, select the customer site and All Devices View.

6. Access Setup > Devices

7. Check the checkbox next to the name of the PC you want deleted from the device list (see Figure 5-5).

8. Click Delete Device(s).

9. If prompted, confirm that you want to delete the specified PC.

Integration Guide:


- 126 -

Figure 5-5. Deleting a PC from the device list

Step D: Rediscover the PC as an Intel AMT-enabled PC

This procedure is the same as the typical discovery procedure described earlier in this guide.



12. In the task screen, select Scan Now, select the probe for the site, enter the IP range to scan, and select a recipient to be notified when the scan completes.

13. Choose Scan Now.

When the scan is complete, N-central will change the task status from “Pending” to “Completed.”

Note: Depending on the size of the network, it can take 3 to 10 minutes or longer to complete the scan and discover “new” PCs.

Step E: Import the Intel AMT-enabled PC into the device list

This procedure is the same as the typical procedure for importing PCs.


15. Access Setup > Asset Management > Access Auto Discovery

Integration Guide:


- 127 -

16. Access Create Task > Scan > Import Discovered Assets. N-central displays the list of PCs recently discovered for the customer site.



19. Click Import Devices.

N-central then imports the PC and returns to the device list. You should see the rediscovered PC in the device list.

Step F: Verify that the PC is recognized as an Intel AMT-enabled PC

Follow these steps to make sure the PC is now recognized as an Intel AMT-enabled PC:


21. Access Status > Devices.

22. Select the target PC.

N-central should display a screen with a list of tabs for the PC, including the Intel AMT power-control tab. If you see the power-control tab, the PC has been recognized as an Intel AMT-enabled PC.

For more information The solutions architecture section of this guide includes a list of related documentation and resources for Intel vPro processor technology and N-able N-central.

Integration Guide:


- 128 -

Appendix A: Quick Start for Integration

Introduction This section provides a streamlined process for deploying PCs with Intel vPro processor technology in an N-able N-central service environment for SMB customers. For a nonhosted solution, the overall deployment process follows three general steps, as shown in Figure A-1.

Note: This appendix assumes you have already: ▪ Installed N-central ▪ Installed the probe at the customer’s location ▪ Verified network communication ▪ Verified communication between components of N-central ▪ Create and set up the customer site in N-central



Integration Guide:


- 129 -

Figure A-1. Deployment process

Integration Guide:


- 130 -

Table A-1 lists the processes required to deploy a PC with Intel vPro processor technology. Optional procedures and other procedures that may be useful to you are included in the integration section of this guide.

Table A-1. Deploying Intel AMT-enabled PCs and N-central

Step Process

Step 1 Configure Intel AMT on the user PC

Step 2 Make sure respond to ping is enabled on the user PC

Step 3 Validate connectivity between N-central components

Step 4 Verify network communication

Step 5 Log into N-central

Step 6 In N-central, set Intel AMT credentials for the probe

Step 7 Discover new Intel AMT-enabled PCs

Step 8 Import the Intel AMT-enabled PCs into the N-central management domain

Step 9 Verify that the Intel vPro service is assigned to the PC

Step 10 Configure the PC with the Intel vPro service and other details

Step 11 Select the probe for the Intel AMT power-control feature

Once the PC is integrated into N-central, you can use other N-central features to customize the way N-central monitors the PC, displays information, categorizes alerts, and creates reports. For more information about N-central features, refer to your N-able documentation.

Integration Guide:


- 131 -

Deployment procedure The rest of this appendix explains the deployment procedure for PCs with Intel vPro processor technology in an N-central service environment.

Step 1: Configure and validate Intel AMT via BIOS and MEBx 1. Set up security, networking, and operational parameters of Intel AMT via BIOS

and MEBx. Refer to the Intel AMT configuration guide for SMB environments for step-by-step procedures that explain how to configure Intel AMT.


Step 2: Enable the Intel AMT respond-to-ping setting

Note: N-central requires that you enable the Intel AMT respond-to-ping feature on the target PC in order to allow out-of-band discovery.

Note: Make sure the firewall does not prevent the ping response. Refer to your N-able documentation for recommended settings for firewalls.

Note: You must use the Web console from another PC to access the Intel AMT respond-to-ping feature on the target PC.

2. Determine the IP address or host (OS) name of the target PC.

3. On the remote PC, open a Web browser.

4. In the URL field, enter the target PC’s name or IP address, and the port number. • If the network can resolve the target PC’s host name to a TCP/IP address, enter

the host name in the URL field, like this: http://host_name:16992 For example: http://TestSystem:16992

• If a static TCP/IP address is defined for the target PC, enter the PC’s IP address in the URL field, like this: http://ip_address:16992 For example: http://192.168.1.7:16992

5. Select the logon option.

Integration Guide:


- 132 -

6. When prompted, login using the Intel AMT administrator username and password. The Intel AMT Web console is then opened.

7. In the left navigation bar, select Network Settings.

8. Make sure the Intel AMT respond-to-ping setting is checked (enabled).

9. Click Submit.

Step 3: Validate connectivity between N-central components Validate communication between the probe device, probe, and the N-central server:

10. Verify remote-management fields in N-central server: Use the administrator’s network setup screen to check the remote management settings for N-central.

11. Test connectivity between N-central server and probe: Verify that probe version information is displayed in the Setup > Probes > [target probe] > System Communication tab.

12. Test connectivity between probe device and N-central server: Use a Web browser and secure port to display the N-central login page.

Note: For more information about important considerations, recommendations, and validation procedures regarding network and solution connectivity, refer to your N-central documentation.

If you have trouble with installation or validation... If you have trouble verifying the installation of N-central, the most likely problem is:

• The network firewall is not correctly set up. • You have not correctly and completely reconfigured each PC to allow the exception

for remote administration while using Windows firewall. • WMI services are not configured correctly on user PCs or on the probe device. • You forgot to configure Intel AMT in SMB mode.

First make sure you have set up all networking and security parameters correctly, including firewalls and remote-communication parameters.

Then use the troubleshooting section of this guide or from your N-central documentation to help identify and resolve apparent setup, installation, or configuration problems.

Integration Guide:


- 133 -

Step 4: Verify network communication

Note: Most deployment and connectivity problems occur because Microsoft Windows firewall and/or WMI are not set up correctly for your SMB environment. Make sure you follow the important configuration and installation requirements, recommendations, and considerations for networking, firewalls, and other elements of the SMB environment, as described in detail your N-able documentation. Considerations are also described briefly in the deployment requirements section of this guide.

13. Validate that Windows firewall is configured properly: Verify the Windows firewall settings via the control panel on the target PC.

14. Validate that WMI is configured properly: Run the Microsoft wbemtest utility to test that WMI is configured properly on the PCs you are remotely managing, and that the correct user permissions are set on each PC.

Step 5: Log into N-central 15. Launch N-central. N-central will display the login screen.

16. When prompted, enter your administrator username and password.

17. Click Sign In.

18. If prompted, answer (yes/no) whether you are available to respond to requests for remote desktop support.

Step 6: In N-central, set Intel AMT credentials for the probe

Note: For the N-able probe to identify the PC as an Intel AMT-enabled PC, Intel AMT must be enabled and the Intel AMT security, networking, and operational parameters must be configured correctly on the PC via BIOS and MEBx.

Note: The security credentials set in this procedure must match the credentials (administrator username and password) set in the Intel AMT parameters on the PC. You set these credentials on the PC when you configure Intel AMT via BIOS and MEBx.

19. Select the customer site.

20. Access Setup > Probes to display the probes screen.

21. Open the edit-probe screen so that you can enter Intel AMT credentials:

22. If necessary, enter the probe name, type, network routable address, and description.

Integration Guide:


- 134 -

23. If necessary specify the auto update parameter.

24. Enter the Intel AMT administrator username in the User Name field. This is the same username you used to access the Intel AMT feature in BIOS/MEBx on the target PC during configuration of Intel AMT.

25. Enter the Intel AMT administrator password in the Password field. This must be the same password used to log into the Intel AMT feature in BIOS/MEBx on the target PC during configuration of Intel AMT.

26. Enter the administrator password again in the Confirm Password field to confirm the credentials.

27. Save and finish.

Step 7: Discover the PC Note: You will need the IP address for each PC in order to discover the PCs the

first time. To discover the Intel AMT-enabled PCs, follow these steps:

28. Select the customer site and All Devices view.

29. Access Setup > Asset Management > Auto Discovery.

30. Click Create Auto Discovery Task. N-central then displays the screen for creating discovery tasks and importing devices.


32. Select the probe to use for discovery. For example, select Scan Now.

33. Click the appropriate task button. N-central then executes the discovery task and when finished, updates the status field to “Completed” or something similar. • If this is a new task, click New Task. • If you are modifying the discovery parameters for an existing task, click

Update Task.


Note: N-central does not automatically show you a list of discovered devices when the scan is complete. You must import the list of discovered devices into N-central in order to view the list of new PCs found at the customer site.

If you have trouble discovering the PC If you have trouble establishing remote communications to the PC, check the deployment requirements in this guide, then your system settings, then refer to troubleshooting information in this guide and your N-central documentation.

Integration Guide:


- 135 -

• Check the system requirements and special considerations listed in this section. Make sure your equipment, OSs, network, and other elements are appropriate for your environment.

• Check the configuration or installation settings listed in the solution architecture section and in the three deployment sections (configuring Intel AMT, installing N-central, and integrating the PC with N-central). Make sure you have set up networking and security properly for the PC, servers, and environment.

• Refer to the troubleshooting section of this guide. • Refer to your N-central documentation for more information about discovering PCs

and troubleshooting the process.

Step 8: Import the newly discovered PC 34. Select the customer site.


36. Access Create Autodiscovery Task > Scan.

37. Click Import Discovered Assets. N-central then displays the list of newly discovered PCs for the customer site.



Note: Because you are integrating a desktop PC, do not check the Monitor Local Services checkbox.

40. Click Import Devices. N-central then imports the PCs and displays the list of probes to assign to the PCs.


42. In the Services area, select the services to assign to the PC.

43. Click Finish. N-central then assigns the probe and returns to the device list. You should see the discovered PC in the device list.

Verify that the PC was imported into the management domain 44. Select the customer site and All Devices View. N-central should show the new

Intel AMT-enabled PC in the device list.

45. Click on the name of the Intel AMT-enabled PC. N-central will then display the N-central features for that PC, including the Intel AMT power-control tab.

Integration Guide:


- 136 -

Step 9. Verify that the Intel vPro service is assigned to the PC



47. Select the target PC to which you want to assign the Intel vPro service.

48. If necessary, select the Details tab and verify that the Intel vPro service is checked. N-central should automatically assign this service to any Intel AMT-enabled PC that is found during discovery.

49. Select the Services tab and verify that the Intel vPro service is included in the list of services currently assigned to the PC.

50. Click on the name of the Intel vPro service. N-central then displays details for the service.

51. Make sure the network availability status for Intel vPro is green (active).

Step 10: Configure each PC Follow these steps to set the minimum required fields for an Intel AMT-enabled PC:



54. If necessary, click Add Device to display the screen where you can enter device details.




57. Verify that the monitoring option called Intel vPro Enabled is checked.


Integration Guide:


- 137 -


59. Click OK. N-central then saves the device details and returns the display to the device list.

Step 11: Select the probe for power control 60. If necessary, select the customer site and All Devices View.

61. In the device list, select the name of the PC.

62. Select the power-control tab. N-central then displays the power-control features.

63. Select the probe to use for the Intel AMT power-control feature.

64. Click OK.

N-central then saves your changes and returns the display to the device list.

The Intel AMT-enabled PC is now integrated into N-central. You can now customize N-central for Intel AMT-enabled PCs, or verify integration, as described next.

Verify integration To verify that you have successfully integrated the Intel AMT-enabled PC(s) into N-central, you should verify the settings listed in Table A-2.

Integration Guide:


- 138 -

Table A-2. Settings that help verify integration

Location You should see:

All Devices View for the customer site

• The new Intel AMT-enabled PC should be included in the device list.

Status > Devices > [target PC] • The power-control tab should be available.

Status > Devices > [target PC] > Device Details

• The Intel vPro service should be checked. This service should have been automatically enabled when N-central discovered the Intel AMT-enabled PC

Status > Devices > [target PC] > Device Details

• The UUID and motherboard information should be included in the asset list. This information is pulled from the dedicated, protected Intel AMT memory, which is available regardless of PC power state.

Status > Devices > [target PC] > Services

• The Intel vPro service should be included in the list of available services.

Status > Devices > [target PC] > Services > Intel vPro service > Status tab

• Network availability for the Intel Management Engine should be green (available).

• Power status for the PC should be green (powered on).

Status > Devices > [target PC] > Services > Intel vPro service > Service Details tab

• Monitoring should be enabled.

If you have verified the elements in the procedure, you have verified integration of the PC into N-central, as well as access to the Intel AMT capabilities.

If you have trouble with integration If you have trouble integrating the PC into N-central, the problem is typically with the Windows firewall or WMI settings.

First make sure all elements of your network meet the deployment requirements. Pay special attention to the network and firewall considerations described earlier in this guide.

Refer to the troubleshooting section of this guide for additional information that can help you identify and resolve configuration, installation, or integration problems for PCs, networking, and N-central.

For more information Once you have configured Intel AMT, installed the N-central components, and integrated the PC into N-central, you are ready to begin using the powerful new capabilities of Intel AMT. The use-case section of this guide provides brief procedures to help you get started using the new remote management and security capabilities.

Integration Guide:


- 139 -

Appendix B Accessing BIOS

The commands and/or keys used to access BIOS depend on your PC’s manufacturer. Table B-1 describes typical ways to access BIOS and MEBx for common PC manufacturers.

Refer to your PC manufacturer’s documentation for specific information on how to access BIOS and MEBx for your PC.

Table B-1. Commands/keys to access BIOS

BIOS type Access BIOS via Access MEBx via

ASUS BIOS F10 key During power-on self-test (POST), press Ctrl-P

HP BIOS F10 key During power-on self-test (POST), press Ctrl-P

Intel BIOS F2 key From BIOS, Select Intel(R) ME option

Lenovo BIOS Enter key, then F1 From the BIOS setup utility, access Advanced > AMT submenu

Integration Guide:


- 140 -

Appendix C Acronyms and Glossary

Glossary agent presence. Part of the Intel AMT system defense capabilities, agent presence

provides a mechanism for third-party software applications (such as virus scan or antispyware) to register with Intel AMT and check in at regular intervals with hardware-based timers.

alerting. Intel AMT can send alerts to the remote management console regardless of PC power state or the state of the OS. IT administrators can subscribe or unsubscribe to specific alerts through the event manager service.

configured state. A fully configured state, in which Intel AMT has been configured with power policies, security credentials (in SMB mode, credentials are established via the administrator password), and the settings that activate Intel vPro processor technology capabilities. A PC whose Intel AMT capabilities have been configured, is ready to be integrated into and interact with a third-party management application.

console redirection (SOL). A hardware-based Intel AMT capability. Console redirection allows an authorized IT technician to remotely and securely control a PC’s keyboard and mouse through serial-over-LAN (SOL).

enterprise IT mode. An operational mode for large organizations that have a dedicated IT staff. This is an advanced networking mode that supports TLS and requires a setup application (the configuration service). Most MSP management applications are designed to work in SMB environments. If you are configuring Intel AMT for an SMB environment, you must change the operational mode to SMB mode in order for the MSP third-party management application to access Intel AMT capabilities.

event log. An Intel AMT event log, stored in dedicated, tamper-resistant memory that is not on the hard drive. The event log is accessible to authorized technicians even if the PC is powered down, the OS becomes inoperative, management agents are missing, or hardware (such as a hard drive) has failed.

factory-default state. A state in which security credentials have not been established for AMT capabilities. The factory-default settings for Intel AMT are typically defined for enterprise mode. Typically this means that Intel AMT is enabled, networking is set to enterprise mode, TLS is enabled, and DHCP is enabled. To use Intel AMT capabilities in an SMB environment, you must reconfigure Intel AMT from its factory-default and enterprise-mode settings. Typically, this means setting the operational mode to SMB, disabling TLS, and entering the DHCP or static IP addressing information appropriate for your SMB environment.

host. The PC’s operating system. For static IP addressing in enterprise mode, the host can have a different MAC address than the manageability MAC address used for the Intel Management Engine (which includes Intel AMT). For static IP addressing in SMB mode, you should use the same IP address for both the host (the PC’s OS) and Intel AMT.

local site. In this guide, the term “local site” refers to the customer site.

Integration Guide:


- 141 -

MEBx. The Intel Management Engine BIOS extension. The MEBx settings that are available to IT administrators, and the default values of those settings are vendor-dependent.

networking mode. See operational mode.

networking type. PCs with Intel AMT can be set up for two types of networking: dynamic IP or static IP. Both types of networking are supported by enterprise mode and small-business (SMB) mode.

nonvolatile memory. A hardware-based Intel AMT capability. Nonvolatile memory is dedicated, tamper-resistant memory that is not stored on the hard drive. The information stored in this memory is available to authorized technicians anytime, even if PC power is off, the OS is unresponsive, or hardware (such as a hard drive) has failed. Information stored in nonvolatile memory can include the PC’s unique ID, hardware-asset information, BIOS configuration information, and the Intel AMT event log.

operational mode. Intel AMT can be set up for two types of operational networking (also called networking models): enterprise mode and small-business mode. Both modes support dynamic and static IP addressing. The PC manufacturer typically specifies the default networking type when building the Intel vPro processor technology flash image.

remote boot/redirected boot. A hardware-based Intel AMT capability that allows authorized technicians to remotely boot a PC to a clean state, or redirect the boot device for a problem PC to a clean image on local storage, a CD at the help desk, an image on a remediation server, or to some other remote device. Remote boot is provided through integrated drive electronics redirect (IDE-R).

remote power-up. A hardware-based Intel AMT capability that allows authorized technicians to securely power up, power down, or power reset PCs from the management console.

remote site. In this guide, the term “remote site” refers to the MSP service center or centralized help desk.

setup state. Intel AMT has three states: factory-default state, setup state (initial security credentials are loaded), and configured state (Intel AMT is enabled and configured for remote management). Setup state is the state in which the initial, bootstrap security credentials have been established for Intel AMT. In enterprise mode, credentials include initial administrator password, provisioning passphrase (the PPS, or preshared key), and provisioning identifier (PID). In SMB mode, security credentials are typically only the administrator password. As soon as security credentials have been established Intel AMT is “set up” and ready to be configured. In enterprise mode, setup and configuration are often separate processes. In SMB mode, setup and configuration can be performed as part of the same manual process.

small-business mode. A simplified networking mode that does not support TLS, does not require a setup application, and does not require DHCP or DNS.

simple object access protocol (SOAP). A protocol that allows IT administrators to communicate with PC hardware across the network.

system isolation and recovery. Part of the Intel AMT system defense capabilities, system isolation and recovery provides hardware-based filters for inbound and outbound network traffic, port isolation based on IT-defined policies, and the ability to rate-limit network traffic to allow more time to investigate a threat.

Integration Guide:


- 142 -

third-party data store (3PDS). A persistent space in the Intel AMT nonvolatile memory where third-party vendors can store information, such as software version numbers, .DAT file information, machine IDs, pointers to database information, or other data.

universal unique identifier (UUID). The UUID is the universally unique identifier for the Intel AMT system, as defined by RFC 2459; section 4.1.2.8. The UUID is stored in the Intel AMT persistent, dedicated memory in each PC, and is protected by various security technologies and methodologies depending on your operational mode (enterprise or SMB), such as HTTP digest authentication, TLS, username-password pairs, and access control lists (ACLs).

Acronyms 3PDS Third-party data store

AD Microsoft Active Directory

AMT Intel® Active Management Technology (Intel® AMT)

API Application programming interface

BIOS Basic input/output system

DHCP Dynamic host configuration protocol

DNS Domain name server

FQDN Fully qualified domain name

GUI Graphical user interface

HTTP HyperText transfer protocol

HTTP-S HyperText transfer protocol, security standard

iamt Intel® Active Management Technology (Intel® AMT)

ID Identifier

IDE-R Integrated device electronics redirect. See glossary entry for remote boot.

IP Internet protocol

ISV Independent software vendor, a third-party software vendor

IT Information technology

LAN Local area network

MAC Media access controller

ME Management engine

MEBx Management engine BIOS extension

MEI Intel Management Engine interface

OEM Original equipment manufacturer

Integration Guide:


- 143 -

OS Operating system

PC Personal computer

POST Power-on self-test

PXE Preexecution boot environment. See glossary entry for remote boot.

SDK Software development kit

SMB Small- or medium-business

SNMP Simple network management protocol

SOAP Simple object access protocol

SOL Serial-over-LAN. See glossary entry for console redirection.

SSL Secure sockets layer

SX Sleep state 1 through 5. (Note that S0 is the fully operational state.)

TCP/IP Transmission control protocol/internet protocol

TLS Transport layer security

UI User interface

UUID Universally unique identifier. See glossary entry for UUID

WOL Wake-on-LAN. See glossary entry for remote boot

WSUS Microsoft Windows Server Update Services

XML Extensible markup language

intel integration guide

Documents

contributors contributors

party proprietary rights

nable technologies ncentral

loss of use

intended purpose

theory of liability

lost data

lost profits