Intel vPro Webinars for Q3 ’09 (http://www.intel.com/go/vproexpert)

Topic, Time & Registration Link
• Introduction to Intel® vPro™ Technology: August 19, 2009, 8:00 AM to 9:30 AM PDT (recorded session available)
• Enhancing the Symantec Management Platform (Altiris) with Intel® vPro™ Technology: September 2, 2009, 8:00 AM to 9:30 AM PDT (recorded session available)
• Beyond the Firewall: Using Fast Call for Help to manage PCs with vPro Technology: September 16, 2009, 8:00 AM to 9:30 AM PDT (today’s session)
GoToWebinar Attendee Interface (Viewer Window and Control Panel)
• Enter your Audio PIN when joining the webinar
• Submit your questions via the GoToWebinar Control Panel (“Type your questions here”)
• This session is being recorded for future viewing
• For support, send e-mail during this session to:
  – Michele Gartner ([email protected])
  – Ramesh Dontha ([email protected])
Beyond the Firewall: Using Fast Call for Help to Manage PCs with Intel vPro technology
Brad Lund, Sr. Systems Engineer, Intel Corporation
Guy Offer, Check Point Software Technologies
Intel® vPro Training
Agenda
• Intel® vPro Overview
• Fast Call for Help Overview
• vPro Enabled Gateway – Check Point
• Fast Call for Help Usages
• Client Connection and Manageability outside Firewalls – Demo (~6 mins)
• FCH Deployment Considerations
• Summary
• Links to Important Documents
• Contact Information
• Questions
What is Intel® vPro™ Technology?
Intel® vPro™ technology: security and manageability on the chip

Processor
• Intel® Core™2 Duo processor or
• Intel® Core™2 Quad processor
Security
• Intel® Virtualization Technology
• Intel® Trusted Execution Technology
Chipset (security and manageability)
• Manageability Engine
• Non-Volatile Memory
• Intel® Active Management Technology
• Intel® Virtualization Technology
Network: access independent of operating system state
• Intel® Active Management Technology

Intel® vPro™ Technology Usage Cases (examples)
• Encrypted, remote power-on and update
• Remote diagnostics and repair
• Hardware and software inventory
• Agent presence checking
• Hardware-based isolation and recovery
Fast Call for Help (FCH): Extending the reach of Intel vPro via Check Point
[Diagram: client outside the firewall on the left, vPro enabled gateway inside the DMZ between the external and internal firewalls, management console on the internal network on the right]
Fast Call for Help (FCH) Overview
• New feature (introduced in AMT 4.0) that enables an AMT client residing in a remote location to initiate a secure (TLS) out-of-band connection back to the organization. Because the client opens the connection, the remote PC needs no inbound port reachable from the Internet; only the gateway’s listener is exposed.
• Scenarios/Usages:
  – Reaching clients located outside the enterprise
  – Remote Diagnostics/Repair
  – Remote Scheduled Maintenance
• Requires a vPro Enabled Gateway (vPEG) in the corporate Demilitarized Zone (DMZ)
• Fast Call for Help is only available on wired connections
Fast Call for Help (FCH) Flow
[Diagram: client desktop or laptop on the Internet, firewall, vPro Enabled Gateway in the DMZ, firewall, Management Console on the LAN]
1. User-initiated request during pre-boot or from an operating system utility
2. Out-of-band connection request to the Intel® vPro Technology Enabled Gateway solution
3. Secured out-of-band management session established between the client and the Gateway
4. Gateway sends connection events to the Management Console
5. Out-of-band management communication sent from the console via the Gateway
vPro Enabled Gateway
Check Point vPro enabled gateway
• Management Presence Server (MPS) is embedded inside the Check Point Security Gateway (one box).
• SSL tunnels from vPro machines are terminated by the Check Point VPN-1 remote access termination point.
• The security gateway protects the vPro SSL termination point.
• SSL traffic from vPro machines undergoes IP and TCP security inspections.
• vPro authentication methods: client certificate (SSL mutual authentication), password, or none (server-side authentication only; with “none” any client that can reach the listener is accepted, so it is suitable only for testing).
• vPro machine credentials are managed by an LDAP server (e.g. Microsoft Active Directory).
• Administrator can either register all the machine names in a database or provide the general structure of the enterprise machines’ certificates.
• More security inspections to be added in the future.
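The last two bullets describe how the gateway decides which authenticated certificates belong to enterprise machines. The following is an added example, not Check Point’s or Intel’s code, modelling both modes in Python: an explicit list of registered machine names, and an anchored pattern describing the enterprise certificate structure. The issuer DN, the domain and the host names are assumptions, and certificates are represented as plain dicts of the two fields a gateway would read from the already-verified chain. The detail worth copying is that the structure pattern is anchored and escaped and the issuer is checked separately; an unanchored CN pattern would accept pc-0042.corp.example.com.attacker.net.

```python
"""Model of the gateway's machine-authorization step after SSL mutual authentication.

Added example, not Check Point's or Intel's code. Implements the two modes named
on the slide: a registered list of machine names, or the general structure of the
enterprise machines' certificates. The issuer DN, domain and host names are
assumptions; certificates are plain dicts of the fields a gateway would read
from the already-verified chain.
"""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Assumed DN of the enterprise CA that issues AMT client certificates.
TRUSTED_ISSUER = "CN=Corp AMT Client CA,O=Example Corp"


@dataclass
class Policy:
    registered: set[str] = field(default_factory=set)   # mode 1: explicit machine names
    structure: re.Pattern | None = None                 # mode 2: allowed subject CN shape


def registered_policy(names) -> Policy:
    """Mode 1: only machines whose certificate CN is in the database are accepted."""
    return Policy(registered={n.lower() for n in names})


def structure_policy(domain: str) -> Policy:
    """Mode 2: CN must be <host>.<domain> with <host> a single DNS label.
    \\A and \\Z anchor the match and re.escape() protects the dots, so
    'pc-0042.corp.example.com.attacker.net' and 'pc-0042.corpXexample.com' fail."""
    pattern = re.compile(
        r"\A[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\." + re.escape(domain) + r"\Z",
        re.IGNORECASE)
    return Policy(structure=pattern)


def authorize(cert: dict, policy: Policy) -> tuple[bool, str]:
    """Decide whether an authenticated client certificate belongs to an enterprise
    vPro machine. A valid chain is not enough: the issuer must be the enterprise
    CA, and the subject must satisfy whichever mode is configured."""
    if cert.get("issuer") != TRUSTED_ISSUER:
        return False, "issuer is not the enterprise AMT client CA"
    cn = cert.get("subject_cn", "")
    if policy.registered:
        if cn.lower() in policy.registered:
            return True, "registered machine"
        return False, "machine not registered"
    if policy.structure is not None:
        if policy.structure.match(cn):
            return True, "matches enterprise certificate structure"
        return False, "CN does not match enterprise structure"
    return False, "no authorization policy configured"   # fail closed


# Constructed sample certificates (subject CN and issuer only).
SAMPLE_CERTS = {
    "enterprise_pc": {"issuer": TRUSTED_ISSUER, "subject_cn": "pc-0042.corp.example.com"},
    "lookalike":     {"issuer": TRUSTED_ISSUER, "subject_cn": "pc-0042.corp.example.com.attacker.net"},
    "wrong_ca":      {"issuer": "CN=Public Web CA,O=Other", "subject_cn": "pc-0042.corp.example.com"},
    "two_labels":    {"issuer": TRUSTED_ISSUER, "subject_cn": "a.b.corp.example.com"},
}


def demo() -> dict[str, bool]:
    """Run every sample through the structure policy for corp.example.com."""
    policy = structure_policy("corp.example.com")
    return {name: authorize(cert, policy)[0] for name, cert in SAMPLE_CERTS.items()}


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:14s} {'accept' if ok else 'reject'}")
```

Registered-list mode is the tighter control and is what the slide’s LDAP-backed database supports directly; structure mode trades that for zero per-machine administration, which is why the pattern must be strict about both ends of the name.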
[Diagram: Check Point vPro enabled security gateway between the enterprise network and the Internet. Inside the enterprise network: vPro PCs on the local network, Check Point SmartCenter security management, the Altiris vPro management console, and the users and machines database. Outside: vPro PCs on the Internet. Protocols: APF/SSL from the outside vPro PCs to the gateway; LDAP from the gateway to the users and machines database; SOAP and SOL/IDER (the vPro management protocols) from the console, through the gateway, to the PCs.]
Check Point vPro enabled gateway advantages
• Full integration of the Intel Fast Call for Help architecture into the Check Point security gateway.
• The vPro remote-access SSL termination point is secured and supported by Check Point.
• One-box solution: the MPS component is integrated with the security gateway in one box.
• Total management: all IT security policy aspects (firewall rules, SmartDefense protections, VPN) together with the vPro remote-access settings are managed integrally by Check Point SmartCenter management.
• Users and machines database: user and machine credentials are managed together in one database. The same database can be used for company security and for vPro.
• Additional benefits that come with the security gateway, such as high availability, logging, security updates, etc.
Fast Call for Help Usages
Remote Diagnostics and Repair
[Diagram: desktop or notebook PCs with Intel® vPro™ technology on the Internet, firewall, vPro™ Enabled Gateway in the DMZ, firewall, Enterprise IT Management Console on the network]
1. Remote worker experiences a system failure. IT instructs the user to initiate an FCH connection. A secure tunnel is created between the system and the vPro™ Enabled Gateway.
2. The Management Console list is pre-registered in the vPro™ Enabled Gateway.
3. The vPro™ Enabled Gateway sends connection events to the Management Console.
4. The Management Console operator connects to the vPro system and begins the diagnostic process.
5. The vPro™ Enabled Gateway mediates the connection with the TLS session.
6. The Management Console operator makes the required repairs to the client system.
Reduce Costly Site Visits – Reach Out and Repair in Real Time
Remote Scheduled Maintenance
[Diagram: desktop or notebook PCs with Intel® vPro™ technology on the Internet, firewall, vPro™ Enabled Gateway in the DMZ, firewall, Enterprise IT Management Console on the network]
1. A scheduled ‘TLS call home’ opens a secure tunnel between the system and the vPro™ Enabled Gateway.
2. The Management Console list is pre-registered in the vPro™ Enabled Gateway.
3. The vPro™ Enabled Gateway sends connection events to the Management Console.
4. The Management Console checks whether updates need to be made.
5. The vPro™ Enabled Gateway mediates the connection with the TLS session.
6. The Management Console pushes the update to the client system.
Schedule Maintenance When It’s Convenient for You – While Everyone is Asleep
Manage Client Outside Enterprise – Demo

Demo – Using MC to Manage Clients Outside Enterprise
• Clients use the vPro icon to connect to the vPro Gateway
• The vPro Gateway issues a notification to the MC
• Use Altiris 7 to assign image files for IDE redirection to clients
• Show various reboot options
Fast Call for Help Flow - Revisited
FCH event triggered -> AMT opens a TLS connection to the vPEG in the DMZ -> vPEG authenticates AMT -> vPEG proxies traffic between the consoles and the AMT client
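To make the last step of that flow concrete, here is an added example, not Intel’s or Check Point’s MPS code, modelling the console-to-gateway side in Python. The deck only says the console reaches the gateway on a SOCKS port; this example assumes SOCKS5 with domain-name addressing so the console can name the AMT client by FQDN, assumes the standard AMT ports 16992 (HTTP) and 16993 (HTTPS) as the only permitted targets, and uses constructed host names and tunnel identifiers. The point it shows is that the gateway resolves the requested name against tunnels it has itself authenticated, never against a name the console asserts, and fails closed for unknown clients and for non-AMT ports.

```python
"""Model of the "vPEG proxies traffic between consoles and AMT client" step.

Added example, not Intel's or Check Point's MPS code. Assumes SOCKS5 (RFC 1928)
with domain-name addressing (ATYP 0x03) on the gateway's SOCKS port and the
standard Intel AMT ports 16992 (HTTP) / 16993 (HTTPS) as the only relay targets.
Host names and tunnel identifiers are constructed sample data.
"""
from __future__ import annotations
import struct

SOCKS_VER, CMD_CONNECT, ATYP_DOMAIN = 0x05, 0x01, 0x03
AMT_PORTS = {16992, 16993}   # assumed: only AMT's HTTP/HTTPS ports may be reached through a tunnel
# SOCKS5 reply codes (RFC 1928 section 6)
REP_SUCCESS, REP_FAILURE, REP_NOT_ALLOWED, REP_HOST_UNREACH = 0x00, 0x01, 0x02, 0x04


def build_connect(host: str, port: int) -> bytes:
    """Console side: SOCKS5 CONNECT request naming the AMT client by FQDN."""
    name = host.encode("idna")
    if not 0 < len(name) < 256:
        raise ValueError("hostname length must fit one byte")
    return (struct.pack("!BBBBB", SOCKS_VER, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(name))
            + name + struct.pack("!H", port))


def parse_connect(req: bytes) -> tuple[str, int]:
    """Gateway side: strict parse; anything but CONNECT to a domain name is rejected."""
    if len(req) < 7 or req[0] != SOCKS_VER:
        raise ValueError("not a SOCKS5 request")
    if req[1] != CMD_CONNECT:
        raise ValueError("only CONNECT is supported")
    if req[3] != ATYP_DOMAIN:
        raise ValueError("only domain-name addresses are supported")
    n = req[4]
    if len(req) != 5 + n + 2:
        raise ValueError("truncated request or trailing bytes")
    host = req[5:5 + n].decode("idna").lower()
    port = struct.unpack("!H", req[5 + n:])[0]
    return host, port


class Gateway:
    """Registry of FCH tunnels, keyed by the identity the gateway authenticated
    on the AMT client's TLS connection, never by a name the console supplies."""

    def __init__(self):
        self.tunnels: dict[str, str] = {}

    def client_connected(self, authenticated_fqdn: str, tunnel_id: str) -> dict:
        fqdn = authenticated_fqdn.lower()
        self.tunnels[fqdn] = tunnel_id
        return {"event": "connected", "client": fqdn}   # the connection event sent to the console

    def client_disconnected(self, fqdn: str) -> None:
        self.tunnels.pop(fqdn.lower(), None)

    def handle_console_request(self, req: bytes) -> tuple[int, str | None]:
        """Return (SOCKS5 reply code, tunnel to splice the console onto or None)."""
        try:
            host, port = parse_connect(req)
        except ValueError:
            return REP_FAILURE, None
        if port not in AMT_PORTS:
            return REP_NOT_ALLOWED, None      # the gateway is a relay to AMT, not a general proxy
        tunnel = self.tunnels.get(host)
        if tunnel is None:
            return REP_HOST_UNREACH, None     # client never called home, or has since dropped
        return REP_SUCCESS, tunnel


def demo() -> dict:
    """Walk the flow: client calls home, console connects, client drops."""
    gw = Gateway()
    gw.client_connected("laptop-17.corp.example.com", "tls-conn-0001")        # flow steps 1-3
    ok = gw.handle_console_request(build_connect("LAPTOP-17.corp.example.com", 16993))
    unknown = gw.handle_console_request(build_connect("laptop-99.corp.example.com", 16993))
    bad_port = gw.handle_console_request(build_connect("laptop-17.corp.example.com", 22))
    gw.client_disconnected("laptop-17.corp.example.com")
    gone = gw.handle_console_request(build_connect("laptop-17.corp.example.com", 16993))
    return {"ok": ok, "unknown": unknown, "bad_port": bad_port, "gone": gone}


if __name__ == "__main__":
    print(demo())
```

The connection-event dict returned by client_connected is the stand-in for the alert the gateway posts to the console’s alert listen URI; in a real deployment that URI, its credentials and the SOCKS port are the checklist items under “Gateway” later in this deck.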
Deployment Considerations
Planning FCH Deployment
1. Active Directory must be configured for AMT
   Note: AD setup is out of scope for this presentation; however, currently configured vPro environments will already have much of the required modifications. Consult your management console ISV for specific requirements.
2. Activate the client with the proper AMT settings. AMT must be provisioned while inside the corporate network.
3. Set up the vPro Gateway
4. Adjust the internal and external firewalls
   – Gateway vendors use different ports for listening, HTTP and SSL
5. Set up the Management Console <-> vPro Enabled Gateway communication
Base Requirements / Checklist

Client
  Requirement                 Checklist Item
  Platform                    AMT >= 4.0
  Environment Detection       DHCP Option 15 (domain name) value(s) that identify the enterprise network
  Gateway settings            IP(s), FQDN(s), SSL listen port
  Desired Usages              At least one Policy defined (see next slide)
  Certificates                Certificates; choose a CA and define templates (Note: LANDesk pre-assigns)

Gateway
  Requirement                 Checklist Item
  ISV                         Check Point or LANDesk
  IP / FQDN                   IP(s), FQDN(s)
  SSL port accessible from the Internet                    SSL listen port
  SOCKS & HTTP proxy ports accessible from the Intranet    SOCKS port, HTTP proxy port
  ISV Alert Listen address    Alert listen URI, username, password
  Certificates                Certificates; choose a CA, define templates, and create certificates (Note: LANDesk pre-configures this)

Console
  Requirement                 Checklist Item
  ISV                         Altiris or LANDesk
  Gateway settings            IP(s), FQDN(s), SOCKS port, HTTP proxy port
Client Policies

Policy Name: User Initiated Connection
  Usage: Fast Call for Help / Diagnostics and Repair
  Description: Knowledge worker needs help from IT Support. They can use an OS tool (in-band) or a BIOS / MEBx tool (out-of-band) to initiate the connection. This may be used to augment a phone call or may replace it.

Policy Name: Periodic Connection
  Usage: Remote Scheduled Maintenance
  Description: AMT client connects to the vPEG based on a timer (number of seconds).
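The checklist ties environment detection to “Option 15”, the DHCP Domain Name option, and the two policies above decide when an out-of-enterprise client calls home. The following is an added example, not Intel firmware code, that models both in Python: it parses option 15 out of a constructed DHCP options field, compares it with the configured enterprise domains on DNS label boundaries, and applies the user-initiated and periodic policies. The enterprise domain list and the timer period are assumptions. Two practitioner points are built in: a bare suffix match would treat notcorp.example.com as inside corp.example.com, and a missing or unparsable option 15 is treated as outside rather than inside. Option 15 is handed out by whatever DHCP server answers on the local network and is not authenticated, so the inside/outside result is a convenience signal for triggering FCH; the gateway’s mutual TLS authentication is what actually gates access.

```python
"""Model of AMT environment detection (DHCP option 15) feeding the two client policies.

Added example, not Intel firmware code. The checklist ties environment detection
to "Option 15", the DHCP Domain Name option (RFC 2132). This model parses that
option out of a constructed DHCP options field and compares it with the configured
enterprise domains on DNS label boundaries. The enterprise domain list and the
timer period are assumptions.
"""
from __future__ import annotations

OPT_PAD, OPT_DOMAIN_NAME, OPT_END = 0, 15, 255
ENTERPRISE_DOMAINS = ["corp.example.com"]   # assumed: the domains configured for detection


def parse_dhcp_options(options: bytes) -> dict[int, bytes]:
    """Parse the TLV options field: code, length, value. PAD has no length byte,
    END terminates the list, and a truncated value is an error rather than a guess."""
    out: dict[int, bytes] = {}
    i = 0
    while i < len(options):
        code = options[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError(f"option {code} has no length byte")
        n = options[i + 1]
        value = options[i + 2:i + 2 + n]
        if len(value) != n:
            raise ValueError(f"option {code} truncated")
        out[code] = value
        i += 2 + n
    return out


def domain_in_enterprise(domain: str, enterprise_domains) -> bool:
    """True if domain equals an enterprise domain or is a subdomain of one.
    Matching is case-insensitive and on label boundaries: a bare endswith()
    would accept 'notcorp.example.com' for 'corp.example.com'."""
    d = domain.rstrip(".").lower()
    for ent in enterprise_domains:
        e = ent.rstrip(".").lower()
        if d == e or d.endswith("." + e):
            return True
    return False


def environment(options: bytes, enterprise_domains) -> str:
    """'inside' if option 15 names an enterprise domain, otherwise 'outside'.
    No option 15, an empty one, or a non-ASCII one all count as outside."""
    raw = parse_dhcp_options(options).get(OPT_DOMAIN_NAME)
    if not raw:
        return "outside"
    try:
        domain = raw.split(b"\x00")[0].decode("ascii")   # tolerate a trailing NUL some servers send
    except UnicodeDecodeError:
        return "outside"
    return "inside" if domain_in_enterprise(domain, enterprise_domains) else "outside"


def should_call_home(options: bytes, enterprise_domains, policy: str,
                     user_requested: bool = False, seconds_since_last: int = 0,
                     period: int = 3600) -> bool:
    """Apply the two slide policies. FCH is for clients outside the enterprise;
    inside, the console reaches AMT directly, so neither policy fires."""
    if environment(options, enterprise_domains) == "inside":
        return False
    if policy == "user_initiated":      # OS tool or BIOS/MEBx tool used by the user
        return user_requested
    if policy == "periodic":            # timer in seconds
        return seconds_since_last >= period
    raise ValueError(f"unknown policy {policy!r}")


def dhcp_options(domain: str) -> bytes:
    """Constructed DHCP options field: router option 3, then option 15, PAD, END."""
    d = domain.encode("ascii")
    return bytes([3, 4, 10, 0, 0, 1, OPT_DOMAIN_NAME, len(d)]) + d + bytes([OPT_PAD, OPT_END])


if __name__ == "__main__":
    for dom in ("corp.example.com", "eu.corp.example.com", "notcorp.example.com", "hotel.example.net"):
        print(dom, environment(dhcp_options(dom), ENTERPRISE_DOMAINS))
```

The period default of 3600 seconds is only a placeholder; the slide leaves the timer value to the administrator, and the value chosen governs how long a client that has fallen off the enterprise network can go unmanaged before its next scheduled call home.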
Summary
• FCH solves real problems
  – Remote diagnose/repair, scheduled maintenance
• Create profiles and provision clients
  – Create client and trusted certificates
• Install the vPro Gateway in the DMZ
  – Adjust firewall rules to allow AMT/MC to connect
• Fast Call for Help - ready for action!
Further Reading
• Fast Call for Help - Considerations For Enterprise Integration
  – http://communities.intel.com/docs/DOC-3183
• Intel® vPro™ Technology - Technical Use Cases
  – http://communities.intel.com/docs/DOC-1560
• Quick Start Guide for Altiris* and Intel® AMT
  – http://communities.intel.com/docs/DOC-1400
• List of resources and insights on provisioning Intel vPro in an Altiris environment
  – http://communities.intel.com/docs/DOC-2032
Questions