Intel vPro Webinars for Q3 ’09http://www.intel.com/go/vproexpert

Topic Time & Registration Link

Introduction to Intel® vPro™ Technology

August 19, 20098:00 AM to 9:30 AM PDTRecorded Session Available

Enhancing the Symantec Management Platform (Altiris) with Intel® vPro™ Technology

September 2, 20098:00 AM to 9:30 AM PDTRecorded Session Available

Beyond the Firewall: Using Fast Call for Help to manage PCs with vPro Technology

September 16, 20098:00 AM to 9:30 AM PDTTodays Session

GoToWebinar Attendee Interface

Viewer Window Control Panel

Type yourquestions

here

• Enter your Audio PIN when joining the webinar• Submit your questions via the GoToWebinar Control Panel• This session is being recorded for future viewing• For support, send e-mail during this session to:

– Michele Gartner (michele.gartner@intel.com)– Ramesh Dontha (ramesh.k.dontha@intel.com)

Beyond the Firewall: Using Fast Call for Help to Manage PCs with Intel vPro

technologyBrad Lund

Sr. Systems Engineer, Intel CorporationGuy Offer

Check Point Software Technologies

Intel® vPro Training

Agenda• Intel® vPro Overview• Fast Call for Help Overview• vPro Enabled Gateway – Check Point• Fast Call for Help Usages• Client Connection and Manageability outside Firewalls –

Demo (~ 6 Mins)• FCH Deployment Considerations• Summary• Links to Important Documents• Contact Information• Questions

4

Intel® vPro Training

Processor

• Intel® Core™2 Duo processor or

• Intel® Core™2 Quad processor

Security• Intel® Virtualization

Technology

• Intel® Trusted Execution Technology

Chipset Network

What is Intel® vPro™ Technology?

Intel® vPro™ technology: security and manageability on the chip

Network Access Independent of Operating System State• Intel® Active Management

Technology

Security and Manageability

• Manageability Engine

• Non-Volatile Memory

• Intel® Active Management Technology

• Intel® Virtualization Technology

Encrypted, remote power-on and update

Remote diagnostics and repair

Intel® vPro™ Technology Usage CasesExamples

Hardware and software inventory

Agent presence checking

Hardware-based isolation and recovery

Intel® vPro Training

Fast Call for Help(FCH)Extending the reach of Intel vPro via Checkpoint

MANAGEMENT CONSOLECLIENT OUTSIDE FIREWALL GATEWAY INSIDE DMZ

FIR

EW

ALL

FIR

EW

ALL

Intel® vPro Training

Fast Call for Help (FCH) Overview• New feature (introduced in AMT4) that enables an AMT client

that resides in a remote location to initiate a secure (TLS) out of band communication back to the organization

• Scenarios/Usages: – Reaching clients located outside enterprise– Remote Diagnostics/Repair– Remote Scheduled Maintenance

• Requires a vPro Enabled Gateway (vPEG) in the Corporate Demilitarized Zone (DMZ)

• Fast Call for Help only available on wired connections

8

Intel® vPro Training

Fast Call for Help (FCH) Flow

DMZ

vPro Enabled Gateway Management

ConsoleGateway sends connection events to Management Console

Internet

Firewall

Secured Out of Band management session between client and Gateway

User initiated request during pre-boot or operating system utility1

5Out-Of-Band management communication sent from console via Gateway

4

Client Desktop or LaptopFirewall

2 Out of Band connection request to Intel® vPro Technology Enabled Gateway

Solution

3

LAN

9

vPro Enabled Gateway

Intel® vPro Training

Check Point vPro enabled gateway• Management Presence Server (MPS) is embedded inside the Check Point

Security Gateway (one box). • SSL tunnels from vPro machines are being terminated by the Check Point

VPN-1 remote access termination point.• The security gateway protects the vPro SSL termination point.• SSL traffic from vPro machines undergoes IP and TCP security inspections.• vPro authentication methods: client certificate (SSL mutual

authentication), password or none (server only). • vPro machines credentials are managed by a LDAP server (e.g. using

Microsoft Active Directory Server).• Administrator can either register all the machines names in a database or

provide the general structure of the enterprise machines’ certificates.• More security inspections to be added in the future.

The enterprise network

vPro PCs inside the local network

Check Point SmartCenter security management

Altiris vPro management console

vPro PCs outside the enterprise network.

Check Point vPro enabled security gateway

Internet

Enterprise network Internet

Users and machines database

APF/SSL

LDAPSOAP, SOL/IDER

vPro management protocols

SOAP, SOL/IDER

Intel® vPro Training

Check Point vPro enabled gateway advantages

• Full integration of the Intel Fast Call for Help architecture into the Check Point security gateway.

• vPro remote-access SSL termination point is secured and supported by Check Point.

• One box solution – the MPS component is integrated with the security gateway in one box.

• Total management – all IT security policy aspects: fw rules, SmartDefence protections, VPN, together with the vPro remote-access issues, are managed integrally by the Check Point SmartCenter management.

• Users and machines database – users and machines credentials are managed comfortably together in one database. Same users and machines database can be used for company security issues and the vPro issues.

• Additional benefits that comes with the security gateway such as high availability, logging, security updates, etc.

Fast Call for Help Usages

15

Remote Diagnostics and Repair

Network

vPro™ Enabled Gateway

Enterprise IT Management

Console

vPro™ Enabled Gateway sends connection events to Management Console

Internet Firewall

Management console operator makes the required repairs required to client system

6

Remote worker experiences system failure. IT instructs user to initiate FCH connection. A secure tunnel is created between system and vPro™ enabled gateway

1

4

Management Console Operator connects to vPro system; begins diagnostic process

Management Console list pre registered in the vPro™ Enabled Gateway

2

3

Firewall

DMZ

Desktop or Notebook PCs with Intel® vPro™ technology

Reduce Costly Site Visits – Reach Out and Repair in Real Time

vPro™ Enabled Gateway mediates connection with the TLS Session

5

16

Remote Scheduled Maintenance

Network

vPro™ Enabled Gateway

vPro™ Enabled Gateway sends connection events to Management Console

Internet Firewall

Management console pushes update to client system

6

Scheduled ‘TLS call home’ opens secure tunnel between system and vPro™ enabled gateway

1

4

Management Console looks to see if updates need to be made

Management Console list pre registered in the vPro™ Enabled Gateway

2

3

Firewall

DMZ

Desktop or Notebook PCs with Intel® vPro™ technology

Schedule Maintenance When It’s Convenient for You – While Everyone is Asleep

vPro™ Enabled Gateway mediates connection with the TLS Session

5

Enterprise IT Management

Console

Manage Client Outside Enterprise

Demo

Intel® vPro Training

Demo – Using MC to Manage Clients Outside Enterprise

• Clients use vPro Icon to connect to vPro Gateway• vPro Gateway issues Notification to MC• Use Altiris 7 to assign image files for IDE redirection

to clients• Show various reboot options

Intel® vPro Training

Fast Call for Help Flow - Revisited

FCH Event triggeredAMT opens TLS

connection to vPEG in the DMZ

vPEGauthenticates AMT

vPEG proxies traffic between consoles

and AMTClient

19

DEMO

Deployment Considerations

Intel® vPro Training

Planning FCH Deployment1. Active Directory must be configured for AMT

Note: AD Setup out of scope for this presentation, however currently configured vPro environments will have much of the required modifications. Consult your management console ISV for specific requirements

2. Activate Client with proper AMT settings – AMT must be provisioned while inside the corporate network.

3. Setup the vPro Gateway4. Adjust the internal and external firewalls

– Gateway vendors use different ports for listening, HTTP and SSL

5. Setup the Management Console <-> vPro Enabled Gateway communication

Intel® vPro Training

Base Requirements / ChecklistRequirement Checklist ItemClientPlatform AMT >=4.0

Environment Detection Option 15 value

Gateway settings IP(s), FQDN(s), SSL listen port

Desired Usages At least one Policy defined (see next slide)

Certificates Certificates; choose a CA and define templates – Note: LANDesk pre-assigns

GatewayISV Checkpoint or LANDesk

IP / FQDN IP(s), FQDN(s)

SSL port accessible from the Internet SSL Listen port

Socks & http proxy ports accessible from the Intranet

Socks port, HTTP Proxy port

ISV Alert Listen address Alert Listen URI, Username, Password

Certificates Certificates; choose a CA, define templates, and create certificates – Note: LANDesk pre-configures this

ConsoleISV Altiris or LANDesk

Gateway settings IP(s), FQDN(s), Socks port, HTTP Proxy port

Client PoliciesPolicy Name Usage Description

User Initiated Connection Fast Call for HelpDiagnostics and

Repair

Knowledge Worker needs help from IT Support. They can use an OS tool (In Band) or a BIOS / MEBx tool (OOB) to initiate the connection. This may be used to augment a phone call or may replace it.

Periodic Connection Remote Scheduled Maintenance

AMT client connects to vPEG based on a timer (number of seconds).

Intel® vPro Training

Summary• FCH Solves Real Problems

– Remote Diagnose/Repair, Scheduled Maintenance• Create Profiles and Provision Clients

– Create Client and Trusted Certificates• Install vPro Gateway in DMZ

– Adjust Firewall Rules to allow AMT/MC to connect• Fast Call for Help - Ready for Action!

Intel® vPro Training

Further Reading

• Fast Call for Help - Considerations For Enterprise Integration– http://communities.intel.com/docs/DOC-3183

• Intel® vPro™ Technology - Technical Use Cases– http://communities.intel.com/docs/DOC-1560

• Quick Start Guide for Altiris* and Intel® AMT– http://communities.intel.com/docs/DOC-1400

• List of resources and insights to provisioning Intel vPro in an Altiris environment– http://communities.intel.com/docs/DOC-2032

Presenters: Brad Lund

Brad.Lund@intel.comGuy Offer

guyof@checkpoint.com

Thank you!

Questions