Intel AMT Reflector and local manageability

By Ylian Saint-hilaire (Intel) (76 posts) on May 14, 2008 at 2:01 am

As many of you may know, there are two ways of contacting Intel AMT: the remote network interface and the local LMS/HECI interface. These interfaces are very different: the remote interface, available through the wired and sometimes wireless Ethernet, is rich with features, while the local Intel AMT interface is very limited. Intel AMT was designed this way from the start for security. Intel AMT, acting as an IT agent on desktops and laptops, could not be allowed to be meddled with by the local user or by local applications that could try to use or deactivate it. That, at least, was the original design intent.

Times have changed, it seems, and many users of Intel AMT don’t see local users and applications as always being hostile. There are many reasons why it would be very interesting to access all of the features of Intel AMT locally. For example

Instead of seeing the local user as hostile, local applications now cooperate to set up Intel AMT so that if something goes wrong, it’s ready to be used to recover the computer. All this and more would be possible if Intel AMT allowed local applications full access to all the remote interface features.

A local application can’t simply connect to TCP port 16992 or 16993 and access all of the Intel AMT features, since the traffic has to flow through the gigabit network interface. Connecting to 127.0.0.1 will not work; that reaches the more limited local interface.

The solution is to use a reflection application like Intel AMT Reflector, found in the Intel AMT DTK. This tool runs on a central, always-on server and simply reflects all TCP connections back to their source on ports 16992 to 16995. Using this tool, an Intel AMT console or even a web browser can connect to “http://reflector:16992” and log into its own Intel AMT remote services. However, there are issues with this solution: you need this reflector tool running, and you need to know where on the network it is running. Also, a rogue application could log into the remote interface and put in place an annoying circuit breaker policy to drop all packets, etc.
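A minimal sketch of the reflection idea described above, as an added example and not the DTK's Intel AMT Reflector code. The port range comes from the post; the source-subnet allowlist (`ALLOWED_NETS`, a constructed documentation range), the loopback refusal and the log lines are assumptions added here so the server only reflects for managed hosts. Authentication is still performed by Intel AMT itself.

```python
import asyncio
import ipaddress

AMT_PORTS = range(16992, 16996)  # 16992-16995, the ports named in the post
# Assumption: subnet of managed machines (constructed documentation range).
ALLOWED_NETS = [ipaddress.ip_network("192.0.2.0/24")]

def reflect_target(peer_ip, local_port, allowed=ALLOWED_NETS):
    """Return the (host, port) to connect back to, or None to refuse."""
    addr = ipaddress.ip_address(peer_ip)
    if local_port not in AMT_PORTS:
        return None
    # A loopback peer would be reflected onto the reflector itself.
    if addr.is_loopback or not any(addr in net for net in allowed):
        return None
    return (str(addr), local_port)

async def pump(reader, writer):
    """Copy bytes one way until EOF, then close the far side."""
    try:
        while data := await reader.read(65536):
            writer.write(data)
            await writer.drain()
    except ConnectionError:
        pass
    finally:
        writer.close()

async def handle(c_reader, c_writer):
    peer_ip = c_writer.get_extra_info("peername")[0]
    local_port = c_writer.get_extra_info("sockname")[1]
    target = reflect_target(peer_ip, local_port)
    if target is None:
        print(f"refused {peer_ip} on port {local_port}")
        c_writer.close()
        return
    print(f"reflecting {peer_ip} -> {target[0]}:{target[1]}")
    try:
        # Connect back to the caller's own address on the same port.
        a_reader, a_writer = await asyncio.open_connection(*target)
    except OSError:
        c_writer.close()
        return
    await asyncio.gather(pump(c_reader, a_writer), pump(a_reader, c_writer))

async def main():
    servers = [await asyncio.start_server(handle, "0.0.0.0", p) for p in AMT_PORTS]
    await asyncio.gather(*(s.serve_forever() for s in servers))

if __name__ == "__main__":
    asyncio.run(main())
```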

In the future, Intel AMT itself could be modified to allow all services on the local interface, removing the need for the reflector. There are security considerations, of course, but feedback from users of Intel AMT on this idea would be appreciated.

Ylian

Intel AMT Reflector

Categories: Manageability

Comments (7)

By Maria Camila Gomez-silva on May 14th, 2008 at 3:41 pm
I couldn't agree more!

I have not considered before the Local access as a way to have a provisioning alternative! But it sounds like a good solution for the provisioning process!

Maria

By quantumbinary on May 23rd, 2008 at 8:13 pm
Bought a server and 4 workstations with Intel AMT after having read many articles concerning it. I then find out that Intel has ceased distribution of the software at the following link.

http://softwarecommunity.intel.com/articles/eng/1034.htm

My problem: No other download version of it exists on the net (after MUCH searching). Intel has informed me to: "Please check back to this page after June 15, 2008 to download the Intel AMT DTK." I was eager to spend a few days of vacation time playing with the AMT DTK.

By Ylian Saint-hilaire (Intel) on May 25th, 2008 at 8:20 am
Actually, the software was put back for download a few weeks ago. It was removed for about one week.

By quantumbinary on May 26th, 2008 at 11:30 am
The only available download link I can find is the following:
http://softwarecommunity.intel.com/articles/eng/1034.htm
Looking at the HTML source, I noticed that they have REMOVED the ahref tag (meaning we cannot download the files) for all versions. The text displays that the file IS available for download but the ahref tag has not been put back and thus, we cannot download the Intel AMT DTK.

I am looking forward to playing with this technology; I have used the (limited) browser functions and am eager to check out the Commander software...

I am intrigued by the technical support potential that Intel AMT offers... In fact, I plan to document my... "adventures" with Intel AMT relating to troubleshooting and supporting small business n/ws. The potential intrigues me... Would there, by any chance, be an FTP download option?

My thanks,

Alex

By cool on June 18th, 2008 at 6:39 am
How can I find the code of the web interface of the DTK? I have the source code of the DTK version 0.48 but I can't find the source code of the URL link in Intel AMT Commander... plz reply as soon as possible, I need it urgently, thnx

By piotrburda on July 1st, 2008 at 12:29 am
Why is the download disabled?
http://softwarecommunity.intel.com/articles/eng/1034.htm

I need this software for presentation....

By Sam on July 2nd, 2008 at 4:34 am
This is a great blog, one of the best I've found on AMT and it's great to see someone doing something impressive with the technology. I can't find any reason for the download being disabled and I got here too late for an earlier version, does anyone know if there is a date for when it might be back up?

