I want to be able to make out-of-band KVM connections to computers running Intel AMT 9 (vPro). I initially thought this would require the $99 VNC Viewer Plus from RealVNC, but it seems to work fine with the free UltraVNC Viewer in combination with the free Manageability Commander Tool.
The RealVNC approach requires that you set up TLS for the connection. The UltraVNC approach can work without that, but I prefer the connection to be encrypted anyway. The RealVNC site has some decent documentation on this but I wanted to add some pictures and some info about self-signed certificates.
First, before discussing self-signed certificates, I found that if the server has an SSL certificate from a trusted certification authority, e.g. for a a web site, all I had to do was set that as the TLS certificate using the Manageability Commander Tool. I did not have to install any certificates on the client as the server’s certificate is already from a trusted root.
Image may be NSFW.
Clik here to view.
Set Up AMT with Self-Signed Certificates
I decided to use self-signed certificates so I could connect to machines that don’t have a certificate from a trusted root. Self-signed certificates are also good for 20 years, so they should require less maintenance than standard SSL certificates, which may expire every year or two.
The Manageability Commander Tool version 1.32 has some simple, built-in tools for creating and installing self-signed certificates.
Create a Root Certificate
- From the Manageability Commander Tool, connect to a server using your AMT user and password.
- On the Security tab, select Certificate & CRL Store. (It may take it a moment before the button is available.)
Image may be NSFW.
Clik here to view.
- In the Intel AMT Certificate Store dialog, on the Certificates tab, click New.
- In the New Certificate dialog, click New Root Certificate….
- Fill in the Common name and Organization name. Set the Hash to SHA256 since SHA1 is being deprecated. Do allow it to make this a trusted certificate.
Image may be NSFW.
Clik here to view. - Click Generate. You’ll be prompted about installing an unknown root certificate. Confirm that prompt with Yes.
- Run Certificate Manager (certmgr.msc) and you should see the new certificate under both Personal and Trusted Root Certificates. That means any certificates signed by this root certificate will be trusted on this machine only. You can import the certificate into other machines to make it trusted there.
- In Certificate Manager, right-click on the certificate and click Export. Export the certificate with its private key to a secure location.
Set Up TLS on a Server
Now we need to issue a certificate signed by our new CA root for each machine we need to connect to.
- From the Manageability Commander Tool, connect to a server.
- On the Security tab, select Certificate & CRL Store.
- In the Intel AMT Certificate Store dialog, on the Certificates tab, click New.
- In the New Certificate dialog, the Issuer certificate should already show your new CA root, and the Certificate name should already be populated with the name you used to connect to the server. Fill in the Organization name, perhaps using the name of the company that owns the server. Change the Hash to SHA256 and the Key size to 2048.
Image may be NSFW.
Clik here to view. - Click OK and the new certificate will be installed in the server for use with AMT:
Image may be NSFW.
Clik here to view. - In the AMT Certificate Store dialog, click Close.
- Back in the main Manageability Commander window, you can see that the certificate has been installed on the server. Click the button next to Transport Layer Security (TLS).
Image may be NSFW.
Clik here to view. - In the Edit TLS Settings dialog, check Use Transport Layer Security (TLS). Click the button next to Required.
Image may be NSFW.
Clik here to view. - In the Network Security Certificate dialog, confirm that the selected certificate is the one you just created above. Click OK.
Image may be NSFW.
Clik here to view. - In the Edit TLS Settings dialog, click OK to confirm that you now require TLS.
- After a moment, the main Manageability Commander window, you can see the server is now set up for TLS.
Image may be NSFW.
Clik here to view. - Repeat these steps for each machine you want to connect to.
Connect with VNC
- From the Manageability Commander Tool, connect to a server. You’ll need to make the ports accessible through the remote firewall. Note that if you connect to an IP address but the certificate has a different name, you’ll see a warning about a name mismatch.
- On the Remote Control tab, click the button next to Remote Desktop Viewer. In the Remote Desktop Viewer dialog, elect the Viewer Type and, if necessary, supply the Viewer Path. I’m using UltraVNC Click OK.
Image may be NSFW.
Clik here to view.![AMT Certs A]( "AMT Certs A")
- On the Remote Control tab, click the button next to Remote Desktop Settings. Set State to Enabled and Redirection Port (16993/16995) to Enabled. Make sure Standard Port (5900) is Disabled; that’s a security risk.
Image may be NSFW.
Clik here to view.![AMT Certs B]( "AMT Certs B")
- In the Manageability Commander Tool main window, you should now see both Take Control and Launch Viewer buttons available. (If you have a connection warning—see step 1 above—the Take Control button will be grayed out.) The Remote Desktop Settings show that we will be connecting using redirection ports.
Image may be NSFW.
Clik here to view.![AMT Certs C]( "AMT Certs C")
- Click Launch Viewer to establish a KVM connection to the desktop.
Image may be NSFW.
Clik here to view.![AMT Certs D]( "AMT Certs D")
- Click Take Control to establish a connection for remote commands, disk redirection, etc.
Image may be NSFW.
Clik here to view.![AMT Certs E]( "AMT Certs E")
Testing
As a test, I shut down a server, then used the Manageability Terminal to power it back on.
Image may be NSFW.
Clik here to view.
I was able press Enter then F1 to get into the BIOS.
Image may be NSFW.
Clik here to view.
I was even able to get into the RAID setup.
Image may be NSFW.
Clik here to view.
And therein lies the benefit of out-of-band control: if the server crashes or hangs, or even if Windows updates seem to be taking forever, sometimes you can get control of the machine and even fix the issue without having to go on-site.