McAfee Deep Command Installation Guide - Introduction

Version 3

    Installing McAfee Deep Command

    Use the following documents to install, configure and deploy McAfee Deep Command.

    Step 1: Discover and Report All Intel AMT Capable Systems in the Environment
    Step 2: Configure Certificates for Intel AMT
    Step 3: Install Intel AMT and McAfee ePO Server Components
    Step 4: Configure Intel AMT Clients and Deploy McAfee Deep Command

    Appendix A: Installing Microsoft Certificate Authority with Web Enrollment
    Appendix B: Manually Importing the Microsoft Certificate Authority Root Certificate on McAfee ePO Server or Agent Handler
    Appendix C: McAfee Deep Command Setup Checklist

    Introduction

    McAfee Deep Command requires Intel® vPro™ technology hardware. This hardware offers Intel® Active Management Technology (AMT), which provides services in the firmware that enable McAfee Deep Command to perform out-of-band management tasks. Intel AMT is shipped disabled on all hardware and must be enabled prior to use with McAfee Deep Command. This document contains McAfee's recommended process for enabling and configuring Intel AMT; following this process will ensure compatibility with McAfee Deep Command.

    Note: There are a number of methods to configure Intel AMT that are not referenced in this document. Those other methods can be explored on Intel's vPro Expert Center (http://www.intel.com/go/vproexpert).

    Because McAfee Deep Command depends on Intel AMT capable hardware, installing McAfee Deep Command should be thought of as a four-step process:

    Step 1: Discover and Report All Intel AMT Capable Systems in the Environment
    Step 2: Configure Certificates for Intel AMT
    Step 3: Install Intel AMT and McAfee ePO Server Components
    Step 4: Configure Intel AMT Clients and Deploy McAfee Deep Command

    Tip: Print the McAfee Deep Command Setup Checklist and check off each step as you progress through the installation.

     

    Before You Begin

    The following items should be considered before starting the installation.

    1. McAfee ePO must be version 4.6 patch 1 or higher.
    2. McAfee Agent must be version 4.5 patch 2 or higher.
    3. Your domain must have a Microsoft Certificate Authority with Web Enrollment and IIS enabled. Both Windows Server 2003 and 2008 are supported. McAfee does not recommend using the ePO server for this purpose in production deployments. If you do not have a Microsoft CA environment, see Appendix A for instructions.
    4. You must have rights to create a domain user that will function as a service account.
    5. You must have rights to create certificate signing requests and to request SSL certificates from Verisign, GoDaddy, Comodo, Starfield, Entrust, or Cybertrust.
    6. TCP traffic on ports 16992-16995 must be allowed in your environment.

    High Level Process

    Per the main steps listed above, here is a summarized list of all the tasks that must be performed to both configure Intel AMT and deploy McAfee Deep Command.

    1. Discover and Report All Intel AMT Capable Systems in the Environment
      • Deploy the ePO Deep Command Discovery and Reporting Plug-in
      • Analyze the Intel® AMT Summary Dashboard in the ePO Console
    2. Configure Certificates for Intel AMT
      • Create the AMT Configuration Service Account
      • Export the Public Root Certificate from your Microsoft Certificate Authority
      • Grant the Service Account Privileges on the Microsoft Certificate Authority
      • Get the SSL Certificate for Remote Intel AMT Configuration
      • Export the SSL Certificate for Remote Intel AMT Configuration
      • Import the SSL Certificate for Remote Intel AMT Configuration into the User Certificate Store
    3. Install Intel AMT and McAfee ePO Server Components
      • Install Intel SCS on the McAfee ePO Server
      • Create the Intel AMT Configuration Profile
      • Install and Configure McAfee Deep Command in ePO
      • Create the Deep Command Deployment Task
    4. Configure Intel AMT Clients and Deploy McAfee Deep Command
      • Manually Configure an Intel AMT Client
      • Set WMI Permissions for Automated Intel AMT Configuration
      • Identify and Tag Systems Ready for Intel AMT Configuration
      • Create the AMT Configuration Package
      • Create the Deployment Task for the AMT Configuration Package
      • Track AMT Configuration and Deep Command Installation Progress


    Product Architecture

    McAfee Deep Command is implemented as an extension for McAfee ePO plus a package that can be deployed to systems managed by the McAfee Agent. An additional piece of software called STunnel can be installed on an agent handler to facilitate communication with remote clients. Intel AMT configuration is implemented by installing the Intel Setup and Configuration software on a server (the McAfee ePO server in this example). This software then leverages Microsoft Active Directory, DNS, DHCP and a Microsoft Certificate Authority to configure Intel AMT clients.

    (Architecture diagram: arch diag.png)

    Note: Initial configuration of Intel AMT clients must be done over a wired connection while the system is on the local area network.


    Configuration of Intel AMT occurs between the Intel RCS and the client firmware over TCP port 16993. Direct TCP/IP communication takes place with the Intel AMT firmware, which shares the same IP address and FQDN as the host operating system. Intel AMT traffic is identified by TCP ports 16992-16995 at the network interface of the endpoint.

    Configuration of Intel AMT in a Deep Command environment requires a web server certificate to be assigned to each endpoint. Once Intel AMT is configured on the endpoint device, it is a network service awaiting an authenticated and authorized request. Installing and configuring McAfee Deep Command enables administrators to make valid connections to that network service and leverage the capabilities of Intel AMT via McAfee ePO.

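    Because the AMT firmware answers on the same address and name as the host operating system, a refused or filtered connection on ports 16992-16995 points at a firewall rule or an unconfigured AMT rather than at Windows. The following PowerShell function, added here as an example and not part of this guide, is run from the ePO server or an agent handler and checks each of the four ports on a client with a short TCP connect timeout, reporting them separately so that a rule blocking only 16993 (the port the RCS uses for configuration) is visible. It tests TCP only; the function name, the placeholder client name and the timeout are this example's own choices, and the port roles in the comments are Intel's AMT port assignments, not something stated on this page.

```powershell
# Added example (not part of the McAfee guide). Run on the ePO server or an
# agent handler; the client name used below is a constructed placeholder.
function Test-AmtPorts {
    param(
        [Parameter(Mandatory = $true)]
        [string[]] $ComputerName,                        # AMT clients (FQDN is shared with the OS)
        [int[]]    $Port = @(16992, 16993, 16994, 16995),
        [int]      $TimeoutMs = 2000
    )
    # What each port carries (Intel AMT assignments; 16993 is the one RCS uses for configuration).
    $role = @{
        16992 = 'AMT web / WS-Management (HTTP)'
        16993 = 'AMT web / WS-Management (TLS), used by RCS during configuration'
        16994 = 'Redirection (SOL / IDE-R)'
        16995 = 'Redirection (SOL / IDE-R, TLS)'
    }
    foreach ($target in $ComputerName) {
        foreach ($p in $Port) {
            $client = New-Object System.Net.Sockets.TcpClient
            $open   = $false
            $detail = ''
            try {
                # Asynchronous connect so an unreachable host does not hang for the OS default timeout.
                $async = $client.BeginConnect($target, $p, $null, $null)
                if ($async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
                    $client.EndConnect($async)          # throws if the connection was refused
                    $open = $true
                } else {
                    $detail = "no answer within $TimeoutMs ms (filtered, or host down)"
                }
            } catch {
                $detail = $_.Exception.InnerException.Message
                if (-not $detail) { $detail = $_.Exception.Message }
            } finally {
                $client.Close()
            }
            [pscustomobject]@{
                ComputerName = $target
                Port         = $p
                Role         = $role[$p]
                Open         = $open
                Detail       = $detail
            }
        }
    }
}

# Usage (constructed host name): one row per port. Any row with Open = False
# needs a firewall-rule or AMT-state check before configuration is attempted.
Test-AmtPorts -ComputerName 'amtclient01.corp.example.com' | Format-Table -AutoSize
```

    A port that is open on a client that has not yet been configured is not itself a finding: the firmware listens before configuration so that the RCS can reach it. The useful signal is a port that is closed on a system the Discovery and Reporting dashboard already reports as ready, which usually means a host or network firewall rule was missed.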

    Product Components

    The following tables list and describe all of the components used in the McAfee Deep Command product. The rest of the installation guide walks through the configuration of each component, but it is useful to have a baseline understanding of what each component does before you begin the installation.

    Client Component / Function

    McAfee Agent
      Version 4.5 patch 2 or later. This facilitates communication with McAfee ePO and allows you to deploy the AMT Discovery and Reporting component to the system.
    McAfee AMT Discovery and Reporting
      Version 1.0 or later. This collects AMT properties from the system and reports them to McAfee ePO. This data is then used to determine the status of AMT on the system. Only systems that are fully provisioned can support McAfee Deep Command.
    Intel MEI Driver
      This driver must be present on systems in order for software to interact with the AMT firmware. Without it, the Discovery and Reporting data will be incomplete and both AMT configuration and Deep Command installation will fail. MEI drivers are delivered by Windows Update for all hardware from 2010 and 2011. MEI drivers for older hardware must be obtained from the hardware manufacturer.
    Intel AMT Firmware
      McAfee Deep Command features are dependent on the version of the AMT firmware. For best results McAfee recommends updating to the latest version of AMT firmware provided by your hardware manufacturer.
    Intel Client Configurator (ACUconfig.exe)
      Version 7.1 or later. This program performs AMT configuration. It reads the AMT configuration file and applies those settings to the firmware on an AMT client. These files can be packaged, deployed and executed by any systems management software. In this example, we provide a custom package that can be deployed by McAfee ePO.
    McAfee Deep Command
      Version 1.0 or later. McAfee Deep Command leverages Intel AMT to perform out-of-band management and security tasks. It can only be deployed to systems that first report to ePO as Fully Provisioned in the AMT Discovery and Reporting Dashboard.
    Network
      A wired network connection on the internal LAN is required for initial AMT configuration.
    Operating System
      Microsoft Windows XP SP3 or later.


    Server Component / Function

    McAfee ePO
      Version 4.6 patch 1 or later is required to manage McAfee Deep Command. The Discovery and Reporting software can be managed from McAfee ePO 4.6 or later.
    McAfee ePO AMT Discovery and Reporting
      This dashboard provides individual monitors that indicate the readiness of client systems for both AMT configuration and Deep Command deployment.
    Microsoft Certificate Authority with Web Enrollment
      The Microsoft CA is established by adding the Active Directory Server Certificates role to a server in your environment. Then the Certificate Authority Web Enrollment role service must also be added; this in turn requires the IIS role service. McAfee recommends running these roles on a separate server that is acting as an enterprise certificate authority, not on the McAfee ePO server.
      All AMT clients will request a TLS web server certificate from this CA during AMT configuration.
    Service Account for Intel Remote Configuration Service
      A domain account must be created. This service account will run the Remote Configuration Service on the McAfee ePO server and must have local admin rights on that server. In addition, this account must have permission to request certificates and to issue and manage certificates on the Microsoft CA server.
    Intel AMT Setup and Configuration Application
      Intel Setup and Configuration Service (SCS) 7.1 and later. This is used to install the Remote Configuration Service on the McAfee ePO server, to provide the Intel AMT Configuration Wizard, and to supply the program files to be executed on the client.
      Intel SCS is available at http://downloadcenter.intel.com/Detail_Desc.aspx?lang=eng&DwnldID=19881
      Please note that other client configuration applications (such as Microsoft SCCM) can also function as Setup and Configuration Applications. Using those applications is beyond the scope of this document.
    Intel Remote Configuration Service
      This will be installed on the server as part of the SCS installation. During configuration this service receives connections from the AMT client and authenticates them using the AMT Remote Configuration Certificate. It then negotiates the client's TLS enrollment and sends the configuration settings to the client's AMT firmware.
    Active Management Technology Configuration Utility Wizard (ACUwizard)
      This will be installed on the server as part of the SCS installation. It is used to create Intel AMT configuration profiles.
      McAfee requires the AMT configuration profile to be configured to use admin control mode and to use TLS. McAfee recommends using digest authentication rather than Kerberos authentication.
    DHCP
      On your DHCP server, validate the DHCP server scope options. DNS Domain Name (Option 15) is critical for the Remote Configuration Certificate; it is important that this domain name is what you expect it to be. Note the domain name in Option 15 prior to creating the certificate signing request for the Remote Configuration SSL Certificate.
      For the purposes of this guide, the IPv6 scope should be disabled.
    Remote Configuration SSL Certificate
      Intel AMT provisioning requires an SSL certificate to establish trust between the client firmware and the RCS server. Only certificates from Verisign, GoDaddy, Comodo, Starfield, Entrust, or Cybertrust are supported. Self-signed root certificates are not supported because a corresponding hash for that certificate will not exist in the AMT firmware.
      More information at http://communities.intel.com/docs/DOC-2225
      TIP: When creating the certificate signing request, be sure that the common name field contains the actual connection-specific DNS suffix found on your client's wired LAN interface. This should match Option 15 in your DHCP settings.
    Ports
      The following ports should be open between the McAfee ePO servers and the AMT clients.
      16992 TCP/UDP bidirectional
      16993 TCP/UDP bidirectional
      16994 TCP/UDP bidirectional
      16995 TCP/UDP bidirectional

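    The DHCP and Remote Configuration SSL Certificate entries above both hinge on one value: the DNS domain handed out in DHCP Option 15, which the client shows as its connection-specific DNS suffix and which must appear in the common name of the CSR. The following PowerShell function, added here as an example and not taken from this guide, reads that suffix from each DHCP-enabled adapter on a client and compares it with the suffix you expect and, optionally, with the common name of the issued certificate. The function name, its parameters and the placeholder values are this example's assumptions; it assumes Windows PowerShell 3 or later (for Get-CimInstance) and a certificate exported as a .cer file without its private key.

```powershell
# Added example (not part of the McAfee guide): run on an AMT client that sits on
# the wired LAN and has received its settings from DHCP.
function Test-AmtDnsSuffix {
    param(
        # Domain you expect DHCP Option 15 to deliver, i.e. the value going into the CSR.
        [Parameter(Mandatory = $true)][string] $ExpectedSuffix,
        # Optional: the issued Remote Configuration certificate (.cer); its CN is checked too.
        [string] $CertificatePath
    )

    # Helper: does the common name "contain" the suffix in the sense the TIP above
    # describes? Accepts an exact match or a name that ends in ".<suffix>".
    function Test-CnCoversSuffix([string] $Cn, [string] $Suffix) {
        if (-not $Cn -or -not $Suffix) { return $false }
        return ($Cn -ieq $Suffix) -or
               $Cn.EndsWith('.' + $Suffix, [System.StringComparison]::OrdinalIgnoreCase)
    }

    $certCn = $null
    if ($CertificatePath) {
        $cert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertificatePath
        # SimpleName returns the subject CN, the field the CSR tip refers to.
        $certCn = $cert.GetNameInfo(
            [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    }

    # Adapters that are IP-enabled and received their configuration from DHCP.
    $adapters = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration `
                    -Filter 'IPEnabled = TRUE AND DHCPEnabled = TRUE'

    foreach ($a in $adapters) {
        $suffix = $a.DNSDomain          # connection-specific DNS suffix, populated from Option 15
        $covers = 'n/a'
        if ($certCn) { $covers = Test-CnCoversSuffix $certCn $suffix }
        [pscustomobject]@{
            Adapter                 = $a.Description
            DhcpServer              = $a.DHCPServer
            ConnectionDnsSuffix     = $suffix
            SuffixMatchesExpected   = ($suffix -ieq $ExpectedSuffix)
            CertificateCN           = $certCn
            CertificateCoversSuffix = $covers
        }
    }
}

# Usage (constructed values). First call: check the suffix before the CSR is created.
Test-AmtDnsSuffix -ExpectedSuffix 'corp.example.com' | Format-List
# Second form, once the certificate has been issued and exported from the CA:
# Test-AmtDnsSuffix -ExpectedSuffix 'corp.example.com' -CertificatePath 'C:\certs\rcs-cert.cer' | Format-List
```

    A mismatch in SuffixMatchesExpected on the wired adapter means either the DHCP scope delivers a different Option 15 than you assumed or the client is on a scope that was not validated; either way the CSR would be built for the wrong name, and the firmware will not trust the RCS certificate during configuration. Run the check on a client in each DHCP scope that will hold AMT systems.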

    Client Configuration Workflow

    The diagram below illustrates what happens when an Intel AMT client goes through the configuration process. It shows each component involved and describes what role each component plays in the configuration process.

    (Diagram: config steps v2.png)

    During the configuration process, special permissions will be required, as summarized below and detailed later in the installation documentation.

    • Step 10 - Successful execution of the Intel AMT Configuration Package requires local administrative rights. The process communicates with the Intel MEI, a kernel-level driver. The Local System account can be used. If a local user account with administrator rights is used instead, elevated privileges are required on Microsoft Windows Vista, 7, or later operating systems: when opening a command prompt, select Run as Administrator.
    • Step 11 - The account used to execute the command in Step 10 must have rights to the Intel_RCS WMI namespace on the system running the Intel services. The specific Intel_RCS WMI namespace security rights required are Execute Methods, Full Write, and Enable Remote.
    • Step 12 - The account used to request certificates via Web Enrollment must have the following rights on the Microsoft Certificate Authority. In this installation document, the service account used to log on the RCSserver service will be granted these rights:
      • WebServer Certificate Template: Read and Enroll
      • Microsoft Certificate Authority security permissions: Issue and Manage Certificates, Request Certificates
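    Step 11 names three specific rights on the Intel_RCS namespace. The following PowerShell function, added here as an example and not part of this guide, reads the namespace DACL through the __SystemSecurity WMI class and reports, per trustee, which of those rights are held and which additional ones are, so the grant to the configuration account can be confirmed and any account holding more than Step 11 requires can be spotted. It only reads; it changes nothing. The namespace path root\Intel_RCS, the function name and the right-name-to-bit mapping are this example's assumptions; the bit values are the standard WMI namespace permission flags that wmimgmt.msc presents under those names.

```powershell
# Added example (not part of the McAfee guide): audit the Intel_RCS namespace
# DACL on the server running the Intel Remote Configuration Service. Read-only.
function Get-AmtRcsNamespaceRights {
    param(
        [string] $Namespace    = 'root\Intel_RCS',      # assumed full namespace path
        [string] $ComputerName = $env:COMPUTERNAME
    )
    # WMI namespace permission bits as shown in wmimgmt.msc, with their wbemcli.h names.
    $flag = [ordered]@{
        'Enable Account'  = 0x00001   # WBEM_ENABLE
        'Execute Methods' = 0x00002   # WBEM_METHOD_EXECUTE
        'Full Write'      = 0x00004   # WBEM_FULL_WRITE_REP
        'Partial Write'   = 0x00008   # WBEM_PARTIAL_WRITE_REP
        'Provider Write'  = 0x00010   # WBEM_WRITE_PROVIDER
        'Enable Remote'   = 0x00020   # WBEM_REMOTE_ACCESS
        'Read Security'   = 0x20000   # READ_CONTROL
        'Edit Security'   = 0x40000   # WRITE_DAC
    }
    # The three rights Step 11 of the guide calls for.
    $required = @('Execute Methods', 'Full Write', 'Enable Remote')

    # __SystemSecurity exposes the namespace security descriptor.
    $result = Invoke-WmiMethod -ComputerName $ComputerName -Namespace $Namespace `
                  -Path '__SystemSecurity=@' -Name GetSecurityDescriptor
    if ($result.ReturnValue -ne 0) {
        throw "GetSecurityDescriptor on $Namespace failed, return value $($result.ReturnValue)"
    }

    foreach ($ace in $result.Descriptor.DACL) {
        $held    = @($flag.Keys | Where-Object { ($ace.AccessMask -band $flag[$_]) -ne 0 })
        $missing = @($required | Where-Object { $held -notcontains $_ })
        $extra   = @($held | Where-Object { $required -notcontains $_ })
        $type    = if ($ace.AceType -eq 0) { 'Allow' } else { 'Deny' }   # 0 = ACCESS_ALLOWED_ACE
        $who     = $ace.Trustee.Name
        if ($ace.Trustee.Domain) { $who = "$($ace.Trustee.Domain)\$($ace.Trustee.Name)" }
        [pscustomobject]@{
            Trustee         = $who
            Type            = $type
            Rights          = ($held -join ', ')
            HasStep11Rights = ($type -eq 'Allow' -and $missing.Count -eq 0)
            BeyondStep11    = ($extra -join ', ')
            Inherited       = (($ace.AceFlags -band 0x10) -ne 0)          # INHERITED_ACE
        }
    }
}

# Usage: run as an administrator on the RCS (ePO) server. Expect the configuration
# account to show HasStep11Rights = True and little or nothing under BeyondStep11.
Get-AmtRcsNamespaceRights | Format-Table -AutoSize
```

    Reading the DACL this way is the same view wmimgmt.msc gives under Security on the namespace, but it can be scripted across servers and kept as evidence that the grant matches Step 11 rather than the broader set an administrator might have clicked through. Edit Security and Read Security are worth noting for any non-administrator trustee, since they allow the grant itself to be changed.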