Guidance on McAfee ePO Deep Command Gateway Services

Version 3

    NOTE: Article written for ePO Deep Command 1.5 environments.   Starting with version 2.0, the certificates used with stunnel can be generated via ePO instead of using OpenSSL.   See McAfee ePO Deep Command product documentation.

    Introduction

     

    McAfee ePO Deep Command works with Intel® Active Management Technology (AMT) to provide beyond-the-operating-system security management.    An advanced feature enables Intel® AMT clients outside of the enterprise network to connect with McAfee ePO Deep Command hosted inside the corporate environment.   This advanced feature is called McAfee ePO Deep Command Gateway Services.

     

    In the architectural diagram below, the Remote Client and External AH (Agent Handler) are the focus points of this article.
    gw_services1.png


    This article is targeted to those who already have McAfee ePO Deep Command working within their production environment, are benefitting by the capabilities therein, and want to extend their reach for systems that will be outside of the enterprise.   The article is meant to complement the existing product documentation.

     

    Prerequisites and Required Components

    The following items should already exist within your environment:

    • McAfee ePO Deep Command is deployed with configured Intel® AMT systems inside the environment successfully completing beyond-the-operating-system functions
    • Microsoft Certificate Authority used to issue TLS WebServer certificates to Intel® AMT systems
    • An internet facing Agent Handler to host the McAfee ePO Deep Command Gateway Services
    • An Internet resolvable address for the McAfee ePO Gateway Service (Note: This is the published DNS or IP address as denoted in the Agent Handler List within McAfee ePO Console).  
    • The EPODCGateway.zip file which is included with purchased download of ePO Deep Command

     

    The following additional software components are required:

     

    The following environment values must be identified to complete the setup:

    • Network ports for traversing the firewall\DMZ and connection.    More will be shared in the next section
    • DHCP option 15 values within your environment.   This is the Connection-Specific DNS Suffix within your environment.   This value will be used to determine whether a system is inside or outside the enterprise.

     

    The following drivers and software should be installed on your client, at least for initial testing purposes:

    • Intel Management and Security Status, which is included with the complete Intel AMT drivers provided by your OEM.   If installed, the following icon will appear in your task tray  

     

    gw_services2.png

     

    Two final points of prerequisites that should already be in place:

    • Configured Intel AMT systems must be connected to the intranet, or internal network, for the McAfee ePO Deep Command action of Enforce Policies to complete.   Alternative methods of applying Intel AMT Remote Access policies outside of the McAfee ePO console are beyond the scope of this document.


    Architecture and Communication Ports

    The following diagram provides a visual of the communications that will occur across your demilitarized zone (DMZ).
    gw_services3.png


    In some environments, the Agent Handler hosting McAfee ePO Deep Command Gateway Services may be on the intranet side of the internal firewall.   The important parts of this diagram are the ports used for communication.   The exact ports, number of firewalls, and so forth will be unique to your environment.

     

    The ports and placement of the McAfee ePO Deep Command Gateway Services are configurable based on your specific environmental requirements.  

     

    For the purposes of this document and the attached files, the following ports were used:

    • Internet-to-stunnel port: 2002
    • Stunnel-to-gateway port (AMT Listen Port) : 1234
    • SOCKSv5 Proxy Listen Port: 4331
    • HTTP Proxy Listen Port: 8080

     

    As stated previously, these are example ports that apply only to this document, for your reference.   The specific ports used in your environment will vary based on your specific requirements.

    Install McAfee ePO Deep Command Gateway Services

    The following summary steps will guide you through the basic process.

     

    • Locate and extract the EPODCGateway.zip file included with the complete McAfee ePO Deep Command download.
    • Copy the three files to your Agent Handler where the Gateway Services will be installed

    gw_services4.png

    • Start the installation by running SetupAGS.exe.
    • Step through the installation screens until prompted for three of the networking ports
    • In the example below, the AMT Listen Port, SOCKSv5 Listen Port, and HTTP Proxy Listen Port have been entered.    Use the port values specific to your environment
      • Note: The Internet-to-Stunnel port will be defined and inserted later in this article

    gw_services5.png

     

    Once the Gateway Services installation is complete, the next key step is to configure stunnel.


    Install and Configure Stunnel

    Note: The guidance provided in this section applies to the current implementation of McAfee ePO Deep Command Gateway Services.   Third party utilities are involved to effectively create a VPN tunnel between Intel AMT firmware and the Gateway Services component.   In theory, an existing VPN or SSL Tunnel solution could be used to establish the connection between an internet based Intel AMT device and the Gateway Services.    Further investigation and assessment is on-going to simplify and fully integrate this step of the process without use of third party utilities.   Until then, please follow the proven process provided below for your proof-of-concept purposes.

     

    To establish an SSL Tunnel connection between the Intel AMT firmware and McAfee ePO Gateway Services, the free Stunnel application is used.   This application can be obtained at http://www.stunnel.org/downloads.html.

      
    Configuration and use of stunnel will require a TLS certificate to be generated for the environment.   To generate the request, OpenSSL is used and can be obtained at http://slproweb.com/products/Win32OpenSSL.html.    Per the guidance of OpenSSL, installation may require the product Visual C++ 2008 Redistributables (vcredist_x86.exe).   Please refer to the OpenSSL link provided.

     

    The attached OpenSSL.conf and stunnel.conf example files are provided for your convenience.   The settings of the CONF files are specific to this document.   Specific changes to the files are referenced below as needed.

     

    For the purposes of this document, the core steps are as follows:

    • Install stunnel using the default options.  
      • File version used when creating this article: stunnel-4.36.installer.exe
    • Install vcredist_x86.exe using the default options
    • Install OpenSSL.   When prompted, select option for The OpenSSL Binaries (/bin)

    gw_services6.png

    • Copy the attached openssl.conf file to C:\OpenSSL-Win32\Bin
    • Generate the certificate signing request (CSR) using OpenSSL per the following steps
      • Open a command prompt to C:\OpenSSL-Win32\Bin
      • Run the following command: openssl.exe req -new -config openssl.conf -newkey rsa:1024 -nodes -keyout cira.key -out cira.csr
      • A few prompts will occur to complete the CSR.   The most important value is the Common Name, which designates the server address where McAfee ePO Deep Command Gateway Services is hosted.   For the purposes of this article, the responses in BOLD were used.   Adjust these responses for your respective environment
        • Country Name: US
        • State or Province Name: Oregon
        • Locality Name: Hillsboro
        • Organization Name: Intel
        • Organizational Unit Name: vprodemo.com
        • Common Name: dc1.vprodemo.com
          • Note: Ensure this value is the FQDN of your server where McAfee ePO Deep Command Gateway Services is running
        • Email address:  (press enter, do not enter value)
        • “Extra” attributes: (press enter, do not enter a value)
      • The following shows an example screen based on the above values used.  

    gw_services7.png

      • Once completed, the cira.key and cira.csr files will appear at C:\OpenSSL-Win32\Bin

     

    • Complete the certificate signing request using your internal Microsoft Certificate Authority, which was also used during the Intel AMT configuration events.   The following sub-steps will guide you through the process:
      • Open a browser page to your internal Microsoft Certificate Server (http://server/certsrv)
      • Select Request a Certificate, followed by Advanced Certificate Request
      • Select the second option to Submit a Certificate Request by using a base-64-encoded file
      • Open the cira.csr file in Notepad.
      • Copy and paste the entire contents of cira.csr into the Saved Request field
      • Select the WebServer certificate template option similar to the following example

    gw_services8.png

       

        • When prompted to download the certificate, select Base-64 encoded and save the file with a PEM file extension to c:\OpenSSL-Win32\Bin\cira.pem

       

      • The created PEM certificate file needs Diffie-Hellman values appended to the end.   This is done via the OpenSSL tools.   Perform the following from a command prompt at the C:\OpenSSL-Win32\Bin directory
        • Run the following command: OpenSSL.exe dhparam -rand - 512 >> cira.pem
          • Note: Spaces exist between “-rand”, “-”, and “512” in the command
        • The following cira.pem example shows the certificate file with DH parameters

      gw_services9.png

        • Copy the newly created cira.key and cira.pem files from C:\OpenSSL-Win32\Bin to c:\Program Files\Stunnel
        • Obtain the public root certificate in Base 64 format from your internal Microsoft Certificate Authority and save to the same Stunnel directory as certnew.cer
          • One approach is to connect to http://server/certsrv, where “server” refers to your internal Microsoft Certificate Authority.   Select to Download CA Certificate
        • Copy the attached stunnel.conf file to the Stunnel directory.
        • Adjust the stunnel.conf file for your environment as follows
          • Provide the correct path\filename for the cert, key, and CAfile designations
          • Provide the correct ports for the accept and connect values
            • Note: The “Accept” value refers to your internet-to-stunnel port value, which has not yet been used in this article.   The “Connect” value refers to the AMT Listen Port, which is the first port value entered when installing the McAfee ePO Deep Command Gateway Services.
          • Perform the following actions via a command prompt in the C:\Program Files\Stunnel directory.   If an error occurs, the stunnel log will appear with messages indicating the cause of the error:
            • Install stunnel as a service: stunnel.exe -install
            • Start the stunnel application: stunnel.exe stunnel.conf

       

      Stunnel is now configured and running within your environment.  

       

      To test the connection, open a web browser and attempt to contact the internet facing address with port specified.   For this example, https://dc1.vprodemo.com:2002 was used.   The stunnel.log will show a connection attempt.
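
The cira.pem file built in the steps above (CA-issued certificate with Diffie-Hellman values appended) can be checked before the accept port is opened to the Internet. The following is an added example, not part of the original article or of the McAfee or stunnel tooling: it lists the PEM blocks in a bundle and reports the size of the DH prime. The function names, the constructed sample bundle and the 2048-bit threshold are assumptions of this example.

```python
import base64
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def _read_len(der, pos):
    """Decode a DER length at der[pos]; return (length, next_pos)."""
    first = der[pos]
    if first < 0x80:                       # short form
        return first, pos + 1
    n = first & 0x7F                       # long form: n length bytes follow
    return int.from_bytes(der[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def dh_prime_bits(der):
    """Bit length of p in DHParameter ::= SEQUENCE { INTEGER p, INTEGER g }."""
    _, pos = _read_len(der, 1)             # step over the SEQUENCE header
    if der[0] != 0x30 or der[pos] != 0x02:
        raise ValueError("not a DER DHParameter structure")
    length, pos = _read_len(der, pos + 1)
    return int.from_bytes(der[pos:pos + length], "big").bit_length()

def audit_bundle(pem_text, min_dh_bits=2048):
    """Return (labels, dh_bits, findings) for a stunnel cert file such as cira.pem."""
    blocks = [(label, base64.b64decode(body))
              for label, body in PEM_BLOCK.findall(pem_text)]
    labels = [label for label, _ in blocks]
    dh = [der for label, der in blocks if label == "DH PARAMETERS"]
    dh_bits = dh_prime_bits(dh[0]) if dh else None
    findings = []
    if "CERTIFICATE" not in labels:
        findings.append("no CERTIFICATE block")
    if dh_bits is None:
        findings.append("no DH PARAMETERS block")
    elif dh_bits < min_dh_bits:
        findings.append(f"DH prime is {dh_bits} bits, below {min_dh_bits}")
    return labels, dh_bits, findings

def _tlv(tag, content):
    """Encode one DER tag-length-value (short or long length form)."""
    n = len(content)
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    head = bytes([n]) if n < 0x80 else bytes([0x80 | len(size)]) + size
    return bytes([tag]) + head + content

def sample_bundle(bits):
    """Constructed sample: placeholder certificate bytes plus DH params of `bits` bits."""
    def pem(label, der):
        body = base64.encodebytes(der).decode()
        return f"-----BEGIN {label}-----\n{body}-----END {label}-----\n"
    def integer(n):                        # byte count keeps the sign bit clear
        return _tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))
    p = (1 << (bits - 1)) | 1              # right size only, not a real prime
    return (pem("CERTIFICATE", b"constructed placeholder, not a certificate")
            + pem("DH PARAMETERS", _tlv(0x30, integer(p) + integer(2))))
```

Calling `audit_bundle(sample_bundle(512))` shows the finding produced for parameters of the size generated in this article; on the Agent Handler, pass the text of cira.pem from the Stunnel directory instead.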

      In the next section, the Remote Access policy settings are applied to the supporting Intel AMT clients.

      Configure and Apply Remote Access Policies

      With the Stunnel and McAfee ePO Gateway Services configured, the focus shifts to defining the Intel AMT Remote Access policies within the McAfee ePO Console.

       

      When applied to an Intel AMT system, the remote access policies designate important items such as:

      • Determining whether the system is inside or outside the enterprise
      • Target Agent Handler in the DMZ and Stunnel-to-Gateway Port value
      • How long the tunnel or connection remains active
      • Whether a user is allowed to initiate the tunnel
      • Whether the Intel AMT system should “call-home” at regular intervals

       

      The values must be set and applied to the target Intel AMT systems while they are connected to the intranet of your environment.   The ability to configure these values for systems already outside of the enterprise is beyond the scope of this article.

       

      The Intel AMT policies are located in the Policy Catalog under the ePO Deep Command product.   Below is an example of the Remote Access settings for the Intel AMT policies

       

      gw_services10.png

       

      A summary explanation of the above settings:

      • The CIRA capabilities of the Intel AMT client will be enabled and settings applied
      • Clients are treated as outside the enterprise when the Connection-Specific DNS Suffix, or the received DHCP option 15 value, is outside “vprodemo.com”.   When this happens, the Intel AMT firmware environmental detection will change to outside of the enterprise.   All Intel AMT network interfaces will be disabled unless a CIRA event occurs.   CIRA refers to “Client Initiated Remote Access”, which is the connection to the McAfee ePO Deep Command Gateway Service
      • The target Agent Handler hosting the McAfee ePO Deep Command Gateway Service is noted
        • Note: The example image above comes from a lab demonstration environment.   A production example requires the Agent Handler to have a Published DNS Name or Published IP address similar to the following example.    The DMZ Agent Handler selection will denote the Published DNS address.   This address and associated port number MUST be resolvable from an Internet connection.    The following Handler List is only an example

      Gateway Services.png

      • The Port Number refers to the Internet inbound port.   In this article, port 2002 is used to connect from the Internet to Stunnel.
      • The established tunnel will remain open until an idle timeout of 300 seconds (i.e. 5 minutes)
      • The user at the client system is able to initiate a “call-home” event
      • The Intel AMT system will automatically “call-home” every 43,200 seconds (i.e. 12 hours)

       

      Once the Remote Access settings within the Policy Catalog have been defined and saved, they must be applied to the target systems.   This is done by selecting the targets from the ePO console followed by Actions > AMT Actions > Enforce AMT Policies

       

      Note: With ePO Deep Command version 1, “Out-of-Band” is the AMT Action

       

      If viewing the AMTservice.log, the Enforce AMT actions will generate entries similar to below.

      gw_services11.png

       

      Test Deep Command Gateway Services

      With the core components configured and the Remote Access policies set into the Intel AMT firmware, you are now ready to test a connection through McAfee ePO Deep Command Gateway Services.

      • Connect the target Intel AMT client outside of your enterprise environment. 
        • Note: The connection must be issued an IP address via DHCP, and the option 15 value (i.e. Connection-Specific DNS Suffix) must not match the Home Domains values set in prior steps.  
      • Open the Intel Management and Security Status window, available via your Task Tray

      gw_services12.png

       

      • On the Intel® AMT tab, the Connection Status will show Disconnected, indicating your system is connected outside the organization’s network, similar to the following example

      gw_services13.png

      • Click the Get Technical Help button
      • The connection status will change to Connected

       

      A successful connection will appear in the McAfee ePO console Threat Event Log

      gw_services14.png

       

      Once the client is connected via the Gateway Services, Intel AMT Actions can now be performed.   The connection to the proxy will remain active per the designated settings (i.e. 5 minutes).

       

      Troubleshooting the McAfee ePO Gateway Services

      If a connection was not successful or Intel AMT Actions through the gateway were not responding correctly, the following logs will assist in determining the underlying issue:

      Note: The <ProgramFiles> designation will differ depending on the host operating system.   For 32-bit Microsoft Windows servers, use c:\Program Files\.    For 64-bit Microsoft Windows servers, use c:\Program Files (x86)\

      • Stunnel.log – Located at c:\<ProgramFiles>\stunnel\stunnel.log
        • Logs connections from the internet to the enterprise.
      • AMTGatewayService.log – Located at c:\<ProgramFiles>\McAfee\Agent Handler\DB\Logs
        • Logs tunnel connections between stunnel and McAfee ePO Gateway Service
      • Amtservice.log – Located at c:\<ProgramFiles>\McAfee\Agent Handler\DB\Logs
        • View on the Agent Handler where AMTGatewayService.log is located
        • Denotes when a system is connected via the Gateway
        • Every AMT Action will check if the system is connected via the Gateway, as shown in this log

       


      The opinions expressed on this site are mine alone and do not necessarily reflect the opinions or strategies of Intel Corporation or its worldwide subsidiaries