McAfee ePO Deep Command 1.5 Installation Guide - Introduction

Version 4


    Announcement: McAfee ePO Deep Command 2.0 Released June 25th!

    The information provided below is based on McAfee ePO Deep Command version 1.5. The new version 2.0 release includes Host Based Configuration, McAfee ePO generated TLS certificates, integrated User Consent for specific boot/reboot operations, and more. These improvements simplify the Intel® AMT configuration experience and provide a faster path to using the technology.

     

    See the McAfee ePO Deep Command 2.0 Index of Resources for the 2.0 documentation.


    Install McAfee ePO Deep Command 1.5

    Use the following documents to install, configure and deploy McAfee Deep Command 1.5.

     

    McAfee ePO Deep Command 1.5 Installation Guide - Introduction

     

    Step 1: Discover and Report All Intel AMT Capable Systems in the Environment

    Step 2: Install Intel SCS

    Step 3: Install McAfee ePO Deep Command Server Components

    Step 4: Deploy Deep Command

     

    Note: There are many ways to configure Intel AMT hardware. This document references a method known as remote configuration. Remote configuration requires a remote configuration (SSL/TLS) certificate issued by a public certificate authority whose root hash is already present in the Intel AMT firmware. While this is the recommended method for production deployments, you might consider an alternative configuration method for test environments. McAfee recommends using the host based configuration method for test or proof-of-concept environments.

     

    Appendix A: Installing Microsoft Certificate Authority with Web Enrollment

    Appendix B: Manually Importing the Microsoft Certificate Authority Root Certificate on McAfee ePO Server or Agent Handler

    Appendix C: McAfee ePO Deep Command 1.5 Setup Checklist


    Introduction

    McAfee Deep Command requires Intel® vPro™ technology hardware. This hardware offers Intel® Active Management Technology (AMT) which provides services in the firmware that enable McAfee Deep Command to perform out of band management tasks.  Intel AMT is shipped disabled on all hardware and must be enabled prior to using with McAfee Deep Command. This document contains McAfee’s recommended process for enabling and configuring Intel AMT. Following this process will ensure compatibility with McAfee Deep Command.

     

    Because McAfee Deep Command is dependent on Intel AMT capable hardware, installing McAfee Deep Command should be thought of as a four-step process:

     

    Step 1: Discover and Report All Intel AMT Capable Systems in the Environment

    Step 2: Install Intel SCS

    Step 3: Install McAfee ePO Deep Command Server Components

    Step 4: Deploy McAfee ePO Deep Command 1.5 and Configure AMT Clients

     

    Tip: Print the McAfee ePO Deep Command 1.5 Setup Checklist and check each step as you progress through the installation.


    Before You Begin

    The following items should be considered before starting the installation.

     

    1. McAfee ePO must be version 4.6 patch 4 or higher
    2. McAfee Agent must be version 4.5 patch 2 or higher
    3. Your domain must have a Microsoft Certificate Authority with Web Enrollment and IIS enabled. Both Windows Server 2003 and 2008 are supported. McAfee does not recommend using the ePO server for this purpose in production deployments. If you do not have a Microsoft CA environment, please see Appendix A for instructions.
    4. You must have rights to create certificate signing requests and request SSL certificates from Verisign, GoDaddy, Comodo, Starfield, Entrust, or Cybertrust.
    5. TCP traffic on ports 16992-16995 must be allowed, in both directions, between the McAfee ePO servers and the AMT clients.


    High Level Process
    Per the main steps listed above, here is a summarized list of all the tasks that must be performed to both configure Intel AMT and deploy McAfee ePO Deep Command.

     

    1. Discover and Report All Intel AMT Capable Systems in the Environment
      • Deploy ePO Deep Command Discovery and Reporting Plug-in
      • Analyze Intel® AMT Summary Dashboard in the ePO Console
    2. Install Intel SCS
      • Install Intel SCS to use the Network Service Account
      • Import Remote Configuration Certificate to the Network Service Account
      • Configure Intel SCS to use Digest Master Password
      • Create an Intel AMT Configuration Profile
      • Configure communication permissions between Intel SCS and infrastructure components
    3. Install McAfee ePO Deep Command Server Components
      • Install ePO extensions
      • Check in ePO packages
      • Deploy RCS Manager to SCS server
    4. Deploy McAfee ePO Deep Command 1.5 and Configure AMT Clients
      • Set AMT Configuration Policy
      • Create deployment task
      • Monitor deployment
      • Assign AMT tag


    Product Architecture
    McAfee Deep Command is implemented with an extension for McAfee ePO and a package that can be deployed to systems managed by the McAfee agent. 

     

    Intel AMT configuration is implemented by installing the Intel Setup and Configuration Service (SCS) on a server (the McAfee ePO server in this example). This software then leverages Microsoft Active Directory, DNS, DHCP and a Microsoft Certificate Authority to configure Intel AMT clients.

     

    The McAfee ePO Deep Command Gateway Services facilitate Intel AMT communications to remote clients. Understanding how McAfee ePO Deep Command works in an intranet environment is highly recommended before exploring how to connect remote clients. See the McAfee ePO Deep Command Gateway Services documentation for more information.

     

    [Figure: EDC15_arch_overview.png (McAfee ePO Deep Command 1.5 architecture overview)]

     

    Note: When using remote configuration, the initial configuration of an Intel AMT client must be done over a wired connection while the system is on the local area network. Other configuration methods (such as host based configuration) can be performed over wireless.

     

    Configuration of Intel AMT occurs between the Intel RCS and the client firmware over TCP port 16993. Communication is direct TCP/IP to the Intel AMT firmware, which shares the IP address and FQDN of the host operating system; the firmware claims its own traffic by port, answering TCP ports 16992-16995 at the network interface of the endpoint. Because the firmware picks this traffic off the wire at the NIC, the AMT ports can only be tested from another system on the network, not from the host operating system of the client itself.

     

    Configuration of Intel AMT in a Deep Command environment requires a web server certificate to be assigned to each endpoint. Once Intel AMT is configured on the endpoint device, it is a network service awaiting an authenticated and authorized request. Installing and configuring McAfee Deep Command will enable administrators to make valid connections to that network service and leverage the capabilities of Intel AMT via McAfee ePO.


    Product Components

    The following tables list and describe all of the components used in the McAfee Deep Command product. The rest of the installation guide will walk through the configuration of each component, but it is useful to get a baseline understanding of what each component does before you begin the installation.

     

    Client Component / Function

    McAfee Agent: Version 4.5 patch 1 or later. This facilitates communication with McAfee ePO and allows you to deploy the AMT Discovery and Reporting component to the system.

    McAfee AMT Discovery and Reporting: Version 1.5 or later. This collects AMT properties from the system and reports them to McAfee ePO. This data is then used to determine the status of AMT on the system. Only systems that are fully provisioned can support McAfee Deep Command.

    Intel MEI Driver: This driver must be present on systems in order for software to interact with the AMT firmware. Without it, the Discovery and Reporting data will be incomplete and both AMT configuration and Deep Command installation will fail. MEI drivers are delivered by Windows Update for all hardware from 2010 and 2011. MEI drivers for older hardware must be obtained from the hardware manufacturer.

    Intel AMT Firmware: McAfee Deep Command features are dependent on the version of the AMT firmware. For best results McAfee recommends updating to the latest version of AMT firmware provided by your hardware manufacturer.

    Intel Client Configurator (ACUconfig.exe): Version 8.1 or later. This program performs AMT configuration. It reads the AMT profile and applies those settings to the firmware on an AMT client. These files can be packaged, deployed and executed by any systems management software. Deep Command 1.5 will automatically deploy and execute ACUconfig.exe to perform remote configuration of Intel AMT. If an alternative configuration method is required, a custom package can be built and deployed from ePO.

    McAfee Deep Command: Version 1.5 or later. McAfee Deep Command leverages Intel AMT to perform out of band management and security tasks. With version 1.5 and later it can also be used to configure Intel AMT in your environment.

    Network: A wired network connection on the internal LAN is required for initial AMT configuration when using Deep Command to perform AMT remote configuration. Configuration over wireless is possible if AMT host based configuration is performed.

    Operating System: Microsoft Windows XP SP3 or later.
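    The following is an added example, not code from McAfee or Intel: a pre-flight check to run on a candidate client before remote configuration, covering the client-side items in the table above (supported OS, MEI driver present, a connected wired adapter whose connection-specific DNS suffix came from DHCP, and a running McAfee Agent). It assumes PowerShell 2.0 or later run as an administrator, that the MEI device is listed as "Intel(R) Management Engine Interface", that the McAfee Agent 4.x service is named "McAfeeFramework", and it treats AdapterTypeId 0 (Ethernet 802.3) as wired, which is a heuristic because some virtual and wireless adapters report the same type.

```powershell
# Added example (not McAfee or Intel code). Assumptions: PowerShell 2.0+, run as admin;
# MEI device name "Intel(R) Management Engine Interface"; McAfee Agent 4.x service
# name "McAfeeFramework"; AdapterTypeId 0 (Ethernet 802.3) treated as a wired adapter.
function Test-AmtClientReadiness {
    $os  = Get-WmiObject Win32_OperatingSystem
    $ver = [version]$os.Version
    # Windows XP SP3 is 5.1 with service pack 3; Vista/2008 (6.0) and later also qualify.
    $osOk = ($ver -ge [version]'6.0') -or
            ($ver -ge [version]'5.1' -and [int]$os.ServicePackMajorVersion -ge 3)

    # Without the MEI driver ACUconfig.exe cannot reach the firmware and the
    # Discovery and Reporting data is incomplete.
    $mei = @(Get-WmiObject Win32_PnPEntity | Where-Object { $_.Name -like '*Management Engine Interface*' })
    $meiOk = ($mei.Count -gt 0) -and ($mei[0].Status -eq 'OK')

    # Remote configuration needs a connected wired adapter, and the DNS suffix that
    # adapter received via DHCP option 15 must match the RCS certificate's CN.
    $suffix = $null
    $wired = @(Get-WmiObject Win32_NetworkAdapter -Filter "NetConnectionStatus=2" |
               Where-Object { $_.AdapterTypeId -eq 0 })
    foreach ($a in $wired) {
        $cfg = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "Index=$($a.Index)"
        if ($cfg.DHCPEnabled -and $cfg.DNSDomain) { $suffix = $cfg.DNSDomain; break }
    }

    $ma = Get-Service -Name McAfeeFramework -ErrorAction SilentlyContinue
    $maOk = ($ma -ne $null) -and ($ma.Status -eq 'Running')

    $result = New-Object PSObject -Property @{
        ComputerName     = $env:COMPUTERNAME
        OSVersion        = "$($os.Version) SP$($os.ServicePackMajorVersion)"
        OSSupported      = $osOk
        MeiDriverPresent = $meiOk
        WiredDhcpSuffix  = $suffix      # compare with the CN of the RCS certificate
        McAfeeAgentUp    = $maOk
    }
    $ready = $osOk -and $meiOk -and $maOk -and ($suffix -ne $null)
    $result | Add-Member -MemberType NoteProperty -Name Ready -Value $ready -PassThru
}

# Usage: Test-AmtClientReadiness | Format-List
```

    A client that reports Ready = False for the MEI driver or the wired suffix will still show up in Discovery and Reporting, but its AMT configuration will fail for the reasons given in the table, so fix those items before creating the deployment task.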


    Server Component / Function

    McAfee ePO: Version 4.6 patch 4 or later is required for all components of McAfee Deep Command v1.5.

    McAfee ePO AMT Discovery and Reporting: This dashboard provides individual monitors that indicate the readiness of client systems for both AMT configuration and Deep Command deployment.

    Microsoft Certificate Authority with Web Enrollment: The Microsoft CA is established by adding the Active Directory Certificate Services role to a server in your environment. The Certificate Authority Web Enrollment role service must also be added, which in turn requires the IIS role service. McAfee recommends running these roles on a separate server that acts as an enterprise certificate authority, not on the McAfee ePO server. All AMT clients request a TLS web server certificate from this CA during AMT configuration.

    Service Account for Intel Remote Configuration Service: The Remote Configuration Service runs on the McAfee ePO server under a service account that needs local administrator rights on that server and permission on the Microsoft CA to request certificates and to issue and manage certificates. You can create a dedicated domain account for this, but this document uses the built-in NetworkService account (see Step 2). Because NetworkService authenticates on the network as the ePO server's computer account, the CA permissions must be granted to that computer account.

    Intel AMT Setup and Configuration Application: Intel Setup and Configuration Service (SCS) 8.1 or later. This installs the Remote Configuration Service on the McAfee ePO server, provides the Intel AMT Configuration Wizard, and supplies the program files to be executed on the client.

    Intel SCS is available at http://downloadcenter.intel.com/Detail_Desc.aspx?agr=Y&DwnldID=20921

    Please note that other client configuration applications (like Microsoft SCCM) can also function as Setup and Configuration Applications. Using those applications is beyond the scope of this document.

    Intel Remote Configuration Service: Installed on the server as part of the SCS installation. During configuration this service receives connections from the AMT client and proves its identity to the client firmware with the AMT Remote Configuration Certificate, whose root hash the firmware already trusts. It then negotiates the client's TLS enrollment and sends the configuration settings to the client's AMT firmware.

    Active Management Technology Configuration Utility Wizard (ACUwizard): Installed on the server as part of the SCS installation. It is used to create Intel AMT configuration profiles.

    McAfee requires the AMT configuration profile to be configured to use admin control mode and to use TLS. McAfee recommends using digest authentication rather than Kerberos authentication for test and POC environments. For production environments, we recommend the use of a digest master password.

    DHCP: On your DHCP server, validate the DHCP server Scope Options. DNS Domain Name (Option 15) is critical for the Remote Configuration Certificate: the AMT firmware compares the domain suffix in the certificate with the value it receives in this option, so the domain name must be what you expect it to be. Note the domain name in Option 15 prior to creating the certificate signing request for the Remote Configuration SSL Certificate.

    For the purposes of this guide, the IPv6 scope should be disabled.

    Remote Configuration SSL Certificate: Remote configuration of Intel AMT requires an SSL certificate to establish trust between the client firmware and the SCS server. Only certificates from Verisign, GoDaddy, Comodo, Starfield, Entrust, or Cybertrust are supported. Self-signed root certificates are not supported because no corresponding hash for that root exists in the AMT firmware.

    More information at http://www.intel.com/content/www/us/en/remote-support/intel-vpro-certificates.html

    TIP: When creating the certificate signing request, be sure that the common name field contains the actual connection-specific DNS suffix found on your client's wired LAN interface. This should match option 15 in your DHCP settings.

    Note: If obtaining an SSL certificate is not possible, consider an alternative configuration method such as host based configuration.
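    The following is an added example, not McAfee's or Intel's code, that checks a remote configuration certificate against the DHCP option 15 domain and the root-hash requirement described above before you import it for the RCS. It assumes PowerShell 2.0 or later on the ePO server, that $CertPath (a hypothetical path) points to an exported .cer copy of the certificate whose chain can be built on that server (intermediates installed or fetchable), and that the expected domain is passed explicitly or, failing that, can be read from this machine's own DHCP-assigned DNS suffix.

```powershell
# Added example (not McAfee or Intel code). Assumptions: PowerShell 2.0+; $CertPath is
# a .cer export of the remote configuration certificate; the chain can be built on
# this server; -ExpectedDomain is the DHCP option 15 value the AMT clients receive.
function Test-AmtRemoteConfigCert {
    param(
        [Parameter(Mandatory=$true)][string]$CertPath,
        [string]$ExpectedDomain
    )
    if (-not $ExpectedDomain) {
        # Fallback: the connection-specific DNS suffix this machine got from DHCP
        # (option 15). Only meaningful if it is in the same scope as the clients.
        $nic = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled=True AND DHCPEnabled=True" |
               Select-Object -First 1
        $ExpectedDomain = $nic.DNSDomain
    }

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
    $cn = ''
    if ($cert.Subject -match 'CN=([^,]+)') { $cn = $Matches[1].Trim() }

    # The firmware compares the domain suffix of the CN with DHCP option 15, so the
    # CN must be the domain itself or a host name directly within that domain.
    $cnSuffix = $cn -replace '^[^.]+\.', ''
    $domainOk = ($cn -ieq $ExpectedDomain) -or ($cnSuffix -ieq $ExpectedDomain)

    # Walk the chain to its root: the root's SHA-1 thumbprint is what the AMT firmware
    # must already hold. A self-signed or private root has no such hash and is rejected.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    [void]$chain.Build($cert)
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $selfSigned = ($cert.Issuer -eq $cert.Subject)
    # CA vendors the guide lists as having their root hashes in the firmware.
    $vendors = 'VeriSign', 'Go Daddy', 'GoDaddy', 'Comodo', 'Starfield', 'Entrust', 'Cybertrust'
    $rootKnown = [bool]($vendors | Where-Object { $root.Subject -imatch [regex]::Escape($_) })

    New-Object PSObject -Property @{
        CommonName      = $cn
        ExpectedDomain  = $ExpectedDomain
        DomainMatches   = $domainOk
        NotAfter        = $cert.NotAfter
        RootSubject     = $root.Subject
        RootSha1Hash    = $root.Thumbprint   # compare with the hashes listed in the client MEBx
        RootVendorKnown = $rootKnown
        SelfSigned      = $selfSigned
        ChainStatus     = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
        Usable          = ($domainOk -and $rootKnown -and -not $selfSigned -and ($cert.NotAfter -gt (Get-Date)))
    }
}

# Usage: Test-AmtRemoteConfigCert -CertPath 'C:\certs\amt-rcs.cer' -ExpectedDomain 'corp.example.com' | Format-List
```

    DomainMatches = False is the most common reason remote configuration fails silently: the certificate is valid and trusted, but the firmware refuses it because the CN suffix does not equal the option 15 value the client received. Fix the scope option or reissue the certificate; do not work around it by changing the client's primary DNS suffix, which the firmware does not consult.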

    Ports: The following TCP ports must be open, in both directions, between the McAfee ePO servers and the AMT clients:

    16992 TCP (AMT HTTP)
    16993 TCP (AMT HTTPS; used by remote configuration)
    16994 TCP (redirection: Serial-over-LAN and IDE-Redirection)
    16995 TCP (redirection over TLS)
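    The following is an added example, not McAfee's or Intel's code, that probes the four AMT ports on one or more clients from the ePO server (or any other host on the LAN) and, where port 16992 answers, reads the HTTP Server header to confirm that the AMT firmware rather than the host operating system is responding. It assumes PowerShell 2.0 or later, that it is not run on the client itself (the firmware answers on the wire, so the host OS cannot reach its own AMT ports), and that the firmware identifies itself with a Server header beginning "Intel(R) Active Management Technology"; the host names in the usage line are placeholders.

```powershell
# Added example (not McAfee or Intel code). Assumptions: PowerShell 2.0+; run from a
# different host than the client being probed; AMT's HTTP Server header starts with
# "Intel(R) Active Management Technology".
function Test-TcpPort {
    param([string]$Target, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($Target, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }  # filtered/no answer
        $client.EndConnect($ar)       # throws if the connection was refused
        return $client.Connected
    } catch { return $false }
    finally { $client.Close() }
}

function Get-AmtHttpBanner {
    param([string]$Target, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($Target, 16992)
        $stream = $client.GetStream()
        $stream.ReadTimeout = $TimeoutMs
        $req = [System.Text.Encoding]::ASCII.GetBytes("GET / HTTP/1.0`r`nHost: $Target`r`n`r`n")
        $stream.Write($req, 0, $req.Length)
        $reader = New-Object System.IO.StreamReader($stream)
        $server = ''
        # Read only the response headers (up to the first blank line); whatever status
        # AMT returns for GET /, the Server header is what identifies the firmware.
        while (($line = $reader.ReadLine()) -ne $null -and $line -ne '') {
            if ($line -match '^Server:\s*(.+)$') { $server = $Matches[1].Trim() }
        }
        return $server
    } catch { return '' }
    finally { $client.Close() }
}

function Test-AmtPorts {
    param(
        [Parameter(Mandatory=$true)][string[]]$ComputerName,
        [int]$TimeoutMs = 2000
    )
    $roles = @{ 16992 = 'HTTP'; 16993 = 'HTTPS (remote configuration)';
                16994 = 'Redirection (SOL/IDE-R)'; 16995 = 'Redirection over TLS' }
    foreach ($target in $ComputerName) {
        foreach ($port in 16992..16995) {
            $open = Test-TcpPort -Target $target -Port $port -TimeoutMs $TimeoutMs
            $banner = ''
            if ($open -and $port -eq 16992) { $banner = Get-AmtHttpBanner -Target $target -TimeoutMs $TimeoutMs }
            New-Object PSObject -Property @{
                ComputerName  = $target
                Port          = $port
                Role          = $roles[$port]
                Open          = $open
                ServerHeader  = $banner
                IsAmtFirmware = ($banner -like 'Intel(R) Active Management Technology*')
            }
        }
    }
}

# Usage: Test-AmtPorts -ComputerName 'client1.example.com', '10.0.0.25' | Format-Table -AutoSize
```

    All four ports closed on an otherwise reachable client means either that AMT has not been configured yet or that a firewall between the probing host and the client drops the traffic; repeat the probe from a host on the client's own subnet to tell the two apart. An open port 16992 whose Server header does not name Intel AMT means something on the host operating system has claimed that port, which will also break the firmware's use of it.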


    Client Configuration Workflow

    The diagram below illustrates what happens when an Intel AMT client goes through the configuration process. It shows each component involved and describes what role each component plays in the configuration process.

     

    [Figure: EDC15_Simplified_Config.png (simplified Intel AMT client configuration workflow)]