Three Insights to Improve McAfee KVM Viewer Experience

Version 1

    Introduction

     

    McAfee KVM Viewer is a standalone application that enables communication with the Keyboard-Video-Mouse (KVM) functionality on select Intel vPro Technology systems. Included with McAfee ePO Deep Command 2.0, the viewer can be started on any Windows platform within the environment. If the Intel vPro configuration includes domain users, pass-through authentication via Kerberos can enable a seamless experience.

     

    In addition to the guidance provided in the McAfee ePO Deep Command Product Guide, the following three insights may help improve your experience with the McAfee KVM Viewer:

    1. Inserting the McAfee ePO Deep Command Trusted Root Certificate
    2. Command line options when starting the McAfee KVM Viewer
    3. Minimizing application load latencies

     

    The insights are applicable primarily to version 2.0 of the software.  


    Inserting Trusted Root Certificate

    All McAfee ePO Deep Command communications to configured Intel vPro systems require TLS.   The application initiating the session must present a Trusted Root public certificate.

     

    If the McAfee ePO console-based "AMT Actions" are functioning, this is due in part to the Trusted Root Certificate shown in the Intel AMT Credentials under server settings.

     

    Shown below is the Trusted Root certificate for McAfee ePO Deep Command as generated when the extension was installed.

     

    EDC trusted root1.png

    Attempts to start a McAfee KVM Viewer session on systems outside of the McAfee ePO infrastructure will fail without this Trusted Root Certificate.

     

    Click "Export Active Certificate" to obtain a zip file containing the desired certificate file in .CRT format.

     

    The exported zip file will have a long name similar to "CN_McAfee_ePO_Deep_Command_Root_2013-10-25_12_22_37".  

     

    For convenience in this document, I renamed the exported and extracted file to "EDC_root.crt".

    EDC trusted root2.png

    Copy the CRT file to the target platform where McAfee KVM Viewer will be started.   The certificate must be imported into the LocalMachine Trusted Root certificate store.

     

    One method to complete the import is by using the built-in Microsoft Windows utility "certutil.exe".

     

    Shown in the example below is the completed import of the Trusted Root certificate by running the command:

     

    certutil.exe -addstore -root EDC_root.crt

     

    EDC trusted root3.png

    Now, when McAfee KVM Viewer is started the trusted root certificate can be accessed for the KVM session to connect.
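
    Because this step adds a new root of trust for the whole machine, it is worth inspecting the file before importing it. The following added example (not part of the original document and not McAfee code) checks the exported certificate and then imports it through the .NET X509Store class instead of certutil.exe; the script parameters are assumptions, and the expected thumbprint must be read from the certificate shown in the ePO console.

```powershell
# Added example, not McAfee code. Run from an elevated prompt: writing to the
# LocalMachine Root store requires administrator rights.
param(
    [string]$CrtPath = '.\EDC_root.crt',
    # Assumption: thumbprint copied from the certificate shown in the ePO console.
    [Parameter(Mandatory = $true)][string]$ExpectedThumbprint
)

$fullPath = (Resolve-Path $CrtPath).Path
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $fullPath

# Strip spaces, colons and invisible characters that copy/paste tends to add.
$expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()

$problems = @()
if ($cert.Thumbprint -ne $expected) {
    $problems += "thumbprint $($cert.Thumbprint) does not match the expected value"
}
if ($cert.Subject -ne $cert.Issuer) {
    # A root certificate is issued by itself.
    $problems += "not self-signed (issuer: $($cert.Issuer))"
}
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    $problems += "outside its validity period ($($cert.NotBefore) to $($cert.NotAfter))"
}
if ($problems.Count -gt 0) {
    throw ("Refusing to trust ${fullPath}: " + ($problems -join '; '))
}

# Import into the LocalMachine Trusted Root store.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList 'Root', 'LocalMachine'
$store.Open('ReadWrite')
try { $store.Add($cert) } finally { $store.Close() }

# Confirm the certificate is now present in the store.
if (-not (Test-Path "Cert:\LocalMachine\Root\$($cert.Thumbprint)")) {
    throw "Import did not succeed for thumbprint $($cert.Thumbprint)"
}
"Trusted root imported: $($cert.Subject) [$($cert.Thumbprint)]"
```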

     

     

     

    Command line options

     

    The McAfee KVM Viewer can be started with the following command line options:

     

    • -host <hostname|IP>
    • -user <digest username>
    • -pass <digest user password>
    • -dns <resolve host\IP to FQDN using DNS>

     

    If using Kerberos authentication, the <user> and <pass> options are not needed. It is recommended to use the <dns> command line switch, as the TLS session requires correct resolution of the target FQDN.

     

    An example of using the command line options is shown below. This example uses Kerberos authentication, which passes through the credentials of the currently logged-on user.

     

    MKVMview.exe -host x220.vprodemo.com -dns

     

    (Note: For a foundational understanding of how Kerberos authentication to Intel® AMT works and how it differs from Digest authentication, see https://community.mcafee.com/docs/DOC-4253.)


    kvm cmdline.png

     

    Minimizing application load latencies

    As stated in the McAfee ePO Deep Command product guide, the McAfee KVM Viewer requires Microsoft .NET Framework 3.5 SP1 or higher along with Windows Remote Management (WinRM).

     

    When starting the application on systems that are unable to connect to the Internet, a one to two minute delay might be observed.    This is due to certificate revocation checking of the .NET application software.

     

    The following screenshot shows MKVMview.exe is running according to Microsoft Windows Task Manager.   However, the application interface is not yet viewable or accessible.

    KVM latency.png

     

    One workaround for testing and early pilot purposes is to disable certificate revocation checking on the client platform. There is an inherent risk in this workaround in that other code with expired or incorrect certificates could run on the platform. Again, this workaround is primarily meant for testing or pilot purposes on platforms with no Internet access or connectivity.

     

    To disable certificate revocation checking, open Microsoft Internet Explorer and navigate to the Internet Options menu.  

     

    Select the Advanced Tab.  

     

    Scroll down to the Security section.  

     

    Clear the "Check for publisher's certificate revocation" and "Check for server certificate revocation" check boxes, as shown below.

    KVM latency 2.png

    Save the settings and retry opening McAfee KVM Viewer.

     

    If you were experiencing several minutes of delay before, the application should now start and be ready to use within seconds.
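
    Since the workaround is meant only for testing and pilot use, it helps to be able to find machines where it was left in place and to turn the checks back on. The following added example (not part of the original document and not McAfee code) reads the two per-user registry values that hold these Internet Options check boxes and can restore them; the registry locations and the -Restore switch are not taken from the page.

```powershell
# Added example, not McAfee code. Both settings are per-user (HKCU), so run this
# as the user who starts the McAfee KVM Viewer.
param([switch]$Restore)   # hypothetical switch: re-enable both checks

$wintrust = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing'
$inet     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$IgnoreRevocation = 0x200   # bit in "State": set means publisher revocation checking is off

function Get-RevocationCheckState {
    $state  = (Get-ItemProperty $wintrust -Name State -ErrorAction SilentlyContinue).State
    $server = (Get-ItemProperty $inet -Name CertificateRevocation -ErrorAction SilentlyContinue).CertificateRevocation

    $publisher = 'not set'
    if ($null -ne $state) {
        if ($state -band $IgnoreRevocation) { $publisher = 'disabled' } else { $publisher = 'enabled' }
    }
    $serverCheck = 'not set'
    if ($null -ne $server) {
        if ($server -eq 1) { $serverCheck = 'enabled' } else { $serverCheck = 'disabled' }
    }
    New-Object psobject -Property @{
        State          = $state
        PublisherCheck = $publisher
        ServerCheck    = $serverCheck
    }
}

function Enable-RevocationCheck {
    $current = Get-RevocationCheckState
    if ($null -ne $current.State) {
        # Clear only the revocation bit and leave the other policy bits untouched.
        $newState = $current.State -band (-bnot $IgnoreRevocation)
        Set-ItemProperty $wintrust -Name State -Value $newState -Type DWord
    }
    Set-ItemProperty $inet -Name CertificateRevocation -Value 1 -Type DWord
}

$status = Get-RevocationCheckState
$status | Format-List PublisherCheck, ServerCheck
if ($status.PublisherCheck -eq 'disabled' -or $status.ServerCheck -eq 'disabled') {
    Write-Warning 'Certificate revocation checking is disabled for this user.'
    if ($Restore) {
        Enable-RevocationCheck
        Get-RevocationCheckState | Format-List PublisherCheck, ServerCheck
    }
}
```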