McAfee ePO Deep Command works with Intel® Active Management Technology (AMT) to provide beyond-the-operating-system security management. An advanced feature enables Intel® AMT clients outside of the enterprise network to connect with McAfee ePO Deep Command hosted inside the corporate environment. This advanced feature is called McAfee ePO Deep Command Gateway Services.
In the architectural diagram below, the Remote Client and External AH (Agent Handler) are the focus points of this article.
This article is targeted at those who already have McAfee ePO Deep Command working within their production environment, are benefiting from its capabilities, and want to extend their reach to systems that will be outside of the enterprise. The article is meant to complement the existing product documentation.
The following items should already exist within your environment:
The following additional software components are required:
The following environment values must be identified to complete the setup:
The following drivers and software should be installed on your client, at least for initial testing purposes:
Two final points of prerequisites that should already be in place:
The following diagram provides a visual of the communications that will occur across your demilitarized zone (DMZ).
In some environments, the Agent Handler hosting McAfee ePO Deep Command Gateway Services may be on the intranet side of the internal firewall. The important parts of this diagram are the ports used for communication. The exact ports, number of firewalls, and so forth will be unique to your environment.
The ports and placement of the McAfee ePO Deep Command Gateway Services are configurable based on your specific environmental requirements.
For the purposes of this document and the attached files, the following ports were used:
As stated previously, these example ports apply only to this document and are given for reference. The specific ports used in your environment will vary based on your requirements.
The following summary steps will guide you through the basic process.
Once the Gateway Services installation is complete, the next key step is to configure stunnel.
Note: The guidance provided in this section applies to the current implementation of McAfee ePO Deep Command Gateway Services. Third-party utilities are involved to create an encrypted tunnel between the Intel AMT firmware and the Gateway Services component. In theory, an existing VPN or TLS tunnel solution could be used to establish the connection between an internet-based Intel AMT device and the Gateway Services. Further investigation and assessment is on-going to simplify and fully integrate this step of the process without the use of third-party utilities. Until then, please follow the proven process provided below for your proof-of-concept purposes.
To establish a TLS tunnel between the Intel AMT firmware and McAfee ePO Gateway Services, the free stunnel application is used. This application can be obtained at http://www.stunnel.org/downloads.html.
Configuration and use of stunnel requires a TLS certificate to be generated for the environment. The certificate request is generated with OpenSSL, which can be obtained at http://slproweb.com/products/Win32OpenSSL.html. Per the OpenSSL guidance, installation may require the Visual C++ 2008 Redistributables (vcredist_x86.exe); please refer to the OpenSSL link provided.
The attached OpenSSL.conf and stunnel.conf example files are provided for your convenience. The settings in the CONF files are specific to this document. Specific changes to the files are referenced below as needed.
For the purposes of this document, the core steps are as follows:
Stunnel is now configured and running within your environment.
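The certificate and stunnel.conf steps above, as an added worked example. This is not the article's attached OpenSSL.conf or stunnel.conf; it generates the server key and certificate that stunnel presents to the Intel AMT firmware, writes a server-mode stunnel.conf, and checks both before stunnel is started. It assumes the OpenSSL build is on the PATH (the same openssl commands run from a Windows command prompt with the Win32 build), that stunnel accepts on port 2002 as in this document, and that the internal Gateway Services endpoint is 127.0.0.1:8443 (the internal port is an assumption; substitute the port from your own environment). The service name amt-gateway and the file names are also illustrative.

```shell
#!/bin/sh
# Added example (not the article's attached files): key/cert generation plus a
# server-mode stunnel.conf for the Gateway Services tunnel, with pre-start checks.

# Private key + self-signed certificate for proof-of-concept use. For production,
# drop -x509 to produce a CSR and have your enterprise CA sign it instead.
# $1 = DNS name the firmware will connect to, $2 = key file, $3 = cert file
gen_server_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=$1" -addext "subjectAltName=DNS:$1" \
        -keyout "$2" -out "$3" 2>/dev/null
}

# Print the CN of a certificate so it can be compared with the internet-facing name.
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Return 0 when the certificate's public key matches the private key stunnel will load.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey)
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Write a server-mode stunnel.conf. $1 = conf path, $2 = cert, $3 = key,
# $4 = external accept port (2002 in this document), $5 = internal host:port of
# Gateway Services (assumption: 127.0.0.1:8443).
write_stunnel_conf() {
    cat > "$1" <<EOF
; constructed example, not the article's attached stunnel.conf
cert = $2
key = $3
output = stunnel.log
debug = 5
; SSLv2/SSLv3 stay off; the minimum TLS version must match what the client
; firmware in your environment supports (assumption: verify per Intel AMT version)
options = NO_SSLv2
options = NO_SSLv3

[amt-gateway]
accept = $4
connect = $5
client = no
EOF
}

# Minimal lint before starting the service: a service section, accept and connect
# present, server mode (client = yes belongs on the client side), cert and key readable.
check_stunnel_conf() {
    f=$1
    if ! grep -q '^\[.*\]' "$f"; then echo "no service section"; return 1; fi
    if ! grep -q '^accept *=' "$f"; then echo "missing accept"; return 1; fi
    if ! grep -q '^connect *=' "$f"; then echo "missing connect"; return 1; fi
    if grep -q '^client *= *yes' "$f"; then echo "client = yes is not for the gateway side"; return 1; fi
    cert=$(sed -n 's/^cert *= *//p' "$f")
    key=$(sed -n 's/^key *= *//p' "$f")
    if [ ! -r "$cert" ]; then echo "cert not readable: $cert"; return 1; fi
    if [ ! -r "$key" ]; then echo "key not readable: $key"; return 1; fi
    return 0
}
```

Typical use is gen_server_cert dc1.vprodemo.com gw.key gw.crt, then write_stunnel_conf stunnel.conf gw.crt gw.key 2002 127.0.0.1:8443, and check_stunnel_conf stunnel.conf before starting stunnel. The CN (and SAN) should be the internet-facing name the firmware is told to connect to, and the key must be the one that matches the certificate; both mistakes show up at TLS handshake time in stunnel.log rather than in the ePO console.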
To test the connection, open a web browser and attempt to contact the internet-facing address on the port specified. For this example, https://dc1.vprodemo.com:2002 was used. The stunnel.log will show the connection attempt. Expect a certificate warning if the certificate is self-signed; this test only confirms that stunnel is reachable and negotiating TLS, not that the Intel AMT firmware will accept the certificate.
In the next section, the Remote Access policy settings are applied to the supporting Intel AMT clients.
With the Stunnel and McAfee ePO Gateway Services configured, the focus shifts to defining the Intel AMT Remote Access policies within the McAfee ePO Console.
When applied to an Intel AMT system, the remote access policies designate important items such as:
The values must be set and applied to the target Intel AMT systems while they are connected to the intranet of your environment. Configuring these values for systems already outside of the enterprise is beyond the scope of this article.
The Intel AMT policies are located in the Policy Catalog under the ePO Deep Command product. Below is an example of the Remote Access settings for the Intel AMT policies.
A summary explanation of the above settings:
Once the Remote Access settings within the Policy Catalog have been defined and saved, they must be applied to the target systems. This is done by selecting the targets in the ePO console, followed by Actions > AMT Actions > Enforce AMT Policies.
Note: With ePO Deep Command version 1, the Actions menu entry is labelled “Out-of-Band” rather than “AMT Actions”.
If you view AMTservice.log, the Enforce AMT Policies action generates entries similar to those below.
With the core components configured and the Remote Access policies set into the Intel AMT firmware, you are now ready to test a connection through McAfee ePO Deep Command Gateway Services.
A successful connection will appear in the McAfee ePO console Threat Event Log.
Once the client is connected via the Gateway Services, Intel AMT Actions can be performed. The connection to the proxy remains active for the time set in the Remote Access policy (5 minutes in this example).
If the connection fails, or Intel AMT Actions through the gateway do not respond correctly, the following logs will help identify the underlying issue:
Note: The <ProgramFiles> designation differs depending on the host operating system. For 32-bit Microsoft Windows servers, use c:\Program Files\. For 64-bit Microsoft Windows servers, use c:\Program Files (x86)\.
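Of the logs above, stunnel.log is the one that tells a failed gateway test apart from a client that never reached the gateway at all. The following added example (not from the article or the product) summarises stunnel.log by source address. The log lines embedded in it are constructed to mimic stunnel's default "date time LOGn[pid:tid]: message" layout with a service named amt-gateway and an assumed internal endpoint of 127.0.0.1:8443; the exact wording of your stunnel version's messages may differ slightly, so adjust the patterns if they do not match.

```shell
#!/bin/sh
# Added example (not from the article): classify stunnel.log connections per source.
# Sample log content is constructed; it is not a capture from a real gateway.
SAMPLE_STUNNEL_LOG='2012.06.14 09:12:01 LOG5[2120:3404]: Service [amt-gateway] accepted connection from 203.0.113.7:49152
2012.06.14 09:12:01 LOG5[2120:3404]: Service [amt-gateway] connected remote server from 127.0.0.1:50123
2012.06.14 09:17:02 LOG5[2120:3404]: Connection closed: 11842 byte(s) sent to SSL, 9310 byte(s) sent to socket
2012.06.14 09:20:44 LOG5[2120:3412]: Service [amt-gateway] accepted connection from 198.51.100.9:60211
2012.06.14 09:20:44 LOG3[2120:3412]: SSL_accept: 1408F10B: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
2012.06.14 09:20:44 LOG5[2120:3412]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
2012.06.14 09:31:10 LOG5[2120:3420]: Service [amt-gateway] accepted connection from 203.0.113.7:49177
2012.06.14 09:31:10 LOG3[2120:3420]: connect_blocking: connect 127.0.0.1:8443: Connection refused (WSAECONNREFUSED) (10061)
2012.06.14 09:31:10 LOG5[2120:3420]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket'

# Write the constructed sample to a file so the summariser can be run against it.
write_sample_log() {
    printf '%s\n' "$SAMPLE_STUNNEL_LOG" > "$1"
}

# Usage: summarize_stunnel_log FILE
# Prints one line per source address:
#   <ip> accepted=<n> tls_errors=<n> backend_errors=<n> completed=<n>
# tls_errors right after accept point at the certificate or TLS-version settings;
# backend_errors mean stunnel is fine but nothing answered on the connect port;
# completed connections carried data both ways and then closed normally.
summarize_stunnel_log() {
    awk '
    {
        # the id inside LOGn[...] ties the later lines of a connection to its accept line
        match($0, /LOG[0-9]\[[0-9:]*\]/)
        id = substr($0, RSTART + 5, RLENGTH - 6)
    }
    /accepted connection from/ {
        src = $NF; sub(/:[0-9]+$/, "", src)
        by_id[id] = src; accepted[src]++
        next
    }
    /SSL_accept:/ && (id in by_id)                        { tls_err[by_id[id]]++; next }
    /connect_blocking: connect .*refused/ && (id in by_id) { backend_err[by_id[id]]++; next }
    /Connection closed:/ && (id in by_id)                 { completed[by_id[id]]++; delete by_id[id]; next }
    /Connection reset:/ && (id in by_id)                  { delete by_id[id] }
    END {
        for (s in accepted)
            printf "%s accepted=%d tls_errors=%d backend_errors=%d completed=%d\n",
                s, accepted[s], tls_err[s] + 0, backend_err[s] + 0, completed[s] + 0
    }' "$1" | sort
}
```

Run it as summarize_stunnel_log "<ProgramFiles>\...\stunnel.log" (or on the constructed sample via write_sample_log). On the sample, 198.51.100.9 is reported with one accepted connection and one TLS error, and 203.0.113.7 with two accepted, one completed and one backend error. A client address that never appears at all did not reach stunnel, which moves the investigation to the Remote Access policy, DNS for the internet-facing name, or the external firewall rather than the gateway host.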
Interested in other articles associated to Intel AMT and McAfee ePO Deep Command? Click here for an index listing
The opinions expressed on this site are mine alone and do not necessarily reflect the opinions or strategies of Intel Corporation or its worldwide subsidiaries