
McAfee Deep Command Installation Guide - Introduction

Installing McAfee Deep Command

Use the following documents to install, configure and deploy McAfee Deep Command.

Step 1:
Step 2:
Step 3:
Step 4:
Appendix A:
Appendix B:
Appendix C: McAfee Deep Command Setup Checklist

Introduction

McAfee Deep Command requires Intel® vPro™ technology hardware. This hardware provides Intel® Active Management Technology (AMT), a set of firmware-level services that enable McAfee Deep Command to perform out-of-band management tasks. Intel AMT ships disabled on all hardware and must be enabled before it can be used with McAfee Deep Command. This document contains McAfee's recommended process for enabling and configuring Intel AMT; following this process ensures compatibility with McAfee Deep Command.

Note: There are a number of methods to configure Intel AMT that are not referenced in this document. Those other methods can be explored on Intel's vPro Expert Center (http://www.intel.com/go/vproexpert).

Because McAfee Deep Command depends on Intel AMT capable hardware, installing McAfee Deep Command should be thought of as a four-step process:

Step 1: Discover and Report All Intel AMT Capable Systems in the Environment
Step 2: Configure Certificates for Intel AMT
Step 3: Install Intel AMT and McAfee ePO Server Components
Step 4: Configure Intel AMT Clients and Deploy McAfee Deep Command

Tip: Print the McAfee Deep Command Setup Checklist and check each step as you progress through the installation.

Before You Begin

The following items should be considered before starting the installation.

  1. McAfee ePO must be version 4.6 patch 1 or higher
  2. McAfee Agent must be version 4.5 patch 2 or higher
  3. Your domain must have a Microsoft Certificate Authority with Web Enrollment and IIS enabled. Both Windows Server 2003 and 2008 are supported. McAfee does not recommend using the ePO server for this purpose in production deployments. If you do not have a Microsoft CA environment, please see Appendix A for instructions.
  4. You must have rights to create a domain user that will function as a service account.
  5. You must have rights to create certificate signing requests and request SSL certificates from Verisign, GoDaddy, Comodo, Starfield, Entrust, or Cybertrust.
  6. TCP traffic on ports 16992-16995 must be allowed in your environment.

High Level Process

Per the main steps listed above, here is a summarized list of all the tasks that must be performed to both configure Intel AMT and deploy McAfee Deep Command.

  1. Discover and Report All Intel AMT Capable Systems in the Environment
    • Deploy ePO Deep Command Discovery and Reporting Plug-in
    • Analyze Intel® AMT Summary Dashboard in the ePO Console
  2. Configure Certificate for Intel AMT
    • Create AMT Configuration Service Account
    • Export the Public Root Certificate from your Microsoft Certificate Authority
    • Grant Service Account Privileges to Microsoft Certificate Authority
    • Get SSL Certificate for Remote Intel AMT Configuration
    • Export SSL Certificate for Remote Intel AMT Configuration
    • Import SSL Certificate for Remote Intel AMT Configuration to User Certificate Store
  3. Install Intel and McAfee ePO Server Components
    • Install Intel SCS on the McAfee ePO Server
    • Create Intel AMT Configuration Profile
    • Install and Configure McAfee Deep Command in ePO
    • Create Deep Command Deployment Task
  4. Configure Intel AMT Clients and Deploy McAfee Deep Command
    • Manually Configure an Intel AMT Client
    • Set WMI Permissions for Automated Intel AMT Configuration
    • Identify and Tag Systems Ready for Intel AMT Configuration
    • Create AMT Configuration Package
    • Create Deployment Task for AMT Configuration Package
    • Track AMT Configuration and Deep Command Installation Progress

Product Architecture

McAfee Deep Command is implemented with an extension for McAfee ePO and a package that can be deployed to systems managed by the McAfee agent. An additional piece of software called STunnel can be installed on an agent handler to facilitate communication with remote clients. Intel AMT configuration is implemented by installing Intel Setup and Configuration software on a server (the McAfee ePO server in this example). This software then leverages Microsoft Active Directory, DNS, DHCP and a Microsoft Certificate Authority to configure Intel AMT clients.

[Figure: product architecture diagram (arch diag.png)]

Note: Initial configuration of Intel AMT clients must be done with a wired connection while the system is on the local area network.

Configuration of Intel AMT occurs between the Intel RCS and the client firmware over TCP port 16993. Direct TCP/IP communication takes place with the Intel AMT firmware, which shares the same IP address and FQDN as the host operating system. Intel AMT traffic is designated by TCP ports 16992-16995 at the network interface of the endpoint.

Configuration of Intel AMT in a Deep Command environment requires a web server certificate to be assigned to each endpoint. Once Intel AMT is configured on the endpoint device, it is a network service awaiting an authenticated and authorized request. Installing and configuring McAfee Deep Command will enable administrators to make valid connections to that network service and leverage the capabilities of Intel AMT via McAfee ePO.

Product Components

The following tables list and describe all of the components used in the McAfee Deep Command product. The rest of the installation guide will walk through the configuration of each component, but it is useful to get a baseline understanding of what each component does before you begin the installation.

Client Component / Function

McAfee Agent: Version 4.5 patch 2 or later. This facilitates communication with McAfee ePO and allows you to deploy the AMT Discovery and Reporting component to the system.

McAfee AMT Discovery and Reporting: Version 1.0 or later. This collects AMT properties from the system and reports them to McAfee ePO. This data is then used to determine the status of AMT on the system. Only systems that are fully provisioned can support McAfee Deep Command.

Intel MEI Driver: This driver must be present on systems in order for software to interact with the AMT firmware. Without it, the Discovery and Reporting data will be incomplete and both AMT configuration and Deep Command installation will fail. MEI drivers are delivered by Windows Update for all hardware from 2010 and 2011. MEI drivers for older hardware must be obtained from the hardware manufacturer.

Intel AMT Firmware: McAfee Deep Command features are dependent on the version of the AMT firmware. For best results McAfee recommends updating to the latest version of AMT firmware provided by your hardware manufacturer.

Intel Client Configurator (ACUconfig.exe): Version 7.1 or later. This program performs AMT configuration. It reads the AMT configuration file and applies those settings to the firmware on an AMT client. These files can be packaged, deployed and executed by any systems management software. In this example, we provide a custom package that can be deployed by McAfee ePO.

McAfee Deep Command: Version 1.0 or later. McAfee Deep Command leverages Intel AMT to perform out-of-band management and security tasks. It can only be deployed to systems that first report to ePO as Fully Provisioned in the AMT Discovery and Reporting Dashboard.

Network: A wired network connection on the internal LAN is required for initial AMT configuration.

Operating System: Microsoft Windows XP SP3 or later.

Server Component / Function

McAfee ePO: Version 4.6 patch 1 or later is required to manage McAfee Deep Command. The Discovery and Reporting software can be managed from McAfee ePO 4.6 or later.

McAfee ePO AMT Discovery and Reporting: This dashboard provides individual monitors that indicate the readiness of client systems for both AMT configuration and Deep Command deployment.

Microsoft Certificate Authority with Web Enrollment: The Microsoft CA is established by adding the Active Directory Server Certificates role to a server in your environment. Then, the Certificate Authority Web Enrollment role service must also be added; this requires the IIS role service to also be added. McAfee recommends running these roles on a separate server that is acting as an enterprise certificate authority, not on the McAfee ePO server. All AMT clients will request a TLS web server certificate from this CA during AMT configuration.

Service Account for Intel Remote Configuration Service: A domain account must be created. This service account will run the Remote Configuration Service on the McAfee ePO server. This account must have local admin rights on the server. In addition, this account must have permission to request certificates and to issue and manage certificates on the Microsoft CA server.

Intel AMT Setup and Configuration Application: Intel Setup and Configuration Service (SCS) 7.1 and later. This is used to install the Remote Configuration Service on the McAfee ePO server, provide the Intel AMT Configuration Wizard, and program files to be executed on the client. Intel SCS is available at http://downloadcenter.intel.com/Detail_Desc.aspx?lang=eng&DwnldID=19881. Please note that other client configuration applications (like Microsoft SCCM) can also function as Setup and Configuration Applications. Using those applications is beyond the scope of this document.

Intel Remote Configuration Service: This will be installed on the server as part of the SCS installation. During configuration this service receives connections from the AMT client and authenticates them by using the AMT Remote Configuration Certificate. It then negotiates the client's TLS enrollment and sends the configuration settings to the client's AMT firmware.

Active Management Technology Configuration Utility Wizard (ACUwizard): This will be installed on the server as part of the SCS installation. It is used to create Intel AMT configuration profiles. McAfee requires the AMT configuration profile to be configured to use admin control mode and to use TLS. McAfee recommends using digest authentication rather than Kerberos authentication.

DHCP: On your DHCP server, validate the DHCP server Scope Options. DNS Domain Name (Option 15) is critical for the Remote Configuration Certificate. It is important that this domain name is what you expect it to be. Please note the domain name in Option 15 prior to creating the certificate signing request for the Remote Configuration SSL Certificate. For the purposes of this guide, the IPv6 scope should be disabled.

Remote Configuration SSL Certificate: Intel AMT provisioning requires an SSL certificate to establish trust between the client firmware and the RCS server. Only certificates from Verisign, GoDaddy, Comodo, Starfield, Entrust, or Cybertrust are supported. Self-signed root certificates are not supported because a corresponding hash for that certificate will not exist in the AMT firmware. More information at http://communities.intel.com/docs/DOC-2225

TIP: When creating the certificate signing request, be sure that the common name field contains the actual connection-specific DNS suffix found on your client's wired LAN interface. This should match Option 15 in your DHCP settings.

Ports: The following ports should be open between the McAfee ePO servers and the AMT clients.

16992 TCP/UDP bidirectional
16993 TCP/UDP bidirectional
16994 TCP/UDP bidirectional
16995 TCP/UDP bidirectional
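As an added readiness check that is not part of the McAfee guide, the PowerShell script below verifies three of the requirements from the component tables on a client before it is tagged for AMT configuration: the Intel MEI driver is present, the wired DHCP adapter's connection-specific DNS suffix matches the DHCP Option 15 value you will put in the certificate common name, and TCP 16992-16995 answer from the ePO/RCS server. The expected suffix corp.example.com, the WMI property names and the use of PowerShell 3.0 or later are assumptions; run it from the ePO server with an account that has WMI rights on the client.

```powershell
# Added example, not from the McAfee guide. Assumes PowerShell 3.0+ and WMI access to the client.
param(
    [string]$ExpectedDnsSuffix = 'corp.example.com',   # assumption: your DHCP Option 15 value
    [string]$ClientHost = $env:COMPUTERNAME              # client to check (default: this machine)
)

$results = @()

# 1. Intel MEI driver: without it Discovery and Reporting data is incomplete and configuration fails.
$mei = Get-WmiObject Win32_PnPEntity -ComputerName $ClientHost |
       Where-Object { $_.Name -like '*Management Engine Interface*' }
$results += [pscustomobject]@{
    Check  = 'Intel MEI driver present'
    Pass   = [bool]$mei
    Detail = (($mei | Select-Object -ExpandProperty Name) -join ', ')
}

# 2. The wired adapter's connection-specific suffix (DNSDomain) must equal the Option 15 value,
#    which is also the CN you put in the Remote Configuration certificate request.
$wired = Get-WmiObject Win32_NetworkAdapterConfiguration -ComputerName $ClientHost |
         Where-Object { $_.IPEnabled -and $_.DHCPEnabled -and $_.DNSDomain }
foreach ($nic in $wired) {
    $results += [pscustomobject]@{
        Check  = "DNS suffix on $($nic.Description)"
        Pass   = ($nic.DNSDomain -ieq $ExpectedDnsSuffix)
        Detail = "got '$($nic.DNSDomain)', expected '$ExpectedDnsSuffix'"
    }
}

# 3. AMT ports 16992-16995 reachable from this server. AMT firmware that is not yet configured
#    may not answer, so treat a closed port as a firewall problem only on a configured client.
foreach ($port in 16992..16995) {
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $ar   = $tcp.BeginConnect($ClientHost, $port, $null, $null)
        $open = $ar.AsyncWaitHandle.WaitOne(2000) -and $tcp.Connected
    } catch { $open = $false } finally { $tcp.Close() }
    $results += [pscustomobject]@{ Check = "TCP $port reachable"; Pass = $open; Detail = $ClientHost }
}

$results | Format-Table -AutoSize
# Non-zero exit lets an ePO or scheduler task flag the client as not ready.
if ($results | Where-Object { -not $_.Pass }) { exit 1 } else { exit 0 }
```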

Client Configuration Workflow

The diagram below illustrates what happens when an Intel AMT client goes through the configuration process. It shows each component involved and describes the role each component plays in the configuration process.

[Figure: client configuration steps diagram (config steps v2.png)]

During the configuration process, special permissions are required, as summarized below and detailed later in the installation documentation.

  • Step 10 - Successful execution of the Intel AMT Configuration Package requires local administrative rights. The process communicates with the Intel MEI, a kernel-level driver. The Local System account can be used. If a local user account with administrator rights is used, elevated privileges are required on Microsoft Windows Vista, 7, or higher operating systems: when opening a command prompt, select Run as Administrator.
  • Step 11 - The account used to execute the command in Step 10 must have rights to the Intel_RCS WMI namespace on the system running Intel services. The specific Intel_RCS WMI namespace security rights required are Execute Methods, Full Write, and Enable Remote.
  • Step 12 - The account used to request certificates via Web Enrollment must have the following rights on the Microsoft Certificate Authority. In this installation document, the Service Account used to log on the RCSserver service will be granted these rights:
    • WebServer Certificate Template: Read and Enroll
    • Microsoft Certificate Authority Security permissions: Issue and Manage Certificates, Request Certificates
Comments

Since this material was posted, Intel SCS 8 was released. See http://www.intel.com/go/scs

Included with the Intel SCS 8 release is the Deployment Guide. A common question raised with this McAfee Deep Command Online installation guide relates to "is remote configuration required to configure Intel AMT for Deep Command usage".

The short answer to that question is No. Please review the Intel SCS 8 Deployment Guide. There are three primary approaches mentioned for the initial Intel AMT configuration. You only need to complete one of those approaches. Once that is done, review the guidance on Delta Configurations and Advanced Configuration options. As an example - you can configure Intel AMT via the SMB\Manual approach and then adjust the configuration to be compliant with McAfee ePO Deep Command.

Version history: Revision 1 of 1. Last update: 12-15-2011 12:35 PM.
