Copyright (C) 2003 Intel Corporation

Intel(R) Active Management Technology (Intel(R) AMT):
A short description of the Management Presence Server (MPS)

Introduction:
-------------
The Management Presence Server (MPS) enables enterprise management consoles
located behind the enterprise firewall to connect to Intel AMT platforms
located outside the enterprise. The MPS mediates between the Intel AMT
platform and Intel AMT management console, using a tunneling protocol to
secure the communication with the Intel AMT platform.

For more information about the MPS please refer to the user-guide:
    Management Presence Server Supporting Client-Initiated Remote Access.pdf
located in the Docs folder.

Note: To ensure that security is maintained, the application should be run
from a directory that can be accessed only by the Administrator user. This
is to prevent unauthorized manipulation of files in the directory.

How to Configure the MPS:
-------------------------
1. Stunnel configuration - needed in order to allow TLS connections between
   AMT and the MPS.
   More details about stunnel and its parameters can be found at:
   http://www.stunnel.org/
   The stunnel.conf file already contains the configuration parameters
   suitable for MPS, except for the following parameters that still need to
   be configured:
   - CAfile = . use the CA created during ES
   - cert = . use the certificate created during ES
   - key = use the key created during ES
   - accept =
   - connect =
     This address is also configured in MPS.config (see section 3).
     Usually 'IP' equals 'localhost'.

2. Apache HTTP proxy
   See Apache_Proxy_Manual.txt, located in the 'Docs' folder.

3. Configure the following parameters in the Bin\Conf\MPS.config file, which
   is read when the MPS starts:

   In the networking section:
   a) AMTListenIP =
      NOTE:
      * The Intel AMT data that MPS receives comes through stunnel.
      * This address MUST be equal to the one entered in stunnel.conf in
        the "connect" parameter
   b) AMTListenPort =
      NOTE:
      * This port MUST be equal to the one entered in stunnel.conf in the
        "connect" parameter
   c) SocksListenIP =
      NOTE:
      * Some of the incoming SOCKS connections arrive through Apache
      * This address MUST be equal to the one entered in httpd.conf in the
        ProxySocksIP parameter
   d) SocksListenPort =
      NOTE:
      * This port MUST be equal to the one entered in httpd.conf in the
        ProxySocksPort parameter
   e) HttpListenPort =
      NOTE:
      * The incoming HTTP connections come through Apache
      * This address MUST be equal to the one entered in httpd.conf in the
        Listen parameter

   In the AMT_Authenticate section:
   a) NeedAuthentication (boolean) =
      NOTE:
      * If set to true, set the parameters below it accordingly.

   In the Socks_Authenticate section:
   a) NeedAuthentication (boolean) =
      NOTE:
      * If set to true, set the parameters below it accordingly.

   In the Notification_Authentication section:
   a) NeedNotificationAuthentication (boolean) =
      NOTE:
      * If set to true, set the parameters below it accordingly.

   In the Filtering section:
   a) FilterUnauthorizedServers (boolean) =

   NOTE: The Bin\Conf\mps.config file is an example; you can modify it per
   your needs.

4. Configure the NotificationList file (located at
   Bin\Conf\NotificationList.config) so it includes all the consoles to
   notify of an AMT connection.
   The file's format is a list of line-separated internet addresses in the
   following format:
       ://:/
   NOTE:
   * This step is not needed if FilterUnauthorizedServers was set to false.
   * There can be up to 8 valid notification entries. Any entry exceeding
     that limit is discarded.

5. Configure the AuthorizedServersList file (located at
   Bin\Conf\AuthorizedServersList.config) so it includes all the authorized
   servers for outgoing connections.
   The file's format is a list of line-separated internet addresses in the
   following format:
       :

6. Connection Authentication:
   The MPS can be configured to support SOCKS/APF Authentication in the
   following manner:
   a) Create a dll that will perform the authentication.
      The function that performs the authentication MUST have the following
      prototype:

          extern "C" __declspec(dllexport) bool Authenticate(string userName, string userPassword, string paramStr, string &errorString);

      Where
      * paramStr - string given in MPS.config file (see section (g) in the
        configuration paragraph)
      * errorString - in case of an error, this string will hold the error
        root cause.
      NOTE:
      * Intel provides 3 DLL samples that implement the above function.
        AMTFileAuth.dll and SocksFileAuth.dll authenticate by looking for
        the name and password in a given file.
        SOAPAuthentication.dll authenticates by sending a SOAP message to an
        authentication server.
        The usage of these dlls is as follows, in the mps.config:

            [AMT_Authenticate] / [Socks_Authenticate]
            NeedAuthentication = false
            DllName =
                Example: C:\Program Files\Intel\MPS\AuthenticationSamples\AMTFileAuth.dll
            DllParameters =

        For AMTFileAuth.dll and SocksFileAuth.dll the parameters should be
        in this form:
            -file
        For SOAPAuthentication.dll the parameters should be in this form:
            -target [-krb] [-user -pass ] [-cert ] [-tls] [-proxy -proxyUserName -proxyPass ]
            Example: -target http://hostname:7792/MPSAuthenticationService -user admin -pass Admin!123
      * The dlls for APF and SOCKS authentication MUST be different (i.e.
        different names)
      * The dlls sources can be found in Src\MPS_Src\Authentication folder.
      * Compiled dlls can be found under Bin\Compiled Authentication Samples
        folder.
   b) Add to MPS.config the authentication data (see section (g) in the
      configuration paragraph)

How to compile the MPS
----------------------
1. The MPS uses the gSOAP library with WinHTTP extension.

2. Run Src\MPS_Src\makewsdl.bat. This will generate the gSoapGeneratedCode
   directory.

3. ACE compilation:
   The MPS uses the ACE compiled library.
   You'll need to download ACE sources in order to compile MPS.
   a) Download ACE sources from:
      https://download.dre.vanderbilt.edu/previous_versions/
      We recommend that you download the ACE+TAO version specified in the
      MPS release notes file.
   b) Unzip the files.
   c) Set a system variable named ACE_ROOT to the directory "ACE_wrappers"
      where the ACE sources have been extracted to.
   d) Copy the file config.h to the %ACE_ROOT%\ace directory.
      The config.h file is located at:
      Src\MPS_Src\ACE_Configuration\config.h
   e) Compile ACE using the ACE_vs2017.sln\ACE_vs2019.sln solution located
      at the %ACE_ROOT%\ace directory.

4. In order to compile the MPS you must have the Microsoft* Platform SDK.

5. The MPS can be compiled using Visual Studio*
   A few parameters should be defined:
   a) Set a system variable named MSSDK to the Microsoft Platform SDK
      directory.
   b) Set a system variable named ACE_LIB_ROOT to be the same as the
      ACE_ROOT system variable.
   c) Open 'MPS.sln' and compile (located at Src\MPS_Src)

Notes:
1. In order to compile the code it is essential to keep all the directories
   WSDLs, gSOAP, SOAP, Include and UTILS in the same directory structure as
   in the given MPS directory structure.
2. You may face a linkage error when compiling the MPS solution.
   Solution for linkage error:
   Go to project properties -> Linker -> Input -> Additional Dependencies:
   Add full path to ACE.lib.

How to run the MPS Service (also after compilation)
---------------------------------------------------
1. Copy %ACE_ROOT%\lib\ACE.dll and %ACE_ROOT%\lib\ACEd.dll (for debug mode)
   to the directory where the MPS binaries were compiled to.
   The ACE.dll should be already located in the Bin folder.

2. Set up the MPS as a service:
   From a Windows* admin command prompt run:
       sc create binPath=
   example:
       sc create MPS binPath= C:\Bin\MPS.exe

3. Run the MPS service:
   a) Open Services on the MPS computer
   b) Choose the service you've created and start it by clicking on 'start'.
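
The MUST-be-equal rules in step 3 of "How to Configure the MPS" can be
checked mechanically before the service is started. The script below is an
added example, not part of the Intel package: it assumes MPS.config uses
INI-style "key = value" lines and that httpd.conf carries one Listen,
ProxySocksIP and ProxySocksPort directive each; the sample values are
constructed.

```python
import re

# Constructed sample configs (values are made up; key and directive names are
# the ones the README mentions). MPS.config syntax is assumed to be INI-like.
SAMPLE_MPS = ("AMTListenIP = 127.0.0.1\nAMTListenPort = 16993\n"
              "SocksListenIP = 127.0.0.1\nSocksListenPort = 1080\nHttpListenPort = 8080\n"
              "[AMT_Authenticate]\nNeedAuthentication = false\n"
              "[Socks_Authenticate]\nNeedAuthentication = true\n")
SAMPLE_STUNNEL = "accept = 0.0.0.0:443\nconnect = localhost:16992\n"
SAMPLE_HTTPD = "Listen 8080\nProxySocksIP 127.0.0.1\nProxySocksPort 1080\n"

def parse_kv(text):
    """Read 'key = value' lines; store each as key and as 'section.key'."""
    out, section = {}, ""
    for line in map(str.strip, text.splitlines()):
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1)
        elif "=" in line and line[0] not in "#;":  # skip comment lines
            key, value = (p.strip() for p in line.split("=", 1))
            out[key] = out[f"{section}.{key}"] = value
    return out

def norm_host(host):
    # Assumption: 'localhost' and 127.0.0.1 name the same listener.
    return "127.0.0.1" if host.lower() == "localhost" else host

def check(mps_text, stunnel_text, httpd_text):
    """Return findings where the README's MUST-be-equal rules are broken."""
    mps, st, ap, findings = parse_kv(mps_text), parse_kv(stunnel_text), {}, []
    for parts in map(str.split, httpd_text.splitlines()):
        if len(parts) >= 2 and not parts[0].startswith("#"):
            ap[parts[0]] = parts[1]  # Apache 'Directive value' lines
    host, _, port = st.get("connect", "").rpartition(":")
    expected = {
        "AMTListenIP": host or "localhost",  # stunnel defaults host to localhost
        "AMTListenPort": port,
        "SocksListenIP": ap.get("ProxySocksIP", ""),
        "SocksListenPort": ap.get("ProxySocksPort", ""),
        "HttpListenPort": ap.get("Listen", "").rpartition(":")[2],
    }
    for key, want in expected.items():
        have = mps.get(key, "")
        if norm_host(have) != norm_host(want):
            findings.append(f"{key}={have!r} but peer config has {want!r}")
    for sec in ("AMT_Authenticate", "Socks_Authenticate"):
        # Reported so that running without authentication is a deliberate choice.
        if mps.get(f"{sec}.NeedAuthentication", "false").lower() != "true":
            findings.append(f"[{sec}] NeedAuthentication is not true")
    return findings
```

Call check() with the contents of the three files; an empty list means the
listener addresses line up and both authentication sections are enabled.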

------------------------------------------------------------------
* Other names and brands may be claimed as the property of others.