Copyright (C) 2003 Intel Corporation

Intel(R) Active Management Technology (Intel(R) AMT):

A short description of the Management Presence Server (MPS)


Introduction:
-------------

The Management Presence Server (MPS) enables enterprise management consoles
located behind the enterprise firewall to connect to Intel AMT platforms located
outside the enterprise. The MPS mediates between the Intel AMT platform and the
Intel AMT management console, using a tunneling protocol to secure the
communication with the Intel AMT platform.

For more information about the MPS please refer to the user guide:
    Management Presence Server Supporting Client-Initiated Remote Access.pdf
located in the Docs folder.

Note: To ensure that security is maintained, the application should be run from
a directory that can be accessed only by the Administrator user. This prevents
unauthorized manipulation of files in the directory.

How to Configure the MPS:
-------------------------

1. Stunnel configuration - needed in order to allow TLS connections between AMT
   and the MPS.
   More details about stunnel and its parameters can be found at:
   http://www.stunnel.org/

   The stunnel.conf file already contains the configuration parameters suitable
   for MPS, except for the following parameters that still need to be
   configured:
     - CAfile = <path to trusted root certificate authority>
       Use the CA created during ES.
     - cert = <path to trusted server certificate>
       Use the certificate created during ES.
     - key = <path to certificate key>
       Use the key created during ES.
     - accept = <port that AMT device uses to connect to MPS>
     - connect = <ip:port that stunnel will use to send the received data
       to MPS>
       This address is also configured in MPS.config (see section 3).
       Usually 'IP' is 'localhost'.

2. Apache HTTP proxy: see Apache_Proxy_Manual.txt, located in the 'Docs' folder.

3. Configure the following parameters in the Bin\Conf\MPS.config file, which is
   read when the MPS starts:

   In the networking section:
     a) AMTListenIP = <IP address that MPS listens to for new Intel AMT
        connection requests>
        NOTE:
          * The Intel AMT data that MPS receives comes through stunnel.
          * This address MUST be equal to the one entered in stunnel.conf in the
            "connect" parameter.
     b) AMTListenPort = <port that MPS listens to for new Intel AMT
        connection requests>
        NOTE:
          * This port MUST be equal to the one entered in stunnel.conf in the
            "connect" parameter.
     c) SocksListenIP = <IP address that MPS listens to for new SOCKS
        connection requests>
        NOTE:
          * Some of the incoming SOCKS connections arrive through Apache.
          * This address MUST be equal to the one entered in httpd.conf in the
            ProxySocksIP parameter.
     d) SocksListenPort = <port that MPS listens to for new SOCKS connection
        requests>
        NOTE:
          * This port MUST be equal to the one entered in httpd.conf in the
            ProxySocksPort parameter.
     e) HttpListenPort = <port that MPS listens to for new HTTP connection
        requests>
        NOTE:
          * The incoming HTTP connections come through Apache.
          * This port MUST be equal to the one entered in httpd.conf in the
            Listen parameter.

   In the AMT_Authenticate section:
     a) NeedAuthentication (boolean) = <specifies whether connection
        authentication data is needed for AMT connections>
        NOTE:
          * If set to true, set the parameters below it accordingly.

   In the Socks_Authenticate section:
     a) NeedAuthentication (boolean) = <specifies whether connection
        authentication data is needed for SOCKS connections>
        NOTE:
          * If set to true, set the parameters below it accordingly.

   In the Notification_Authentication section:
     a) NeedNotificationAuthentication (boolean) = <indicates whether
        authentication is needed when notifying management consoles of new AMT
        tunnels>
        NOTE:
          * If set to true, set the parameters below it accordingly.

   In the Filtering section:
     a) FilterUnauthorizedServers (boolean) = <indicates whether the authorized
        servers list should be used. If not, direct connections and UDP
        messages are always forwarded.>

   NOTE: The Bin\Conf\mps.config file is an example; you can modify it to suit
   your needs.

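The files in steps 1 to 3 are coupled: stunnel's "connect" must match
AMTListenIP:AMTListenPort, httpd.conf's ProxySocksIP/ProxySocksPort must match
SocksListenIP/SocksListenPort, and httpd.conf's Listen must match HttpListenPort.
The following C++ is an added consistency check, not part of the MPS package;
the three embedded fragments are constructed samples (with one deliberate SOCKS
port mismatch), and the parsers assume plain "key = value" lines for stunnel.conf
and MPS.config and "Directive value" lines for httpd.conf.

```cpp
#include <map>
#include <sstream>
#include <string>
#include <vector>
using KV = std::map<std::string, std::string>;

static std::string trim(const std::string& s) {
    size_t b = s.find_first_not_of(" \t\r"), e = s.find_last_not_of(" \t\r");
    return b == std::string::npos ? "" : s.substr(b, e - b + 1);
}

// "key = value" files (stunnel.conf, MPS.config); [section] headers and comments skipped.
KV parseKeyValue(const std::string& text) {
    KV kv; std::istringstream in(text); std::string line;
    while (std::getline(in, line)) {
        line = trim(line);
        if (line.empty() || line[0] == ';' || line[0] == '#' || line[0] == '[') continue;
        size_t eq = line.find('=');
        if (eq != std::string::npos) kv[trim(line.substr(0, eq))] = trim(line.substr(eq + 1));
    }
    return kv;
}

// "Directive value" files (httpd.conf); only the first value of a directive is kept.
KV parseDirectives(const std::string& text) {
    KV kv; std::istringstream in(text); std::string line;
    while (std::getline(in, line)) {
        std::istringstream ls(line); std::string k, v;
        if (ls >> k >> v && k[0] != '#') kv[k] = v;
    }
    return kv;
}

static std::string lookup(const KV& m, const std::string& k) {
    auto it = m.find(k); return it == m.end() ? std::string("<missing>") : it->second;
}
// One message per coupled parameter pair that disagrees; an empty result means consistent.
std::vector<std::string> checkCoupling(const KV& st, const KV& mps, const KV& httpd) {
    std::vector<std::string> errs;
    std::string amt = lookup(mps, "AMTListenIP") + ":" + lookup(mps, "AMTListenPort");
    if (lookup(st, "connect") != amt) errs.push_back("stunnel connect != MPS AMTListenIP:AMTListenPort");
    if (lookup(httpd, "ProxySocksIP") != lookup(mps, "SocksListenIP")) errs.push_back("httpd ProxySocksIP != MPS SocksListenIP");
    if (lookup(httpd, "ProxySocksPort") != lookup(mps, "SocksListenPort")) errs.push_back("httpd ProxySocksPort != MPS SocksListenPort");
    if (lookup(httpd, "Listen") != lookup(mps, "HttpListenPort")) errs.push_back("httpd Listen != MPS HttpListenPort");
    return errs;
}

// Constructed sample fragments; paths and ports are placeholders, not MPS defaults.
const char* STUNNEL_CONF = "CAfile = C:\\MPS\\ca.pem\ncert = C:\\MPS\\mps.pem\nkey = C:\\MPS\\mps.key\n"
                           "accept = 4433\nconnect = localhost:4434\n";
const char* MPS_CONFIG = "[networking]\nAMTListenIP = localhost\nAMTListenPort = 4434\n"
                         "SocksListenIP = 127.0.0.1\nSocksListenPort = 1080\nHttpListenPort = 8080\n";
const char* HTTPD_CONF = "Listen 8080\nProxySocksIP 127.0.0.1\nProxySocksPort 1081\n";  // 1081 vs 1080 on purpose
```

Run the three parsers over the real files and act on every message before starting the service; a mismatch here silently drops the AMT, SOCKS or HTTP path rather than failing loudly.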
4. Configure the NotificationList file (located at
   Bin\Conf\NotificationList.config) so it includes all the consoles to notify
   of an AMT connection. The file's format is a list of line-separated internet
   addresses in the following format:
     <HTTP/HTTPS>://<IP/FQDN>:<port>/<the rest of the URL>
   NOTE:
     * This step is not needed if FilterUnauthorizedServers was set to false.
     * There can be up to 8 valid notification entries. Any entry exceeding that
       limit is discarded.

5. Configure the AuthorizedServersList file (located at
   Bin\Conf\AuthorizedServersList.config) so it includes all the authorized
   servers for outgoing connections. The file's format is a list of
   line-separated internet addresses in the following format:
     <IP/FQDN>:<port>

6. Connection Authentication:
   The MPS can be configured to support SOCKS/APF authentication in the
   following manner:
   a) Create a DLL that will perform the authentication. The function that
      performs the authentication MUST have the following prototype:

        extern "C" __declspec(dllexport)
        bool Authenticate(string userName, string userPassword,
                          string paramStr, string &errorString);

      Where
        * paramStr - string given in MPS.config file (see section (g) in the
          configuration paragraph)
        * errorString - in case of an error, this string will hold the error
          root cause.

      NOTE:
        * Intel provides 3 DLL samples that implement the above function.
          AMTFileAuth.dll and SocksFileAuth.dll authenticate by looking for the
          name and password in a given file.
          SOAPAuthentication.dll authenticates by sending a SOAP message to an
          authentication server.

          The usage of these DLLs is as follows, in the mps.config:
            [AMT_Authenticate] / [Socks_Authenticate]
            NeedAuthentication = false
            DllName = <full path DLL name>
              Example:
              C:\Program Files\Intel\MPS\AuthenticationSamples\AMTFileAuth.dll
            DllParameters = <parameters for the DLL>

          For AMTFileAuth.dll and SocksFileAuth.dll the parameters should be in
          this form:
            -file <full path name of the authentication file>

          For SOAPAuthentication.dll the parameters should be in this form:
            -target <target> [-krb] [-user <username> -pass <password>]
            [-cert <name>] [-tls] [-proxy <proxy> -proxyUserName <proxyUserName>
            -proxyPass <proxyPassword>]
            Example: -target http://hostname:7792/MPSAuthenticationService
                     -user admin -pass Admin!123

        * The DLLs for APF and SOCKS authentication MUST be different
          (i.e. have different names).
        * The DLL sources can be found in the Src\MPS_Src\Authentication folder.
        * Compiled DLLs can be found under the Bin\Compiled Authentication Samples
          folder.

   b) Add to MPS.config the authentication data (see section (g) in the
      configuration paragraph).


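The file-based sample DLLs are described above only by their interface. The
following C++ is an added example of an Authenticate implementation and is not
the source of Intel's AMTFileAuth.dll or SocksFileAuth.dll: the "user:password"
line format of the authentication file is assumed, the MPS_AUTH_EXPORT macro is
added so the example also builds outside Windows, and the comparison is
constant-time with a single generic errorString so the DLL does not reveal which
user names exist.

```cpp
#include <fstream>
#include <sstream>
#include <string>
using std::string;
#ifdef _WIN32
#define MPS_AUTH_EXPORT extern "C" __declspec(dllexport)
#else
#define MPS_AUTH_EXPORT extern "C"  // added so the example also builds outside Windows
#endif

// Path after "-file" in DllParameters; the rest of the line is taken so that
// paths with spaces (C:\Program Files\...) survive.
bool parseFileParam(const string& paramStr, string& path) {
    std::istringstream in(paramStr); string tok;
    while (in >> tok)
        if (tok == "-file" && std::getline(in >> std::ws, path)) return !path.empty();
    return false;
}

// No early exit, so the position of the first mismatch is not leaked via timing.
static bool equalConstantTime(const string& a, const string& b) {
    unsigned char diff = a.size() != b.size();
    for (size_t i = 0; i < a.size() && i < b.size(); ++i) diff |= a[i] ^ b[i];
    return diff == 0;
}

// Core check over the file text, free of I/O so it can be unit-tested. Every line
// is examined and the error text is identical for unknown user and wrong password.
bool authenticateAgainstText(const string& text, const string& user,
                             const string& pass, string& errorString) {
    std::istringstream in(text); string line; bool ok = false;
    while (std::getline(in, line)) {
        if (!line.empty() && line.back() == '\r') line.pop_back();  // CRLF files
        size_t c = line.find(':');
        if (c == string::npos) continue;
        bool u = equalConstantTime(line.substr(0, c), user);
        bool p = equalConstantTime(line.substr(c + 1), pass);
        if (u && p) ok = true;
    }
    if (!ok) errorString = "authentication failed";
    return ok;
}

// Entry point with the prototype MPS requires (loaded via DllName in MPS.config).
MPS_AUTH_EXPORT bool Authenticate(string userName, string userPassword,
                                  string paramStr, string& errorString) {
    string path;
    if (!parseFileParam(paramStr, path)) { errorString = "DllParameters must be -file <path>"; return false; }
    std::ifstream f(path);
    if (!f) { errorString = "cannot open authentication file"; return false; }
    std::stringstream buf; buf << f.rdbuf();
    return authenticateAgainstText(buf.str(), userName, userPassword, errorString);
}
```

The authentication file holds credentials in clear, so it belongs in the Administrator-only directory the introduction requires.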
How to compile the MPS
----------------------

1. The MPS uses the gSOAP library with the WinHTTP extension.
2. Run Src\MPS_Src\makewsdl.bat. This will generate the gSoapGeneratedCode
   directory.
3. ACE compilation:
   The MPS uses the compiled ACE library. You'll need to download the ACE sources
   in order to compile MPS.
   a) Download the ACE sources from:
      https://download.dre.vanderbilt.edu/previous_versions/
      We recommend that you download the ACE+TAO version specified in the MPS
      release notes file.
   b) Unzip the files.
   c) Set a system variable named ACE_ROOT to the directory "ACE_wrappers"
      where the ACE sources have been extracted to.
   d) Copy the file config.h to the %ACE_ROOT%\ace directory.
      The config.h file is located at: Src\MPS_Src\ACE_Configuration\config.h
   e) Compile ACE using the ACE_vs2017.sln\ACE_vs2019.sln solution located in
      the %ACE_ROOT%\ace directory.
4. In order to compile the MPS you must have the Microsoft* Platform SDK.
5. The MPS can be compiled using Visual Studio*.
   A few parameters should be defined:
   a) Set a system variable named MSSDK to the Microsoft Platform SDK
      directory.
   b) Set a system variable named ACE_LIB_ROOT to be the same as the
      ACE_ROOT system variable.
   c) Open 'MPS.sln' (located at Src\MPS_Src) and compile.

Notes:
1. In order to compile the code it is essential to keep all the directories
   WSDLs, gSOAP, SOAP, Include and UTILS in the same directory structure as
   in the given MPS directory structure.
2. You may face a linker error when compiling the MPS solution.
   Solution for the linker error:
   Go to project properties -> Linker -> Input -> Additional Dependencies and
   add the full path to ACE.lib.


How to run the MPS Service (also after compilation)
---------------------------------------------------

1. Copy %ACE_ROOT%\lib\ACE.dll and %ACE_ROOT%\lib\ACEd.dll (for debug mode) to
   the directory where the MPS binaries were compiled to. ACE.dll should
   already be located in the Bin folder.
2. Set up the MPS as a service: from a Windows* admin command prompt run:
     sc create <Service Name> binPath= <MPS binary file with absolute path>
   example: sc create MPS binPath= C:\Bin\MPS.exe
   (sc requires the option name and '=' to be written together, followed by a
   space before the value.)
3. Run the MPS service:
   a) Open Services on the MPS computer.
   b) Choose the service you've created and start it by clicking on 'Start'.

------------------------------------------------------------------
* Other names and brands may be claimed as the property of others.