Before you can use Intel SCS to configure Intel AMT, you will need to collect some data about your network and make some decisions. In many organizations, responsibility for and knowledge about the network are spread across several departments. You can print out this checklist and use it as a reference as you collect the necessary data.
Getting Started Checklist for Intel SCS

| # | Item | Questions to answer and data to collect |
|---|---|---|
| 1 | FQDN | How is Domain Name System (DNS) resolution done in your network? On an Intel AMT system, the host platform and the Intel AMT device both have a Fully Qualified Domain Name (FQDN). These FQDNs are usually the same, but they can be different. Intel SCS configures the FQDN of the Intel AMT device. This is one of the most important configuration settings. You must define an FQDN that can be resolved by the DNS in your network. If you do not, after configuration you might not be able to connect to the device. By default, this is how Intel SCS configures the FQDN (hostname.suffix): If this default is not correct for your network, change the setting in the configuration profile. For information about the available settings, see Defining IP and FQDN Settings. |
| 2 | IP | How does your network assign Internet Protocol (IP) addresses? On an Intel AMT system, the host platform and the Intel AMT device both have an IP address. These IP addresses are usually the same, but they can be different. Intel SCS configures the IP address of the Intel AMT device. By default, Intel SCS configures the Intel AMT device to get the IP address from a DHCP server. If this default is not correct for your network, change the setting in the configuration profile. For information about the available settings, see Defining IP and FQDN Settings. |
| 3 | Domains | Do you want to limit access to Intel AMT based on domain location? Intel AMT includes an option to limit access to the Intel AMT device based on the location of the host system. If you want to use this option, you must define a list of trusted domains. When the host system is not located in one of the domains in the list, access to the Intel AMT device is blocked. The list of domains is defined in the Home Domains window of the configuration profile (see Defining Home Domains). Note: |
| 4 | VPN | Do you want to permit access to Intel AMT via a VPN? By default, Intel AMT devices are configured to block access via Virtual Private Network (VPN) connections. If you want to manage systems that are outside of the organization’s network and are connected to it using VPN, you will need to change this setting. This setting is defined in the Home Domains window of the configuration profile. Note: A prerequisite for this setting is to define a list of Home Domains (see item #3 in this checklist). |
| 5 | AD | Do you want to integrate Intel AMT with Active Directory (AD)? If your network uses AD, you can integrate Intel AMT with your AD. Intel AMT supports the Kerberos authentication method. This means that Intel SCS and management consoles can authenticate with the Intel AMT device using “Kerberos” users. The users are defined in the Intel AMT device using the Access Control List. If integration is enabled, during configuration Intel SCS creates an AD object for the Intel AMT device. Some of the entries in this object define parameters used in Kerberos tickets. Before you can integrate Intel AMT with your AD, you must: After the OU is created, you must define it in the configuration profile (see Defining Active Directory Integration). |
| 6 | CA | Does your network use a Certification Authority (CA)? For these Intel AMT features, a CA is a prerequisite: TLS, 802.1x, EAC, and Remote Access. If you have a CA and want to use these features, this is the data that you need to collect: If you have an Enterprise CA, you must create certificate templates in the CA before you define the profile. For more information, see Defining Enterprise CA Templates. |
| 7 | TLS | Does your management console require the Intel AMT system to use Transport Layer Security (TLS)? When TLS is enabled, the Intel AMT device authenticates itself with other applications using a server certificate. If mutual TLS authentication is enabled, any applications that interact with the device must supply client certificates that the device uses to authenticate the applications. TLS is defined in the Transport Layer Security window of the configuration profile (see Defining Transport Layer Security (TLS)). Note: A Certification Authority is a prerequisite for TLS (item #6 in this checklist). If using Microsoft CA, the CA can be an Enterprise CA or a Standalone CA. |
| 8 | 802.1x | Does your network use the 802.1x protocol? If your network uses the 802.1x protocol, you must define 802.1x setups in the configuration profile. If you do not do this, you will not be able to connect to the Intel AMT device after it is configured. If you need to define 802.1x setups, this is the data that you need to collect: 802.1x is defined in the Network Configuration window of the configuration profile (see Creating 802.1x Setups). Note: These are prerequisites for 802.1x: |
| 9 | EAC | Does your network use End-Point Access Control (EAC)? If the 802.1x protocol used in your network supports End-Point Access Control (EAC), you can use NAC/NAP authentication with a RADIUS server to authenticate the Intel AMT device. If you need to define EAC, this is the data that you need to collect: EAC is defined in the Network Configuration window of the configuration profile (see Defining End-Point Access Control). Note: These are prerequisites for EAC: |
| 10 | Remote Access | Does your network have a Management Presence Server (MPS)? The remote access feature lets Intel AMT systems (versions 4.x and higher) located outside an enterprise connect to management consoles inside the enterprise network. The connection is established via an MPS located in the DMZ of the enterprise. If you need to define Remote Access, this is the data that you need to collect: Remote Access is defined in the Remote Access window of the configuration profile (see Defining Remote Access). Note: A Home Domain is a prerequisite for Remote Access (item #3 in this checklist). |
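
The prerequisites stated in this checklist (a CA for TLS, 802.1x, EAC and Remote Access; Home Domains for VPN and Remote Access; an OU for AD integration; a resolvable FQDN) can be checked against a planned profile before configuration starts. The following Python is an added example, not part of Intel SCS or its documentation; the plan layout, key names, resolver stand-in and sample values are assumptions constructed for illustration.

```python
import socket
# Prerequisites stated in the checklist. Plan layout and key names are hypothetical, not an Intel SCS format.
PREREQS = {
    "vpn": ["home_domains"],                  # item 4 needs item 3
    "remote_access": ["home_domains", "ca"],  # item 10 needs item 3; CA per item 6
    "tls": ["ca"],                            # items 6 and 7
    "802.1x": ["ca"],                         # item 6
    "eac": ["ca"],                            # item 6
    "ad": ["ad_ou"],                          # item 5: OU defined in the profile
}

def resolves(fqdn, resolver=socket.getaddrinfo):
    """True if the resolver returns at least one address for fqdn."""
    try:
        return bool(resolver(fqdn, None))
    except (OSError, UnicodeError):  # socket.gaierror is an OSError
        return False

def preflight(plan, resolver=socket.getaddrinfo):
    """Return findings for a planned profile; an empty list means it passes."""
    findings = []
    for feature in sorted(plan.get("features", [])):
        if feature not in PREREQS:
            findings.append(f"{feature}: unknown feature name")
            continue
        for need in PREREQS[feature]:
            if not plan.get(need):  # missing key, empty list or empty string
                findings.append(f"{feature}: requires {need} to be defined")
    for fqdn in plan.get("amt_fqdns", []):
        if not resolves(fqdn, resolver):  # item 1: FQDN must resolve in DNS
            findings.append(f"fqdn: {fqdn} does not resolve")
    return findings

# Constructed sample data: a stand-in resolver and a plan with three gaps.
def sample_resolver(host, port):
    if host == "pc01.corp.example":
        return [("constructed-address",)]
    raise OSError("name not found")

SAMPLE_PLAN = {
    "features": ["tls", "vpn", "remote_access"],
    "ca": "Corp-Issuing-CA (constructed)",
    "home_domains": [],
    "amt_fqdns": ["pc01.corp.example", "pc02.corp.example"],
}

if __name__ == "__main__":
    print("\n".join(preflight(SAMPLE_PLAN, sample_resolver)))
```

Calling `preflight(plan)` without a resolver argument uses the system resolver, so run it from a host that uses the same DNS as the management console.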