Setting up an Intel VPro with AMT infrastructure - windows

I'm trying to set up a remote management system with VPro supported computers under the same network. I've done a good amount of research into this topic and now i'm trying choose the right path to suit my needs. The system needs to follow certain parameters.
Parameters:
Remote KVM control without User Consent
Power on, off, control bios of selected computers
Control a network of computer within a wired internet connection
Allow remote connection from outside the network to client PCs within the network (i.e at home)
Remote AMT Configuration with Admin Controls
I understand that VPro supports all of these actions, however it's the server system that handles them. I had looked into Intel SCS Lite, however i believe this is just a configuration tool and database for the profiles and i cannot actually control client actions. Tools like Microsoft SCCM look promising, however would it fulfill all my needs? Are their cheaper alternatives? There is also Intel VPro platform solutions manager. For this option, do i create a database of the AMT PC's with intel SCS console than connect to that through the platform solutions manager so i can operate on my client PCs? Any information regarding the setup and configuration of remote management of a compute network supporting VPro would be helpful.
Edit: This was a great site i found for anyone else who is researching VPro
http://windowsmasher.wordpress.com/2013/10/05/intel-vpro-the-basics-of-vpro/
I still welcome any additional information.

Blindly assuming that you're not bound to windows solutions and regarding your parameters, I think...
Remote KVM control without User Consent
Allow remote connection from outside the network to client PCs within the network (i.e at home)
You don't really need no enterprise tool integration for this... do you?
Just set up a html page that contains links like vnc://your-client-xxx and let
realvnc plus
handle the rest? For the KVM/VNC-Sessions, you don't need a middleman SCCM/whatever.
VNC will connect to your AMT-enabled client directly, using TCP port 16992 (or 16993 when
using TLS which you surely want...?).
Allowing remote connection from outside has nothing to do with SCCM or vPro... You'll most likely have a VPN connection to your 'work network'? The vPro-enabled clients will (by default) share the DHCP-obtained IP with the client, so you should be able to protect vPro access by a ('real') firewall as desired.
Power on, off, control bios of selected computers
Control a network of computer within a wired internet connection
Again, no need for a paid tool. For the requirement "power on/off",
you might consider amttool, at least
for pre-AMT-9.0-systems (as 9.0 dropped the older vPro SOAP protocol EOI in favour of DASH). DASH was supported since vPro 6.0 IIRC, so you could also use
AMD's free dashcli.
Shell tools are great for scripting (read: scheduled power management / cron) but
you surely were looking for a nice GUI tool. You may want to look at amtc / amtc-web, its demo site or github-wiki. It should be easy
to add vnc:// links to that currently power-management-focussed (fast!) webapp.
Ahh, and I never used it myself, but there's also vTul, a PowerShell based GUI...
If it's all about really rarely power-cycling a single machine: Don't forget that vPro comes with a web-interface, which also allows to do this...
Remote AMT Configuration with Admin Controls
As stated by ChileAddict, SCS Lite should be fine. AFAIK it will also take care
of certificate renewals for TLS-enabled clients. And you can use it to push/update
AMT configuration.
Any information regarding the setup and configuration of remote management of a compute network supporting VPro would be helpful.
Check with your PC supplier. They can deliver your hosts with RCFG (Remote Configuration) enabled. The new clients will then send HELLO packets to your provisioner.example.com,
where example.com is taken from the DHCP reply received. The provisioner must have
a certificate installed that is accepted by AMT, see intel's page.
An alternative is to deploy configuration using USB sticks -- or by hand. Where by hand will not allow TLS-secured communications...

You have definitely done your homework and that windowsmasher site sums things up nicely. Unfortunately, the free tools, like the AMT Commander, the Platform Solution Manager, the Web UI that is part of AMT, etc are not enterprise level solutions and do not have databases to hold the information for each system in your environment. (I think the AMT Commander uses your registry to store system information and you can connect to many systems and not have to input them every time you start it. However you can't do an operation on multiple systems, for example "shut all my systems down and apply some patch".) It's a one system at a time deal.
You can provision multiple systems using the Intel SCS and when I was last using it, there was a database involved. I do not know much about SCCM. There are other Enterprise-level tools such as Landesk that offer management of many systems simultaneously (not free, of course.)
If you wanted to be able to manage multiple systems at a time without purchasing the software, you would have to write your own management console using the AMT SDK. (Sorry!)
You might want to look at Meshcentral.com (same developer who wrote the AMT Commander/Open Manageability Toolkit) he is always adding new features and you can also download the source code.
I hope this helps.

Related

Communication between Windows Store app and native desktop application

! For the sake of simplifying things I will refer to Windows Store applications (also known as Metro or Modern UI) as "app" and to common desktop applications as "application" !
I believe this is still one of the most unclear yet important questions concerning app-development for developers who already have established applications on the market:
How to manage communication between apps and applications on a Windows 8 system? (please let's not start a debate on principles - there're so many use cases where this is really required!)
I basically read hundrets of articles in the last few days but still it remains unclear how to proceed doing it right from the first time. Mainly because I found several conflicting information.
With my question here I'd like to re-approach this problem from the viewpoint of the final Windows 8 possibilities.
Given situation:
App and application run on same system
1:1 communication
Application is native (written in Delphi)
Administrator or if required even system privileges are available for the application
In 90% of the use cases the app requests an action to be performed by the application and receives some textual result. The app shouldn't be left nor frozen for this!
In 10% the application performs an action (triggered by some event) and informs the app - the result might be: showing certain info on the tile or in the already running and active app or if possible running the app / bringing it to the foreground.
Now the "simple" question is, how to achieve this?
Is local webserver access actually allowed now? (I believe it wasn't for a long time but now is since the final release)
WCF? (-> apparently MS doesn't recommend that anymore)
HTTP requests on a local REST/SOAP server?
WinRT syndication API? (another form of webservice access with RSS/atom responses)
WebSockets (like MessageWebSocket)?
Some other form of TCP/IP communication?
Sharing a text file for in- and output (actually simply thinking of this hurts, but at least that's a possibility MS can't block...)
Named Pipes are not allowed, right?
There are some discussions on this topic here on SO, however most of them are not up-to-date anymore as MS changed a lot before releasing the final version of Windows 8. Instead of mixing up old and new information I'd like to find a definite and current answer to this problem for me and for all the other Windows application and app developers. Thank you!
If you are talking about an application going into the Store, communication with the local system via any mechanism is not allowed. Communication with the local system is supported in some debug scenarios to make app development easier.
You can launch desktop applications from Windows Store applications with file or protocol handlers, but there is no direct communication.
So, to reiterate the point... communication between WinRT and the desktop is not allowed for released Windows Store applications. Communication between the two environments is allowed in debug only.
The PG has posted in different places reasons for why communication is not allowed, ranging from security, to the WinRT lifecycle (i.e., you app gets suspended - how does that get handled re: resources, sockets, remote app, etc. -- lots of failure points) and the fact that Store apps cannot have a dependency on external programs (i.e., I need your local desktop app/service for the app to run, but how do I get your app/service installed? You cannot integrate into the Store app. You can provide another Store desktop app entry, but that is a bad user experience.) Those are high level summaries, of course.

Personal Internet use monitoring

How could a (Windows) desktop application be created to monitor the amount of time spent on a particular website?
My first idea was to play with the Host file to intercept requests, log, and proxy. This feels a bit clunky; and I suspect my program would look like malware.
I feel like there is a smarter way? Any ideas?
There is a tool similar to what you are looking for called K-9 Web Protection. It is more used for parents to monitor what their kids are up to when hooked up to the internet. I have installed this for my niece's computer with good results and praises as it blocks, content filter, restrict internet times. This may be OTT for your needs but worth a shot as you can see what sites were visited.
The other, is to use a dedicated firewall monitoring solution such as IPCOP which is a Linux based distribution with a sole purpose in providing a proxy, stateful packet inspection (SPI) firewall, Intrusion Detection System (IDS).
Hope this helps,
Best regards,
Tom.
You could do this by monitoring active connections via netstat, or if you need more advanced data you can install The Windows Packet Capture Library and get any data about network use, and inside your desktop app, find network traffic that relates to 'spending time' on a website (which might just be GET requests for you, but I don't know), and record various statistics as required.
Route the traffic through a scriptable proxy and change the browser settings to point to that proxy.

Antivirus on application servers which deal with lots of network traffic. Yes or No?

Interested in people's opinion.
You have an application server running 3/4 services that do lots of TCP based communication to/from the server.
There is also a fairly heafty amount of MSSQL work going on too.
Do you run something like Symantec Anti-Virus with proactive/real time/heuristic/foo protection on the server?
Or do you perform full system scan nightly during a maintenance period?
This is all within the context of performance is of upmost importance.
All comments appreciated.
TIA
No. The attacks that servers and the custom apps running on them are vulnerable to are not the desktop malware problems that anti-virus targets. All AV on a server will do is reduce performance and stability.
(Unless of course the server is also being used as a desktop machine, to browse on and so on. But that's a really bad idea already.)
Depending on what the application is doing AV might have a role to play in that: for example if you've got a user file store as part of one of the apps it wouldn't hurt to check the files uploaded into it for viruses. And of course it's normal for an app that deals with mail to pass incoming mail to a checker.

bandwidth and traffic simulator for web apps?

Can you suggest how to create a test environment to simulate various types of bandwidths and traffic in a web app?
Or maybe an open source program which does this against localhost?
I think this is a very important subject when programming web apps but it is not a usual topic, the only way i can imagine to create such kind of environment is to use some kind of proxy in a local network but before start looking into the squid documentation i would like to hear your suggestions.
if you're using apache you may want to take a look at apache ab
There are two approaches to shape network traffic to simulate a network link:
Run some software on the client or server that sits somewhere in the networking stack and shapes the traffic between the app and the network interface
Run the traffic shaping software on a dedicated machine with 2 network interfaces through which your traffic is routed
(2) is a better solution if you don't want to install software on the client or server (and possibly impact performance), but requires more hardware fiddling.
Some other features you might want to think about are what shaping parameters can be simulated. Most do delay and packet loss, some do jitter and bandwidth limiting as well. Some solutions can selectively filter traffic (for instance by port number, TCP or UDP etc).
Here is a list of some of the systems I've found:
Open Source or Freeware
DummyNet is an open source BSD Unix-based for dedicated devices. It is not clear if the software is being actively maintained
NistNet is an open source Linux-based system for dedicated devices. The software has not been actively maintained for several years.
Commercial
Apposite Technoligies sell dedicated hardware solutions for simulating WAN links, with a Web based GUI for configuring the settings and collecting traffic measurements
East Coast DataCom sell hardware dedicated simulators for simulating routers and modems
Itrinegy offer both dedicated device solutions, and solutions for running on clients or servers.
Network FX offer several dedicated device products for simulating network impairments between the client & server
NetLimiter is a client side system that allows throttling of individual applications, and includes a firewall.
Shunra Software offer a range of products, from high end enterprise WAN simulation and testing, to a simple client-resident emulator.
The closest I can think of is doing something similar with VEDekstop from Shunra..
Simulating High Latency and Low Bandwidth in Testing of Database Applications
Shunra VE Desktop Standard is a Windows-based client software solution that simulates a wide area network link so that you can test applications under a variety of current and potential network conditions – directly from your desktop.
I wrote a php script awhile back which used CURL to run a sequence of page requests against my server which represented a typical use scenario. I had it output the times that it took for the server to respond to each of the requests. I then had another script which spawned a bunch of these test case scripts simultaneously for a sustained period and correlated the results into a file which I could then look at in a spreadsheet to see average times. This way I could simulate the number of users hitting the site that I wanted. The limitations are that you need to run the test script on a different server to the web server and that the client machine can become too loaded to give meaningful results past a certain point. I've since left the job otherwise I would paste the scripts here.
If you are running a Linux box as your server, Linux box as your client, or have the capability to put (perhaps a VM) a Linux router between your client and server, you can use NetEm.
NetEm is a Linux TC (Traffic Control) discipline which can delay (i.e. add latency) packets leaving a host. Although it's tricky to set up clever rules (e.g. add latency to some traffic, not to others), it's easy to add a simple "delay everything leaving the interface by 50ms" type rules and some recipes are provided.
By sticking a Linux VM between your client and server, you can simulate as much latency as you like. And you can turn it on and off dynamically. Linux has other TC disciplines which can be combined with NetEm to restrict bandwidth (but the script to set this up can be somewhat complicated). NetEm can also randomly drop packets.
I use it and it works a treat :)
Web Application Stress Tool (WAST) from Microsoft is what you need.
http://www.microsoft.com/downloads/details.aspx?familyid=e2c0585a-062a-439e-a67d-75a89aa36495&displaylang=en
I haven't used it for years (lack of need, not because I'd found anything else), but xat webspeed would be the first thing I would point toward
As other people have mentioned, Apache's ab (comes with Apache, so you probably have it already) is good.
Other good options are:
HP's LoadRunner Apache
Jakarta's JMeter
Tsung (if you want to get your erlang on)
I personally like ab and JMeter the best.
We use Loadrunner to do bandwidth and traffic simulation in our App. Loadrunner is can start agents on various machines and you can simulate one machine as running on dialup modem v/s another on DSL v/s another on Cable internet.
We also use Loadrunner to simulate various kinds of traffic conditions from 10 user run to 500 user run. We can also insert think times in the script and simulate a real user executing the http request. The best part is that it comes with a recording studio where it will plug in with Internet explorer and you can record the whole scenario/Usecase that can be as simple as hitting one page to a full blown 50-60 page script or more.
i found this little java program that works great : sloppy
yet not a proffesional solution but it works for simple tests, i guess it uses java streams and buffers to slow down the connection .
Have you looked at Tsung? It's a great utility for seeing if your website will scale in event of attack, I mean massive popularity. We use it for our web frontend, and our internal systems too.
If you're interested in performing your tests out of your browser, there is also a really great Firefox plug-in.
Do not forget about Wanulator (http://www.wanulator.de/).
The name Wanulator comes from "WAN" and "simulator. This pretty much describes what the software does: It simulates different Internet conditions such as delay or packet loss. Furthermore it simulates user access line speeds e.g. modem, ISDN or ADSL.
Wanulator is currently packaged as a Linux boot CD based on SLAX. This will give you a full out of the box experience. You can turn any PC into a test-system within a blink - just by booting the Wanulator CD. The package already includes useful client SW such as web-browser and network sniffer (Wireshark). Nevertheless if the PC has 2 network interfaces the system can run as an intermediate system between your server and your client - as a switch - without any configuration hassles.

Technical issues when switching to an unmanaged Virtual Private Server (VPS) hosting provider?

I'm considering moving a number of small client sites to an unmanaged VPS hosting provider. I haven't decided which one yet, but my understanding is that they'll give me a base OS install (I'd prefer Debian or Ubuntu), an IP address, a root account, SSH, and that's about it.
Ideally, I would like to create a complete VM image of my configured setup and just ship those bits to the provider. Has anyone had any experience with this? I've seen Jeff talk about something like this in Coding Horror. But I'm not sure if his experience is typical. I suppose it also depends on the type of VM server used by the host.
Also, do such hosts provide reverse-DNS? That's kinda useful for sites that send out e-mails. I know GMail tends to bounce anything originating from a server without it.
Finally, I'd probably need multiple IP addresses as at least a couple of the sites have SSL protection which doesn't work with name-based virtual hosts. Has anyone run into trouble with multiple IPs through VPS? I wouldn't think so, but I've heard whisperings to the contrary.
Slicehost (referral link, if you so choose) offers reverse DNS, multiple IPs ($2/month/IP), Ubuntu/Debian (along with others). The only criteria it doesn't support is the ship-a-VM one, but it does let you clone VMs you've set up in their system via snapshots. You could thus set it up once, then copy that VM as many times as you like.
If that's a sacrifice you're willing to make, I highly recommend them - they've had great customer service the few times I've needed to contact them, decent rates, and a great admin backend.
I like XenPlanet, their prices seem to be comparable, but they also allow you to purchase extras like added disk space. Not sure if they let you buy additional bandwidth.
I have used them for a number of different machines and found their service to be very good.

Resources