McAfee FIREWALL 2.1-GETTING STARTED Guide de l'utilisateur

Product GuideMcAfee ePO Deep Command 2.1.0For use with ePolicy Orchestrator 4.6.x, 5.x.x Software

• Intel® AMT-enabled chipset• Network hardware and software• Corporate network connection (with an AC power source)Setting up the environment requires

• From the Intel® AMT systems, click McAfee Agent Status Monitor, then click Collect and Send Properties,Check New Policies, and Enforce Policies.• Cl

7In the System Tree, assign the policy to the required systems or group.• To assign the policy to selected systems, select the systems, click Actions

4In Run the following Command afterward (optional), select the product, task type, and client tasks.Client tasks that require a system restart must be

TaskFor option definitions, click ? in the interface.1In the McAfee ePO console, click Menu | Policy Comparison, select ePO Deep Command 2.1.0 or ePO

cType the Intel® MEBX password, then retype it to confirm.Select Show Password to see the password as you type. Password confirmation is not required

• For Kerberos account,1Select New Kerberos User or New Kerberos Group, as needed, select the required user or group,then click OK.2Select the user or

Tasks• Turn on your systems on page 106The Power On feature allows your Intel® AMT systems to deploy the updated securityprograms ahead of a potential

Obtain User ConsentObtain User Consent to perform Intel® AMT actions using a passcode generated on the Intel® AMTsystem screen to connect.TaskFor opti

4(Optional) In Additional Action, select Launch Serial-over-LAN Terminal (SOL) to access the target system fromthe server side.You can use the arrow k

Connect to a system using the Serial-over-LANSerial-over-LAN (SOL) is a mechanism that enables the input and output of the serial COM port of amanaged

Management Framework moduleThe ePO Deep Command Management Framework module delivers "beyond-the-operating system"security management. This

• The recovery operating system image file must be an .iso file shared on a UNC mount.It must be shared and accessible by the Agent Handler. Also, mak

See also Connect to a system using the Serial-over-LAN on page 109McAfee KVM Viewer options on page 127Stop image redirection You can stop an in-progr

Automate Intel AMT policy enforcementCreate and use the server tasks to enforce Intel® AMT policies and turn on the remote Intel® AMTsystems at a sche

TaskFor option definitions, click ? in the interface.1In the McAfee ePO console, from Server Tasks, click New Task.2In Description, type a name for th

• Renew Active Directory Password — Resets the password of the Active Directory object representing theIntel® AMT system.• Renew Administrative Passwo

TaskFor option definitions, click ? in the interface.1In the McAfee ePO console, click Menu | Client Task Comparison, select ePO Deep Command 2.1.0 as

Name ID Generates when...ConfigurationeventsDeep Command - ConfigureFailure34362 A configuration attempt has failed.Deep Command - UnconfigureFailure3

TaskFor option definitions, click ? in the interface.1In the McAfee ePO console, click Menu | Configuration | Server Settings, select Event Filtering,

File name Location DescriptionAMTRCSMgmtService_out.log..\Program Files\McAfee\ePO Deep Command RCSManager\AMTRCSMgmtService_out.logProvides a log of

9Connecting to Intel AMT systems usingKVMWith the McAfee KVM Viewer, you can remotely access Intel® AMT systems using theKeyboard-Video-Mouse (KVM) fe

McAfee KVM Viewer moduleAdministrators can use the McAfee KVM Viewer module to remotely access Intel® AMT systems that areKVM-enabled and -supported.

KVM Viewer overviewUse the McAfee KVM Viewer to remotely access your Intel® AMT systems and perform actions such asPower on, shutdown, start or restar

KVM requirementsMake sure that your system meets these requirements to connect to a system from McAfee KVMViewer.System RequirementsKVM host system (f

Add McAfee root CA certificateImport the McAfee ePO Deep Command root CA certificate to the KVM host system to authenticate aKVM connection. This task

Use Microsoft Management ConsoleAdd the McAfee ePO Deep Command Root CA certificates, when used, to the certificate store of thesystem where you'

Task1From the KVM host system, browse to the folder where McAfee KVM Viewer is stored, thendouble-click the MKVMView file.2On the McAfee KVM Viewer Co

• Authentication settings — Provide credentials used in the configuration profile policy or under Intel®AMT credentials in Server Settings. Or select

Connect to a local systemConnect to a local Intel® AMT system to send power control commands to the client.Task1From the KVM host system, browse to th

TaskFor option definitions, click ? in the interface.1From the McAfee KVM Viewer screen, click Connection | Stop.The current active session is stopped

Option Suboption DescriptionWireless LinkPreferenceAllows selecting the link preference for a session connected over awireless connection. For a syste

10TroubleshootingError messages are displayed by programs when an unexpected condition occurs that can't be fixed bythe program itself. Use this

Getting startedBefore using ePO Deep Command, make sure that you have specific software, hardware, and networkconfigurations in place.Setting up your

Issue Description Corrective actionExit code 32 A certificate request has beensent to the CertificationAuthority but the createdcertificate has put it

Issue Description Corrective actionConfiguration/unconfiguration taskfails with this error inServer Task Log:Intel® AMTunconfiguration failed.Initial

Issue Description Corrective actionHTTP 401 inAMTservice.logThis issue occurs when theserver is not able toauthenticate and connect tothe Intel® AMT s

Issue Description Corrective actionSocket Error — Redirectionport is not enabled on the Intel®AMT System. This error alsooccurs when a certificate ora

IDE-RedirectionIssue Description Corrective actionIDE-Redirectionsession does notinitiatesThis issue might occur due tovarious reasons.Perform these c

Remote Access using the Gateway serverIssue Description Corrective actionRemote Accessconnection fails with"Unknown CA" error inthe Stunnel

WirelessIssue Description Corrective actionIDE-Redirection over a wirelessconnection fails with this error:Boot disk missing, please insert boot disk

Issue Description Corrective actionIntel® AMT policy enforcementfails with errors similar tothese errors in AMTservice.log:•Failed to convert time of

Issue Description Corrective actionRemote Access request usingGet Technical Help in the Intel®Management and SecurityStatus tool fails with an errorst

Issue Description Corrective actionAlarm Clock policy doesn'tenforceThis issue might occur dueto various reasons.Perform these checks, then perfo

Architecture and how components communicateePO Deep Command is comprised of multiple modules, which help you identify, manage, configure,and troublesh

Issue Description Corrective actionSome AMT commands notwork when selected fromAutomatic Response | New Response| Actions | Run System CommandSome of

11Frequently asked questions Here are answers to frequently asked questions.Power on and Normal boot or restartWhat happens if a normal boot or restar

• Client Tasks are enabled.• Appropriate managed products are installed on the Intel® AMT system.• Intel® AMT system is able to communicate with the A

• Intel® Management and Security Status (IMSS)• ACUconfig status or SystemDiscoveryPropertiesWhen does the Last Power On Time parameter get updated on

3Locate and select the Unconfigure Network Access option.A warning message states that the configuration is reset to the default values appears.4Press

AAdditional informationSee these topics for more information that you may require to set up or manage ePO Deep Command.Contents Create a configurat

4If using Digest authentication, skip to the next step. Otherwise, in the Active Directory Integration page,click ... next to Active Directory OU and

6On the Transport Layer Security (TLS) page, select Request certificate via CA plugin to configure the profile thatrecognizes McAfee ePO Deep Command

7On the Network Configuration page, perform these steps to set up wireless connections, then click Next.aSelect Allow WiFi connection with the followi

•IDE redirection•KVM redirectionbIn Power Management Settings, select Always on (S0-S5).cIn Network Settings, type the password for locally accessing

Step Details1 Discovery and Reporting plug-in is installed on McAfee ePO, then deployed to client systems.This plug-in detects the Intel® AMT systems

Set up the environment for Microsoft CA authenticationTo use certificates generated by Microsoft CA, perform these tasks in addition to the other mand

Import certificates to serverIn an environment where McAfee ePO is deployed across different domains, import Microsoft CAcertificates to the system wh

Task1On the Certificate Authority server, click Start | Programs | Administrative Tools | Certification Authority.2From the Console Root tree, right-c

3Right-click the Certificate Templates and select Manage.4In the right-pane, right-click the Computer template and select Duplicate Template to open t

Enable the certificate template Enable the certificate template that you created for Intel® AMT configuration.Task1In the Certificate Authority server

Task1From the Intel® SCS Console, click the icon to create a profile and to open the Configuration Profilewizard.2In Profile Description, enter a uniq

cIn Network Settings, type Intel® ME BIOS Extension (MEBX) password for locally accessing theMEBX settings (default is admin on a new system).If you w

6Select Include all certificates in the certification path.7Type a password, then save the file as with .pfx extension.For example, test.pfx.8Run thes

TaskFor option definitions, click ? in the interface.1Click Start | Administrative Tools, then click Server Manager.2Expand Configuration, right-click

Modify DCOM permissions to add domain computers The configuration process requires appropriate DCOM permissions for domain computers in the serverwher

1IntroductionGetting started16McAfee ePO Deep Command 2.1.0 Product Guide

cAdd Domain Computers if it's not listed, then allow these permissions for the Domain Computers group.•Full Control•Read•Special Permission8Close

Intel® AMT action logsHere is the information about the feature-wise list of log entries created as a result of Intel® AMTactions.Table A-1 Server Ta

Table A-2 Audit Log entries (continued)Feature Audit Log entry DescriptionNormal Boot/Restart Initiated Normal Boot/Reboot Displays when Normal Boot/

IP address" print "Provide help as the first parameter to get more information"else: if input == "help" or input == &qu

try: print "Error in doing OOB Policy Enforcement on as the command failed to invoke properly due to the following err

IndexAactionsAMT policies, enforcing 111boot/reboot to BIOS 107configuration policy, enforcing 111IDE-redirection 109image redirection, stopping 111no

Ffrequently asked questions 141Hhost-based configurationauthentication 38client control mode 36move to admin control 95overview 36policy 49, 94user co

Sserver tasksAMT policies, enforcing 112AMT tag, assigning 25power on 112Tthird-party CAauthentication, setting up 150certificate chain, creating 151c

0-00

2InstallationPerform a series of tasks to set up your ePO Deep Command software.1Make sure that your system meets the requirements.2Install the ePO De

RequirementsVerify that your system meets these requirements before you start the installation process.System requirements Systems RequirementsMcAfee

Software requirements Make sure that you have the required software installed for the ePO Deep Command module thatyou're installing.Software Requ

COPYRIGHTCopyright © 2014 McAfee, Inc. Do not copy without permission.TRADEMARK ATTRIBUTIONSMcAfee, the McAfee logo, McAfee Active Protection, McAfee

Upgrade requirements You can upgrade to ePO Deep Command 2.1.0 from the software version 2.0.0.Supported Intel® AMT versionsSome features aren't

Required portsMake sure that your network security software doesn't block ports and services that are needed forIntel® AMT communications.Add the

Services installed on managed Intel® AMT systemsService/process Feature Ports DescriptionAMTMgmtService.exe Remoteconfiguration135 This process config

ePO Deep Command components in Software ManagerHere are the components that you see in Software Manager, when you select ePO Deep Command fromthe prod

Install the softwareInstall the extensions and deploy them to manage your Intel® AMT systems.Tasks• Install or upgrade the ePO Deep Command extensions

Deploy the Discovery and Reporting plug-inDeploy the Discovery and Reporting plug-in to Intel® AMT systems.Before you beginMake sure that the plug-in

Deploy the Management Framework clientDeploy the Management Framework client to your Intel® AMT systems to manage them using Intel®AMT actions, polici

3In Trusted Root Certificates, a pre-activated McAfee ePO Deep Command Root CA (CN=McAfee ePO DeepCommand Root <Date and time>) is listed. If yo

5In Credentials for Intel® AMT actions, select Change credentials, then select Use above credentials, or type the username and password. Use domain\us

TaskFor option definitions, click ? in the interface.1In the McAfee ePO console, click Menu | User Management | Permission Sets.2Select the permission

Contents1 Introduction 7Product features ... 7Intel AMT overview ... 9Product components

Manage certificatesUse certificate management options to export a ePO Deep Command root CA certificate for reuse,import it, or regenerate it with the

3For Trusted Root Certificate, click Generate New Certificate.A new entry is added for McAfee ePO Deep Command Root in Trusted Root Certificates.4Sele

Uninstall the ePO Deep Command clientCreate a client task to remove the client from Intel® AMT systems, then assign it to the systems.TaskFor option d

TaskFor option definitions, click ? in the interface.1In the McAfee ePO console, click Menu | Software | Software Manager.2On the Software Manager pag

2InstallationUninstall the software34McAfee ePO Deep Command 2.1.0 Product Guide

3Basics of Intel AMT configurationYou must configure your Intel® AMT systems before you can manage them using ePO Deep Command.You can configure your

Host-based configurationIn this method Intel® AMT systems are configured locally using an XML profile containing the requiredconfiguration settings.Th

Client Control mode network architectureThis illustration is an overview of a network configuration where your Intel® AMT systems supportClient Contro

Host-based configuration authenticationFor host-based configuration, provide credentials for Intel® AMT configuration and use McAfee ePODeep Command R

Admin Control mode network architectureThis illustration is an overview of a network configuration where your Intel® AMT systems supportAdmin Control

4 Configuring Intel AMT systems 43Synchronize with Windows Active Directory ... 43Register Windows Active Directory server ...

How RCS Manager plug-in worksThe RCS Manager plug-in helps you manage the configuration of your Intel® AMT firmware, throughMcAfee ePO.This diagram il

Certificates for TLSYou can use the Transport Layer Security (TLS) protocol to secure and authenticate communicationsacross your network.Intel® AMT us

Configuration statesePO Deep Command adds a system property to determine the configuration status of Intel® AMTsystems.• Pre-configuration — By defaul

4Configuring Intel AMT systemsYou can configure an Intel® AMT system using host-based configuration or remote configuration.• Host-based configuration

3On the Details page, complete these options.aSelect Active Directory from LDAP server type, then type the DNS-style domain name or IP address ofthe s

Tasks• Import a configuration profile template on page 45Import a configuration profile that you created in the Intel® RCS console or by usingACUWizar

TaskCreate policies based on the default policies such as McAfee Default or My Default. The default policiesprovide templates where you can add the da

fIn AMT User accounts and rights, perform one of these steps:• For Digest account, click New Digest User, type user name, type password, retype passwo

• IP address — Select the source for the IP address settings:• DHCP — from the DHCP server.• Static — the same IP address as the host.• FQDN — Select

4In Credentials for Intel® AMT actions, do one of these:• Use the default ePO_Admin account — Select Use above credentials, then select Show password

Create the Intel AMT configuration policies ... 94Create the Intel AMT policies ...96Creating the Client Task

Perform remote configurationInstall and configure the RCS Manager plug-in to manage the Intel® AMT firmware configuration fromMcAfee ePO.Before you be

• Intel® AMT systems must not be in a virtual private network (VPN) environment. Home domains ofMcAfee ePO and Intel® AMT systems differ in VPN enviro

TaskFor option definitions, click ? in the interface.1In the McAfee ePO console, click Menu | Software | Software Manager.2On the Software Manager pag

Configure Intel AMT systems using remote configuration policyCreate and enforce a remote configuration policy and select the Intel® RCS server and con

See also Create a policy to configure Intel AMT systems on page 94Enforce Intel AMT configuration policy on page 111Test your connection to an Intel A

Unconfigure Intel® AMT systems using policyYou can unconfigure your Intel® AMT systems using the Intel® AMT configuration policy.TaskFor option defini

TaskFor option definitions, click ? in the interface.1In the McAfee ePO console, click Menu | Reporting | Queries & Reports, then select ePO Deep

5Setting up your environment for RemoteAccessThe McAfee ePO Deep Command Gateway server acts as a proxy responsible for mediatingcommunication between

Remote Access depends on these components:• McAfee ePO• Intel® AMT systems configured for remote connectivity. (In some environments, these systems ar

TaskFor option definitions, click ? in the interface.1In the McAfee ePO console, click Menu | Software | Software Manager.2On the Software Manager pag

Create a configuration profile that uses Microsoft CA certificates ... 154Generate certificates for Stunnel using Microsoft CA ...

5Copy the files to the Stunnel installation directory. For example, C:\Program Files(x86)\stunnel.You can also rename these files:• CN_McAfee_ePO_Deep

2In cert, key, and CAfile, replace the file names and location for cira.pem, cira.key, and ca.cerrespectively with the actual values.3In ciraamt, use

5Setting up your environment for Remote AccessValidate certificate62McAfee ePO Deep Command 2.1.0 Product Guide

6Enabling Intel AMT wirelessmanageabilityWith Intel® AMT over a wireless connection, you can perform Intel® AMT actions on systems within theenterpris

Prerequisites for using wireless with ePO Deep CommandConsider these guidelines while performing Intel® AMT actions on the wireless clients.• Intel® A

An Intel® AMT wireless profile might not be updated when:• A profile with similar "SSID" is present on the system.• The system is configured

4On the Optional Settings page, select Network Configuration, select WiFi Connection, then click Next.5On the Network Configuration page, perform thes

bComplete these settings, then click OK.• Setup Name — Type a name for the Wi-Fi setup (up to 32 characters, and must not contain (/ \< >: ; * |

TaskFor option definitions, click ? in the interface.1In the McAfee ePO console, navigate to System Tree and open the system details of the wirelesscl

7Reporting on your Intel AMT systems With the ePO Deep Command Discovery and Reporting software, you can quickly determine the statusof the Intel® AMT

1IntroductionMcAfee ePO Deep Command provides centralized control to your Intel® Active Management Technology(AMT) systems regardless of whether they

Query DescriptionIntel® AMT ConfigurationStateDisplays a pie-chart of different Intel® AMT configuration states for alldetected systems supporting Int

Predefined RCS management queriesWhen the Profile Manager software is installed on McAfee ePO, these predefined queries are added tothe ePO Deep Comma

TaskFor option definitions, click ? in the interface.1In the McAfee ePO console, click Menu | Reporting | Queries & Reports.2From the Groups pane,

Group Filter Filters the results based on...BIOS Release DateThe release date of the BIOS running on Intel® AMTsystems.BIOS VersionThe version number

Group Filter Filters the results based on...KVMWhether the KVM (Keyboard, Video and Mouse switch)feature is supported on Intel® AMT systems.Last Error

Group Filter Filters the results based on...Wired Link StatusWhether Intel® AMT systems' physical networkconnection is functioning.Wired MAC Addr

• CILA Supported — Determines the number of managed systems that support Local Access connectionsout of the total number of managed systems. The admin

• Intel® AMT Configuration Mode — Determines the different configuration modes that are present in thetotal number of managed systems. Because ePO Dee

• Intel® AMT Version — Displays the different versions of Intel® AMT hardware present on the managedsystems. Because ePO Deep Command supports specifi

• SOL Supported and Enabled — Displays the number of managed systems that support SOL connectionsout of the total number of managed systems. This moni

Feature DescriptionIntel® AMT firmwareconfigurationUse ePO Deep Command to perform host-based configuration or remoteconfiguration on your Intel® AMT

Management Summary dashboardThe Management Summary dashboard displays a collection of monitors based on the results of the defaultePO Deep Command Fra

• Intel® AMT Configuration Events by Event type — Displays a pie chart representing the number ofconfiguration events for all detected Intel® AMT syst

• Ready for Host Based Configuration — Displays a pie-chart representing the number of Intel® AMT systemsthat meet and that do not meet the host-based

• Troubleshoot Remote Devices (KVM) — Displays a pie-chart representing the number of Intel® AMT systemsthat can be accessed using McAfee KVM to troub

• Quick reset of pre-boot password on McAfee encrypted devices — Displays a pie-chart representing the numberof Intel® AMT systems that can reset thei

• Wake-up devices for security scans and updates — Displays a pie-chart representing the number of Intel® AMTsystems that can automatically update the

Property Description WithIntel®MEIdriverinstalledWithoutIntel®MEIdriverinstalledNon-Intel®AMTSystemCILAReports whether the Client-Initiated Local Acce

Property Description WithIntel®MEIdriverinstalledWithoutIntel®MEIdriverinstalledNon-Intel®AMTSystemConfigurationStateReports the configuration state f

Property Description WithIntel®MEIdriverinstalledWithoutIntel®MEIdriverinstalledNon-Intel®AMTSystemIntel® MEIVersionReports the version number of the

Property Description WithIntel®MEIdriverinstalledWithoutIntel®MEIdriverinstalledNon-Intel®AMTSystemLast IDE-RSession StatusReports whether the status

Feature DescriptionMaintenance tasks Configure these maintenance tasks:• Synchronize Intel® AMT time • Renew Active Directorypassword• Synchronize net

Property Description WithIntel®MEIdriverinstalledWithoutIntel®MEIdriverinstalledNon-Intel®AMTSystemReported LocalAlarm ClockTimeDisplays the alarm clo

Property Description WithIntel®MEIdriverinstalledWithoutIntel®MEIdriverinstalledNon-Intel®AMTSystemWireless IPv4AddressReports the IPv4 address receiv

Option DefinitionHost-Based ConfigurationWhether host-based configuration is supported on the client: Supported orNot Supported.Is Embedded HBC Enable

8Managing your Intel AMT systems Manage the Intel® AMT systems in your network by using Intel® AMT policies, client task executionpolicies, Intel® AMT

Create the Intel AMT configuration policies Use the AMT Configuration Policies category to create policies to configure or unconfigure your Intel® AMT

3Select Allow ePO to enforce these settings, then perform one of these steps based on configuration modeof systems.• Admin Control mode — Select Remot

Create the Intel AMT policiesUse the AMT Policies category to create a policy to turn on your Intel® AMT systems, configure LocalAccess or Remote Acce

5Select Repeat Every to specify the days, hours, and minutes to turn on your systems at regularintervals, then save the policy.6In the System Tree, as

6Click Save.7In the System Tree, assign the policy to the required systems or group.• Systems — Select the systems, click Actions | Agent | Set Polici

TaskFor option definitions, click ? in the interface.1In the McAfee ePO console, from Policy Catalog, select ePO Deep Command 2.1.0 as the product and