Ylianst / MeshCentral

A complete web-based remote monitoring and management website. Once set up, you can install agents and perform remote desktop sessions to devices on the local network or over the Internet.
https://meshcentral.com
Apache License 2.0

Enable TLS by Default for CIRA #105

Closed datapharmer closed 5 years ago

datapharmer commented 5 years ago

Currently, when the CIRA script is run, TLS is left disabled. This could potentially expose connection credentials. It would be preferable if the CIRA script issued a certificate for connecting and enabled TLS by default.

jsastriawan commented 5 years ago

CIRA itself is already TLS. Adding additional TLS will put unnecessary load on the AMT firmware. Anyway, you can always comment out the webrelay.ashx route where Ylian disabled TLS over CIRA.

Ylianst commented 5 years ago

jsastriawan is correct. CIRA is always TLS and there is no way to turn that off. As long as CIRA is configured with the right server host name and the correct server root cert, it will only connect securely to the correct server. I would keep the regular TLS off when over CIRA because the performance impact of double TLS is quite noticeable when using remote desktop.

datapharmer commented 5 years ago

OK, that makes sense. My thought was it wouldn't hurt to allow TLS/non-TLS so TLS could be used on local domains, but since the default script puts a bogus local domain in, I'm not sure how much it matters.

Ylianst commented 5 years ago

Exactly. The script sets a random domain name in the Intel AMT environment detection so that CIRA is always used. By the way, Bryan and I are working on getting the MeshAgent to run the CIRA install/uninstall script and to setup Intel AMT into Client Control Mode (CCM). Once that work is done, it will be very easy to setup a batch of Intel AMT with CIRA.

ghost commented 5 years ago

@Ylianst Awesome, I'm looking forward to that. It would make it very convenient to set it up for all internal machines on a corporate network.