Ylianst / MeshCentral

A complete web-based remote monitoring and management web site. Once set up, you can install agents and perform remote desktop sessions to devices on the local network or over the Internet.
https://meshcentral.com
Apache License 2.0

Intel AMT Deploys but HW Connect / Intel AMT is Grey? #2444

Open 82280zx opened 3 years ago

82280zx commented 3 years ago

If I change the group that has my Intel AMT machine in it to deactivate, I can watch the scripts run in Tracing, and it does switch the status of the machine to Not Activated (Pre). If I switch the type to Fully Automatic then the machine registers as Activated CCM, v12.0.40, TLS, but my HW Connect and Intel AMT tabs are grey? Am I doing something wrong? I had this working at one point... and now I'm back to haunt you guys again, sorry!

PathfinderNetworks commented 3 years ago

I've had a lot of issues with AMT as well. I've noticed that you will get this exact issue with devices until they are able to make a CIRA connection. Once CIRA is active then you'll be able to use the Intel AMT options. But I have no clue why CIRA does or does not work. Seems to be totally random. I've had devices that show AMT as being activated for months with no CIRA connection. Then, just randomly out of the blue, they will connect with CIRA.
I wish there was some better way to nail all this down.

Ylianst commented 3 years ago

Yes, so the mesh agent can activate and configure Intel AMT, but the "HW Connect" button will only light up if MeshCentral can perform an "out-of-band" connection to Intel AMT. That is, MeshCentral needs to be able to communicate with AMT without the help of the operating system. Communication must bypass all OS drivers, and MeshCentral and AMT must connect directly.

To do this, the device must use an Intel AMT managed network interface, like the built-in Ethernet or supported WiFi. MeshCentral must be in LAN or Hybrid mode with the device on the same network as the server, or in Hybrid or WAN mode with CIRA enabled. With CIRA, Intel AMT will connect back to the server and the buttons will light up.

If you are using WiFi, you may need to set up AMT WiFi profiles so that AMT can associate to an AP when the computer is plugged in but sleeping. If you use some other way to connect to the Internet (4G modem, USB Ethernet, etc.), AMT will not work.

Hope that helps, Ylian

82280zx commented 3 years ago

Is there a way I can check if CIRA is enabled? My machines are in the same LAN as the mesh server. I also need to check to find out what mode I'm in? The machines are AMT capable for sure :)

Ylianst commented 3 years ago

I should display the server mode when typing "info" in the "MyServer"/"Console" tab. Regardless, unless you have:

"wanonly": true

in the settings section of the config.json, your server should be able to locally communicate with Intel AMT computers. You should not need CIRA in this case.

I am assuming that your AMT computer is already activated (you can go into MEBx and enable it). If so, you should be able to go to https://:16992 and log in to the AMT web page to make sure everything works before doing too much work with MeshCentral.

Once you know AMT works, you can create a device group that is "Agent-less / AMT only" and then add your AMT device manually. You will type in the hostname, username and password for AMT and you should be good to go.

If you install the MeshAgent, it will show up in MeshCentral. Click on the device and you should see "Hostname"; make sure that is set right. "Hostname" will only show up if your server is not in WAN mode. Once set, MeshCentral will try to log in to AMT and, if it does not work, will display "invalid credentials" in red. You can then adjust it.

Let me know if that helps.

82280zx commented 3 years ago

Where is MeshCentral getting the hostname from? I noticed mine is in Hybrid mode; I may switch it over to WAN-only mode. The hostnames they are getting are an address I'm not familiar with, unless it's using my Docker container address...? Thanks again! I should also ask if there are any ports besides port 4433 that CIRA / AMT machines need to use?

Ylianst commented 3 years ago

MeshCentral will try to figure out the hostname on its own by using the IP address the agent is connecting from, or the IP address meshcmd connected from. The hostname should be a DNS name or IP address where MeshCentral can connect to that device, and it only makes sense in local or corporate networks. If you don't intend to have the server ever initiate a connection to a device, you should change to WAN mode using "wanonly": true in the settings section of the config.json file.

In addition to this, if you are in LAN or Hybrid modes, the MeshCentral server will send out wake-on-lan packets on the local network, etc. Probably not something you want if you are running on the Internet.

As for ports: Intel AMT only needs port 4433 to receive inbound CIRA connections from Intel AMT. If you are in LAN mode, port 4433 is turned off and not used. In Hybrid/WAN modes, it's enabled. In general, MeshCentral only uses ports 80, 443 and 4433. There is also port 9971 for bare-metal Intel AMT activation, but this is a rare usage. You can also set up an "agent only" HTTPS port; that one is set to any port you configure. It's like port 443, but only MeshAgents can connect to it, and it is used if you need to isolate the web interface.

Hope that helps.

jjoelc commented 3 years ago

Just wanted to add that there are several times I have seen this situation where the BIOS date was WAY off (I've seen ranges from 1974 to 2056 for the year...) When the BIOS date is that far off, it seems AMT is unable to establish a secure connection (it thinks the cert is invalid, of course) so refuses to connect. Just something relatively obscure to check that you may not immediately think of.

Ylianst commented 3 years ago

Yes, this is a good point. When connecting CIRA to the server, Intel AMT will check the clock against the server's certificate validity period. This is why MeshCentral will also sync the Intel AMT clock to the server clock on activation and will check it from time to time. If it's more than (I think) 10 seconds off the server clock, it will re-sync it.

This said, I think some versions of Intel AMT with LMS will sync the AMT clock to the system clock; in that case, if your device has a clock set to 1970 or something like that, it will not connect.
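
The mode, port and clock checks from Ylian's two replies above (the "wanonly" setting and the port list, and the AMT clock versus the server certificate's validity period) combined into one triage script. This is example code added for this page, not MeshCentral's own; it assumes a "lanonly" key mirrors "wanonly" for LAN-only mode, takes the device state and certificate validity window as constructed inputs instead of querying the server or AMT, and uses the 10-second resync figure only as the thread states it.

```javascript
'use strict';

// Added diagnostic, not MeshCentral code. Derives the server mode from the
// "settings" section of config.json, lists the ports to expect, and explains
// why the "HW Connect" button would stay grey for a device. The `device`
// fields are constructed stand-ins for what you read off the device page and
// the AMT web UI on port 16992.

// "wanonly": true is quoted in the thread; "lanonly" is assumed to be the
// matching key for LAN-only mode. Keys are compared case-insensitively.
function serverMode(settings) {
  const s = {};
  for (const [k, v] of Object.entries(settings || {})) s[k.toLowerCase()] = v;
  if (s.wanonly === true) return 'WAN';
  if (s.lanonly === true) return 'LAN';
  return 'Hybrid';
}

// Ports from the thread: 80 and 443 always, 4433 (CIRA/MPS) only when the
// server is not LAN-only. Port 9971 (bare-metal activation) is rare and left out.
function expectedPorts(settings) {
  const ports = [80, 443];
  if (serverMode(settings) !== 'LAN') ports.push(4433);
  return ports;
}

// CIRA is TLS, so AMT validates the server certificate against its own clock.
// 10 s is the resync threshold the thread gives ("I think").
const RESYNC_THRESHOLD_SEC = 10;

function clockCheck(amtClock, serverClock, cert) {
  const skewSeconds = Math.round((amtClock.getTime() - serverClock.getTime()) / 1000);
  return {
    skewSeconds,
    needsResync: Math.abs(skewSeconds) > RESYNC_THRESHOLD_SEC,
    certValidAtAmtClock: amtClock >= cert.notBefore && amtClock <= cert.notAfter,
  };
}

// Returns { mode, paths, reasons, ok }: `paths` are the out-of-band routes the
// server could use; `reasons` is empty (ok === true) when HW Connect should light up.
function hwConnectTriage(settings, device, cert, serverClock) {
  const mode = serverMode(settings);
  const reasons = [];
  if (!device.amtActivated) reasons.push('AMT is not activated (check MEBx or the group activation policy)');
  if (!device.amtManagedNic) reasons.push('NIC is not AMT-managed (USB Ethernet, 4G modem, unsupported WiFi)');

  const paths = [];
  // Route 1: server -> AMT directly. Needs LAN or Hybrid mode, a hostname/IP
  // the server can reach, and credentials that log in.
  if (mode !== 'WAN' && device.hostname) {
    if (device.amtCredentialsOk === false) reasons.push('AMT login failed (device page shows "invalid credentials")');
    else paths.push('direct:' + device.hostname);
  }
  // Route 2: AMT -> server over CIRA on 4433. Needs Hybrid or WAN mode and an
  // AMT clock inside the certificate validity window. A bad clock is reported
  // even when a direct route exists, since CIRA will not work until it is fixed.
  if (mode !== 'LAN') {
    if (device.amtClock && !clockCheck(device.amtClock, serverClock, cert).certValidAtAmtClock) {
      reasons.push('AMT clock ' + device.amtClock.toISOString() + ' is outside the server certificate validity, CIRA TLS will fail');
    } else if (device.ciraConnected) {
      paths.push('cira:4433');
    }
  }
  if (paths.length === 0) {
    reasons.push(mode === 'WAN'
      ? 'WAN-only server: only CIRA can reach AMT, and no CIRA connection is up'
      : 'no direct route (hostname/credentials) and no CIRA connection');
  }
  return { mode, paths, reasons, ok: reasons.length === 0 };
}

if (typeof require !== 'undefined' && require.main === module) {
  // Constructed sample mirroring the reporter: WAN-only, AMT activated, no CIRA yet.
  const cert = { notBefore: new Date('2021-01-01T00:00:00Z'), notAfter: new Date('2023-01-01T00:00:00Z') };
  const now = new Date('2021-06-01T12:00:00Z');
  const device = { amtActivated: true, amtManagedNic: true, hostname: '192.168.1.50',
                   ciraConnected: false, amtCredentialsOk: true, amtClock: now };
  console.log('ports:', expectedPorts({ wanonly: true }));
  console.log(hwConnectTriage({ wanonly: true }, device, cert, now));
  console.log(hwConnectTriage({}, device, cert, now));
}

if (typeof module !== 'undefined') {
  module.exports = { serverMode, expectedPorts, clockCheck, hwConnectTriage, RESYNC_THRESHOLD_SEC };
}
```

Run it with `node` and feed it your own config.json "settings" object: the reporter's case (WAN-only, CIRA not yet connected) comes back with a single reason, and the same device in Hybrid mode with a reachable hostname comes back `ok`, which is what the thread's advice about hostnames and "wanonly" predicts. The clock check is the obscure case jjoelc raises: a BIOS year of 1974 puts the AMT clock outside the certificate window, so the CIRA route is dropped and reported.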

petervanv commented 3 years ago

I got an AMT capable computer; it's connecting in a group with agent and AMT enabled settings. It says only agent. When I make a group with only AMT, it finds it and connects it.

82280zx commented 3 years ago

Still not sure why my HW Connect etc. is grey =/ It looks like it's communicating with my Mesh server. My setup's a little different, but I can switch the group to automatic, watch it install, talk to the AMT machine and can also deactivate it... so my setup is a little different, but it should be working? I'll explain it the best I can: the front end is Ubuntu 20.04.2 LTS on a Raspberry Pi, I have MeshCentral 2 installed on this, and NGINX Proxy Manager is also installed on this same box (but it's installed in a Docker container). I have the ports forwarded according to the guide here: Mesh Central 2 User Guide on page 30. Ports are forwarded and working; I can browse to https://mesh.mywebsite.com:4433 and see "MeshCentral MPS Server, Intel AMT computers should connect here...." AMT clocks should be synced? I had my setup in Hybrid mode and now have it in WAN-only mode to see if it would make a difference, still no luck.

dinger1986 commented 10 months ago

AMT @si458