In this usage model, the management service for the home PC is provided by the companies that
offer maintenance services for PCs. These may be the call centers of Original Equipment
Manufacturers (OEMs), or they may be independent companies that only provide maintenance
services for PCs manufactured by different OEMs. In this paper, we use the term Management
Service Provider (MSP) for both.
The OOB remote management in Intel® AMT is implemented as a Web service. The remote boot,
redirection, and hardware inventory functions are supported over the Transmission Control
Protocol (TCP), and the IT management service can access these functions through designated
ports. For example, to access NVM the management service should connect to port 16992 or
16993, and for Serial Over LAN (SOL), the management service should connect to port 16994
or 16995. The AMT management console, running as the client that requests the AMT services,
initiates the connection.
There are, however, two issues that block the application of Intel AMT for home PC maintenance.
Firstly, the Network Address Translation (NAT) firewall deployed by the Internet Service
Provider (ISP) blocks the above communication between a home PC and the management service.
(NAT is a method of connecting multiple computers to the Internet, or any other IP network,
using one IP address.) Generally, the NAT firewall sits between the home PC and the management
service provided by the MSP, to protect the local network and translate the IP address. The
home PC is configured with a local IP address that is not visible outside the NAT firewall, so
an active connection from outside on the Internet, the MSP service in this scenario, is refused
access to the PC by the NAT firewall.

Figure 4: Intel® AMT usage model for home PC
Secondly, ISPs always require users to input the account name and password before allowing them
to access the outside network. But when the OS is seriously corrupted by a virus or even when
it has crashed, the user may not have a chance to input the account name and password.
Therefore, the machine cannot access the outside network at all.
To adapt to this special environment of the home PC network, a new usage model of Intel AMT is
proposed in this paper, which introduces an MSP proxy to bridge the home PC and MSP management
console. The network deployment is shown in Figure 4. The MSP proxy sits behind the NAT
firewall and is capable of performing direct communication with a group of home PCs from the
same local network. Also, the proxy serves as a communication device for the MSP service that
is located outside of the NAT firewall. The process of communication between the MSP proxy and
the MSP service is as follows:
- The active connection initiated by the MSP proxy is accepted by the NAT equipment.
- On receiving the initial packet from the MSP proxy, the NAT translates the proxy's local IP address and port to the NAT equipment's address and port pair and records the mapping for future use. The NAT then forwards the packet to the MSP service.
- After the MSP service receives the packet, it records the proxy's IP address and port. Subsequent messages from the MSP service to the proxy are then sent to this IP address and port.
After the connection between the MSP proxy and the MSP service is set up, all the control
messages are sent through this single TCP connection to traverse the NAT firewall. The
proxy provides interfaces (e.g., Simple Object Access Protocol (SOAP) [1] APIs) which can be
invoked by the outside MSP services. Moreover, the MSP proxy can call the AMT services provided
by the AMT device directly. In this way, the MSP proxy eliminates the need to introduce
a separate NAT traversal module into the AMT platform.
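Because every control message between the MSP service and the proxy has to share the one connection the proxy opened outbound through the NAT, the two sides need a framing scheme that lets several management operations be in flight at once and that survives TCP delivering a message in pieces. The following is an added example, not code from the paper or from Intel; the frame layout (4-byte length, 4-byte request id, JSON payload) and the frame-size cap are assumptions made for the example. The cap matters on the proxy side: a length field is attacker-influenced input on any connection, so the receiver refuses to buffer more than a fixed amount before it has a complete frame.

```python
"""Multiplexing MSP control messages over one proxy-initiated TCP connection.

Added example, not the paper's own code. Constructed framing:
  4-byte big-endian payload length | 4-byte big-endian request id | JSON payload
"""
from __future__ import annotations

import json
import struct

HEADER = struct.Struct("!II")   # payload length, request id
MAX_FRAME = 64 * 1024           # constructed upper bound for one control message


def encode_frame(request_id: int, payload: dict) -> bytes:
    """Serialize one control message for the shared connection."""
    body = json.dumps(payload, separators=(",", ":")).encode()
    if len(body) > MAX_FRAME:
        raise ValueError("control message too large")
    return HEADER.pack(len(body), request_id) + body


class FrameDecoder:
    """Reassembles complete frames from a byte stream that may arrive in
    arbitrary pieces (TCP gives no message boundaries)."""

    def __init__(self) -> None:
        self._buf = bytearray()

    def feed(self, data: bytes) -> list[tuple[int, dict]]:
        self._buf.extend(data)
        frames = []
        while len(self._buf) >= HEADER.size:
            length, request_id = HEADER.unpack_from(self._buf)
            if length > MAX_FRAME:
                # A peer claiming an oversized frame is treated as a protocol
                # violation; the caller should close the connection.
                raise ValueError("frame length exceeds limit")
            if len(self._buf) < HEADER.size + length:
                break  # rest of this frame has not arrived yet
            body = bytes(self._buf[HEADER.size:HEADER.size + length])
            del self._buf[:HEADER.size + length]
            frames.append((request_id, json.loads(body)))
        return frames


class RequestTracker:
    """One side's view of the connection: assigns request ids on send and
    matches responses back to the outstanding request by id, so requests
    need not be answered in order."""

    def __init__(self) -> None:
        self._next_id = 1
        self.pending: dict[int, dict] = {}
        self._decoder = FrameDecoder()

    def send(self, payload: dict) -> bytes:
        rid = self._next_id
        self._next_id += 1
        self.pending[rid] = payload
        return encode_frame(rid, payload)

    def receive(self, data: bytes) -> list[tuple[dict, dict]]:
        """Returns (request, response) pairs completed by this chunk of bytes."""
        completed = []
        for rid, response in self._decoder.feed(data):
            request = self.pending.pop(rid, None)
            if request is None:
                continue  # unknown or duplicate id: drop rather than misroute
            completed.append((request, response))
        return completed


def simulate_out_of_order() -> list[tuple[dict, dict]]:
    """MSP service sends two requests; the proxy answers the second first,
    and the reply bytes are delivered in two fragments."""
    service = RequestTracker()
    service.send({"function": "RemoteBoot"})         # id 1
    service.send({"function": "HardwareInventory"})  # id 2
    replies = encode_frame(2, {"ok": True}) + encode_frame(1, {"ok": False})
    done = service.receive(replies[:3])               # header incomplete: nothing yet
    done += service.receive(replies[3:])
    return done
```

`simulate_out_of_order()` returns the inventory request paired with its reply before the boot request, showing that the id, not arrival order, ties a response to its request; a frame whose header announces more than `MAX_FRAME` bytes raises before any payload is buffered.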
The second issue mentioned above, that home PC users may be unable to authenticate with the ISP
to access the outside network, can also be solved by introducing a proxy. The AMT device can
obtain an IP address using the Dynamic Host Configuration Protocol (DHCP) as long as the
machine is connected to a power source and the network. Authentication is only required when
the home PC needs to connect to the outside network. Since the proxy is deployed in the same
local network as the home PC, the AMT device can reach the proxy directly without any
authentication problem.
Therefore, the proxy can successfully remove the two barriers that block the use of Intel AMT
to remotely manage home PCs.
Furthermore, in this usage model, the proxy does not store any client information, such as the
home PC's local IP address and port; thus, it can be a very simple service that only provides a
message transfer function. The detailed working process is described in Figure 5.

Figure 5: Working process
Working Process
These are the steps involved in this process.
- The home PC user gets the IP address of the MSP proxy from the IT technician and configures it into the AMT device.
- When the home PC is enabled to be connected remotely with Intel AMT, the PC client sends a Hello packet to the MSP proxy. The Hello packet contains the Universally Unique Identifier (UUID) of the PC client, which is burned into the platform's NVM during manufacturing.
- After receiving the Hello packet, the MSP proxy sends a request to the MSP service that contains the IP address and UUID of the PC client.
- The MSP service extracts the UUID from the request packet and records the UUID and IP address of the PC client, together with the IP address and port of the proxy, in its database. The UUID is used as the key to identify the PC client.
- When the IT technician manages the AMT device remotely, the MSP service finds the corresponding PC client record to get its information as well as the address of the MSP proxy. The MSP service then sends a request to the proxy that contains the local IP address of the PC client and the name of the function it wants to call.
- After parsing the request from the MSP service, the proxy calls the corresponding SOAP API provided by Intel AMT using the PC client's local IP. The proxy also forwards the response from the AMT machine, informing the MSP service whether the request was executed successfully.
In the above solution, the MSP proxy is deployed as a separate piece of equipment located in
the same local network as the PC clients. There is another solution that deploys the proxy
together with the gateway. In this solution, the proxy is installed on the gateway running as a
service module. The process to set up a connection between the MSP service and the PC client is
the same as the process for the first solution.
Both these solutions have advantages and disadvantages. In the second solution, the MSP does
not have to deploy separate proxy machines for each local network. However, the MSP requires
the support of the ISP. If the ISP supports the proxy, this solution can decrease the cost.
Compared with the second solution, the benefit of the first solution is its flexibility, since
it does not depend on the support of the ISP. Although deploying separate proxy machines for
the home PC local network is costly, it is advantageous to implement it in hotels, Internet
cafés, schools, and other small businesses. If a small business wants to outsource the
maintenance of PCs to an MSP, it can buy a proxy device from the MSP and deploy it on its local
network. The business is free to choose any MSP according to its preference without having to
be concerned whether this MSP is supported by the ISP.