RealTimeSystemManagement User Guide

Altiris Real-Time SystemManagement 7.5 User Guide

Altiris Real-Time System Management 7.5 UserGuide

The software described in this book is furnished under a license agreement and may be usedonly in accordance with the terms of the agreement.

Legal NoticeCopyright 2013 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo,the Checkmark Logo, Altiris, and any Altiris or Symantec trademarks used in the product aretrademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. andother countries. Other names may be trademarks of their respective owners.

This Symantec product may contain third party software for which Symantec is required toprovide attribution to the third party (Third Party Programs). Some of the Third Party Programsare available under open source or free software licenses. The License Agreementaccompanying the Licensed Software does not alter any rights or obligations you may haveunder those open source or free software licenses. For more information on the Third PartyPrograms, please see the Third Party Notice document for this Symantec product that maybe available at http://www.symantec.com/about/profile/policies/eulas/, the Third Party LegalNotice Appendix that may be included with this Documentation and/or Third Party Legal NoticeReadMe File that may accompany this Symantec product.

The product described in this document is distributed under licenses restricting its use, copying,distribution, and decompilation/reverse engineering. No part of this document may bereproduced in any form by any means without prior written authorization of SymantecCorporation and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIEDCONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIEDWARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE ORNON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCHDISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALLNOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTIONWITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THEINFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGEWITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be commercial computer softwareas defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19"Commercial Computer Software - Restricted Rights" and DFARS 227.7202, "Rights inCommercial Computer Software or Commercial Computer Software Documentation", asapplicable, and any successor regulations. Any use, modification, reproduction release,performance, display or disclosure of the Licensed Software and Documentation by the U.S.Government shall be solely in accordance with the terms of this Agreement.

Symantec Corporation350 Ellis StreetMountain View, CA 94043

http://www.symantec.com

Technical SupportSymantec Technical Support maintains support centers globally. Technical Supportsprimary role is to respond to specific queries about product features and functionality.The Technical Support group also creates content for our online Knowledge Base.The Technical Support group works collaboratively with the other functional areaswithin Symantec to answer your questions in a timely fashion. For example, theTechnical Support group works with Product Engineering and Symantec SecurityResponse to provide alerting services and virus definition updates.

Symantecs support offerings include the following:

A range of support options that give you the flexibility to select the right amountof service for any size organization

Telephone and/or Web-based support that provides rapid response andup-to-the-minute information

Upgrade assurance that delivers software upgrades

Global support purchased on a regional business hours or 24 hours a day, 7days a week basis

Premium service offerings that include Account Management Services

For information about Symantecs support offerings, you can visit our website atthe following URL:

www.symantec.com/business/support/

All support services will be delivered in accordance with your support agreementand the then-current enterprise technical support policy.

Contacting Technical SupportCustomers with a current support agreement may access Technical Supportinformation at the following URL:


Before contacting Technical Support, make sure you have satisfied the systemrequirements that are listed in your product documentation. Also, you should be atthe computer on which the problem occurred, in case it is necessary to replicatethe problem.

When you contact Technical Support, please have the following informationavailable:

Product release level

Hardware information

Available memory, disk space, and NIC information

Operating system

Version and patch level

Network topology

Router, gateway, and IP address information

Problem description:

Error messages and log files

Troubleshooting that was performed before contacting Symantec

Recent software configuration changes and network changes

Licensing and registrationIf your Symantec product requires registration or a license key, access our technicalsupport Web page at the following URL:


Customer serviceCustomer service information is available at the following URL:


Customer Service is available to assist with non-technical questions, such as thefollowing types of issues:

Questions regarding product licensing or serialization

Product registration updates, such as address or name changes

General product information (features, language availability, local dealers)

Latest information about product updates and upgrades

Information about upgrade assurance and support contracts

Information about the Symantec Buying Programs

Advice about Symantec's technical support options

Nontechnical presales questions

Issues that are related to CD-ROMs, DVDs, or manuals

Support agreement resourcesIf you want to contact Symantec regarding an existing support agreement, pleasecontact the support agreement administration team for your region as follows:

[email protected] and Japan

[email protected], Middle-East, and Africa

[email protected] America and Latin America

Technical Support ............................................................................................... 4

Chapter 1 Introducing Real-Time System Management .................. 9About Real-Time System Management ............................................... 9

Chapter 2 Running one-to-many tasks .............................................. 11About one-to-many tasks ............................................................... 11Managing the power state of computers remotely ............................... 12Using the Restore State power action .............................................. 14Automatically turning off computers in critical state .............................. 15Collecting and viewing Intel AMT, DASH, and IPMI inventory ................ 16Updating BIOS settings ................................................................. 17Resetting a local user password on multiple computers ........................ 18Managing a process on multiple computers ....................................... 19Managing a service on multiple computers ........................................ 20Updating Intel AMT and DASH alert settings ..................................... 20Booting multiple computers from a remote location ............................. 22Filtering the network traffic on multiple computers .............................. 23Updating Intel AMT settings or unconfiguring Intel AMT ........................ 25

Chapter 3 Managing resourses one-to-one in real time ................ 27About one-to-one real time management ........................................... 27Initiating real time connection .......................................................... 28Turning off, turning on, or restarting a client computer .......................... 29Starting a Keyboard-Video-Mouse (KVM) remote control session ........... 30Starting a Serial-over-LAN (SOL) remote control session ...................... 31Booting a computer from remote location using IDE-R ......................... 33Blocking network traffic from and to the computer ............................... 34Configuring the Intel AMT device settings ......................................... 35Viewing client computer logs ........................................................... 36Managing BIOS settings ................................................................ 37Managing the properties of Symantec Management Agent in real

time ..................................................................................... 38Activating a virtual layer ................................................................. 39

Contents

Chapter 4 Additional functionality ..................................................... 41Additional functionality and portal actions available in Real-Time System

Manager ............................................................................... 41Resetting a domain user password .................................................. 41Running the port check .................................................................. 42Configuring the port check settings .................................................. 42Modifying the list of open network filtering ports .................................. 42Adding or removing custom views .................................................... 43

Appendix A List of available operations ............................................... 44List of available operations ............................................................. 44Managements processes ............................................................... 44Audit Nodes ................................................................................ 47Information Nodes ........................................................................ 48

Appendix B Troubleshooting .................................................................. 52Troubleshooting Real-Time System Manager connection ...................... 52

Configuring the firewall to allow WMI connection ........................... 54Configuring the firewall on a single computer ............................... 55Configuring the firewall on multiple domain computers with a group

policy ............................................................................. 56Disabling simple file sharing on Windows XP SP2 ......................... 57Configuring User Access Control on Windows Vista or later

versions of Windows ......................................................... 58

Appendix C Technical Reference ........................................................... 59Ports used by Real-Time System Manager ........................................ 59How authentication works .............................................................. 61About changes in default system security .......................................... 62Network filtering ports and settings ................................................... 62Power management and redirection capabilities ................................. 63

Index .................................................................................................................... 66

8Contents

Introducing Real-TimeSystem Management

This chapter includes the following topics:

About Real-Time System Management

About Real-Time System ManagementThe Real-Time Console Infrastructure software provides the necessary infrastructurefor real time management using the Real-Time System Manager. Also, Real-TimeConsole Infrastructure lets you perform one-to-many out-of-band managementtasks on a group of computers that support ASF, DASH, or AMT.

With Real-Time System Manager, you can view detailed real time information aboutthe managed computers and remotely perform various administrative tasks. Forexample, you can collect the hardware and the configuration inventory even if thecomputers are turned off. Also, you can restart the computer, reset a password,run a port scan, terminate a process. Real-Time System Manager also lets you runsome of the management tasks on a group of computers, immediately or on aschedule.

Using Real-Time System Manager with properly configured out-of-band capablecomputers, you can manage the computers that are turned off or that failed to loadan operating system. Managing computers remotely out of band lets you significantlyreduce the number of desk-side visits.

Some of the supported out-of-band features are as follows:

Remote boot through Integrated Drive Electronics Redirection (IDE-R)See Booting a computer from remote location using IDE-R on page 33.

Remote console redirectionSee Starting a Serial-over-LAN (SOL) remote control session on page 31.

1Chapter

See Starting a Keyboard-Video-Mouse (KVM) remote control sessionon page 30.

Hardware filtering of network traffic (Circuit Breaker) using Intel vPro SystemDefense technologySee Blocking network traffic from and to the computer on page 34.

Hardware alerts for Intel AMT and DASHSee Updating Intel AMT and DASH alert settings on page 20.

10Introducing Real-Time System ManagementAbout Real-Time System Management

Running one-to-many tasks


About one-to-many tasks

Managing the power state of computers remotely

Using the Restore State power action

Automatically turning off computers in critical state

Collecting and viewing Intel AMT, DASH, and IPMI inventory

Updating BIOS settings

Resetting a local user password on multiple computers

Managing a process on multiple computers

Managing a service on multiple computers

Updating Intel AMT and DASH alert settings

Booting multiple computers from a remote location

Filtering the network traffic on multiple computers

Updating Intel AMT settings or unconfiguring Intel AMT

About one-to-many tasksOne-to-many tasks let you manage multiple computers at the same time, but limitthe options that are available. Full list of remote management features is availableusing real time one-to-one management.

One-to-many actions are carried out in a form of scheduled tasks. You must installSymantec Management Agent on the client computer for in-band management.

2Chapter

For out-of-band management, client computers also must support ASF, DASH, orAMT technology.

For example, you can perform the following one-to-many tasks:

Boot a group of computers from either a PXE, a floppy/HDD/CD device, or animage that is located in a remote location.

Block network traffic to and from the client computer's operating system.

Remotely reset a password for a local user account on a group of computers.

Remotely start or stop a process on a group of computers.

Perform various power operations: start, stop or reboot a group of computers.

See List of available operations on page 44.

For more information on how to discover out-of-band capable computers, seehttp://www.symantec.com/docs/DOC6628.

Managing the power state of computers remotelyYou can manage the power state of client computers remotely using WMI, IntelAMT, ASF, IPMI, and DASH technologies.

For example, you can turn on the computers before delivering a software package.You can also turn off the computers that have sent critical SNMP alerts to NotificationServer.

See Automatically turning off computers in critical state on page 15.

Note: A graceful Reboot/Reset and Power Off through the WMI is always triedfirst. If the WMI operation fails, the Power Off, Reboot/Reset, and Restore Stateactions perform a hard shutdown (losing all unsaved data) through ASF, DASH,IPMI, or Intel AMT. To perform a hard shutdown, the target computers must supportand be properly configured to use these technologies.

To manage the power state of computers remotely

1 In the Symantec Management Console, on the Manage menu, click Jobs andTasks.

2 In the left pane, expand System Jobs and Tasks > Real-Time ConsoleInfrastructure > Power Management.

12Running one-to-many tasksManaging the power state of computers remotely

3 In the right pane, under Power action, select the power action to execute.

Choose from the following actions:

Turns on the target computers using the out-of-bandmanagement technology (ASF, DASH, IPMI, or IntelAMT) that the target computers are configured to use.

Power On

Attempts to turn off the target computer through WMI.If WMI fails, a hard shutdown is performed using oneof the out-of-band management technologies.

Power Off

Attempts to restart the target computer through WMI. IfWMI fails, a hard reset is performed using one of theout-of-band management technologies.

Reboot/Reset

You can use this power action when you include thepower management task in a job. You cannot use thispower action in a standalone task. This power actionlets you restore the power state that you changed byrunning another power management task earlier in thejob.

For example, you can run the Power On action, andlater in the job, you can run the Restore State action.The latter turns off the computers that were turned off,but the computers that were turned on stay turned on.

See Using the Restore State power action on page 14.

Restore State

13Running one-to-many tasksManaging the power state of computers remotely

4 (Optional) Configure the advanced boot options.

The options are as follows:

Prevents the users from interacting with the targetcomputer.

Lock client keyboard

Prevents the users from turning off and restartingthe computer using the buttons that are located onthe computer case.

Disable power buttons

Lets you start the computer without the startuppassword.

Bypass computer's startuppassword

When the computer starts, it can send the detailedprogress PET events to the SNMP server.

Use the Update Out-of-Band Alert Settings taskto configure the event's destination address.

See Updating Intel AMT and DASH alert settings on page 20.

Client's firmware transmits allprogress PET events

The availability of these features depends on the hardware that you use.

5 Click Save changes.

6 Run the task once or on a schedule.

For more information, view the topics about running and scheduling tasks inthe Symantec IT Management Suite powered by Altiris technology User Guide.

Choose a connection profile that is configured with correct WMI, ASF, DASH,IPMI, or Intel AMT credentials.

For more information, view the topics about connection profiles in the SymantecIT Management Suite powered by Altiris technology User Guide.

Using the Restore State power actionTheRestore State power action of the PowerManagement task returns computersto the power state they were in, before the previous power action ran.

The Restore State power action lets you run different jobs. For example:

Run the Power On action to turn on computers.

After that, run another task.

After that, run the Restore State task, to restore the power state of thecomputers.

14Running one-to-many tasksUsing the Restore State power action

In this example, if a computer was turned off, the Restore State action turns offthe computer. If a computer was turned on, the Restore State action keeps thecomputer turned on.

The Sample Job is an example of the Restore State power action usage in a job.For this power action to work, you must configure the Task Input to use the outputfrom the previous power management task, as shown in the sample job. You canuse the Restore State power action only in a job.

To use the Restore State power action


2 In the left pane, expand Samples > Real-Time Console Infrastructure >Sample Job.

3 On the Sample Job page, under Jobs/Tasks, click Run "Restore powerstate".

4 Under Task Input, see how the task input is configured.

Automatically turning off computers in critical stateUsing Real-Time Console Infrastructure with Event Console lets you automaticallyturn off the computers that have sent critical SNMP alerts (for example, the hardwarefailure alerts) to Notification Server. If the computers support and are properlyconfigured to use any of the out-of-band management technologies, you canremotely turn off the computers even if the computers have failed to load anoperating system.

See Updating Intel AMT and DASH alert settings on page 20.

To automatically turn off computers in critical state

1 In the Symantec Management Console, on the Settings menu, click AllSettings.

2 In the left pane, expand Monitoring and Alerting > Alert Rule Settings.

3 In the right pane, click the Task Rules tab.

4 On the toolbar, click Add.

5 Under Rule, on the toolbar, click Add > Alert protocol.

6 In the Select comparison drop-down list, click equals.

7 In the Enter value drop-down list, click Simple Network ManagementProtocol.

8 Under Rule, on the toolbar, click Add > Alert severity.

15Running one-to-many tasksAutomatically turning off computers in critical state

9 In the Select comparison drop-down list, click equals.

10 In the Enter value drop-down list, click Critical.

11 Under Task, click New.

12 In the Create New Task dialog box, in the left pane, click Real-Time ConsoleInfrastructure > Power Management.

13 In the right pane, click Power Off.

14 Click OK.

15 Turn on the task rule.

At the upper right of the page, click the colored circle, and then click On.

16 Click Save.

Collecting and viewing Intel AMT, DASH, and IPMIinventory

You can collect the hardware and the configuration inventory even if the computersare turned off. The inventory is stored in the NVRAM of properly configured IntelAMT and DASH computers. On computers with IPMI, the inventory is obtained fromthe Baseboard Management Controller.

To collect Intel AMT, DASH, or IPMI inventory from a client computer


2 In the left pane, click System Jobs and Tasks > Real-Time ConsoleInfrastructure > Get Out-of-Band Inventory.

3 Run the task once, or on a schedule.


Choose a connection profile that is configured with correct Intel AMT, DASH,or IPMI credentials.


16Running one-to-many tasksCollecting and viewing Intel AMT, DASH, and IPMI inventory

To view the Intel AMT, DASH, or IPMI inventory for a client computer

1 Open the Resource Manager for a computer by double-clicking on a specificresource that is found in a filter.


2 On the View menu, click Inventory.

3 In the tree view pane, expand the Real-Time Console Infrastructure folderand select an inventory data class.

You can also view out-of-band inventory from the Reports page.

To view Intel AMT, DASH, and IPMI inventory using a report

1 Click Reports > All reports.

2 In the left pane, click Reports > Remote Management > Real-Time ConsoleInfrastructure > Out-of-band Harware Inventory.

3 In the right pane, on the Out-of-Band Hardware Inventory page, underParameters, choose the setting for the report that you want to view.

Updating BIOS settingsThe Update BIOS settings task lets you remotely view and update the BIOSsettings of the target computers that can be managed through the DASH technology.To identify these computers, you must collect the DASH settings inventory.

Note:After you update BIOS settings, you must restart the target computers for thesettings to take effect. You can combine the BIOS management and powermanagement tasks into a job.

For more information, view the topics about connection profiles in the Symantec ITManagement Suite powered by Altiris technology User Guide.

You can also manage BIOS settings on a single computer in real time.

Run the Get Out-of-Band Inventory task.

See Collecting and viewing Intel AMT, DASH, and IPMI inventory on page 16.

In the Resource Manager, in the Inventory view, expand Real-Time ConsoleInfrastructure > RTCI DASHRegistered profile. If the computer supports WS-MANBIOS Management, the BIOS Management profile is displayed on this page.

17Running one-to-many tasksUpdating BIOS settings

To update BIOS settings

1 In the Symantec Management Console, on the Manage menu, click Jobs andTaks.

2 In the left pane, expand System Jobs and Tasks > Real-Time ConsoleInfrastructure > Update BIOS Settings.

3 Under the Select and configure BIOS settings, add the settings that youwant to modify.



6 Restart the target computers to apply the new BIOS settings.

Note: If BIOS is password protected, Symantec recommends, that you createa job that includes the Set Administrator Password task and the UpdateBIOS settings taks

See Managing the power state of computers remotely on page 12.

Resetting a local user password on multiplecomputers

You can reset the password for a local user on multiple computers at a time.

You can also perform this task on a single computer in real time.

You can also use Real-Time System Manager to reset the password for a domainuser.

See Resetting a domain user password on page 41.

To reset a local user password on multiple computers


2 In the left pane, expand System Jobs and Tasks > Real-Time SystemManager.

3 Click Password Management.

4 Type the user name that you want to reset the password for in the followingformat: COMPUTER\User

5 Type and confirm a new password.

18Running one-to-many tasksResetting a local user password on multiple computers

6 Type the name and password of an administrative user with permissions tomanage the specified user account.



FFor more information, view the topics about connection profiles in theSymantec IT Management Suite powered by Altiris technology User Guide.

Managing a process on multiple computersYou can run or stop a process on multiple computers at a time.

You can also manage processes on a single computer in real time.

See About one-to-one real time management on page 27.

To manage a process on multiple computers



3 Click Process Management.

4 Type the name of the process to run or stop.

Example: AeXNSAgent.exe

You can also type a full UNC path (Example: \\server\share\AeXNSAgent.exe)as long as you have the authentication infrastructure to support that. Thismeans that either you have no authentication (null session shares) or you haveKerberos with the intermediate computer trusted for delegation, and delegatablecredentials for the user.

5 Select an action.




19Running one-to-many tasksManaging a process on multiple computers

Managing a service on multiple computersYou can start, stop, restart a service on multiple computers at a time. You canchange the startup mode of a service.

You can manage services on a single computer in real time.

See About one-to-one real time management on page 27.

To manage a service on multiple computers



3 Click Service Management.

4 Type the name of the service to manage.

Example: cisvc

5 Select an action.




Updating Intel AMT and DASH alert settingsIntel AMT and DASH alerts help you respond to memory faults, temperature issues,hard drive warnings, chassis intrusion, and so forth. These alerts help you fix issuesbefore they become destructive.

The Update Out-of-Band Alert Settings task lets you remotely update the IntelAMT and DASH alert settings on properly configured client computers with IntelAMT or DASH.

You can configure the following alert settings:

Where to send the alerts.

Which alerts to send.

Which alerts to log.

You can also run this task on the computers that are turned off.

20Running one-to-many tasksManaging a service on multiple computers

This task also lets you configure the SNMP traps destination address for computerswith ASF. However, this functionality is performed in-band, through the WMIconnection. The ASF-capable computer must be turned on with a Microsoft Windowsoperating system running.

To update Intel AMT and DASH alert settings


2 In the left pane, expand System Jobs and Tasks > Real-Time ConsoleInfrastructure > Update Out-of-Band Alert Settings.

3 Under Subscription settings, type the SNMP servers IP address. This valueis applied to computers with Intel AMT and ASF.

By default, the task is configured with the Notification Server computers IPaddress. In this case, Event Console (a component of Notification Server)accepts and displays the SNMP events that the client computers send.

For more information, view topics about alert management in the Altiris MonitorSolution for Servers from Symantec User Guide.

4 Type the SNMP community string.

Example: public

5 Type the destination URI for DASH alerts.

By default, the value is set to the Notification Servers Web service eventlistener, which is part of the Pluggable Protocol Architecture component:http:///Altiris/WSEL/wsel.aspx

Currently, DASH does not support sending alerts through an HTTPS connection.If your Notification Server is installed on a secure Web site, configure thewsel.aspx file so that it can be accessed through HTTP.

6 Select the DASH alerts delivery mode.


The DASH client computer does not verify if the eventlistener accepted the alert.

Push

The DASH client computer verifies if the event listeneraccepted the alert. If no reply is received from the eventlistener, the client computer can unsubscribe this particularevent filter (vendor dependent).

Pushwith acknowledge

21Running one-to-many tasksUpdating Intel AMT and DASH alert settings

7 Under Select and configure event filters, click Add, select the alerts thatyou want to configure with the task, and then click OK.

8 Under Select and configure event filters, select one or more alerts, and, onthe Actions menu, click what you want to do with this alert.


Activates the alert. When the alert triggers, a message is sentto the destination address that you provided in the Subscriptionsettings section.

Subscribe

Deactivates the alert, but does not remove it from the memory.Unsubscribe

Removes the alert from the client computers memory andreclaims space.

Remove from client

9 (Optional) If the client computer does not have enough free space to fit all ofthe alerts that you configured. To allow partial alert subscription, check Allowpartial alert application.

10 (Optional) To remove all previous alert subscriptions from the client computerand reclaim space before applying new subscriptions, check Remove 3rdparty filters and alert subscriptions.

11 Click Save Changes.



Choose a connection profile that is configured with correct Intel AMT, DASH,or WMI credentials.


Note: Alerts that are marked as critical power down the client computers. Youcan configure which alerts are considered critical.

Booting multiple computers from a remote location(Intel AMT, ASF, DASH)

You can boot the computers with ASF, DASH, or Intel AMT from a remote diskdrive or image.

22Running one-to-many tasksBooting multiple computers from a remote location

You can also perform this task on a single computer in real time.

See Booting a computer from remote location using IDE-R on page 33.

To boot multiple computers from a remote location



3 Click Boot Redirection.

4 In the right pane, click a device to boot from.

5 To start the computer from an image, click Browse to navigate to a networkshare where the image is located.

Warning: Do not use an image file that is placed on a CD or a DVD-ROM tostart the computer. Use only the images that are stored on local or networkhard disk drives.




Warning: If there is already an active IDE-R session, it is terminated when thetask runs.

Filtering the network traffic on multiple computers(Intel AMT only)

The Intel AMT network filtering (Circuit Breaker) functionality lets you block networktraffic from and to the target computers' operating systems. For example, you canuse this feature to isolate infected computers from the network.

Note:Network Filtering works only if both the client operating system and Intel AMTnetwork settings are configured to use Dynamic Host Configuration Protocol (DHCP).

Some ports stay open when network filtering is active.

23Running one-to-many tasksFiltering the network traffic on multiple computers

See Network filtering ports and settings on page 62.

You can customize the ports that you want to stay open.

See Modifying the list of open network filtering ports on page 42.

You can also manage network traffic on a single computer in real time.

See Blocking network traffic from and to the computer on page 34.

To filter the network traffic on multiple computers



3 Click Network Filtering.

4 If you want to block network traffic to and from the operating system, do thefollowing:

Click Filter network traffic other than to and from the NotificationServer.

Choose if you want to use the default solution filtering settings or browsefor a custom .xml file.

(Optional) To prevent the client computer from sending malicious packets,check Enable anti-spoofing filter. This feature forces the identityverification of outgoing network traffic and drops packets if the computer issuspected of originating malicious attacks that are known as IP spoofing.

5 (Optional) To protect the client computer from network flooding, click Limit thenumber of PING packets to, and type the number of packets per secondallowed to pass through the Intel AMT network filter.

Default: 10 packets per second.

6 (Optional) To disable network filtering, click Allow all network traffic.




24Running one-to-many tasksFiltering the network traffic on multiple computers

Updating Intel AMT settings or unconfiguring IntelAMT

You can use the Update Intel AMT Settings task to update the configuration andthe network settings of the Intel AMT device on properly configured client computerswith Intel AMT. Also, you can use this task to unconfigure the Intel AMT device.

To update Intel AMT settings


2 In the left pane, expand System Jobs and Tasks > Real-Time ConsoleInfrastructure > Update Intel AMT Settings.

3 Select which of the following Intel AMT features you want to allow:

You can use this web-based interface for direct remotemanagement and maintenance of Intel AMT devices.When Web UI is enabled, you can access the Intel AMTmanagement console using the following URL:http://:16992 (or port 16993for Intel AMT computers configured in secure mode).

Web UI

This feature is also known as Serial-over-LAN. It lets youmanage an Intel AMT computer remotely byencapsulating keystrokes and character display data ina TCP/IP stream.

Task progresswindow andremote control

This feature is also known as IDE-Redirection. It remotelyenables, disables, formats, or configures individual floppyor IDE CD drives. It also reloads operating systems andsoftware from remote locations.

Redirect to optical/floppydrive or image on a server

4 Define the network settings as follows:

Check if you want the Intel AMT device to respond to a ping.Respond to ping

25Running one-to-many tasksUpdating Intel AMT settings or unconfiguring Intel AMT




Choose a connection profile that is configured with active Intel AMT credentials.


To unconfigure Intel AMT devices


2 In the left pane, expand System Jobs and Tasks > Real-Time ConsoleInfrastructure > Update Intel AMT Settings.

3 Check Unconfigure Intel AMT, and then choose the unconfiguration methodand the Intel AMT mode to set after unconfiguration.


Removes all Intel AMT settings except for administrative user credentials andPID-PPS pairs. After partial unconfiguration is complete, the Intel AMT clientcomputer starts sending configuration requests to the setup and configurationserver (Intel SCS). The computer is not available for management throughthe Intel AMT interface until it is configured again by Intel SCS.

Partial

Removes all settings from the Intel AMT device. You must initialize, set up,and configure the device again.

If you click this option, you can also select a Small Business or Enterpriseconfiguration model to set after unconfiguration is complete.

Full




Choose a connection profile that is configured with active Intel AMT credentials.


26Running one-to-many tasksUpdating Intel AMT settings or unconfiguring Intel AMT

Managing resoursesone-to-one in real time


About one-to-one real time management

Initiating real time connection

Turning off, turning on, or restarting a client computer

Starting a Keyboard-Video-Mouse (KVM) remote control session

Starting a Serial-over-LAN (SOL) remote control session

Booting a computer from remote location using IDE-R

Blocking network traffic from and to the computer

Configuring the Intel AMT device settings

Viewing client computer logs

Managing BIOS settings

Managing the properties of Symantec Management Agent in real time

Activating a virtual layer

About one-to-one real time managementReal time one-to-one management allows you to use the full list of remote featuresavailable in Real-Time System Manager.

For example, you can perform the following one-to-one tasks:

3Chapter

Take full control of the client computer with active keyboard, display and mouse.

View detailed information and audit dynamic proccesses.

Manage BIOS settings with console view.

Change the NS server that the client computer is assigned to.

Manage software virtualization layers.

Real-Time System Manager can connect to the target computer using the followingprotocols: WMI, ASF, Intel AMT, DASH, SNMP, IPMI. Connection protocols definewhich features are available.

See List of available operations on page 44.

Setting up the connection profiles and credentials:http://www.symantec.com/docs/HOWTO62827.

With Real-Time System Manager, you can manage computers in-band andout-of-band. Out-of-band means that computer is not turned on or the operatingsystem is not running. You can manage a computer in such state if the clientcomputer has AMT, ASF, DASH, or IPMI technology present and is configured forout-of-band management.

For more information on how to discover out-of-band capable computers, seehttp://www.symantec.com/docs/DOC6628.

Initiating real time connectionThere are three different ways to initiate a real time connection to a client computerthat you want to manage.

You can open a management session in a pop-up dialog box, while maintainingyour current position in the Symantec Management Console.

To connect to a client computer using a pop-up dialog box

1 In the Symantec Management Console, on the Actions menu, click RemoteManagement > Real-Time Management.

2 On the Real-Time Management page, type the host name or the IP of thecomputer that you want to connect to, and then click Connect.

You can use the Real-Time System Manager Portal, that also displays the portalactions that are available to you before establishing a real time connection.

See Additional functionality and portal actions available in Real-Time SystemManager on page 41.

28Managing resourses one-to-one in real timeInitiating real time connection

To connect using the Real-Time System Manager Portal

1 In the Symantec Management Console, on the Home menu, click RemoteManagement > Real-Time System Manager Portal.

2 On the Real-Time System Manager Portal page, in the Manage Web Part,in the Computer text box, type the IP address or the name of the computerthat you want to manage, and then click Connect.

You can initiate a real time connection to a client computer from any resource listin the Symantec Management Console.

To initiate real time connection from a resources list

1 Open a list of computer resources.

2 Right-click the computer resource, click Remote Management, and then clickone of the following:

Manage

Manage Power State and RedirectionSee Turning off, turning on, or restarting a client computer on page 29.

Manage Users

Port checkSee Running the port check on page 42.

Trace Route

Turning off, turning on, or restarting a client computerYou can view the power state of a remote computer, and then turn off, turn on, orrestart the client computer remotely.

Note: The availability of power commands depends on the current power state andthe technologies (WMI, ASF, Intel AMT, DASH, IPMI) that are available on thetarget computer. For example, WMI power management is limited to Reboot andPower off commands and can be performed on a computer with a running operatingsystem. This limitation is because WMI is an in-band functionality.

For client computers with properly configured out-of-band technologies, you canconfigure the Redirection options before restarting or turning on the clientcomputer.

29Managing resourses one-to-one in real timeTurning off, turning on, or restarting a client computer

Turning off, turning on, or restarting a client computer

1 Connect to the client computer, that you want to manage.

See Initiating real time connection on page 28.

2 In the navigation pane, underReal-TimeConsoles, expandReal-Time SystemManager > Management Operations > Manage Power State andRedirection.

3 In the right pane, on the Manage Power State and Redirection page, underRemote power management, select a power action.

4 (Optional) To perform a graceful restart or shutdown through WMI, checkAllowuser to save data before power operation.

If the WMI operation fails, the hard shutdown of the target computer isperformed out-of-band using ASF, DASH, Intel AMT, or IPMI. The hardshutdown is possible if any of these technologies are supported and properlyconfigured on the target computer.

5 Click Run task now.

Starting a Keyboard-Video-Mouse (KVM) remotecontrol session

Keyboard-Video-Mouse remote control lets you access any client computer andmanage it in-band or out-of-band. This type of remote control does not depend onany features of the operating system, it is fully hardware-based and it can bypassvirus protection firewall. It lets you troubleshoot a client computer remotely, withfull access to video and input devices.

To initiate a remote control session, the client computer user must provide to theadministrator a six-digit code, that pops up once a remote control session isrequested. Client computer user is always aware of an active remote control sessionby a specific icon in the corner of the screen.

If the operating system of the client computer is down, the booting process can beredirected to an external location or a network drive.

The prerequisites for using remote control are the following:

Intel vPro Technology (Intel AMT), version 6 or later

Integrated Intel video adapter

Power cable plugged in

Network cable plugged in

30Managing resourses one-to-one in real timeStarting a Keyboard-Video-Mouse (KVM) remote control session

Current IP address of the computer that you want to manage

WS-MAN protocol (DASH + AMT profile and credentials)

Note: You can remotely access a client computer with Intel AMT below version 6using Intel AMT feature Serial-over-LAN (SOL).See Starting a Serial-over-LAN(SOL) remote control session on page 31.

You must configure the client computer for management. Ensure that remote controlsessions are allowed on the client computer.

To start a KVM remote control session


2 On the Real-Time System Manager Portal page, in the Manage Web part,in the Computer text box, type the IP address of the computer that you wantto manage, and then click Connect.

3 On the Resource Manager page, in the right pane, under Supportedprotocols, click Default Connection Profile.

4 In the Select connection profile dialog box, enable AMT and DASH profiles,and then click OK.

For more information on setting up the connection profiles and credentials,see: http://www.symantec.com/docs/HOWTO62827

5 In the navigation pane, underReal-TimeConsoles, expandReal-Time SystemManager > Management Operations, and then click Remote Control.

6 In the right pane, underRemote control options, click Start Remote Control.

To avoid problems with service keys, a virtual keyboard with F-service keys isavailable under the screen.

Note: If you want to reboot the client computer during a wireless KVM remote controlsession, click Switch to Me before you reboot the client computer to keep thesession active. After the operation system on the client computer reboots, clickSwitch to Host to restore the wireless connection on the client computer.

Starting a Serial-over-LAN (SOL) remote controlsession

(Intel AMT only)

31Managing resourses one-to-one in real timeStarting a Serial-over-LAN (SOL) remote control session

The Intel AMT feature Serial-over-LAN (SOL) redirects the remote computer'sscreen text output to a virtual serial port that Real-Time System Manager can readand display in the Symantec Management Console. For example, this feature letsyou access the remote computer's BIOS using the remote terminal window andchange BIOS settings, or watch the boot process.

To use this feature with the Intel AMT client computers that are configured in securemode, their Fully Qualified Domain Name (FQDN) must be resolved correctly onthe Notification Server computer. Also, you must configure the connection profileto use the right certificates for authentication.

If the SOL session cannot start, make sure that the Intel AMT device is configuredto allow this functionality.

See Configuring the Intel AMT device settings on page 35.

To start a SOL remote control session

1 Connect to the client computer that you want to manage.


2 In the navigation pane, under Real-Time Consoles, click Real-Time SystemManager > Management Operations > Manage Power State andRedirection.

3 To create a new SOL session after you turn on the target computer, in the rightpane, underRedirection options, checkDisplay task progress and remotelycontrol computer.

Note that, if the session is closed from the client side (for example, the computeris restarted locally), the Remote Control Terminal is not closed automatically.In this case, you must close the terminal window manually.

Note: Boot redirection to local devices (PXE server, CD-ROM, local HDD) isnot supported during a SOL remote control session. You can only redirect theboot to a remote device (CD or floppy image, remote CD-ROM, or to a server).

Warning: If there is already an active SOL session, it is terminated when thetask runs.

32Managing resourses one-to-one in real timeStarting a Serial-over-LAN (SOL) remote control session

4 (Optional) To change the BIOS settings remotely during the SOL session,check Enter BIOS on startup.

Note that, when you exit the BIOS on the client computer, the client computerstops sending the information to the terminal. However, the Remote ControlTerminal windows is not closed automatically. In this case, you must closethe terminal window manually.

5 Turn on or restart the computer.

See Turning off, turning on, or restarting a client computer on page 29.

To view the details of an active SOL session

1 On the Manage Power State and Redirection page, click Details.

2 (Optional) To disconnect an active SOL session, in the Redirection Detailsdialog box, click Stop remote control.

3 Click Close.

Booting a computer from remote location using IDE-R(Intel AMT, ASF, DASH)

The IDE-R feature of Intel AMT, ASF, and DASH technologies lets you boot thetarget computer from a remote disk drive or image. This feature lets you diagnoseand fix the operating system problems.

To use this feature with the Intel AMT client computers that are configured in securemode, their Fully Qualified Domain Name (FQDN) must be resolved correctly onthe Notification Server computer. Also, you must configure the connection profileto use the right certificates for authentication.

If the IDE-R session cannot start, make sure that the Intel AMT device is configuredto allow this functionality.

See Configuring the Intel AMT device settings on page 35.

You can also run this task on multiple computers, immediately or on a schedule.

See Booting multiple computers from a remote location on page 22.

To start an IDE-R session

1 Connect to the client computer you want to manage.


2 In the navigation pane, under Real-Time Consoles, click Real-Time SystemManager > Management Operations > Manage Power State andRedirection.

33Managing resourses one-to-one in real timeBooting a computer from remote location using IDE-R

3 In the right pane, on the Manage Power State and Redirection page, underRedirection options, check Perform boot from, and then, in the drop-downmenu, click the device to boot from.

Warning: If there is already an active IDE-R session, it is terminated when thetask runs.

4 To start the computer from an image, on the right, click Browse to navigate toa network share where the image is located.

Warning: Do not use an image file that is placed on a CD or a DVD-ROM tostart the computer. Use only the images that are stored on local or networkhard disk drives.

5 Turn on or restart the computer.


To view details of active IDE-R session

1 On the Manage Power State and Redirection page, under Redirectionoptions, click Details.

2 (Optional) To disconnect a boot device, in the Redirection Details dialog box,click Stop redirection.

3 Click Close.

Blocking network traffic from and to the computer(Intel AMT only)

The network filtering (Circuit Breaker) functionality on Intel AMT lets you blocknetwork traffic from and to the target computer's operating system. For example,you can use this feature to isolate an infected computer from the network.

Note: Network filtering works only if both client operating system and Intel AMTnetwork settings are configured to use Dynamic Host Configuration Protocol (DHCP).

Note: Some ports stay open when network filtering is active.


34Managing resourses one-to-one in real timeBlocking network traffic from and to the computer


See Filtering the network traffic on multiple computers on page 23.

To block network traffic from and to the computer



2 In the navigation pane, under Real-Time Consoles, click Real-Time SystemManager > Networking > Intel AMT Network Filtering.

3 In the right pane, under Intel AMT Network Filtering, select Filter networktraffic other than to and from the Notification Server.

4 (Optional) To prevent the target computer from sending malicious packets,check Enable anti-spoofing filter.

This feature forces the identity verification of outgoing network traffic and dropspackets if the computer is suspected of originating malicious attacks that areknown as IP spoofing.


To protect the target computer from network flooding



2 In the navigation pane, under Real-Time Consoles, click Real-Time SystemManager > Networking > Intel AMT Network Filtering.

3 In the right pane, under Intel AMT Network Filtering, select Limit the numberof PING packets to, and then type the number of packets per second, thatare allowed to pass through the Intel vPro network filter.

The default setting is packets per second.


Configuring the Intel AMT device settings(Intel AMT only)

You can allow or forbid SOL and IDE-R sessions. You can configure Intel AMTpower-saving settings.

35Managing resourses one-to-one in real timeConfiguring the Intel AMT device settings

To allow SOL and IDE-R sessions



2 In the navigation pane, under Real-Time Consoles, click Real-Time SystemManager > Configuration > Intel AMT Settings.

3 To allow the target computer to start SOL sessions, in the right pane, underAllow following settings, check Task progresswindow and remote control.

4 To allow the target computer to start IDE-R sessions, in the right pane, underAllow following settings,check Redirect to optical/floppy drive or imageon a server.


To change the Intel AMT power-saving settings



2 In the navigation pane, under Real-Time Consoles, click Real-Time SystemManager > Configuration > Intel AMT Settings.

3 To allow the Intel AMT device to enter sleep state, in the right pane, underAllow following settings, checkUseManageability Engine's power savingmode after, and then type the timeout value.

Example: 5 minutes.


See Starting a Serial-over-LAN (SOL) remote control session on page 31.

See Booting a computer from remote location using IDE-R on page 33.

Viewing client computer logsYou can view the client computer events logs.

Windows event logs (application, security and system logs)

Intel AMT log

Symantec Management Agent diagnostic logSee Managing the properties of Symantec Management Agent in real timeon page 38.

36Managing resourses one-to-one in real timeViewing client computer logs

To view Windows Application Log

1 Connect to the client computer, that you want to see the Application Log for.


2 In the Navigation pane, expand Real-Time Consoles > Real-Time SystemManager > Event Logs > Application Log.

3 In the right pane, view the application log information.

Note: By default, only error type of events are viewed in the list. To change theparameters, on theAppliction Log page, double-click Event filters, and applynew filters.

To view the Intel AMT log

1 Connect to the client computer, that you want to see the AMT Log for.


2 Click Real-Time System Manager > Event Logs > Intel AMT Event Log.

Managing BIOS settings(Broadcom DASH only)

You can use the Manage BIOS Settings page to remotely view and update theBIOS settings of the target computers that are capable of BIOS management throughthe DASH technology. To identify these computers, you must collect the DASHsettings inventory.

To check if the functionality is supported by the client computer

1 In the Resource Manager, in the Inventory view, expand Real-Time ConsoleInfrastructure > RTCI DASH Registered profile.

2 IfBIOSManagement profile is displayed on this page, then the client computersupports WS-MAN BIOS Management.


See Updating BIOS settings on page 17.

37Managing resourses one-to-one in real timeManaging BIOS settings

To update BIOS settings



2 In the navigation pane, under Real-Time Consoles, click Real-Time SystemManager > Management Operations > Manage BIOS Settings.

3 In the right pane, on the Manage BIOS Settings page, under Available BIOSsettings, configure BIOS settings.

If BIOS is protected by administrator or system passwords, specify thepasswords.


5 Restart the client computer for the new settings to take effect.


If you have a system password set on the target computer, on the ManagePower State and Redirection page, check Bypass computer's startuppassword, and then restart the computer using ASF protocol.

Managing the properties of Symantec ManagementAgent in real time

To manage Symantec Management Agent properties using Real-Time SystemManager, you must connect to a client computer with a WMI profile and credentials.

To manage the properties of Symantec Management Agent in real time


2 On the Real-Time System Manager Portal page, in the Manage Web part,in the Computer text box, type the IP address of the computer, that you wantto manage, and then click Connect.


38Managing resourses one-to-one in real timeManaging the properties of Symantec Management Agent in real time

4 In the Select connection profile dialog box, choose the WMI profile, and thenclick OK.

For more information on setting up the connection profiles and credentials see:http://www.symantec.com/docs/HOWTO62827

5 In the navigation pane, underReal-TimeConsoles, expandReal-Time SystemManager > Software > Symantec Management Agent, and then click oneof the following management or audit nodes.

View and filter Symantec Management Agent logs. You canfilter by severity, or view all entries: errors, warnings, andinformation. Diagnostic log can be exported into a file.

Diagnostic Log

View, turn on/off the maintenance windows on the clientcomputer.

Maintenance Windows

View the full list of plug-ins that are installed on the clientcomputer.

Registered Plug-ins

Assign the client computer to a different NotificationServer.

Force an update for Symantec Management Agent.

Force a collection of basic inventory.

Enable diagnostics.

Settings

Review the tasks that are currently running on the clientcomputer.

Tasks

Activating a virtual layerSoftware Virtualization Solution only virtualizes the application environment, notthe complete PC. It installs the Altiris Software Virtualization Agent that providesfalse information to the host operating system. The operating system works as if itis running a normal application, while in fact the associated file and registry callsare redirected to a newly created virtual layer, where the application actually resides.You can install several applications into the same layer, or configure them separatelyin their own individual environments, to avoid any potential conflicts. The initiallayer, that is created when the application is installed is read-only, so it cannot becorrupted. A separate associated editable layer holds the program data, configurationfiles, etc. After you delete that information, the application returns to its initialcondition.

After you install Software Virtualization Solution and create layers, you can manageexisting layers using Real-Time System Manager.

39Managing resourses one-to-one in real timeActivating a virtual layer

For more information about the requirements, installation, and configuration ofSoftware Virtualization Solution, seeAltiris Software Virtualization Solution ReferenceGuide.

http://www.symantec.com/docs/DOC1655

The prerequisites for managing virtual layers in real time are as follows:

Connection to the client computer with a WMI profile and credentials

Software Virtualization Solution installed in a mode that provides WMI classes

Real-Time System Manager lets you:

Activate and deactivate existing layers

Enable layers to start automatically after the boot of the client computer

Reset layers

Remove existing layers

View details for existing layers

To activate a virtual layer


2 On the Real-Time System Manager Portal page, in the Manage Web part,in the Computer text box, type the IP address of the computer, that you wantto manage, and then click Connect.


4 In the Select connection profile dialog box, activate the WMI profile, and thenclick OK.

For more information on setting up the connection profiles and credentials see:http://www.symantec.com/docs/HOWTO62827

5 In the navigation panel, under Real-Time Consoles, expand Real-TimeSystem Manager > Software > Manage Virtual Layers.

6 In the right pane, click the layer in the list, that you need to activate, and then,on the toolbar, click Activate.

On the toolbar, to allow or deny the layer to start automatically after the restartof the operation system on the client computer, click Auto or Manual.

40Managing resourses one-to-one in real timeActivating a virtual layer

Additional functionality


Additional functionality and portal actions available in Real-Time System Manager

Resetting a domain user password

Running the port check

Configuring the port check settings

Modifying the list of open network filtering ports

Adding or removing custom views

Additional functionality and portal actions availablein Real-Time System Manager

Additional functionality and customization capabilities are available in Real-TimeSystem Manager.

Resetting a domain user passwordYou can reset a domain user password.

To reset a domain user password


2 In the Tools Web part, click Reset Domain Password.

3 In the Reset Domain Password dialog box, fill in the required fields, and thenclick OK.

4Chapter

You can also reset user passwords on multiple computers.

See Resetting a local user password on multiple computers on page 18.

Running the port checkThe Port Check tool lets you detect which ports are open on the target computer.You can run the Port Check tool from a computer filter.

See Configuring the port check settings on page 42.

To run the port check

1 In the Symantec Management Console, on the Manage menu, click Filters.

2 In the left pane, select a filter.

For example, click Computer Filters > All Computers.

3 In the right pane, right-click on a computer resource, and then click RemoteManagement > Port check.

Configuring the port check settingsReal-Time Console Infrastructure includes a Port Check tool. This tool lets youdetect which ports are open on the target computer. You can run the Port Checktool from a computer filter.

See Running the port check on page 42.

You can configure the port check settings that the Port Check tool uses. Forexample, you can configure which ports to check.

To configure port check settings

1 In the Symantec Management Console, click Home > Remote Management> Real-Time System Manager Portal.

2 In the left pane, click Port Check.

3 On the Port Check page, click Configure Ports.

4 On the Modify Ports page, add or remove ports to check.

5 Click OK.

Modifying the list of open network filtering portsYou can modify the list of ports to keep open when network filtering is active on theNetwork Filters page.

42Additional functionalityRunning the port check


See Blocking network traffic from and to the computer on page 34.

See Filtering the network traffic on multiple computers on page 23.

To modify the list of open network filtering ports


2 In the left pane, click Remote Management > Real-Time System Manager> Network Filters.

3 Modify the filters.

Adding or removing custom viewsYou can add or remove custom views, which appear in the Resource Manager'sReal-Time view.

For example, you can add the Linux OpenWSMan view, which is included inReal-Time Console Infrastructure.

The location of the custom view file is C:\ProgramFiles\Altiris\RTCI\Web\Samples\Linux-Demo.config

For more information on how to configure the Linux OpenWSMan sample view,see http://www.symantec.com/docs/HOWTO10140.

To add or remove a custom view


2 In the left pane, click Remote Management > Real-Time ConsoleInfrastructure > Manage Custom Views.

3 On the Manage Custom Views page, add or remove a view.

43Additional functionalityAdding or removing custom views

List of available operations

This appendix includes the following topics:

List of available operations

Managements processes

Audit Nodes

Information Nodes

List of available operationsBy default, all of the actions in Real-Time System Manager and Real-Time ConsoleInfrastructure are available in-band and one-on-one, with a few exceptions that aremarked in the footnotes. Actions that are available out-of-band or as one-to-manytasks are marked with X-s in corresponding columns.

Nodes are divided into 3 groups: management processes, audit and informationsections. Information nodes provide constant data about client computers. Auditnodes allow you to track variable information about client computers in real time.

Managements processesTable A-1 Management Operations

1-to-manyOut-of-bandTechnicalRequirements

Available Data

xWMIManage Local Users and Groups

-WMIManage Printers

xWMIManage Processes

AAppendix

Table A-1 Management Operations (continued)


Available Data

xWMIManage Services

xxAMT or DASHManage Alerts

-xAMTMedia redirectionRemote Control

-xDASHRemote control *

xxWMI or AMT or DASH

or IPMI

Power Up

Power Down

Restart

Basic PowerOperations

Manage Power State and Redirection

xxAMT

Bypass bootpassword

LockKeyboard

AdvancedPowerOptions

xAMTConsole Terminal Redirection(SOL)

xAMTBIOS Management with SOL

xxAMT or ASFLocal media redirection

xxAMTRemote media redirection

xxDASHBIOS Management **

* Remote control is currently supported only on Intel AMT clients with AMT version6+ and Intel integrated Video Adapter.

** To use BIOS Management under DASH, client computer must support BIOSManagement DASH Profile.

Table A-2 Configuration


Available Data

xxAMTUnconfigure Intel AMT DeviceIntel AMT ConfigurationMode

xxAMTIntel AMT Settings

45List of available operationsManagements processes

Table A-2 Configuration (continued)


Available Data

xAMTIntel Remote Access Policy

Table A-3 Software

TechnicalRequirements

Available Data

WMIDiagnostic Log *

WMIMaintenance Windows *

WMIRegistered Plug-ins *

WMISettings *

WMITasks *

WMIDetails

Activate

Deactivate

Reset

Auto or Manual

Remove

Software Virtualization Layers **

* Symantec Agent must be installed.

** Requires Symantec Workspace Virtualization Agent with Admin Tools.

46List of available operationsManagements processes

Audit NodesTable A-4 Summary

Out-of-bandTechnicalRequirements

Available Data

xWMI or AMT or DASHComputer nameBasic Information

WMIPrimary owner name

WMICurrently logged in user

WMIDomain

WMIOperation system

AMTProduct

xWMIVersion

xWMI or AMTNameCPU Information

WMI or AMT or DASHCurrent/max speed

WMILoad percentage

WMI or AMT or DASHVirtualMemory Usage

xWMI or AMT or DASHPhysical

WMICommitted

WMIPage file @ C

WMI or AMTCapacityDisk Usage

WMIUsed

WMIFree

WMIFile system

WMI or AMTNetwork Connectivity

WMISecurity

47List of available operationsAudit Nodes

Table A-5 Event Logs

Out-of-bandTechnicalRequirements

Available Data

WMIApplication Log

WMISecurity Log

WMISystem Log

WMIDirectory Service Log *

WMIDNS Server Log *

WMIFile Replication Service Log *

xIPMISystem Event Log

xAMTIntel AMT Event Log

* This log is only available for clients that are Domain Controllers.

Information NodesInformation nodes are mostly available as in-band one-on-one actions, exceptionsare marked in the footnotes.

In some cases it is possible to modify the settings from the Detailed view of someof the information nodes.

48List of available operationsInformation Nodes

Table A-6 Information nodes (static)


Available DataNodes

WMILocal TimeOperating System

WMIOperating System

WMIPage File Settings

WMIPrinting Job

WMIProxy Server

WMIQuick-FixEngineering

WMIRegistry

WMIRegistry

WMIShare

WMITerminal Server

WMIKeyboardInput and Output Devices

WMIModem

WMIMonitor

WMIPointing Device

WMIPrinter

WMIVideo Adapter

WMIIDE ControllerControllers and Ports

WMIParallel Port

WMISerial Port

WMIUSB Controller

WMISCSI Controller

WMIUSB Hub


Table A-6 Information nodes (static) (continued)


Available DataNodes

xAMTAgent WatchdogsPhysical System

AMTBattery

xWMI or AMT orIPMI

BIOS

xWMI or AMT orDASH or SNMP orIPMI

Computer System

DASHDASH RegisteredProfiles

DASHDASH Software

DASHFanPhysical System

AMT or DASHField ReplaceableUnit

xWMI or AMT orDASH or IPMI

MotherboardDevice

DASHPower Supply

WMI or AMT orDASH

Processor

xDASH or IPMISensors

WMISMBIOS

WMISound Device

WMI or DASHCache MemoryMemory

WMILogical MemoryConfiguration

xWMI or DASHPhysical Memory

xWMI and AMTDisk DriveMass Storage

WMILogical Drive

xWMIMedia Device


Table A-6 Information nodes (static) (continued)


Available DataNodes

WMI and SNMPIP Route TableNetworking

WMI and SNMPNetwork Adapter

xWMI or AMT orSNMP or IPMI

Network AdapterConfiguration

WMINetworkConnection

WMIServer Connection

WMIServer Session

xxAMTFilternetworktraffic

IntelAMTNetworkFiltering

xAMTExportfilteringsettings

xIntel AMT NetworkSettings

xWireless Profile


Troubleshooting


Troubleshooting Real-Time System Manager connection

Troubleshooting Real-Time System Managerconnection

Listed bellow are some of the reasons why Real-Time System Manager cannotestablish a real time connection.

BAppendix

Table B-1 Possible reasons of real time connection errors

Possible reasonsTechnology

The connection credentials are incorrect.

The computer is turned off .

The operating system is not loaded.

The computer is not connected to the network.

The firewall does not allow incoming WMI connections.

See Configuring the firewall to allow WMI connection on page 54.

Simple file sharing is enabled.

See Disabling simple file sharing on Windows XP SP2 on page 57.

User Access Control is turned on.

See Configuring User Access Control on Windows Vista or later versions ofWindows on page 58.

You are connecting to Microsoft Windows Home (Basic) editions, where WMIremote connection is not available.

You are connecting with a user that has an empty password.

WMI


ASF is turned on in the BIOS but not configured.

ASF is turned off in the BIOS.


The target computer is not ASF capable.

ASF


The Intel AMT device is not configured.

The Intel AMT device is in secure mode, but the connection profile is notconfigured to use the correct certificates, and vice versa.

For more information on configuring connection profiles, see the SymantecIT Management Suite powered by Altiris technology User Guide.

Intel AMT is turned off in the BIOS.


The computer is not Intel AMT capable.

Intel AMT

53TroubleshootingTroubleshooting Real-Time System Manager connection

Table B-1 Possible reasons of real time connection errors (continued)

Possible reasonsTechnology


DASH is turned on in the BIOS but not configured.

DASH is turned off in the BIOS.


The target computer is not DASH capable.

DASH


The IPMI device is not configured.

The IPMI device is in secure mode, but the connection profile is not configuredto use the correct certificates.

IPMI is turned off in the BIOS.


The target computer is not IPMI capable.

IPMI

The SNMP community string is incorrect.

SNMP is not installed on the target computer.

The SNMP service is not running on the target computer.

The Notification Server computer is not in the list of hosts to accept the SNMPpackets from. Check SNMP service properties.

SNMP

Configuring the firewall to allow WMI connectionWMI connection through the Real-Time view can fail when you try to connect to acomputer with Microsoft Windows XP Service Pack 2, Windows Vista, or Windows7 operating system.

This issue can occur when the default configuration of the Windows Firewall programblocks incoming network traffic for Windows Management Instrumentation (WMI)connection. For the connection to succeed, the remote computer must permitincoming network traffic on TCP ports 135, 445, and additional dynamically-assignedports, typically in the range of 1024 to 1034.

You can resolve this issue in one of the following ways:

Configure the firewall on the computer that you want to connect to.See Configuring the firewall on a single computer on page 55.

Configure the firewall on all computers in the domain using a group policy.


See Configuring the firewall on multiple domain computers with a group policyon page 56.

Temporarily disable the firewall.

See Troubleshooting Real-Time System Manager connection on page 52.

Configuring the firewall on a single computerYou can configure the firewall using the computers local settings.


To configure the firewall on Windows XP SP2

1 Log on to the target computer as the administrator.

2 Click Start > Run, in the Open field, type gpedit.msc, and then click OK.

3 In the Group Policy window, expand Local Computer Policy > ComputerConfiguration > Administrative Templates > Network > NetworkConnections > Windows Firewall, and the click one of the following:

If the computer is in a domain, click Domain Profile.

If the computer is not in a domain, click Standard Profile.

4 In the right pane, double-click Windows Firewall: Allow remoteadministration exception, in theWindows firewall dialog box, select Enable,and then click OK.

To configure the firewall on Windows Vista


2 From the Control Panel, open the Windows Firewall Settings dialog box.

3 On the Exceptions tab, check Windows Management Instrumentation(WMI).

To configure the firewall on Windows 7


2 From the Control Panel, locate and open the Windows Firewall configurationdialog box.

3 In the left pane, clickAllow a program or feature throughWindows Firewall.

4 Check Windows Management Instrumentation (WMI).


Configuring the firewall on multiple domain computers with a grouppolicy

Before you start the firewall configuration, ensure sure that all the computers thatyou want to manage with this policy are in the same organizational unit.

For more information about how to use a group policy, visit the following MicrosoftWeb site:

http://technet.microsoft.com/en-us/windowsserver/grouppolicy/default.aspx

These steps assume that Windows Firewall is configured to use the domain profile.The domain profile is the most typical scenario.

For more information about Windows Firewall profiles and about how Windowsselects the profile to load, see theDeployingWindows Firewall Settings for MicrosoftWindows XP with Service Pack 2 guide.

For more information, visit the following Microsoft Web site:

http://www.microsoft.com/downloads/details.aspx?FamilyID=4454e0e1-61fa-447a-bdcd-499f73a637d1&DisplayLang=en


To configure the firewall on multiple domain computers with a group policy

1 Create a group policy object for the organizational unit that contains theWindows XP SP2 computers that you want to manage:

Log on to a domain controller.

Click Start > Run, type dsa.msc in the Open dialog box, and then click OK.

Expand your domain, right-click the organizational unit in which you wantto create the group policy, and then click Properties.

On the Group Policy tab, click New.

Type a name for the group policy object, and then press Enter.

Click Close.

2 Log on to a domain-member computer that is running Windows XP SP2. Logon with a user account that is a member of one or more of the following securitygroups:

Domain Admins

Enterprise Admins

Group Policy Creator Owners

3 Click Start > Run, in the Open field, type mmc, and then click OK.


4 On the File menu, click Add/Remove Snap-in.

5 On the Standalone tab, click Add.

6 In theAdd Standalone Snap-in dialog box, clickGroup Policy, and then clickAdd.

7 In the Select Group Policy Object dialog box, click Browse.

8 Click the group policy object that you want to update with the new WindowsFirewall settings.

For example, click the organizational unit that contains the Windows XP SP2computers, click OK, and then click the group policy object that you created instep 1.

9 Click OK, and then click Finish.

10 Click Close, and then click OK.

11 Under Console Root, expand the group policy object that you selected in step8, and then click Computer Configuration > Administrative Templates >Network > Network Connections > Windows Firewall > Domain Profile.

12 In the right pane, double-click Windows Firewall: Allow remoteadministration exception.

13 Click Enabled, and then specify the administrative scope in the Allowunsolicited incoming messages from dialog box.

For example, to permit remote administration from a particular IP address, typethat IP address in the Allow unsolicited incoming messages from dialogbox. To permit remote administration from a particular subnet, type that subnetby using the Classless Internet Domain Routing (CIDR) format. In this scenario,type 192.168.1.0/24 to specify the network 192.168.1.0 with a 24-bit subnetmask of 255.255.255.0.

For more information on how to specify a valid administrative scope, see theSyntax area of the Setting tab in this policy.

14 Click OK, and then on the File menu, click Exit .

Disabling simple file sharing on Windows XP SP2The ForceGuest option that is enabled by default on all Windows XP computersthat are members of a workgroup (in contrast to domain members). All users wholog onto such computers over the network are forced to use the Guest account.This is limitation is Windows XP specific.



To disable simple file sharing on Windows XP SP2

Do one of the following steps:

Open Control Panel, double-click Folder Options, and on the View tab,uncheck Use simple file sharing. Click OK.

On the client computer, in the Windows registry, set the ForceGuestDWORD value equal to 0 (zero) under the[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa] key.For more information, see Microsoft knowledge base articles :http://support.microsoft.com/default.aspx?scid=KB;EN-US;180548http://support.microsoft.com/default.aspx?scid=kb;en-us;290403

Configuring User Access Control on Windows Vista or later versionsof Windows

You must turn off the User Access Control (UAC) on non-domain computers if youwant to install the Symantec Management Agent to those computers and managethe computers remotely through WMI.

For more information, see Microsoft article http://technet.microsoft.com/en-us/windowsvista/aa905108.aspx.


To configure User Access Control on Windows Vista

1 On the client computer with the Microsoft Windows Vista operating system,open the Control Panel.

2 Double-click User Accounts.

3 In the User Accounts dialog box, click Turn User Account Control on oroff.

4 Uncheck Use User Account Control (UAC) to help protect your computer,and then click OK.

To configure User Access Control on Windows 7

1 On the client computer with the Microsoft Windows 7 operating system, openthe Control Panel.

2 Click User Accounts.

3 Click Change User Account Control settings.

4 Move the slider to Never notify, and then click OK.


Technical Reference


Ports used by Real-Time System Manager

How authentication works

About changes in default sys

Date post:	16-Oct-2015
Category:	Documents
Upload:	shahid-wahab-nawab
View:	18 times
Download:	0 times

RealTimeSystemManagement User Guide

Documents